Hikvision Responds To Cracked Security Codes

By: Brian Karas, Published on Aug 15, 2017

Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2-page update to dealers and in communication directly with IPVM.

In this note, we examine Hikvision's response, evaluating the positive and negative elements of it.

Good

On the positive side, Hikvision:

  • Revamped the password reset procedure to a method that is more challenging to crack
  • Has been releasing new recorder firmware that makes an improved method available to users

Bad

On the negative side, problems remain:

  • Hikvision knew about the cracked codes for a long time but never notified dealers until after IPVM published
  • The new method still cannot be disabled
  • The new method still risks being cracked

Improved ******** ******** ** *********

******* *** ******** (*******) software *** ********** ***** codes *** *********** ****** the ******* ** ******* support ******, ********* **** the *** ******* ** centrally ****** ****** *** company, *** ****** ** more ******** **********. **** should make ** ****** ** it ** ** ****** and / ** *******

New ******** **** ******

********* ****** *** *** method, ***** **** ***** to ** *** "**** key ******** ********" ** more ******, ****** **** did not ******* ********* *******, such ** ** ** was ***** ** ****** algorithms ** ********** ** a *********/******** ***** ********.

*** ******* ******** ** similar ** ****** **** data ***** ********* *******, sent ** ********* *******, a **** ** **** is ******** *** **** code/file ******** * ******** reset.

***** *** ******** ******* was ***** ** *** device's ******* **** *** serial ******, *** *** method ******* ** ****** in ** ***** **** of *** *********, ***** on *** ********* ********* the *******:

  • ****** ****** ******
  • ****** ****
  • ******* ***** ******** ** admin ******** ***
  • ****** ** *** ******** or ****** ****** ******** at ******

*** ***** *******, *** possibly ***** ****, *** used ** **** * random *****-******* ******, ***** is **** **** ** Hikvision *******. ** ******* of **** ******, **** one ** *** **** units, ** ***** *****:

(**** *** ****** ****** is ********* ** ********* at *** *** ** the ******, ***** ***** ** easier *** ********* ******* to ****** ** *** unit ** ******** *** support)

******** ***** **** ********* support ** *** ***** of *** *** ******** and ****** **** **********, "9963844e" *** "********" ***** examples ** ****** ***** we ********.

*** ********* ******** **** is **** *** * days, ***** ******** ***** were ****-*******. *******, ********* states **** *** ***** are **** *** **** 1 ***, ***** ******** codes ***** ** **** an ********* ****** ** times *** * ***** date. 

********* ** *********, *** reset **** ******** **** support **** ** ******* if *** ****** *** rebooted, ** *** ***** password ******* ***** *** device *********** ******.

No ******** ****** ******

** ******** ****** ** the ****** ** ****** to ****** ******* *** password ***** ********* ******, or *** *** ******** code ********* ** ********* to ***** *** ***** password. ********* ******** ************ for ***** ******* ****, ******-**** ********** ******* ***** ********* over * *******. **** makes ******* ********** ** anyone *** *** ****** the *** *** ******** is ******** **.

Firmware ******* *********

********* ****** ******** *.*.** and ***** (*.*., *.*.*, 3.4.92) ******* *** *** password ***** *********.

*********'* ******** ******** ****** *** **** ******* ********* for ********** *********, ***** *********'* ***** ******* **** Support ****** **** ***** ******* ******** for **** ** *** recorders, ****** **** **** being ***** ***** ****'* report. ****: ********* ***** America ******* ***** ******** customers ** *** *** European ******** ** ***** can ** ******** *********** ** the *** *****.

No *********

**** *** *** ******, *** new ****** **** *** allow ********* **** ******** reset **********. **** ***** that ****** *** *** retrieve * ******'* ****** number *** ******* ** submit * ******** ***** request ** *********. ** they *** **** ** convince ********* ** ******** a ***** **** (***** is ****** ***** ***** verification / ********** ** minimal), **** **** *** use **** **** ** take **** *** ******'* admin *******.

Still *********

** *** ***, ***** still ****** ** ********* within ********* **** *** take * ****** ** characters *** *** * computation **** ******* ** a *** ****** ** characters, ***** *** **** be **** ** **** out ** *** ***** password ** *** ******. Thus, *** **** ** still **** ** ** cracked, ******* ** ******** versions, *** ****/** *** code ** *******, ***** Hikvision ****** ** *** would ** ********** ** attack.

Failed ** ****** / ****

****** ********* *** ******* aware **** *** ******** reset ********* ** ******** versions *** ****, ******* and *********** ******, **** did *** **** ***** of ****, ** ******* the ******* ******** ** solving * ******** *****. Unfortunately, ********* *** * history ** **** ************** ****** security ***************, **** ** in *** ***-******.*** ********************** ***** ** ******* being ****** **** ***** it *** **********, ** ******* *************. **** ************* ****** **************** **** ***** **** notified ********* **** ** were ***** ** ******* on **.

Overall - ************ *** **** ******

** *** ******** ****, Hikvision *** ***** ***** both ** *** ********* side *** *** ************* side ** ******* **** issue *** ****** *** chances ********* *** ******** an ***** ******** *****.

** *** ******** ****, Hikvision ****** **** ********* this ******* * **** time ***, ****** **** waiting *** ** ** be ******** ****** ***. Users ****** **** ** given * ****** ** opt-out ** ****** ***** devices ********** ** ***** codes. ****, *** *** method ** ***** ** risk ** ***** *******, and *** ***** ** requested ******* ********** ** authorization/ownership, ******* ***** ***** of ********* ********* *********** vulnerable.  

*********'* ****** ** ********** to ***** ********, *** applicability ** ********** *** enterprise ********, *** *** be ***** ********* ***** security ***** **** ** non-destructive *******-***** ******** ****** exist ** ***** ********.

Comments (22)

Hikvision has a challenge here:

  • If they pro-actively notify the industry of their security vulnerabilities, Hikvision knows it will hurt their brand and expansion.
  • If they try to hide it, they can benefit if no one else reports on it. But if someone else reports on it, their reputation will be even more impacted as people find them untrustworthy and worry about what else is being hidden.

I think Hikvision is better off being pro-active and clear. Not only is it the right thing but it helps them build / repair trust.

How do you think Hikvision should handle these issues?

A never ending saga showing that 'security' is not high on their agenda and comes a solid second or worse behind selling product, whether it's 'safe' or not. It's ridiculous that they do not respond to any vulnerabilities until such time they are disclosed by IPVM.

Yes I agree and after having taken business classes in Japan and learning about saving face, I think it might be worthwhile for IPVM to explore that concept in Chinese-related business/society:

http://www.china-mike.com/chinese-culture/understanding-chinese-mind/cult-of-face/

"In the US, you can admit and apologize for your shortcomings and gain respect for your honest efforts to learn from the past. Americans are generally forgiving if someone takes responsibility for their problems.

"For instance, during his Presidential run, George W. Bush spoke openly about overcoming his addiction to alcohol. This is something that no Chinese official would ever do it—it would be a devastating loss of face and almost impossible to recover from."

Please note: I am NOT defending Hikvision, but hopefully this can give some answers to why they might choose to or not to do something. They are doing business in America and they need to be privy to the social norms of that society both publicly and privately.

Sure, things are different in China.

Another example: China, Addicted to Bootleg Software, Reels From Ransomware Attack

And another: China’s Intellectual Property Theft Must Stop

And yet another: Chinese Government Spies on Churches With Video Surveillance

Net/net it is more than simply saving 'face', but a fundamental ethical conflict.

Yes, but according to whose ethics? You would think that theft, spying, and lying would be accepted world-wide as wrong no matter the situation, but that's simply not the case. Unfortunately for companies that are unwilling to change according to the region they do business in, they will be hurt by such acts and I know Hikvision's unwillingness to do so IS hurting them now (as seen by US agencies getting rid of all Hikvision equipment as you reported on).

 

Keep up the good reporting John, we deserve to know what really goes on!

Yes, but according to whose ethics?

Side stepping the philosophical debate, as you note, Hikvision wants to be in business in the West where Enlightenment ethics are well established. They can 'accommodate' us or risk the problems they are having. As a practical matter, the West overall has been soft on the PRC for so long that we have emboldened the PRC to act as they do.

I have agreed from the beginning.

Not surprised

 

I know that every device has a way of resetting the admin password. It's just not readily published on the internet like Hikvision.

I've done it on Burglar Alarm Panels such as DSC and Elk. Hikvision is always on the chopping block since, well let's admit it, they are the biggest video surveillance by volume...

On a side note, TVT, who is a major OEM supplier, has one master password that will reset their entire line of recorders. It's a fact since I've done it myself. I am not going to share it though for the sake of cyber security. I really hope that TVT patches this as soon as possible. It's just a matter of time before this gets leaked, or maybe it already has? LOL

I know that every device has a way of resetting the admin password. It's just not readily published on the internet like Hikvision.

This is not necessarily true, and more importantly, it matters HOW the reset is performed. For example, Milestone Husky, and Genetec SV appliances have no way to reset their passwords, according to statements from both companies. Mobotix requires the unit to be shipped back to the factory. You can argue if this is too extreme or not, but it does ensure that the unit can not be simply reset across the network.

Other devices have a physical button that needs to be pressed, often while the device is rebooted, requiring physical access to the unit, instead of just network access, as is the case with Hikvision.

Regarding TVT, we plan to investigate that and will report on what we find. Given the way TVT OEMs to a broad range of brands (see: Interview With Researcher Who Cracked Security Of 70+ DVR Brands), it would be a widespread vulnerability if a static password could be used to reset all of those devices.

"according to statements from both companies" Take that with a grain of salt!

Pass the salt, please...

Hikvision claims the new method, which they refer to as the "GUID key password recovery" is more secure...

Take that with a grain of salt!

 

Why? Do you know of a way to reset the admin passwords on those devices? Do you know of a history of reported security issues with those companies? (not just here, but on public disclosure lists such as CERT, etc.)

 

If "9963844e" and "d0111167" are examples of reset codes, then it seems like it might be an 8-character hexadecimal number or a 32-bit pass code. That is still 4.2 billion possible combinations (fewer if their algorithm has collisions). I wonder how secure the cameras are against a brute force attack?

Hikvision should implement one or both of the following if they haven't done so already:

  • Limit password reset capability to a short time frame after the last reboot, thus greatly limiting the exposure to brute force attacks. This would break their current implementation though as it relies on up-time.

  • Require a reboot (or a very long wait) if too many unsuccessful attempts are made. They already lock cameras if too many normal login attempts are made, so maybe they do this already.

There's still the issue of there being an algorithm to generate the code. I think it's a great service to be able to offer the ability to restore access to an NVR/DVR without losing data, but I think this should absolutely require physical access to the unit. And for IP cameras I would prefer that a factory reset via physical button on the camera be the only method to restore access.
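The two mitigations proposed in the comment above (a short reset window after boot, and a reboot-required lockout after repeated bad codes), sketched as an added Python example that is not part of the original thread and is not Hikvision's code. The class and function names, the 300-second window, the failure limit and the sample code value are assumptions constructed for illustration; how the expected code is generated is not modeled.

```python
import hmac
import time


class ResetGate:
    """Gate in front of a password-reset code check (hypothetical design).

    Accepts reset codes only for a short window after boot and, after too
    many bad codes, refuses everything until the device is rebooted.
    """

    def __init__(self, expected_code, window_s=300, max_failures=5,
                 clock=time.monotonic):
        self._expected = expected_code.encode()  # supplied out of band (assumption)
        self._window_s = window_s
        self._max_failures = max_failures
        self._clock = clock
        self.reboot()

    def reboot(self):
        """A reboot reopens the window and clears the failure lockout."""
        self._boot_time = self._clock()
        self._failures = 0
        self._locked = False

    def try_reset(self, code):
        """Return 'ok', 'bad_code', 'locked' or 'window_closed'."""
        if self._locked or self._expected is None:
            return "locked"
        if self._clock() - self._boot_time > self._window_s:
            return "window_closed"
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), self._expected):
            self._expected = None  # one-time use: a code cannot be replayed
            return "ok"
        self._failures += 1
        if self._failures >= self._max_failures:
            self._locked = True
        return "bad_code"


def guess_odds_per_boot(keyspace, max_failures):
    """Chance that blind guessing hits the code within one boot cycle."""
    return min(1.0, max_failures / keyspace)


if __name__ == "__main__":
    gate = ResetGate("a1234567", max_failures=3)  # constructed sample code
    print([gate.try_reset(c) for c in ("b0000000", "c0000001", "d0000002")])
    print(gate.try_reset("a1234567"))  # locked until reboot, even if correct
    print(guess_odds_per_boot(16 ** 8, 3))
```

With the 32-bit keyspace the commenter estimates, each boot cycle gives a remote guesser only `max_failures` tries, so the lockout turns an online brute force into one that needs a reboot of the target for every handful of guesses.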

Why brute force? The "Magic_Number" is already out in the wild for their old password reset tools. If you can hit the LAN of the IP Camera then you can own it. 


http://sergei.nz/files/reset_hikvision_password.py

There was always more to it than just the 'Magic Number', the magic number was factored with other data from the device, and then the output converted to type-able ASCII characters.

The new method clearly uses a different overall approach, even the output is very different. They could be using the same 'Magic Number' (and I suspect they are not), but enough other elements are different that existing code/methods/numbers provide little help.

 

I was under the misconception that U5 was talking about the old code. My apologies.

As for the new password reset method it is still the same BS in my opinion. It is just more security through obscurity and sooner or later someone will leak the new algorithm and we will be right back to square one.

It is just more security through obscurity

Based on past performance from Hikvision, I would tend to agree with you. That is why I think they really need to offer up some proof (see my comment above) to show they have solved the crackability problem, not just a statement that it is now different.

To clarify, the examples used were actual values from reset requests we performed. There was a third one I didn't publish, but it followed the same format. All 3 of them had a single lower-case letter at one end of the code, and then the balance made up of 7 digits.

There are obviously a lot of unknowns about the new method, though some answers may be easy to determine with some simple testing.

I thought about various brute-force attacks. One big question is determining first if the password reset request 'flips a bit' that makes the unit ready to accept a reset code, or if a proper code was randomly guessed would the unit accept it?

If the unit would accept a request code without any 'priming', it makes it a lot more susceptible to a distributed bot-net attack. Think of a spin on Mirai that is fed a list of Hikvision IPs, and each device picks a random code and random IP, and tries them. Even with timeouts, reboots, etc, this would likely stumble on a fair number of devices over time. That feedback could then also be potentially used to crack the algorithm.

In the current scenario, where Hikvision chooses not to disclose details on what exactly makes the password reset approach trustable, I think that having this capability, with no ability to disable it, hurts them. It is too easy for people to outline practical scenarios that could lead to another wide-spread exploit, and thus decide that Hikvision's products are not suitable for their applications.

Similarly a substantial bug-bounty could also instill confidence. Offer $10,000 to anyone that can crack the new algorithm as a show of faith.

@ Brian. Dahua's NVR58XX series can integrate with Milestone and Genetec. Also, some of the HIKVision DVRs/NVRs can be added to Milestone through ONVIF. So if there are remote sites using DAHUA or HIKVision that are not connected to any external network (or Internet), but which are linked to a Central Command Centre running Milestone or Genetec, is there a Security concern?

So if there are remote sites using DAHUA or HIKVision that are not connected to any external network (or Internet), but which are linked to a Central Command Centre running Milestone or Genetec, is there a Security concern?

Yes, there is still a security concern. If someone can get the admin password reset and take over a recorder, then they have high-level access to a core component on the security network. From that you can potentially extract other information (IP addresses of servers, other passwords, etc.) and use that to attack other components of the network.

For deployments like you describe (remote sites, use of higher-level VMSes), the organizations tend to be larger, and risk of internal attacks (rogue employees) also increases. Your security threat is different than a small single-recorder site directly connected to the internet, but still a threat.

I sense a Hik-Blog post condemning "The Blogger" in the near future.
