Improved ******** ******** ** *********
******* *** ******** (*******) software *** ********** ***** codes *** *********** ****** the ******* ** ******* support ******, ********* **** the *** ******* ** centrally ****** ****** *** company, *** ****** ** more ******** **********. **** should make ** ****** ** it ** ** ****** and / ** *******
New ******** **** ******
********* ****** *** *** method, ***** **** ***** to ** *** "**** key ******** ********" ** more ******, ****** **** did not ******* ********* *******, such ** ** ** was ***** ** ****** algorithms ** ********** ** a *********/******** ***** ********.
*** ******* ******** ** similar ** ****** **** data ***** ********* *******, sent ** ********* *******, a **** ** **** is ******** *** **** code/file ******** * ******** reset.
***** *** ******** ******* was ***** ** *** device's ******* **** *** serial ******, *** *** method ******* ** ****** in ** ***** **** of *** *********, ***** on *** ********* ********* the *******:
- ****** ****** ******
- ****** ****
- ******* ***** ******** ** admin ******** ***
- ****** ** *** ******** or ****** ****** ******** at ******
*** ***** *******, *** possibly ***** ****, *** used ** **** * random *****-******* ******, ***** is **** **** ** Hikvision *******. ** ******* of **** ******, **** one ** *** **** units, ** ***** *****:

(**** *** ****** ****** is ********* ** ********* at *** *** ** the ******, ***** ***** ** easier *** ********* ******* to ****** ** *** unit ** ******** *** support)
******** ***** **** ********* support ** *** ***** of *** *** ******** and ****** **** **********, "9963844e" *** "********" ***** examples ** ****** ***** we ********.
*** ********* ******** **** is **** *** * days, ***** ******** ***** were ****-*******. *******, ********* states **** *** ***** are **** *** **** 1 ***, ***** ******** codes ***** ** **** an ********* ****** ** times *** * ***** date.
********* ** *********, *** reset **** ******** **** support **** ** ******* if *** ****** *** rebooted, ** *** ***** password ******* ***** *** device *********** ******.
No ******** ****** ******
** ******** ****** ** the ****** ** ****** to ****** ******* *** password ***** ********* ******, or *** *** ******** code ********* ** ********* to ***** *** ***** password. ********* ******** ************ for ***** ******* ****, ******-**** ********** ******* ***** ********* over * *******. **** makes ******* ********** ** anyone *** *** ****** the *** *** ******** is ******** **.
Firmware ******* *********
********* ****** ******** *.*.** and ***** (*.*., *.*.*, 3.4.92) ******* *** *** password ***** *********.
*********'* ******** ******** ****** *** **** ******* ********* for ********** *********, ***** *********'* ***** ******* **** Support ****** **** ***** ******* ******** for **** ** *** recorders, ****** **** **** being ***** ***** ****'* report. ****: ********* ***** America ******* ***** ******** customers ** *** *** European ******** ** ***** can ** ******** *********** ** the *** *****.
No *********
**** *** *** ******, *** new ****** **** *** allow ********* **** ******** reset **********. **** ***** that ****** *** *** retrieve * ******'* ****** number *** ******* ** submit * ******** ***** request ** *********. ** they *** **** ** convince ********* ** ******** a ***** **** (***** is ****** ***** ***** verification / ********** ** minimal), **** **** *** use **** **** ** take **** *** ******'* admin *******.
Still *********
** *** ***, ***** still ****** ** ********* within ********* **** *** take * ****** ** characters *** *** * computation **** ******* ** a *** ****** ** characters, ***** *** **** be **** ** **** out ** *** ***** password ** *** ******. Thus, *** **** ** still **** ** ** cracked, ******* ** ******** versions, *** ****/** *** code ** *******, ***** Hikvision ****** ** *** would ** ********** ** attack.
Failed ** ****** / ****
****** ********* *** ******* aware **** *** ******** reset ********* ** ******** versions *** ****, ******* and *********** ******, **** did *** **** ***** of ****, ** ******* the ******* ******** ** solving * ******** *****. Unfortunately, ********* *** * history ** **** ************** ****** security ***************, **** ** in *** ***-******.*** *************, ********* ***** ** ******* being ****** **** ***** it *** **********, ** ******* *************. **** ************* ****** **************** **** ***** **** notified ********* **** ** were ***** ** ******* on **.
Overall - ************ *** **** ******
** *** ******** ****, Hikvision *** ***** ***** both ** *** ********* side *** *** ************* side ** ******* **** issue *** ****** *** chances ********* *** ******** an ***** ******** *****.
** *** ******** ****, Hikvision ****** **** ********* this ******* * **** time ***, ****** **** waiting *** ** ** be ******** ****** ***. Users ****** **** ** given * ****** ** opt-out ** ****** ***** devices ********** ** ***** codes. ****, *** *** method ** ***** ** risk ** ***** *******, and *** ***** ** requested ******* ********** ** authorization/ownership, ******* ***** ***** of ********* ********* *********** vulnerable.
*********'* ****** ** ********** to ***** ********, *** applicability ** ********** *** enterprise ********, *** *** be ***** ********* ***** security ***** **** ** non-destructive *******-***** ******** ****** exist ** ***** ********.
Comments (22)
John Honovich
Hikvision has a challenge here:
I think Hikvision is better off being pro-active and clear. Not only is it the right thing but it helps them build / repair trust.
How do you think Hikvision should handle these issues?
Create New Topic
Undisclosed Manufacturer #1
A never ending saga showing that 'security' is not high on their agenda and comes a solid second or worse behind selling product, whether it's 'safe' or not. It's ridiculous that they do not respond to any vulnerabilities until such time they are disclosed by IPVM.
Create New Topic
Mick Brown
Not surprised
Create New Topic
Undisclosed Integrator #2
I know that every device has way of resetting the admin password. It's just not readily published on the internet like Hikvision.
I've done it on Burglar Alarm Panel such as DSC and Elk. Hivivision is always on the chopping block since, well let's admit it, they are the biggest video surveillance by volume...
On a side note, TVT, who is major OEM supplier, has one master password that will reset their entire line of recorders. It's a fact since I've done it myself. I am not going to share it though for the sake of cyber security. I really hope that TVT patches this as soon as possible. It's just matter of time before this gets leaked, or maybe it already has? LOL
Create New Topic
Brian Karas
This is not necessarily true, and more importantly, it matters HOW the reset is performed. For example, Milestone Husky, and Genetec SV appliances have no way to reset their passwords, according to statements from both companies. Mobotix requires the unit to be shipped back to the factory. You can argue if this is too extreme or not, but it does ensure that the unit can not be simply reset across the network.
Other devices have a physical button that needs to be pressed, often while the device is rebooted, requiring physical access to the unit, instead of just network access, as is the case with Hikvision.
Regarding TVT, we plan to investigate that and will report on what we find. Given the way TVT OEMs to a broad range of brands (see: Interview With Researcher Who Cracked Security Of 70+ DVR Brands), it would be a widespread vulnerability if a static password could be used to reset all of those devices.
Create New Topic
Marty Calhoun
"according to statements from both companies" Take that with a grain of salt!
Create New Topic
Undisclosed #5
If "9963844e" and "d0111167" are examples of reset codes, then it seems like it might be an 8-character hexadecimal number or a 32bit pass code. That is still 4.2 billion possible combinations (fewer if their algorithm has collisions). I wonder how secure the cameras are against a brute force attack?
Hikvision should implement one or both of the following if they haven't done so already
There's still the issue of there being an algorithm to generate the code. I think it's a great service to be able to offer the ability to restore access to an NVR/DVR without losing data, but I think this should absolutely require physical access to the unit. And for IP cameras I would prefer that a factory reset via physical button on the camera be the only method to restore access.
Create New Topic
Undisclosed Integrator #6
@ Brian. Dahua's NVR58XX series can integrate with Milestone and Genetec. Also, some of the HIKVision DVRs/NVRs can be added to Milestone through ONVIF. So if there are remote sites using DAHUA or HIKVision that are not connected to any external network (or Internet), but which are linked to a Central Command Centre running Milestone or Genetec, is there a Security concern?
Create New Topic
Undisclosed #8
I sense a Hik-Blog post condemning "The Blogger" in the near future.
Create New Topic