Warning: ADI and Tri-Ed Video Products Major Security Risk

By John Honovich, Published Sep 22, 2015, 12:00am EDT (Info+)

Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference - IPVM test on ADI W Box, IPVM test of Tri-Ed Northern Video.

Both ADI and Tri-Ed are using old firmware (respectively 5.2 and 5.1) that were involved in major Hikvision hacks from March 2015. Since then, Hikvision has released a significant upgrade (see IPVM Hikvision 5.3 test results) to help mitigate the core problems.

*** *** *** ***-** *** ***** using *****, *** ** **** ******** is *******.

[******: ***-** *** ***** / ******** to *.*]

*******, **** ** ******* ***** **** connecting *** *** ***-** ******* ** Hikvision's ***:

**** *****, ********* *** **** *** with another******* ******** (**** **** *** *** mobile ***). ***** *** *** ***-**'* *** versions ** *** ****** ** ** ******** for **** (******* **** *** ***** older *** ******** **** **** *** compromised), **** **** ********** ********* *** their *** ******** ********* **** *** other ******* (**** ** *** ** date '*****' ****** ********).

******* *** ********

**** *** ******** **** ********* *** and ***-** ***** ******* **** *** 'strong' ******** ******* **** ********* **** not ****. ************, ** ** **** publication, ***** *** ** ******** *** and ***-** ******** *********.

*****

*** ******* ** **** *** ******* ADI *** ***-** **** ** ****** buying *** *** ***** *** ** the ***** ***********, *** *********** **** issues. *******, ** **** *** **** these ****** *********.

*****, **** **** ** *********, *** firmware *** *** ** ******** **** (or *** *****) ******* ***** *************** open ************ *** ******.

** *** **** ******** '******' ******** firmware ******** *** ********, ** **** add ** **** ****.

[****** ***** ****: ***-** *** ******** the *.* ********. *** *** ***.]

Comments (19)

Why is Hikvision still supplying cameras with this old firmware? I am generally not a conspiracy theorist, but...

Agree: 1
Disagree
Informative
Unhelpful
Funny

You know the expression "never assume malice when stupidity will suffice."

I don't know. Best guess is that ADI and Tri-Ed do not care.

Agree: 5
Disagree
Informative
Unhelpful
Funny: 2

Is it possible to enter a strong password on old firmware?

Agree
Disagree
Informative
Unhelpful
Funny: 1

Yes. I don't remember off the top of my head how long passwords can be using the old firmware, but it's at least 8 characters, special characters allowed.

Agree
Disagree
Informative
Unhelpful
Funny

The password can be between 8 and 16 characters.

Agree
Disagree
Informative
Unhelpful
Funny

Could I be forgiven for imagining that I had heard the words "8 characters" and "strong password" in nearly the same breath?

In 2009, the U.S. National Institute of Standards and Technology Draft Pub 800-118 said,

"A password with a character set size of 72 and a length of 8 characters has a maximum keyspace of 7*1014. For the example described above, hashes for this entire keyspace could be generated in 12 minutes. Increasing the character set size to 95 only increases the time to 2 hours."

Several "Moore's Law" cycles later, 8 bit passwords can be within reach of major players, even when salted with 32 bit hashes.

Those who do not believe that network device security is important needn't worry about the inconvenience of a password. For the rest of us, even a 14 character password length constraint seems surprisingly limiting.

Agree
Disagree
Informative
Unhelpful
Funny

Yes, there are more safe recommendations. And those recommendations have been around for years. And it has been (less than 48 hours) since a camera vendor shipped me a new model with password processing so crude it can't handle "?" and fails beyond 8 characters. Apparently there are camera vendors out there that "do not believe that network device security is important". Who knew? (Other than ipvm.com readers.)

Agree
Disagree
Informative: 1
Unhelpful
Funny

If these players did the wrong kind of oem deal (bought 20 containers of cameras, no followon support...) this could be a self-inflicted problem. I keep seeing IPVM shout about this, I'm not seeing the distributors jump up and contest the comment, or even trying to throw Hikvision under the bus. I think this sounds like "we don't need no steenkin' cyber security features" attitude on the part of ADI management, which would have implications for everything else they sell...

Agree: 1
Disagree
Informative
Unhelpful
Funny

In fairness to ADI, they don't really care about anything, so don't think it's 'just' against cybersecurity.

Recent fiasco example: Problem With Milestone VMS License Ordered Through ADI

Agree
Disagree
Informative
Unhelpful
Funny: 1
I'm sure there's quite a few other hikvision OEM's affected also, is there a complete list around somewhere?
Agree
Disagree
Informative
Unhelpful
Funny

Short list: Swann, Trendnet, Lorex, ADI, LTS, Winictech

Long list.

Agree
Disagree
Informative
Unhelpful
Funny

To be clear, that is a list of probable Hikvision OEMs (though some of these companies OEM from multiple sources).

Also, more importantly, we have not verified that those companies are using the older firmware. It's certainly possible that they have the newer 5.3 non-'risky' firmware.

Agree: 1
Disagree
Informative
Unhelpful
Funny

John, yes these are just probable Hikvision OEM's. Some may be shipping the latest firmware, now.

Even if they are though, I think the list is useful, as there will be older models that need to be brought forward. Owners of many of these vulnerable OEM products may not even be aware that they are at risk, if not aware they own Hik.

One of the downsides of a tight lipped OEM program. What's the Hik response?

Agree
Disagree
Informative
Unhelpful
Funny

"What's the Hik response?"

I know they are working on upgrading firmware for their OEMs, which is not a surprise. I just followed up with them this morning to see what has been released in production.

Agree
Disagree
Informative
Unhelpful
Funny

Let's not forget UTC (Interlogix).

Agree
Disagree
Informative
Unhelpful
Funny

UTC / Interlogix shows either 5.0 or 5.1 as the latest available firmware on their website for their IP cameras (tech support confirmed to us that it is listed under the download tab for each camera like so). As such, and if true, that makes them very out of date and risky.

Agree
Disagree
Informative
Unhelpful
Funny

Just to be recap and be clear in this thread for those that are using these cameras, what exactly are the vulnerabilities?

1)unsecured default guest user?

2)not forcing change of the default password?

3)telnet enabled ?(this one is ridiculous to me, can it be disabled in previous firmware?)

4)no limit on hacking attempts?

1 thru 3 seem easily remedied by the integrator taking proper precations, #4 creates some challenges on cameras running on Port 80 and publicly reachable.

Agree
Disagree
Informative
Unhelpful
Funny

There have also been various buffer overflow exploits reported in some devices, in the older version of the firmware.

Agree
Disagree
Informative
Unhelpful
Funny

There is no guest user by default.

The main issues were the weak admin password, telnet enabled with no way to disable it, and no limit on login attempts.

Changing passwords is easily remedied, but with the number of Hikvision cameras sold, and easy availability/low cost, a lot of consumers were purchasing them and had no idea about these vulnerabilities, which is likely where a lot of issues came from. Even among integrators, many still use default passwords.

Firmware 5.3 forces a complex password and disables telnet by default. It also includes an illegal login lock, which locks out an IP address after 3 failed login attempts, and can send emails to notify of these attempts.

Agree
Disagree
Informative
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports