Why is Hikvision still supplying cameras with this old firmware? I am generally not a conspiracy theorist, but...
Warning: ADI and Tri-Ed Video Products Major Security Risk
Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference - IPVM test on ADI W Box, IPVM test of Tri-Ed Northern Video.
Both ADI and Tri-Ed are using old firmware (respectively 5.2 and 5.1) that were involved in major Hikvision hacks from March 2015. Since then, Hikvision has released a significant upgrade (see IPVM Hikvision 5.3 test results) to help mitigate the core problems.
*** *** *** ***-** *** ***** using *****, *** ** **** ******** is *******.
[******: ***-** *** ***** / ******** to *.*]
*******, **** ** ******* ***** **** connecting *** *** ***-** ******* ** Hikvision's ***:
**** *****, ********* *** **** *** with another******* ******** (**** **** *** *** mobile ***). ***** *** *** ***-**'* *** versions ** *** ****** ** ** ******** for **** (******* **** *** ***** older *** ******** **** **** *** compromised), **** **** ********** ********* *** their *** ******** ********* **** *** other ******* (**** ** *** ** date '*****' ****** ********).
******* *** ********
**** *** ******** **** ********* *** and ***-** ***** ******* **** *** 'strong' ******** ******* **** ********* **** not ****. ************, ** ** **** publication, ***** *** ** ******** *** and ***-** ******** *********.
*****
*** ******* ** **** *** ******* ADI *** ***-** **** ** ****** buying *** *** ***** *** ** the ***** ***********, *** *********** **** issues. *******, ** **** *** **** these ****** *********.
*****, **** **** ** *********, *** firmware *** *** ** ******** **** (or *** *****) ******* ***** *************** open ************ *** ******.
** *** **** ******** '******' ******** firmware ******** *** ********, ** **** add ** **** ****.
[****** ***** ****: ***-** *** ******** the *.* ********. *** *** ***.]
You know the expression "never assume malice when stupidity will suffice."
I don't know. Best guess is that ADI and Tri-Ed do not care.
Is it possible to enter a strong password on old firmware?
Yes. I don't remember off the top of my head how long passwords can be using the old firmware, but it's at least 8 characters, special characters allowed.
Could I be forgiven for imagining that I had heard the words "8 characters" and "strong password" in nearly the same breath?
In 2009, the U.S. National Institute of Standards and Technology Draft Pub 800-118 said,
"A password with a character set size of 72 and a length of 8 characters has a maximum keyspace of 7*1014. For the example described above, hashes for this entire keyspace could be generated in 12 minutes. Increasing the character set size to 95 only increases the time to 2 hours."
Several "Moore's Law" cycles later, 8 bit passwords can be within reach of major players, even when salted with 32 bit hashes.
Those who do not believe that network device security is important needn't worry about the inconvenience of a password. For the rest of us, even a 14 character password length constraint seems surprisingly limiting.
Yes, there are more safe recommendations. And those recommendations have been around for years. And it has been (less than 48 hours) since a camera vendor shipped me a new model with password processing so crude it can't handle "?" and fails beyond 8 characters. Apparently there are camera vendors out there that "do not believe that network device security is important". Who knew? (Other than ipvm.com readers.)
If these players did the wrong kind of oem deal (bought 20 containers of cameras, no followon support...) this could be a self-inflicted problem. I keep seeing IPVM shout about this, I'm not seeing the distributors jump up and contest the comment, or even trying to throw Hikvision under the bus. I think this sounds like "we don't need no steenkin' cyber security features" attitude on the part of ADI management, which would have implications for everything else they sell...
In fairness to ADI, they don't really care about anything, so don't think it's 'just' against cybersecurity.
Recent fiasco example: Problem With Milestone VMS License Ordered Through ADI
To be clear, that is a list of probable Hikvision OEMs (though some of these companies OEM from multiple sources).
Also, more importantly, we have not verified that those companies are using the older firmware. It's certainly possible that they have the newer 5.3 non-'risky' firmware.
John, yes these are just probable Hikvision OEM's. Some may be shipping the latest firmware, now.
Even if they are though, I think the list is useful, as there will be older models that need to be brought forward. Owners of many of these vulnerable OEM products may not even be aware that they are at risk, if not aware they own Hik.
One of the downsides of a tight lipped OEM program. What's the Hik response?
"What's the Hik response?"
I know they are working on upgrading firmware for their OEMs, which is not a surprise. I just followed up with them this morning to see what has been released in production.
UTC / Interlogix shows either 5.0 or 5.1 as the latest available firmware on their website for their IP cameras (tech support confirmed to us that it is listed under the download tab for each camera like so). As such, and if true, that makes them very out of date and risky.
Just to be recap and be clear in this thread for those that are using these cameras, what exactly are the vulnerabilities?
1)unsecured default guest user?
2)not forcing change of the default password?
3)telnet enabled ?(this one is ridiculous to me, can it be disabled in previous firmware?)
4)no limit on hacking attempts?
1 thru 3 seem easily remedied by the integrator taking proper precations, #4 creates some challenges on cameras running on Port 80 and publicly reachable.
There have also been various buffer overflow exploits reported in some devices, in the older version of the firmware.
There is no guest user by default.
The main issues were the weak admin password, telnet enabled with no way to disable it, and no limit on login attempts.
Changing passwords is easily remedied, but with the number of Hikvision cameras sold, and easy availability/low cost, a lot of consumers were purchasing them and had no idea about these vulnerabilities, which is likely where a lot of issues came from. Even among integrators, many still use default passwords.
Firmware 5.3 forces a complex password and disables telnet by default. It also includes an illegal login lock, which locks out an IP address after 3 failed login attempts, and can send emails to notify of these attempts.