*** *** *** ***-** *** ***** using *****, *** ** **** ******** is *******.
[******: ***-** *** ***** / ******** to *.*]
*******, **** ** ******* ***** **** connecting *** *** ***-** ******* ** Hikvision's ***:
**** *****, ********* *** **** *** with another******* ******** (**** **** *** *** mobile ***). ***** *** *** ***-**'* *** versions ** *** ****** ** ** ******** for **** (******* **** *** ***** older *** ******** **** **** *** compromised), **** **** ********** ********* *** their *** ******** ********* **** *** other ******* (**** ** *** ** date '*****' ****** ********).
******* *** ********
**** *** ******** **** ********* *** and ***-** ***** ******* **** *** 'strong' ******** ******* **** ********* **** not ****. ************, ** ** **** publication, ***** *** ** ******** *** and ***-** ******** *********.
*****
*** ******* ** **** *** ******* ADI *** ***-** **** ** ****** buying *** *** ***** *** ** the ***** ***********, *** *********** **** issues. *******, ** **** *** **** these ****** *********.
*****, **** **** ** *********, *** firmware *** *** ** ******** **** (or *** *****) ******* ***** *************** open ************ *** ******.
** *** **** ******** '******' ******** firmware ******** *** ********, ** **** add ** **** ****.
[****** ***** ****: ***-** *** ******** the *.* ********. *** *** ***.]
Comments (19)
Sal Visone
Why is Hikvision still supplying cameras with this old firmware? I am generally not a conspiracy theorist, but...
Create New Topic
Undisclosed Manufacturer #1
Is it possible to enter a strong password on old firmware?
Create New Topic
Horace Lasell
Could I be forgiven for imagining that I had heard the words "8 characters" and "strong password" in nearly the same breath?
In 2009, the U.S. National Institute of Standards and Technology Draft Pub 800-118 said,
"A password with a character set size of 72 and a length of 8 characters has a maximum keyspace of 7*1014. For the example described above, hashes for this entire keyspace could be generated in 12 minutes. Increasing the character set size to 95 only increases the time to 2 hours."
Several "Moore's Law" cycles later, 8 bit passwords can be within reach of major players, even when salted with 32 bit hashes.
Those who do not believe that network device security is important needn't worry about the inconvenience of a password. For the rest of us, even a 14 character password length constraint seems surprisingly limiting.
Create New Topic
Undisclosed
If these players did the wrong kind of oem deal (bought 20 containers of cameras, no followon support...) this could be a self-inflicted problem. I keep seeing IPVM shout about this, I'm not seeing the distributors jump up and contest the comment, or even trying to throw Hikvision under the bus. I think this sounds like "we don't need no steenkin' cyber security features" attitude on the part of ADI management, which would have implications for everything else they sell...
Create New Topic
dean woodyatt
Create New Topic
Sal Visone
Just to be recap and be clear in this thread for those that are using these cameras, what exactly are the vulnerabilities?
1)unsecured default guest user?
2)not forcing change of the default password?
3)telnet enabled ?(this one is ridiculous to me, can it be disabled in previous firmware?)
4)no limit on hacking attempts?
1 thru 3 seem easily remedied by the integrator taking proper precations, #4 creates some challenges on cameras running on Port 80 and publicly reachable.
Create New Topic