Who Is Hacking Hikvision Devices?

By Brian Karas, Published Mar 06, 2017, 11:36am EST

Someone or organization is mass hacking Hikvision devices, actively and systematically running a script / program across the Internet that looks for Hikvision devices, finds them, and, at least, locks the user out.

The most significant misconception is that someone is simply randomly or manually looking up individual devices and changing admin passwords. This is absolutely not the case as Hikvision themselves have acknowledged.

This is a serious problem for Hikvision and their customers.

This is also the case of someone who is unethically and probably illegally running these hacks.

Motivations *** ******

**** ***** **** *** carried *** ** ********** devices **** **** *** done *** * ** 3 main *******:

  1. ** ***** ***** ******, typically ** ********** ** obscure ** ******* ******** in * ****** ** order ** **** ***** abilities *** ***-***** *******
  2. ** *** *** ****** devices ** * ****** to ****** **** ***** target, ** *** ******* resources (********* **** **** ** Worst ******* ****** ****).
  3. ** ***** ******* ***** and ********** *** ******/***** of *** ****** ("*** the **** [**** ** longer *********]")

** **** ****, *** hacked ******* *** *** default ** **** ***** passwords, ***** ***** ****** #1 ********, ***** ** not * *** ** skill ******** ** ***** attacks. ** **** ***** has **** ** *********** of *** ****** ******* being **** ** *******, but *** ******* ***** be ******* ** ***** a ****** ****** ** units ****** ********* * botnet ******. ** ** also ******** **** ** being **** ** **** attention ** *** **** security *** **** ** compromise ** ***** *****.

Botnet ********

** *** ******* *** turned **** * ******, they **** ********** **** to ******* ** * C&C (******* *** *******) server ** ******* ************. Additionally, *** ****** ****** would ****** **** *** botnet *** ** ****** who **** ** *** it ** ****** ***** sites. ** **** ****** get ******** **** *********** the ******, ** ******* it *** *******, *** chances ** ** **** someone ************* ******* *********** about **********, *** **** can ** **** ** trace **** ** *** person(s) ****** *** ******. This ** *********** *** the******* ****** * ***** botnet **** ***** ** ******** ********** ***** Krebs.

Lulz ********

** *** ******'* ******* motivation ** ** ******* systems, ** *** ** much ****** ** ***** them ****. ** ********* script ***** ** ****** on * ** **** hacked *******, *** ** probe *** ******** *** vulnerable *******, *** **** carry *** *** ****** automatically. *** ******** ***** have ****** **** ** be *********** ********, ** to **** ********** ***** to ******, ******** *** chances ** **************.

Anti-Hikvision **********

**** ********* ******************* * *** ********, that *** ****** ***** be ******* ***:

******** ********* *** ****** everyone ** ****** ***** devices **** ******, ******* it ***** ***** * PR ********* *** *********.

***** *** ******* ********** of **** **** **** support *** ******. *** example, ******** *** ***** password ****** ***** ** be ****** *** ** their *** *******, **** could ** * "*** the ****" ****, ** it ***** ** *******/** organization **** ************ ***** to ******* ********* ***** and **** *** ************* of *** ********* ** attention. ****, ** *** damaging *** ****** (********* configurations, ******* *****, ******** camera ********, ******** ***** user ********) *** ********* are *** ******* *********** harm. *******, ********* *** forced ** **** * notification that **** *** ******** yet ******* ******** ******** [link ** ****** *********], generating ******** *****.

Extent ** **** *******

** ****, ** *********** have ******** ************* **** hack, ** **** **** might ** ********* ****** changing *** ***** ******** and ****** *** ****** account. ****** **** *********** on **** ****, ** anything, ** ***** **** as **** ** **** could **** ********** *** motivation ** *** ******(*), and ******* ***** ** their ********.

Likelihood Of ******* ******

****** ***** ** * major ***** ** *** attacks, *** ******(*) ****** this *** ** ********. The ***** **** ******** enough ******** ** **** awareness ** *** ******** industry, *** **** *** been ***** ****** ** targeted ****** ** **** widespread ********. **** *** reduce *** ******* **** security *********** **** *** time ** *********** **** or ******** ********* ** gathering **** ***********, ***** reduces *** ******* *** hacker ** ******.

Hikvision *************

********* ** ********* ************* this ** *** *** find *** ****** *** prevent **** ******* **** being ******. **** *** be **** ** ***** ******** **** * ********** ***, or ******** ******* ******** machines **** *******/***** ** gain **** ******* **** what *** ******** ****** beyond *** ***** ********, where *** ******* ********* from, ** ** *** affected ******* ******* ** communicate **** ***** ******* for ********** ************. **** information ***** **** ****** the ******'* ********.

Request For ***********

** *** **** *********** on ****** *** *** hacker ** ** *** ******* of *** **** ***, please ******* ** ** info@ipvm.com

 

Comments (88)

Avatar

Jim Kirk

03/06/17 10:14pm

I have 8 Hikvision cameras and 1 Hikvision NVR on my LAN.  I have one router on my LAN and the router is connected to the internet.  I assign fixed LAN IP address to all 9 Hikvision devices.

It seems like the only thing a user can do is be sure the default password for "admin" is changed on all their Hikvision devices and also change the default internet port if you use a router with port forwarding.     

For example, I changed the default internet access port of each of my devices to something like 80xx (vs 8000) where xx is the last two digits of the devices IP address on the LAN.  

If all the Hikvision cameras on the LAN are used as an input to a LAN NVR (e.g. Hikvision NVR) you could just have the LAN port on the NVR forwarded (say 80yy rather then 8000) and leave all the individual camera ports not forwarded.  You still get full internet access of all cameras when you use the internet and log into the NVR.

I'd love to change the username in addition to the password for "admin" but I haven't been able to do that on my Hikvision devices.  Can this be done?

I'm open to any other things I might do to make my Hikvision devices less vulnerable to being hacked. 

Jim

 

Undisclosed #1

In reply to Jim Kirk | 03/06/17 10:47pm

Does it need to be on the internet?  The simplest option is just disconnecting it if it does not need to be.

Srikanth Kamath

In reply to Jim Kirk | 03/07/17 03:18am

any private network connected to internet is connected via gateway (people call them Gateway-Routers) and these simple devices promises to have a builtin firewall. which block the traffic from Outside to Inside, provide access through NAT to the Device on the Inside from Outside

How far and how much can you trust these sub 100 USD Gateway Firewall. Its also clearly understand able that utm devices (Unified threat management) are not economical solution.

"MarketsandMarkets expects that the global unified threat management market is estimated to be $2584.6 million in 2014 and is expected to grow to $4445.7 million in 2019. This represents an estimated Compound Annual Growth Rate (CAGR) of 11.5% from 2014 to 2019. In the current scenario, NA is expected to be the largest market on the basis of spending and adoption for the unified threat management solutions and services."

I would suggest that a simple, workaround is access the Inside only through VPN and not use NAT at all. again please remember even VPN are not hack proof, I recommend OpenVPN or SSL VPN. Implementation of VPN is quite easy, there are devices like ASUS RT-N16 (+100 USD) or FVS318G etc.

at the device head, use VPN Server and on your device use VPN Clients to create the tunnel. While creating the tunnel you could disable access to Local Network devices and just Tunnelled NAT to your DVR, hence only the DVR is accessible and not the cameras.

By using a VPN Tunnel, you create a secure tunnel into your private network, hence the gateway is configured to block all access. This resolves the most basic issues way of securing your device, keep it away from Internet access. I have documented "How To" at http://tskamath.pactindia.net/?s=VPN

Srikanth Kamath

In reply to Srikanth Kamath | 03/07/17 03:20am

DVR--> also NVR / VMS Server, etc

Undisclosed Manufacturer #2

03/06/17 11:01pm

Scenario 5: This issue was revealed as a smoke screen.  While Hik looks transparent and responsible, the real backdoors are still wide open to the dictators who run the company.

Undisclosed #3

03/06/17 11:39pm

I would place my bets on the 'for the lulz' with access to run their own botnet unassisted, deploy and run away. As long as the vulnerability is fashionable it will attract many curious entities with many agendas. Unfortunately we will benefit as smart devices, IoT and public computing is thwarted, the final outcome is a better more efficient configuration or protocol to follow. We are in the infant stages, before all was open and you were free to play if you knew how. As we grow up we must understand that a security based foundation is needed before a sales and production rollout. It is not a matter of design it is a matter of rule.

Marty Calhoun

IPVMU Certified | 03/07/17 12:19am

I have my bet on a competitor who is at best 'grabbing for straws' in an elusive yet feeble attempt to discredit the hard working and always generous folks over at HIKVISION. It is clear that no 'credible hacker' would waste his time chasing down some DVR not even knowing what he'might' see on the other end. Why not open some fake bank accounts? much more lucrative for sure. I've always wondered myself through all of these supposed 'crises' that seem to occur weekly just what a hacker will gain sneaking into unknown DVR's and NVR's? I suppose one could surmise some lame attempt at a Ransom situation if one ran across a 'checkmate' scenario but that in itself is a stretch so what is the advantage to be gained UNLESS you are a competitor and just 'suturing the pot' because you have loss so much business the last couple years. I mean really, sitting around in some back dark room trying  to hit an open DVR and Wa la you get lucky, then what? Its someones back door, a sidewalk, a street corner or a barking dog? Big deal. Then what? It is made out to seem like hacking these units is a 'world class feat' and will offer great riches but in reality you see some video of somewhere you dont even know, have no clue in hell where it is, or what it is or anything else.....WTF?

So lets surmise here....one of the largest manufacturers in the world, employing many thousands of good hard working citizens is superstitiously slipping in the backdoor of the DVR and NVR units to cause what ill? What ill can you cause? For what gain? Humans do things to gain some advantage, explain the advantage please? Oh yea, cant log in to see the dog I forgot....

Andrew Tierney

In reply to Marty Calhoun | 03/07/17 08:40am

I don't think you really understand hacker mentality.

People will do this for fun, so they can boast about it. Trust me.

Marty Calhoun

IPVMU Certified | In reply to Andrew Tierney | 03/07/17 10:38am

I understand that of course, but think about it, what do you get from a DVR? Especially one that you do not know where it is located or what the hell the cameras are observing? Sure you can screw someone over by changing the password but that is about it. I admit and agree that hackers could be committing this crime but it seems that the one to gain the most (thats how humans think) are competitors that are pissed and want to 'fuel the fire' so to speak.

Undisclosed Integrator #6

In reply to Marty Calhoun | 03/07/17 01:25pm

Why hack a camera or DVR?

You potentially get access to the corporate network or at the very least the surveillance network.

Why does China want access to our corporation's networks you may ask?

It's called economic espionage.  

 

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Integrator #6 | 03/07/17 01:32pm

Do you, honestly, think that Hikvision would need to change your admin password in order to access your network? Let's ask a few questions here:

1) Why not just leave the default password? Why tip off anyone that you were even here?

2) If Hikvision was so nefarious, wouldn't they have some other method of access than simple user accounts? Couldn't the devices just create some encrypted tunnel back to home base?

3) You do understand that this whole scenario is BAD for Hikvision, right?

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Andrew Tierney | 03/07/17 01:02pm

How many "for the lulz" hacks have you seen where the grand abundance of the damage done was one added user account and changing the admin creds?

Adding the SERVICE account would lead one to think this hack was perpetrated by the same people as the Dahua hack. Smoke screen if you ask me. 

If all you wanted to do was some lulz, why add a SERVICE account? There is no reason to do so? You already changed the admin account and have that? The reason why they added the SERVICE account in the Dahua hack was because they DIDN'T change the admin creds. 

And if it's for the lulz, why change the admin creds alone? Why not change channel labels to some funny text? Why not tag the device with something really creative? Why not drop some code to make it beep?

Bottom line, the more you look, the more this is corporate sabotage. 

Undisclosed Integrator #7

In reply to Jon Dillabaugh | 03/07/17 02:41pm

This is exactly what myself and my stupid classmates did at university to lab servers, switches, peoples PCs in our dorm halls, etc. The goal of our lulz was the inside joke and knowledge of doing something so insignificant, not to cause instant mayhem and awareness. We would often create service accounts with a login reference to an admin account the lab monitors, or engineering department lab admin account, so it would appear that someone may have set it up for backup legitimate purposes. 

I didnt actually vote that this was "for the lulz", I think its for botnet (money making) purposes, but just wanted to give you a perspective from a first wave millennial troll what we considered "lulz"

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Integrator #7 | 03/07/17 02:45pm

I won't argue any of your points and will accept your anecdote at face value. 

My only counterpoint would be that why would this whole thing be newsworthy then? If it was just for the lulz, then no harm, no foul. 

Hikvision has already made changes years ago that prevent this sort of attack going forward. This attack was just for lulz and will lead to better security. So net-net, it was a positive ordeal. 

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/07/17 02:50pm

My only counterpoint would be that why would this whole thing be newsworthy then? If it was just for the lulz, then no harm, no foul.

It is newsworthy because significant numbers of users are being locked out of accessing their system, causing service calls / expenses / problems for the integrators, dealers and distributors that have to deal with this.

There is certainly some harm in the Hikvision case, unlike what #7 describes in his case.

Undisclosed Integrator #7

In reply to Jon Dillabaugh | 03/07/17 04:20pm

Yeah, I don't mean to make it seem like I think you're wrong in your thinking, just providing my experience. No one in here obviously really knows why it was done. I don't really think it was for lulz in this case, but in my opinion, its newsworthy because people are clearly interested in it.

If people are clicking, responding, and discussing it, and its information about a situation in the general security industry... that's newsworthy. I felt the same way about the Axis hack, Cisco backdoors, Sony rootkit, etc

Undisclosed Integrator #11

In reply to Jon Dillabaugh | 03/07/17 05:13pm
I am still on the boat saying that this is most likely a botnet operator changing the passwords to lock out other operators from 'their' new botnet. However that is just my personal option. (IE- Risk vs. Reward: Most users won't notice the change on the system for awhile vs. Having to compete with other botnet operators for control of these units)

Undisclosed #13

In reply to Undisclosed Integrator #11 | 03/08/17 06:42pm

I could not disagree more.

No botnet operator would do something as 'overt' as changing the admin pw and locking out the real users.

And your example of this being a botnet operator changing the admin pw to 'lock out other botnet operators from 'their' new botnet' is simply ridiculous, imo.

Botnets exist in the shade - sunlight kills botnets just like it does vampires.

Undisclosed Integrator #11

In reply to Undisclosed #13 | 03/08/17 07:08pm

Under normal circumstances I couldn't agree with your more. That being said the main reason I believe it could still be a botnet operator changing the password is because how Mirai cannibalized the pre-existing Q-Bots in the wild. I personally believe that a hacker would choose to take ownership of a botnet for a short period of time rather than being completely starved to death by their competition. 

Undisclosed #13

In reply to Undisclosed Integrator #11 | 03/08/17 07:29pm

your logic does not make sense to me.

"the main reason I believe it could still be a botnet operator changing the password is because how Mirai cannibalized the pre-existing Q-Bots in the wild."

what?

do you think that Q-bots are just things that happen to be sitting around waiting to be used by botnet operators?  Or maybe, there is only a limited number of devices that can be compromised?

A 'Q-bot' (your term) is simply any networked device that has been compromised to be used as part of an attack - in the future, on 0 day.

"I personally believe that a hacker would choose to take ownership of a botnet for a short period of time rather than being completely starved to death by their competition."

I don't think you understand how botnets work.  How does any number of pre-existing compromised machines (by another botnet operator) effect the total number of IoT devices that can be compromised by a new botnet operator?.

Botnets by their very nature are only effective if the owners of the compromised devices have no clue that their devices are enrolled in the botnet.

And the best way to show that a device is compromised is to change the admin pw and lock the actual owner out.

 

Undisclosed Integrator #11

In reply to Undisclosed #13 | 03/08/17 08:27pm

I concede the point UD13. If you wanted to operate a long standing botnet then your view is most correct. All I was trying to state is that if you wanted to operate a large botnet temporarily then you could get more gain from locking others out over a 1 month period than trying to compete for the same resources as everyone else. However I don't think we will see eye to eye on this subject. 

Undisclosed #13

In reply to Undisclosed Integrator #11 | 03/08/17 08:48pm

i would imagine that botnets are generally not very 'long-standing' by their nature.... botnet acquisition (if the aim is a 0 day exploit, i.e. DDoS attack) would seemingly be most beneficial within a short period of time before 0 day anyway (so as not to give too much time for nosy sysadmins to notice their device's infection).

So I will concede that your logic at least has merit.

I wouldn't put money on it, but I see where you are coming from.  :)

Undisclosed Integrator #11

In reply to Undisclosed #13 | 03/08/17 08:57pm

To each their own. It was an interesting discussion and I am glad I could get another point of view on the subject.  As a side note do you believe multiple hackers would share the same compromised device, or would they just keep knocking one another off while playing king of the hill?

Undisclosed Manufacturer #14

In reply to Undisclosed Integrator #11 | 03/09/17 02:22am

If your PC is one of botnet. Trust me. They won't change your password and let your know. You maybe will know it after DDOS attacked started. (Just maybe)
Someone may say change the password can keep out another operator login and let the attacker be the only one user.

It's stupid like you can sneak into someone house. You change the door lock to "make sure" you can sneak in again in the future.
Before that. No hacker will change the device password to let someone know. (For botnet purpose)
Change user password should be sabotage or ransom action.

Normal procedure for botnet should be add another admin user or do nothing.....

100% is not for botnet. Otherwise this one is really PhuX0RIN' 57Upid

Undisclosed #3

In reply to Jon Dillabaugh | 03/07/17 06:01pm

Lulz is a complicated subject, it's consociates are many psychologies. It will be hard to predict if a Lulz will want funny text or creativity as you mention above. These unique actions keep things spontaneous, smoked screened yet adaptable for more play.

If it was some logical ordered attack by some offended competing manufacturer it will be a lot easier to trace back to the origin. Lulz is not an apple and orange concept, it is more of a self awareness trait that feeds the emotion of the commander.

Undisclosed Manufacturer #2

In reply to Marty Calhoun | 03/07/17 01:31pm

They don't hack the DVR to get the DVR, they hack the DVR to get the network.  Remember the HUGH data breech at Target stores a few years back?  Millions of credit cards compromised?  Billions of dollars of damage?  The hackers infiltrated the network through an insecure HVAC system. 

https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

It's not about the system, it's the system behind the system. 

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #2 | 03/07/17 01:36pm

Frickin' Hugh data breech....

Undisclosed #13

In reply to Undisclosed Manufacturer #2 | 03/08/17 06:53pm

"The hackers infiltrated the network through an insecure HVAC system"

This is incorrect.

From the krebs piece:

"the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor."

From what I understand about the Target hack, that HVAC company was a vendor of Target's that used an online vendor portal that Target uses for all 3rd party billing and invoicing, etc.

An employee of the HVAC vendor clicked on a phishing email that compromised that particular machine (at the HVAC vendor) which gave the blackhats their initial approach to the Target network - i.e. by stealing their portal credentials.

How the blackhats converted this 'portal' access to being able to roam the Target network to identify the POS devices (where the nefarious code got installed) is anyone's guess.

 

Eddie Perry

In reply to Marty Calhoun | 03/07/17 01:41pm

Most hackers ( in this case Wanabe /apprentice hackers) do this to sharpen their skills. embedded Linux devices are easy to learn of of and are the majority of devices out there.

Guess what cameras are embedded Linux devices.

I strongly suggest even if you dont understand the technical aspects of this video you watch it for the thought process of a hacker.

Hacking a camera 2013 blackhat

 

Some thing to point out

1. he targets cheap cameras because he cant afford to buy a high end one

2. firmware cracking is simple given the list of tools out there. unless its encrypted.

3. Shodan has a list of free cameras to practice on.

4. most of them copy and paste firmware across models including OEM's

 

so take a guess which camera's are going to be hit most often. Oh look all the ones we keep seeing in the news and forums here.

how many high end camera manufacturers cameras do you see getting hacked anywhere of any high end brand? oh that right its almost not existent. wonder why? Oh look that are are starting to release some sort of Cyber security measures in all their brands, encrypted firmware so hackers have to first crack the Firmware before they can poke around the guts of a camera with out having to buy one. encrypted streams and connections from the camera to the NVR to the Internet. Forcing users to enter a new user and password on first boot, etc etc .

ChinaCams are being targeted because they are cheap, easy, and plentiful to hack whether for experience or botnet, end users who buy direct dont care about security so hacker can practice on them first before moving on the crack locked down ones installed by security companies. 

Trust me if I had the money and was in the position to do "corporate sabotage" China cams would be broadcasting porn to schools flooding you tube streams of live feeds of people property, showing live streams of china, and what ever else I could to to damage them.

no one throws money for "corporate sabotage" just to put in a fake account and leave.

Undisclosed Integrator #8

In reply to Marty Calhoun | 03/07/17 02:45pm

As it has been stated, the cameras or DVR's can lead to greater potential, potential access to the network.  There are a lot of hackers out there who are trying to make a name for themselves, exploit financially, or as John stated, just for kicks.  I've attended several "hacker" conventions and am amazed at what some people will boast on what they've hacked.

The fact that you think this is a conspiracy theory is concerning to me.  I've thought your previous posts about Hikvision hacks have been well thought out and offered excellent points on how to prevent for the average user.  This seems to me that you're running out of legitimate points to defend against and are now just hurling accusations.  

Undisclosed #1

03/07/17 12:59am

Uh... what he said.

Undisclosed Manufacturer #4

03/07/17 04:51am

Fight fire with fire by creating a fireline. 

Undisclosed #1

03/07/17 08:45am

Who is hacking Hikvision devices?

At this rate it may be easier to ask who isn't?

Undisclosed Integrator #5

03/07/17 09:17am

Just a note to say that we had 14+ NVRs "User account locked out" issues over the weekend.

UK-based and Dahua - NOT HIK.

Doesn't seem to be limited to Hikvision kit...

Undisclosed Integrator #9

03/07/17 03:41pm

Correct me if I'm wrong but I think anyone of us could try to hack Hik vision devices. Get yourself an Angry IP Scanner and scan the Internet for devices that expose 8000 port open and try default username and password. After that if someone didn't change their default username and password you have full access to the system. Some probably are going to change the username and password just to be malicious.

On the other hand what hacker would change username and password if they wanted to use those devices as botnets. They would most likely leave the password untouched. They wouldn't be willing to be discovered at all and hijack the system in such a way that nobody would notice.

Undisclosed #3

In reply to Undisclosed Integrator #9 | 03/07/17 06:09pm

That is the culture of not customizing. No need to add fresh paint.

Undisclosed Manufacturer #10

03/07/17 03:48pm

www.insecam.org

Undisclosed Distributor #12

03/07/17 05:19pm

Where is the inside job option on the poll?

John Honovich

IPVM | In reply to Undisclosed Distributor #12 | 03/07/17 05:25pm

Where is the inside job option on the poll?

Why would it be an inside job? That does not make sense to me but I'd be curious to hear your theory.

Undisclosed Distributor #12

In reply to John Honovich | 03/07/17 05:33pm

It's 95% a joke and I don't want to derail with some wild knee jerk conspiracy theories. You can remove this  post if it's too off topic.

Undisclosed #3

In reply to Undisclosed Distributor #12 | 03/07/17 06:13pm

It is not off topic, Theory is the Enemy of Knowledge. An intellectual weather system that brings change.

This thread seems to have hacking content, so why not try to understand what a powerful fuel curiosity can be, from there you learn not to make comments such as inside job. Otherwise prove your theory.

Undisclosed Distributor #12

In reply to Undisclosed #3 | 03/07/17 06:26pm

None of these theories have been proven, it is quite literally all speculation at this point. I think speculating about an inside job, considering Hikvision's ownership & alignment, isn't actually too far off. Looking at the poll options, "Inside Job" fits just as well.

So, I guess to "prove" my theory as much as anyone, seeing as Hikvision is owned by the Chinese government, it could very well be an inside job. Either a dissident, or this is just a magicians trick to keep your eyes away from their real motive.

I mean, why leave these back doors in the product when you have all of the resources of Hikvision to make them properly secure? The only reason is to use them at some point. They have the money & technology to avoid this non-sense.

 

Where did you even come up with "Theory is the Enemy of Knowledge" ? That is absurd. Theory is the next step to gaining knowledge, right after discovery. Oh and for clarity; experimenting & testing follows theory.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Distributor #12 | 03/07/17 06:32pm

I mean, why leave these back doors in the product when you have all of the resources of Hikvision to make them properly secured?

It wasn't a backdoor at all. It was the front door with the keys hanging in the lock set. 

Undisclosed Distributor #12

In reply to Jon Dillabaugh | 03/07/17 06:36pm

Point stands, with all the engineers & resources Hik has & boasts, why allow it? Not for Altruistic reasons.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Distributor #12 | 03/07/17 06:37pm

Allow what? Default passwords? They changed that two years ago? What is it that Hikvision allowed?

Undisclosed Distributor #12

In reply to Jon Dillabaugh | 03/07/17 06:42pm

Jon, I know you're in bed with Hik and I don't want to get into this with you. I'm just saying with that much money & "engineers" they could've implemented something so simple as forcing the user to change their password before they can use the unit, forcing secure passwords with caps, lower case, numerical and special characters. Like other MFGs who take security seriously.

Look... I wouldn't care as much as it seems I do, but I really don't want some jerk to take down my play station network because end users & installers were too lazy to secure their devices... it's that serious/simple.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Distributor #12 | 03/07/17 06:57pm

That is exactly what they changed TWO YEARS AGO!

This argument has less to do with me selling Hikvision and more to do with your axe to grind with them. You are purposely uninformed at this point. 

Undisclosed Distributor #12

In reply to Jon Dillabaugh | 03/07/17 07:02pm

Or I'm including my vast knowledge of ALL of the Hikvision insecurities, because while we are commenting on a specific article, this article is just another tick in the trend of Hikvision being a terrible "Security" product.

Two Years Ago... my router from 10 years ago had these features. Point still stands, they have the resources to actually care about security. They had the resources two years ago.

Yes, I have an axe to grind with Hikvision. I think any American supporting Hikvision should be ashamed. They're owned by the Chinese government, they're putting installers & integrators out of business, they embrace Amazon and direct to consumer. They're bad for the industry, and they're bad for American security.

The US Government Agrees

 

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Distributor #12 | 03/07/17 07:05pm

Any integrator who leave default creds after install deserves to be put out of business. But that is a side point. 

Undisclosed Distributor #12

In reply to Jon Dillabaugh | 03/07/17 07:06pm

I agree.

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Distributor #12 | 03/08/17 12:13am

Ashamed really? Do you use Light Bulbs? Guess where 98% are produced?  There are so many items we BUY FROM the Chinese that it is way too many to list. I know first thing...that company is not owned by the government, right?

This is a discussion that has no end, everyone is buying product somehow that is made in China....... DVR, Dish soap or a Light Bulb I dont know.

 Sure someone COULD hack into something important but if they can Hack Hikvision they can hack 500+ other brands too. So lets jump on that Witch Hunt....  

Undisclosed #1

In reply to Marty Calhoun | 03/08/17 08:07am

This is true MARTY.  However, keep in mind Hikvision is relevant to our industry - SECURITY.  Additionally HIKVISION is SUBSIDIZED and GOVERNMENT owned.  I am not so worried about my Chinese MANUFACTURED light bulbs.

Undisclosed Distributor #12

In reply to Marty Calhoun | 03/08/17 05:59pm

Yes Marty, Ashamed. The argument is less of the "boycott Walmart its all cheap Chinese stuff!" and more "boycott Hikvision, they're a government entity in a nation we're at odds with, losing an economic war to, and hurting working class Americans." Also their government manipulates currency and breaks WTO rules.

Take a look at what we did to the Japanese & Germans during WWII, take a look at what Russian technology & products we used during the Cold War, and tell me why we're feeding the enemy during this financial war... It's asinine and I feel like the only reason it's happening is because no one is thinking two or three moves later. Only the here and now, immediate short-term profit.

Americans are so naive and short sighted these days... It's certainly not the same nation my grandfather(whom lied about his age to get into WWII and fight) told me about.

Which I guess is why Amazon and Hikvision are winning everything.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Distributor #12 | 03/08/17 06:14pm

The above image is what someone looks like when they are dead set against progress, just for progress sake.

In this modern world, you have to change and adapt much quicker. Back in the WWII days, the Japanese and Germans were our mortal enemies. In my youth, it was the Soviets. Recently it has been anyone with oil that we can confiscate.

When I was a kid, we used to receive catalogs from Sears, JC Penney, etc that you could mail an order for and hope to receive it within a few months. No tracking info, just waiting daily for the mailman.

Now you can order something on Amazon and receive it in under an hour! How the hell can that piss anyone off is beyond me. When I order a pizza, I can track its entire progress.

So no, the USA today isn't the same as when your grandfather lived, and thank god for that.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/08/17 06:19pm

If we are making historical comparisons, my projection is that China is to the 2010s what Japan was to the 1980s.

Back in the 1980s, there was widespread fear / anticipation of Japan's booming economy / growing economic strength / buying out big American assets / etc. Obviously, that did not come to be.

This will be similar to China. China will come back to Earth, some Chinese companies will turn out to have staying power, many others will crash, as China matures / changes into a sustainable economy, not one driven by a debt / infrastructure bubble.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 03/08/17 06:32pm

One big difference is that China has way more resources than Japan and they weren't bombed into oblivion before making a comeback. 

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/08/17 07:32pm

they weren't bombed into oblivion before making a comeback.

China had its equivalent disaster - Chairman Mao, his Great Leap Forward which killed tens of millions, and effectively zero economic growth for 30 years:

China bombed itself into oblivion for those 30 years, and for the last 35 years by correcting that they have had super growth. Now, the easy growth has run out and China is addicted to impractical levels of debt growth.

Undisclosed Distributor #12

In reply to John Honovich | 03/08/17 07:55pm

It's weird how they worship that guy too... knowing full well what he did. So China will be the next "Great Recession", it's already unsustainable and they haven't even gotten pollution & wages taken care of. I don't think it ends well for them.

One difference is that the Japanese were making things well, the quality was high, and the innovation was happening. Certain sectors of China are trying to innovate, but it always falls short and it's always piggy-backed on some international research cooperative.

The thought process of those people was destroyed by Chairman Mao, China's great disaster. You'll talk to entire generations that just seem brainwashed or way too convicted. Then you talk to younger kids who have VPNs, and they're not so rigid & believing in their government.

It may be at least another generation before China settles into its modern self. The current image of China, on the whole, can't last much longer.

Undisclosed Distributor #12

In reply to Jon Dillabaugh | 03/08/17 06:37pm

Enjoy your dystopian future where corporations are governments and boys are girls. I'll stay old.

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Distributor #12 | 03/08/17 11:46pm
So if every dealer in the USA stopped buying HIKVISION today it would be about the size of a pimple on and Elephants ass to HIKVISION global sales. Forget it, your 'boycott' of their quality product because its Chinese government owned is FRIVOLOUS at best and will never make any difference. So instead of complaining about things I cannot control I will continue to purchase, continue to win bids and continue to make MONEY which is what I am in business to do instead of wining about ownership. You and everyone else that thinks they will change the course of the Industry are wasting their time and losing money while wining about it. Get over it, the Chinese have gotten ahead of the Industry, its the way it is, too bad soo sad, I am moving forward every day. If Poland came out with a great product for a reasonable price I would consider it, its an equal field, too hell with who is supporting who, that does not come into play when depositing into our payroll account, what does is SELLING VIDEO SYSTEMS....Get over it
Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Marty Calhoun | 03/08/17 11:51pm

I voted the three positives to equal out all the negative flames you are about to score. 

John Honovich

IPVM | In reply to Marty Calhoun | 03/09/17 12:18am

because its Chinese government owned

I am glad you've come around to admitting its Chinese government owned. It's amazing that your US military customers accept this.

Undisclosed #1

In reply to Marty Calhoun | 03/09/17 04:08am

TRUNK SLAMMED!  Exit stage right.

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #1 | 03/15/17 06:15pm

UI#1 why dont you reveal your name and occupation instead of devising 'cheap unproven childish comments' and then hiding behind the banner of' undisclosed integrator'?

Undisclosed #1

In reply to Marty Calhoun | 03/15/17 09:35pm

I would gladly post satire fully disclosed.  Alas, I cannot.  Would it change anything if I were disclosed?

If the undisclosed status did not exist this thread would consist solely of you and Jon talking about how great Hikvision is.

Eddie Perry

In reply to Undisclosed #1 | 03/15/17 10:12pm

Nah If it was like that I would totally be troll posting to point John would have to step in

There is not one Manufacturer that has perfect rating across the board on all their products no matter how many shills scream it so.

IMHO it seems to come in waves as one manufacturer rises and gets it right they grow complacent and another rises that put them to shame.

 

for me first it was Pelco, then it was AXIS, Now a mix of Panasonic and Samsung moving more towards Hanwha.

Undisclosed Manufacturer #10

In reply to Marty Calhoun | 03/09/17 10:34am

The 'sticking your head in the sand' response to anything should from here on out be called ''The Marty $$$'

'The Marty $$$'

 

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Manufacturer #10 | 03/15/17 06:15pm

UI#10 why dont you reveal your name and occupation instead of devising 'cheap unproven childish comments' and then hiding behind the banner of' undisclosed integrator'?

Undisclosed Integrator #8

In reply to Marty Calhoun | 03/15/17 06:33pm

Hi Marty,

I'm also in this to make money, but not by giving my customers cheap products that are security risks.  I may make less margin on cameras like Axis, Oncam and Avigilon, but I rest easy knowing I've given them a quality product.  My customers know I have to make a living but they also need a reliable product.

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Integrator #8 | 03/15/17 09:28pm

 It is an endless argument because in many minds is a matter of political principles instead of best solution for the client. I make no apology that I respectfully disagree that HIKVISION is not a quality product. My customers are not cheap nor ignorant and 100% understand where HIKVISION is made they have agreed time and time again in a direct shoot out that HIKVISION is a superior product. 

Undisclosed #13

In reply to Marty Calhoun | 03/15/17 09:35pm

i am neither agreeing nor disagreeing with your assessment of the Hik product...

But why, then, does your company showcase Axis on their homepage with no mention of Hikvision?

Undisclosed #1

In reply to Undisclosed #13 | 03/15/17 11:32pm

But why, then, does your company showcase Axis on their homepage with no mention of Hikvision?

Bait and switch?  Honestly though, whose page is up to date?  I shudder at the items listed on our web page.

Undisclosed Manufacturer #2

In reply to Undisclosed Distributor #12 | 03/07/17 06:36pm

If you google "Theory is the Enemy of Knowledge", it takes you to youtube videos from Zeteticism.com, which is a flat earth society.  You are, quite possible, having a discussion with someone who believes the Earth is flat, which is a growing trend.

 

Undisclosed Distributor #12

In reply to Undisclosed Manufacturer #2 | 03/07/17 06:38pm

Hahahahahahaha holy cow you just saved me from engaging further in troll bait internet arguments. Thank you! I knew something was up when he botched the scientific method...

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Distributor #12 | 03/15/17 06:16pm

UI#12 why dont you reveal your name and occupation instead of devising 'cheap unproven childish comments' and then hiding behind the banner of' undisclosed integrator'?

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Manufacturer #2 | 03/15/17 06:16pm

UI#2 why dont you reveal your name and occupation instead of devising 'cheap unproven childish comments' and then hiding behind the banner of' undisclosed integrator'?

Undisclosed #13

In reply to Marty Calhoun | 03/15/17 06:22pm

Undisclosed Manufacturer #2

In reply to Marty Calhoun | 03/16/17 04:12am

I didn't hide behind the banner of "Undisclosed Integrator".

Undisclosed #13

In reply to Undisclosed Distributor #12 | 03/08/17 07:00pm

"Theory is the Enemy of Knowledge" ? That is absurd."

Glad someone else said this so I didn't have to.

Undisclosed #3

03/07/17 06:30pm

I like that you think about magicians, sums it up for me!

Undisclosed Distributor #12

In reply to Undisclosed #3 | 03/07/17 06:31pm

If not sarcastic you must also like to play chess!

Undisclosed Integrator #9

03/09/17 01:34am

Let's assume that scenario of hackers hijack Hik Vision devices to use as botnets. They change the password and lock out the users. To gain access back to the devices you send a serial number of the device to the mfg or distributor and get the code to gain access back to the devices. How does it affect the botnet that may have been installed on the device? Doesn't it still run? How do you make sure that whatever hacker did is gone from your system? Do you have to reset the device to factory settings? And if so does it really clean the system or just reloads the firmware without touching the OS?

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Integrator #9 | 03/09/17 01:40am

I'm unsure 100% with Hikvision devices, but with Dahua devices if you simply reset credentials, they may be overwritten by the OS level, if the exploit went as far to do so. So, you reset defaults, reboot, and return to an exploited device. 

I cant say with any certainty that Hikvision devices operate in the same manor, but I suspect the firmware section of the device is only a minor part and uploading firmware isn't likely to do anything to disrupt other parts of the OS and storage. 

To check for yourself, look at the size of the download of the firmware file. If it seems small and normal, that's just the "firmware app".

If it is like some of the newer Dahua downloads, where they are 100MB files, that is more likely the entire OS and firmware in one download. They still get applied in different ways. But they are separate. 

Avatar

Attila Szucs

03/09/17 12:26pm

I'm quiet surprised, as they claim so many times, that they have thousands of engineers.

They don't have an ethical hacking team?

 

 

Avatar

Michael Budalich

Bosch Security Systems Inc.
In reply to Attila Szucs | 03/15/17 09:10pm

Attila,

To be fair, I do not know of any manufacturer that has an on board ethical hacking team. I may be wrong, but I don't think any IP camera manufacturers have this sort of personnel on staff. Usually, IP camera makers hire a 3rd party company to do this type of work.

Undisclosed Manufacturer #2

In reply to Michael Budalich | 03/16/17 04:15am

For the sake of avoiding self promotion, I will say only that I know of at least one VMS manufacturer that has a group of internal ethical hackers, and also hosts hack-a-thons to try to find vulnerabilities.

Andrew Tierney

03/15/17 09:45pm

Ethical hackers isn't really what these products need though.

These are engineering failures. They need a security team and to adopt a secure development lifecycle.

Undisclosed Manufacturer #15

In reply to Andrew Tierney | 03/17/17 11:36am

Agrees.  Cyber security must be part of the entire software development process. Any code that is reused must be examined and 3rd party modules (busy box, php, cgi, web server, etc) must be kept up to date. Firmware updates can no longer be sporadic updates to add a feature, but to keep pace with vulnerabilities discovered in old software components. 

A detailed cyber security policy must be implemented to ensure that password policies etc are enforced. All to often knowledge isn't transfered from one engineer to another as products go from one engineer to another or from the camera team to nvr team, for example. 

Read this IPVM report for free.

This article is part of IPVM's 6,805 reports, 913 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports