Who Is Hacking Hikvision Devices?

Author: Brian Karas, Published on Mar 06, 2017

Someone or organization is mass hacking Hikvision devices, actively and systematically running a script / program across the Internet that looks for Hikvision devices, finds them, and, at least, locks the user out.

The most significant misconception is that someone is simply randomly or manually looking up individual devices and changing admin passwords. This is absolutely not the case as Hikvision themselves have acknowledged.

This is a serious problem for Hikvision and their customers.

This is also the case of someone who is unethically and probably illegally running these hacks.

******* ** ************ ****** ******* ********* *******, ******** *** ************** ******* * ****** / ******* ****** the ******** **** ***** *** ********* *******, ***** ****, ***, at *****, ***** *** **** ***.

*** **** *********** ************* ** **** ******* ** ****** ******** or ******** ******* ** ********** ******* *** ******** ***** *********. This ** ********** *** *** **** *********** ********** **** ************.

**** ** * ******* ******* *** ********* *** ***** *********.

**** ** **** *** **** ** ******* *** ** *********** and ******** ********* ******* ***** *****.

[***************]

Motivations *** ******

**** ***** **** *** ******* *** ** ********** ******* **** this *** **** *** * ** * **** *******:

** ***** ***** ******, ********* ** ********** ** ******* ** complex ******** ** * ****** ** ***** ** **** ***** abilities *** ***-***** *******
** *** *** ****** ******* ** * ****** ** ****** some ***** ******, ** *** ******* ********* (********* **** **** ** ***** ******* ****** ****).
** ***** ******* ***** *** ********** *** ******/***** ** *** device ("*** *** ****")

** **** ****, *** ****** ******* *** *** ******* ** weak ***** *********, ***** ***** ****** #* ********, ***** ** not * *** ** ***** ******** ** ***** *******. ** date ***** *** **** ** *********** ** *** ****** ******* being **** ** *******, *** *** ******* ***** ** ******* to ***** * ****** ****** ** ***** ****** ********* * botnet ******. ** ** **** ******** **** ** ***** **** to **** ********* ** *** **** ******** *** **** ** compromise ** ***** *****.

Botnet ********

** *** ******* *** ****** **** * ******, **** **** eventually **** ** ******* ** * *&* (******* *** *******) server ** ******* ************. ************, *** ****** ****** ***** ****** rent *** ****** *** ** ****** *** **** ** *** it ** ****** ***** *****. ** **** ****** *** ******** with *********** *** ******, ** ******* ** *** *******, *** chances ** ** **** ******* ************* ******* *********** ***** **********, and **** *** ** **** ** ***** **** ** *** person(s) ****** *** ******. **** ** *********** *** ********** ****** * ***** ****** **** ******* ******** ********** ***** *****.

Lulz ********

** *** ******'* ******* ********** ** ** ******* *******, ** may ** **** ****** ** ***** **** ****. ** ********* script ***** ** ****** ** * ** **** ****** *******, set ** ***** *** ******** *** ********** *******, *** **** carry *** *** ****** *************. *** ******** ***** **** ****** need ** ** *********** ********, ** ** **** ********** ***** to ******, ******** *** ******* ** **************.

Anti-Hikvision **********

**** ********* ******************* * *** ********, **** *** ****** ***** ** ******* who:

******** ********* *** ****** ******** ** ****** ***** ******* **** hacked, ******* ** ***** ***** * ** ********* *** *********.

***** *** ******* ********** ** **** **** **** ******* *** theory. *** *******, ******** *** ***** ******** ****** ***** ** be ****** *** ** ***** *** *******, **** ***** ** a "*** *** ****" ****, ** ** ***** ** *******/** organization **** ************ ***** ** ******* ********* ***** *** **** the ************* ** *** ********* ** *********. ****, ** *** damaging *** ****** (********* **************, ******* *****, ******** ****** ********, deleting ***** **** ********) *** ********* *** *** ******* *********** harm. *******, ********* *** ****** ** **** ************* **** **** *** ******** *** ******* ******** ********, ********** ******** *****.

Extent ** **** *******

** ****, ** *********** **** ******** ************* **** ****, ** what **** ***** ** ********* ****** ******** *** ***** ******** and ****** *** ****** *******. ****** **** *********** ** **** else, ** ********, ** ***** **** ** **** ** **** could **** ********** *** ********** ** *** ******(*), *** ******* clues ** ***** ********.

Likelihood ** ******* ******

****** ***** ** * ***** ***** ** *** *******, *** person(s) ****** **** *** ** ********. *** ***** **** ******** enough ******** ** **** ********* ** *** ******** ********, *** have *** **** ***** ****** ** ******** ****** ** **** widespread ********. **** *** ****** *** ******* **** ******** *********** take *** **** ** *********** **** ** ******** ********* ** gathering **** ***********, ***** ******* *** ******* *** ****** ** caught.

Hikvision *************

********* ** ********* ************* **** ** *** *** **** *** source *** ******* **** ******* **** ***** ******. **** *** be **** ** ***** ************* * ********** ***, ** ******** ******* ******** ******** **** dealers/users ** **** **** ******* **** **** *** ******** ****** beyond *** ***** ********, ***** *** ******* ********* ****, ** if *** ******** ******* ******* ** *********** **** ***** ******* for ********** ************. **** *********** ***** **** ****** *** ******'* identity.

Request *** ***********

** *** **** *********** ** ****** *** *** ****** ** or *** ******* ** *** **** ***, ****** ******* ** at ****@****.***

Comments (88)

Jim Kirk

03/06/17 10:14pm

I have 8 Hikvision cameras and 1 Hikvision NVR on my LAN. I have one router on my LAN and the router is connected to the internet. I assign fixed LAN IP address to all 9 Hikvision devices.

It seems like the only thing a user can do is be sure the default password for "admin" is changed on all their Hikvision devices and also change the default internet port if you use a router with port forwarding.

For example, I changed the default internet access port of each of my devices to something like 80xx (vs 8000) where xx is the last two digits of the devices IP address on the LAN.

If all the Hikvision cameras on the LAN are used as an input to a LAN NVR (e.g. Hikvision NVR) you could just have the LAN port on the NVR forwarded (say 80yy rather then 8000) and leave all the individual camera ports not forwarded. You still get full internet access of all cameras when you use the internet and log into the NVR.

I'd love to change the username in addition to the password for "admin" but I haven't been able to do that on my Hikvision devices. Can this be done?

I'm open to any other things I might do to make my Hikvision devices less vulnerable to being hacked.

Jim

Undisclosed Integrator #1

In reply to Jim Kirk | 03/06/17 10:47pm

Does it need to be on the internet? The simplest option is just disconnecting it if it does not need to be.

Srikanth Kamath

In reply to Jim Kirk | 03/07/17 03:18am

any private network connected to internet is connected via gateway (people call them Gateway-Routers) and these simple devices promises to have a builtin firewall. which block the traffic from Outside to Inside, provide access through NAT to the Device on the Inside from Outside

How far and how much can you trust these sub 100 USD Gateway Firewall. Its also clearly understand able that utm devices (Unified threat management) are not economical solution.

"MarketsandMarkets expects that the global unified threat management market is estimated to be $2584.6 million in 2014 and is expected to grow to $4445.7 million in 2019. This represents an estimated Compound Annual Growth Rate (CAGR) of 11.5% from 2014 to 2019. In the current scenario, NA is expected to be the largest market on the basis of spending and adoption for the unified threat management solutions and services."

I would suggest that a simple, workaround is access the Inside only through VPN and not use NAT at all. again please remember even VPN are not hack proof, I recommend OpenVPN or SSL VPN. Implementation of VPN is quite easy, there are devices like ASUS RT-N16 (+100 USD) or FVS318G etc.

at the device head, use VPN Server and on your device use VPN Clients to create the tunnel. While creating the tunnel you could disable access to Local Network devices and just Tunnelled NAT to your DVR, hence only the DVR is accessible and not the cameras.

By using a VPN Tunnel, you create a secure tunnel into your private network, hence the gateway is configured to block all access. This resolves the most basic issues way of securing your device, keep it away from Internet access. I have documented "How To" at http://tskamath.pactindia.net/?s=VPN

Srikanth Kamath

In reply to Srikanth Kamath | 03/07/17 03:20am

DVR--> also NVR / VMS Server, etc

Undisclosed Integrator #2

03/06/17 11:01pm

Scenario 5: This issue was revealed as a smoke screen. While Hik looks transparent and responsible, the real backdoors are still wide open to the dictators who run the company.

Undisclosed #3

03/06/17 11:39pm

I would place my bets on the 'for the lulz' with access to run their own botnet unassisted, deploy and run away. As long as the vulnerability is fashionable it will attract many curious entities with many agendas. Unfortunately we will benefit as smart devices, IoT and public computing is thwarted, the final outcome is a better more efficient configuration or protocol to follow. We are in the infant stages, before all was open and you were free to play if you knew how. As we grow up we must understand that a security based foundation is needed before a sales and production rollout. It is not a matter of design it is a matter of rule.

Marty Calhoun

IPVMU Certified | 03/07/17 12:19am

I have my bet on a competitor who is at best 'grabbing for straws' in an elusive yet feeble attempt to discredit the hard working and always generous folks over at HIKVISION. It is clear that no 'credible hacker' would waste his time chasing down some DVR not even knowing what he'might' see on the other end. Why not open some fake bank accounts? much more lucrative for sure. I've always wondered myself through all of these supposed 'crises' that seem to occur weekly just what a hacker will gain sneaking into unknown DVR's and NVR's? I suppose one could surmise some lame attempt at a Ransom situation if one ran across a 'checkmate' scenario but that in itself is a stretch so what is the advantage to be gained UNLESS you are a competitor and just 'suturing the pot' because you have loss so much business the last couple years. I mean really, sitting around in some back dark room trying to hit an open DVR and Wa la you get lucky, then what? Its someones back door, a sidewalk, a street corner or a barking dog? Big deal. Then what? It is made out to seem like hacking these units is a 'world class feat' and will offer great riches but in reality you see some video of somewhere you dont even know, have no clue in hell where it is, or what it is or anything else.....WTF?

So lets surmise here....one of the largest manufacturers in the world, employing many thousands of good hard working citizens is superstitiously slipping in the backdoor of the DVR and NVR units to cause what ill? What ill can you cause? For what gain? Humans do things to gain some advantage, explain the advantage please? Oh yea, cant log in to see the dog I forgot....

Andrew Tierney

In reply to Marty Calhoun | 03/07/17 08:40am

I don't think you really understand hacker mentality.

People will do this for fun, so they can boast about it. Trust me.

Marty Calhoun

IPVMU Certified | In reply to Andrew Tierney | 03/07/17 10:38am

I understand that of course, but think about it, what do you get from a DVR? Especially one that you do not know where it is located or what the hell the cameras are observing? Sure you can screw someone over by changing the password but that is about it. I admit and agree that hackers could be committing this crime but it seems that the one to gain the most (thats how humans think) are competitors that are pissed and want to 'fuel the fire' so to speak.

Undisclosed Integrator #6

In reply to Marty Calhoun | 03/07/17 01:25pm

Why hack a camera or DVR?

You potentially get access to the corporate network or at the very least the surveillance network.

Why does China want access to our corporation's networks you may ask?

It's called economic espionage.

Jon Dillabaugh

Pro Focus LLC | In reply to Undisclosed Integrator #6 | 03/07/17 01:32pm

Do you, honestly, think that Hikvision would need to change your admin password in order to access your network? Let's ask a few questions here:

1) Why not just leave the default password? Why tip off anyone that you were even here?

2) If Hikvision was so nefarious, wouldn't they have some other method of access than simple user accounts? Couldn't the devices just create some encrypted tunnel back to home base?

3) You do understand that this whole scenario is BAD for Hikvision, right?

Jon Dillabaugh

Pro Focus LLC | In reply to Andrew Tierney | 03/07/17 01:02pm

How many "for the lulz" hacks have you seen where the grand abundance of the damage done was one added user account and changing the admin creds?

Adding the SERVICE account would lead one to think this hack was perpetrated by the same people as the Dahua hack. Smoke screen if you ask me.

If all you wanted to do was some lulz, why add a SERVICE account? There is no reason to do so? You already changed the admin account and have that? The reason why they added the SERVICE account in the Dahua hack was because they DIDN'T change the admin creds.

And if it's for the lulz, why change the admin creds alone? Why not change channel labels to some funny text? Why not tag the device with something really creative? Why not drop some code to make it beep?

Bottom line, the more you look, the more this is corporate sabotage.

Undisclosed Integrator #7

In reply to Jon Dillabaugh | 03/07/17 02:41pm

This is exactly what myself and my stupid classmates did at university to lab servers, switches, peoples PCs in our dorm halls, etc. The goal of our lulz was the inside joke and knowledge of doing something so insignificant, not to cause instant mayhem and awareness. We would often create service accounts with a login reference to an admin account the lab monitors, or engineering department lab admin account, so it would appear that someone may have set it up for backup legitimate purposes.

I didnt actually vote that this was "for the lulz", I think its for botnet (money making) purposes, but just wanted to give you a perspective from a first wave millennial troll what we considered "lulz"

Jon Dillabaugh

Pro Focus LLC | In reply to Undisclosed Integrator #7 | 03/07/17 02:45pm

I won't argue any of your points and will accept your anecdote at face value.

My only counterpoint would be that why would this whole thing be newsworthy then? If it was just for the lulz, then no harm, no foul.

Hikvision has already made changes years ago that prevent this sort of attack going forward. This attack was just for lulz and will lead to better security. So net-net, it was a positive ordeal.

John Honovich

IPVM | In reply to Jon Dillabaugh | 03/07/17 02:50pm

My only counterpoint would be that why would this whole thing be newsworthy then? If it was just for the lulz, then no harm, no foul.

It is newsworthy because significant numbers of users are being locked out of accessing their system, causing service calls / expenses / problems for the integrators, dealers and distributors that have to deal with this.

There is certainly some harm in the Hikvision case, unlike what #7 describes in his case.

Undisclosed Integrator #7

In reply to Jon Dillabaugh | 03/07/17 04:20pm

Yeah, I don't mean to make it seem like I think you're wrong in your thinking, just providing my experience. No one in here obviously really knows why it was done. I don't really think it was for lulz in this case, but in my opinion, its newsworthy because people are clearly interested in it.

If people are clicking, responding, and discussing it, and its information about a situation in the general security industry... that's newsworthy. I felt the same way about the Axis hack, Cisco backdoors, Sony rootkit, etc

Undisclosed Integrator #11

In reply to Jon Dillabaugh | 03/07/17 05:13pm

I am still on the boat saying that this is most likely a botnet operator changing the passwords to lock out other operators from 'their' new botnet. However that is just my personal option. (IE- Risk vs. Reward: Most users won't notice the change on the system for awhile vs. Having to compete with other botnet operators for control of these units)

Undisclosed #13

In reply to Undisclosed Integrator #11 | 03/08/17 06:42pm

I could not disagree more.

No botnet operator would do something as 'overt' as changing the admin pw and locking out the real users.

And your example of this being a botnet operator changing the admin pw to 'lock out other botnet operators from 'their' new botnet' is simply ridiculous, imo.

Botnets exist in the shade - sunlight kills botnets just like it does vampires.

Undisclosed Integrator #11

In reply to Undisclosed #13 | 03/08/17 07:08pm

Under normal circumstances I couldn't agree with your more. That being said the main reason I believe it could still be a botnet operator changing the password is because how Mirai cannibalized the pre-existing Q-Bots in the wild. I personally believe that a hacker would choose to take ownership of a botnet for a short period of time rather than being completely starved to death by their competition.

Undisclosed #13

In reply to Undisclosed Integrator #11 | 03/08/17 07:29pm

your logic does not make sense to me.

"the main reason I believe it could still be a botnet operator changing the password is because how Mirai cannibalized the pre-existing Q-Bots in the wild."

what?

do you think that Q-bots are just things that happen to be sitting around waiting to be used by botnet operators? Or maybe, there is only a limited number of devices that can be compromised?

A 'Q-bot' (your term) is simply any networked device that has been compromised to be used as part of an attack - in the future, on 0 day.

"I personally believe that a hacker would choose to take ownership of a botnet for a short period of time rather than being completely starved to death by their competition."

I don't think you understand how botnets work. How does any number of pre-existing compromised machines (by another botnet operator) effect the total number of IoT devices that can be compromised by a new botnet operator?.

Botnets by their very nature are only effective if the owners of the compromised devices have no clue that their devices are enrolled in the botnet.

And the best way to show that a device is compromised is to change the admin pw and lock the actual owner out.

Undisclosed Integrator #11

In reply to Undisclosed #13 | 03/08/17 08:27pm

I concede the point UD13. If you wanted to operate a long standing botnet then your view is most correct. All I was trying to state is that if you wanted to operate a large botnet temporarily then you could get more gain from locking others out over a 1 month period than trying to compete for the same resources as everyone else. However I don't think we will see eye to eye on this subject.

Undisclosed #13

In reply to Undisclosed Integrator #11 | 03/08/17 08:48pm

i would imagine that botnets are generally not very 'long-standing' by their nature.... botnet acquisition (if the aim is a 0 day exploit, i.e. DDoS attack) would seemingly be most beneficial within a short period of time before 0 day anyway (so as not to give too much time for nosy sysadmins to notice their device's infection).

So I will concede that your logic at least has merit.

I wouldn't put money on it, but I see where you are coming from. :)

Undisclosed Integrator #11

In reply to Undisclosed #13 | 03/08/17 08:57pm

To each their own. It was an interesting discussion and I am glad I could get another point of view on the subject. As a side note do you believe multiple hackers would share the same compromised device, or would they just keep knocking one another off while playing king of the hill?

Undisclosed Manufacturer #14

In reply to Undisclosed Integrator #11 | 03/09/17 02:22am

If your PC is one of botnet. Trust me. They won't change your password and let your know. You maybe will know it after DDOS attacked started. (Just maybe)
Someone may say change the password can keep out another operator login and let the attacker be the only one user.

It's stupid like you can sneak into someone house. You change the door lock to "make sure" you can sneak in again in the future.
Before that. No hacker will change the device password to let someone know. (For botnet purpose)
Change user password should be sabotage or ransom action.

Normal procedure for botnet should be add another admin user or do nothing.....

100% is not for botnet. Otherwise this one is really PhuX0RIN' 57Upid

Undisclosed #3

In reply to Jon Dillabaugh | 03/07/17 06:01pm

Lulz is a complicated subject, it's consociates are many psychologies. It will be hard to predict if a Lulz will want funny text or creativity as you mention above. These unique actions keep things spontaneous, smoked screened yet adaptable for more play.

If it was some logical ordered attack by some offended competing manufacturer it will be a lot easier to trace back to the origin. Lulz is not an apple and orange concept, it is more of a self awareness trait that feeds the emotion of the commander.

Undisclosed Integrator #2

In reply to Marty Calhoun | 03/07/17 01:31pm

They don't hack the DVR to get the DVR, they hack the DVR to get the network. Remember the HUGH data breech at Target stores a few years back? Millions of credit cards compromised? Billions of dollars of damage? The hackers infiltrated the network through an insecure HVAC system.

https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

It's not about the system, it's the system behind the system.

Undisclosed Integrator #2

In reply to Undisclosed Integrator #2 | 03/07/17 01:36pm

Frickin' Hugh data breech....

Undisclosed #13

In reply to Undisclosed Integrator #2 | 03/08/17 06:53pm

"The hackers infiltrated the network through an insecure HVAC system"

This is incorrect.

From the krebs piece:

"the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor."

From what I understand about the Target hack, that HVAC company was a vendor of Target's that used an online vendor portal that Target uses for all 3rd party billing and invoicing, etc.

An employee of the HVAC vendor clicked on a phishing email that compromised that particular machine (at the HVAC vendor) which gave the blackhats their initial approach to the Target network - i.e. by stealing their portal credentials.

How the blackhats converted this 'portal' access to being able to roam the Target network to identify the POS devices (where the nefarious code got installed) is anyone's guess.

Eddie Perry

In reply to Marty Calhoun | 03/07/17 01:41pm

Most hackers ( in this case Wanabe /apprentice hackers) do this to sharpen their skills. embedded Linux devices are easy to learn of of and are the majority of devices out there.

Guess what cameras are embedded Linux devices.

I strongly suggest even if you dont understand the technical aspects of this video you watch it for the thought process of a hacker.

Hacking a camera 2013 blackhat

Some thing to point out

1. he targets cheap cameras because he cant afford to buy a high end one

2. firmware cracking is simple given the list of tools out there. unless its encrypted.

3. Shodan has a list of free cameras to practice on.

4. most of them copy and paste firmware across models including OEM's

so take a guess which camera's are going to be hit most often. Oh look all the ones we keep seeing in the news and forums here.

how many high end camera manufacturers cameras do you see getting hacked anywhere of any high end brand? oh that right its almost not existent. wonder why? Oh look that are are starting to release some sort of Cyber security measures in all their brands, encrypted firmware so hackers have to first crack the Firmware before they can poke around the guts of a camera with out having to buy one. encrypted streams and connections from the camera to the NVR to the Internet. Forcing users to enter a new user and password on first boot, etc etc .

ChinaCams are being targeted because they are cheap, easy, and plentiful to hack whether for experience or botnet, end users who buy direct dont care about security so hacker can practice on them first before moving on the crack locked down ones installed by security companies.

Trust me if I had the money and was in the position to do "corporate sabotage" China cams would be broadcasting porn to schools flooding you tube streams of live feeds of people property, showing live streams of china, and what ever else I could to to damage them.

no one throws money for "corporate sabotage" just to put in a fake account and leave.

Undisclosed Integrator #8

In reply to Marty Calhoun | 03/07/17 02:45pm

As it has been stated, the cameras or DVR's can lead to greater potential, potential access to the network. There are a lot of hackers out there who are trying to make a name for themselves, exploit financially, or as John stated, just for kicks. I've attended several "hacker" conventions and am amazed at what some people will boast on what they've hacked.

The fact that you think this is a conspiracy theory is concerning to me. I've thought your previous posts about Hikvision hacks have been well thought out and offered excellent points on how to prevent for the average user. This seems to me that you're running out of legitimate points to defend against and are now just hurling accusations.

Undisclosed Integrator #1

03/07/17 12:59am

Uh... what he said.

Undisclosed Manufacturer #4

03/07/17 04:51am