In Defence of Hikvision

Look at this nonsense!

Brian Karas reported on March 2 that he was hearing from multiple Hikvision security camera and DVR users who suddenly were locked out of their devices and had new “system” user accounts added without their permission.

Karas said the devices in question all were set up to be remotely accessible over the Internet, and were running with the default credentials (12345). Karas noted that there don’t appear to be any Hikvision devices sought out by the Mirai worm — the now open-source malware that is being used to enslave IoT devices in a botnet for launching crippling online attacks (in contrast, Dahua’s products are hugely represented in the list of systems being sought out by the Mirai worm.)

[I cut out some text from here (I’ll tell you why)]

According to Karas, Hikvision has not acknowledged an unpatched backdoor or any other equivalent weakness in its product. But on Mar. 2, the company issued a reminder to its integrator partners about the need to be updated to the latest firmware.

OK, so Brian hears that people who a) expose their IP cameras directly to the internet, and b) are using default admin credentials “suddenly were locked out of their devices”. My God, what kind of evil genius hacker is behind this, and there were new “system” user accounts!!?!

This must be the Chinese government’s work. Only a government organisation would be able to crack into IP devices with default passwords that are directly exposed to the internet.

When people got their shit “hacked”…. actually, let’s not call it hacked. Someone logged in, as admin, and changed things, so, not hacking. Someone had done something similar to mirai (which will take any script kiddie 30 minutes to write up, but Karas and Krebs pretend to not understand that). Hikvision sees this, and then reminds people to update their firmware, and as the new firmware does not allow default passwords (as far as I can tell), it seems prudent advice, and what you ought to do.

Krebs seems to want to play a part in all this “dangerous Hikvision camera” bullshit, so instead of posting a meaningful timeline, he spices things up, and injects this little tidbit (which I removed above to ensure a comprehensible timeline).

In addition, a programmer who has long written and distributed custom firmware for Hikvision devices claims he’s found a backdoor in “many popular Hikvision products that makes it possible to gain full admin access to the device,” wrote the user “Montecrypto” on the IoT forum IPcamtalk on Mar. 5. “Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.”

OK, so on the 2nd the n00bs at IPVM and their subscribers are “hacked” by a genius hacker, who is able to guess the password and add new accounts, and then on the 5th, a guy who re-compiles the hikvision firmware discovers a vulnerability. In fact, he tells John Honovich that Hikvision has been very responsive in fixing the issue!! This seems to get lost somewhere between the sensationalist blogs (I think, because I am banned from IPVM).

How the hell do you make a connection between morons who exposes their cameras with default admin credentials, and someone discovering a bug in the validation of a reset packet (I guess that is the vulnerability, because I don’t know the details). You make that connection, if you think it will bring in more subscribers, and by extension, more filthy lucre.

Full disclosure: I am not paid in any way shape or form by Hikvision or any camera manufacturer for that matter. I receive no payment from this blog either, the ads you might see are put there by wordpress that hosts the blog, as compensation for hosting and traffic cost (and profit I guess), but I receive exactly $0.

Author: prescienta

Prescientas ruler

21 thoughts on “In Defence of Hikvision”

    1. Let’s keep this between us.
      Furthermore, people who visit IPVM are there for the entertainment and drama, not for information or knowledge so it would be a waste to place the link there.

    1. Real AI and deep learning still in its infancy; Microsoft recently entered the foray, but the demo was staged and I think it might take 3-5 years before it is ready for general use. There are some examples of content recognition and creation, but people don’t see the enormous amount of training data needed, and we usually are shown the examples where the system works.

      Unfortunately, a lot of people can’t resist the temptation to re-brand old hat techniques as AI or categorize a simple state-machine as such.

      I am working on running a highly scalable VMS on low-end HW (sub $100), and I am taking a somewhat novel approach to the installation procedure. Time will tell if it ever comes to fruition 🙂

    1. Making products that work is really hard work, and the chance of failure is big. It’s more relaxing to write about how everyone else sucks and are making shit products. Maybe someday Brian will get the spark back and create something better. He posted a video about placing cameras on a floorplan that inspired me to do a similar experiment, so… we’ll see…

  1. On positive side, happy that IPVM led me to your blog, I suspect you might get some interested readers out of it that stick around. I tend to agree with your views on IPVM, but it is a bit of fun viewing – with occasional if limited value – from inside the industry, where most other online sources are just advertorials.

    1. Thanks,
      I initially thought that the idea behind IPVM was to be paid, by the subscribers, to provide unbiased and competent reviews. But competent, in-depth, reviews require hiring expensive professionals that know what they are doing. This is a losing proposition, because (and even JH will admit this) most people do not care to read thorough, unbiased, reviews. So it is far more economical to trawl the free online forums and copy the “news” from those sites, and pass it off as “research” (which technically, it is, you “researched” by going to IpCamTalk). Then, as “payment” you offer people the opportunity to provide content on your blog (IPVM even offered to remove me from their IP filter and get me a free 1-year subscription, while in the same email telling me that they would be attacking me!).

      IPVM calls it “hacking” when someone logs into a camera with default admin credentials. I don’t. And I don’t think anyone who knows anything about IP networks do either. Hacking is what they do at blackhat. But if I was an integrator, who exposed my customer’s cameras directly to the internet, and I used default credentials, and someone logged in and messed around, I’d tell my customer that the camera was “hacked” too.

      The Hikvision device reset packet was (is?) a bad idea, but I can understand why they did it. Unfortunately, you could argue that they should have known that this was a dangerous thing to do. I don’t know what went on in the meetings, but let’s speculate: “Let’s put a device reset button on the camera itself” someone says. “Then the employees can hit the reset button, the VMS loses the connection, and they are free to steal from us. Furthermore, if the camera is 20 miles away, in a 30-foot pole, do you really want to have to spend $$$ on resetting the device?”. There’s some thinking, and the engineer comes back “let’s do a port knock sequence that will reset the camera”. A clever guy says “if you put a port-knock sequence in the firmware, hackers will reverse engineer the firmware, and learn the sequence to unlock, this is not going to work”. There’s some debate. Clearly, any mechanism that gives the camera a “sesame, open up” function, is going to be exposed if people disassemble the firmware. Just like “reset” keys for physical locks, where the actual reset key can be made using simple tools, these kinds of things are not secure. It might be simpler than that, it might be that Hikvision had simply forgotten to add a physical interface to reset the camera when people forget their passwords, so they came up with a hack. Either way, this was an error.

      Many vendors, including Hikvision, now ships with the requirement that the user enters a password they make up themselves. A lot of users are STILL going to use 123456 or PASSWORD and so on, simply because it’s easier to remember, and when they expose their cameras to the internet, a trawler script will drop by and take over the camera. Solving this requires many additional steps or a completely different infrastructure that will cost $$$ and ultimately, you are going to expose something to the internet, and that something will need to have a decent password, need patching, but at least (and ideally) only this gateway will need to be maintained.

      We COULD be discussing solutions to problems that potentially plague all IoT devices, or we can try to drive people back to analog because IP is just too damn insecure. IPVM and epecially JH are doing their best to support the latter, and he doesn’t care, as long as you keep going to his site, and keep paying your annual subscription.

  2. When people got their shit “hacked”…. actually, let’s not call it hacked. Someone logged in, as admin, and changed things, so, not hacking.

    Hacking shmacking… are you folks really arguing over the term? From a systems integrator perspective any time someone not authorized does something they shouldn’t it’s an intrusion and when it involves a the physical manipulation of a device over the internet… I guess in it’s basic form would be considered hacking.

    How about discussion the facts…
    -I don’t see the chinese as a friend of the US.
    -Any product funded by the chinese government (any government really) is not one I would choose to use.
    -The overall quality of Hikvision is lacking.
    -I understand Hikvision is a “value” line in most cases. If you want cheap, I guess they work for you.
    -I have used several Hikvision cameras, just not a fan.

    Just my opinion, backed up by experience.

    1. Let’s say you leave the key in the door when you leave your house. You return to your home, and all your valuables are gone. After calling the cops, would you go online and yell and scream that the “lock is unsafe”?

      Did Hikvision fuck up? You bet.

      Does the Chinese government have anything to do with any of it? Neither you, nor I know that, and until there’s any proof, I consider people innocent. I take my precautions, but I am not going to accuse anyone of foul play unless I can substantiate it.

      I truly appreciate you airing a dissenting view and taking the time to post a comment.

      1. That’s a great analogy, I think it’s slightly off target since someone made an effort to exploit a weakness in Hikvision’s password security…at multiple sites.

        So I’d counter, if a manufacturer made every locks that opened with a key pined to 12345 unless you re-keyed it … I would say the lock is unsafe.

        Case and point, Door King made all their panels with the same key. Burglars exploited this weakness. Was that DK’s fault? I’d say yes. Once they found out about it, they changed it.

        I think there’s ample proof that the chinese government owns/controls Hikvision.
        BTW- I love the “Skynet” name for their program.

        Likewise, thanks for your time and response. I love learning new things from people and you seem to know the industry. Cheers!

      2. I have to object to the continued demonization of Hikvision, this issue is an industry-wide issue, and it’s not a new one either, and it will not go away anytime soon. I have, on my desk, a Hikvision camera and an Axis camera. I assume that both are vulnerable, even if there is no known ones for the Axis model I have. I take the necessary precautions. Even if the Hikvision camera has a known vulnerability that is a category 10, I am not concerned about it. I am more concerned about my router, my private web server and my phone.

        Hikvision was clearly not the only company to use default passwords, I did a search and found this tidbit from a site I don’t visit

        IP Cameras Default Passwords Directory –
        May 27, 2016 – Finding an IP camera’s default password can be tedious or aggravating. … With that in mind, we have gathered this list of IP camera manufacturers and their default usernames and passwords to help users get started more quickly. … Axis: Traditionally root/pass, new Axis cameras require …

        It basically offers help to users, but that sort of list is useful for people that write stuff like the Mirai exploit (no connection inferred). So, yes, default passwords are definitely problematic in the wrong hands, but in the hands of true professionals they are not really an issue. There are many other lists available online, but I picked IPVMs because I felt there was a certain irony to it. On the one hand they have a neat list, and they are offended (or baffled) when someone takes advantage of it.. go figure…

        Can this situation be improved? Yes, we can remove the default passwords, and we can require a password of a certain complexity, but companies and their developers need time to update the firmware, and there is no guarantee that amateurs and fools are able or willing to actually update the firmware. There might be immoral companies that object to “wasting” time and money on legacy devices, but I don’t think Hikvision is any better or worse than any other vendor in that regard.

        Even if every single camera manufacture made this change (and I don’t think anyone has any objections to the idea that it improves security), there’s still a risk that the firmware may contain a bug that can be remotely triggered, and cause the camera to revert to its default state. Even the most rigorous review process will miss bugs (heartbleed and shellshock are two examples, but there are thousands of examples in other areas).

        In regards to the daily mail piece, I did a quick search, and came up with this That does not mean it is a lie though. I was an early follower of, so I can’t be the judge on that. But the article also makes the camera seem as if they are some of the best in the market…

  3. I agree with your last post here, basically that many of the camera vendors have a similar set of exploitable weaknesses which need to be managed through an overall system design and better deployment processes. The push to more open systems, coupled with increasing camera compute power, and then meshed with a number of security installers (and DIY owners) who have limited understanding of cyber threats, is only going to compound this.

    The focus on Hikvision is conflating two separate issues – especially in the IPVM forums. The first, that JH rightly does focus on, is that Hikvision is owned by the Chinese government, who appear to be deliberately bankrolling Hikvision to dominate the market on price, and in doing so forcing a price war that isn’t sustainable for other (non state owned) competitors. That’s not a good thing for the industry as a whole, but has nothing to do with generic security vulnerabilities in IP cameras.
    The second issue is around the security flaws in IP cameras – and in the case of Hikvision, whether they’re actually providing a (secret) backdoor for hacking by Chinese state actors, with the Chinese Government – as owners of Hikvision – directing them to provide this backdoor. This is where it gets far more speculative and into conspiracy theory territory. The security flaws uncovered to date, as you noted, are in many cameras. These supposed secret back-doors to China have nothing to do with that. And if they’re going to start worrying about that then better also be worrying about smart phones, smart TVs, and a whole other abundance of networked electronics filled with Chinese sourced components or from Chinese factories.

    Note that I’m not defending China or Chinese companies here. They’re definitely guilty of all sorts of IP theft, and they’re definitely great hackers focused on cyber espionage (both statements also being true of the US!). But the hysterical focus on Hikvision is missing the point that most / all IP cameras are readily exploitable network devices and need to be treated as such.

    1. I agree…

      99.9% of everyone reading this blog were not affected by any of these breaches, simply because they know how to properly handle these devices. Or at least, I hope the percentage is that high.

      The problem of DIY’ers getting a camera to figure out which dog shits on their lawn, is not that the user is spied on by the Chinese, it’s that the camera becomes part of a bot-net that can take down Dyn, which in turn leads to several sites not showing up (a kind of DDOS by proxy).

      Those people might learn to change the password when it reaches main stream media, but most of them have no idea this is happening, and we can write post after post about it, but they are not going to see it until it bites them in the ass (people STILL bring guns to the airports!).

      Professional integrators may have to be extra careful when cloud solutions become more common. A lot of the cameras I have ever used, use RTSP to send data. To do that, a client (the recorder) has to request the stream from the camera. This means that the cloud server needs access to the camera, one way or the other. There are a few ways that this can happen, but today, very few of them are plug and play. Dropcam has a custom firmware that allows the camera to autonomously connect to a particular server outside the network, and then initiate a stream from the camera outbound, to the recorder. The camera itself, initiates all connections (I think!). There is no need for SSH, Telnet, Curl or any of that stuff inside the cameras.

      My preferred solution is to use a proxy between the cameras and the cloud, but who then maintains the proxy? Maybe there’s an opportunity in that 🙂

      I too am somewhat concerned about the loss of manufacturing, and the efficiency the Chinese are displaying is simply mindblowing. I got a raspberry pi clone for <$10 sent directly from the factory, no meaningless interaction with arrogant men in suits. I used to go to the Chinese exhibit at trade shows, this is years ago. They'll quote you a price on the spot for 100 cameras, and they don't care who you are. Try asking a western company for the same thing : "who are you, let's meet, sign this"..

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s