HikVision Firmware updates - backdoor exploit fully disclosed
Phil Administrator Staff member.

The below link leads to a recent full disclosure of a weakness found in the firmware of HikVision devices. The weakness was shared with HikVision back in March HikVision released new firmware to resolve the issue.
Now, the weakness has been publicly fully disclosed: "The vulnerability poses a severe risk. Because the vulnerability is trivial to exploit" You must keep your firmware up-to-date to ensure maximum security against hacking etc.
Thank you for this - Can you clarify something. The current firmware I have is "V5. Your site has this 5. Thanks Mike.

Hi Mike, The cameras are in the R0 family - the latest firmware is here V5.

Last night I received my first credible confirmation of customer's HikVision IP cameras being hacked at site. Their cameras became unresponsive, and they had to visit each camera (multiple physical sites) to regain control and resolve the issue.
The likelihood of your HikVision camera being hacked has been greatly increased by the public declaration of the issue and how it can be used. We released a firmware update that resolves the issue. Please see the following release for detailed information on which cameras are affected and the links to the firmware update for each. Recently, there has been a wave of cyberattacks. Updating all systems is an effective way to prevent your equipment from being vulnerable to cyberattacks. We have provided the solution and we urge all our partners and users to ensure that the firmware update is being applied to all the products.
Thereby you can be sure that you are not affected.

Our customer has kindly allowed me permission to share his words with you:

This weekend, we saw several of our cameras, which are dotted around the country and port-forwarded to the Internet, suddenly become unresponsive, so we went looking for an explanation.
As you have probably guessed, that turned out to be the major security flaw in the firmware of just about every camera we have.

If you own Hikvision security cameras you would have noticed the sudden change in the live feed display, where the normal footage was replaced with the term HACKED. Malicious attackers are now trying to exploit this vulnerability; the first example is the appearance of HACKED in place of the live feed on some models of Hikvision security cameras.
Screenshot from ipcamtalk.

On Sep 12, a security researcher using the alias Monte Crypto posted "access control bypass in IP cameras from Hikvision" on the Full Disclosure mailing list and warned users that a majority of these cams contain a backdoor that allows unauthenticated impersonation of a configured user account.
In his post on Full Disclosure regarding the vulnerability, it is claimed that there is a superuser admin account in all devices manufactured by Hikvision. The post shows how this access can be used to retrieve users and roles, download the camera configuration and get a camera snapshot without authentication. Monte Crypto also noted that the vulnerability is not new and has been there in Hikvision products since Monte Crypto explained that there are various, negative repercussions of having a security camera with a backdoor installed.
Changing a weak password will not resolve the issue either. Moreover, you can implement network access control rules that allow only trusted IP addresses to establish connections to the vulnerable devices.
Hikvision has already released firmware updates for numerous models of its security cameras where the backdoor is removed so you must install the update if it is available for your device. If you attempt to do so then a boot loop will occur, which can only be recovered by installing the original Chinese language firmware over TFTP.
Hikvision Security Cams Compromised to Display “HACKED”
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism. Waqas

This is new, and from what has been reported by those affected, appears to be different than Mirai. During the Mirai botnet attacks, there were no reports of Hikvision devices being hacked.
US, UK and New Zealand integrators have all reported cases of Hikvision recorders being attacked, at least hundreds of devices in the past month from just these reports:

These DVRs will have been hacked.
Over the last week we have had over customer DVRs that have been hacked and the password changed. I just experienced my first one this week. Symptom was DVR not accessible via browser or app, password didn't work. I had to go on site and run the password reset. Was an older firmware and it let me. When I got back in I found this: I never created a "system" account. I have had a couple Interlogix cameras same thing as Hikvision renamed do the same thing and we had to go out and physically factory default the camera.
Something very odd going on here and I can't figure it out. We've had four customers in the last couple of weeks locked out of their Hikvision recorders by what looks like bot. All clients were on old firmware with default admin password of and default ports -I know, I know, they were all installs from years ago who we hadn't visited since. Our Hikvision distributor has been inundated with pw reset code requests. In every case reported so far, the recorders were using the default admin password "", and had remote access to the web interface on port Firmware versions affected are unknown, but are likely older versions before Hikvision forced users to set their own admin password.
The attack changes the default admin password, and adds a new account, "system" to the device. So far there is no evidence the recorders have been used in any kind of botnet attack. Botnets move fast across the Internet - iterating over the finite number of public IP addresses is straightforward, and tools like Shodan plus Hikvision's Online still unfixed enumeration vulnerability make it easy to find devices that may be susceptible to a known exploit. Chances are, if your Hikvision recorder has an admin password of "", or an easily guessed password, and is accessible via the public Internet, it has already been hacked.
If your recorder has a "system" account in the user list that was not added on purpose, it has been affected.

If you have been hacked, you will need to restore the admin password to gain access to the device. If you have not been hacked, ensure the admin password is set to something uncommon and not easily guessed. Additionally, ensure firmware is kept up to date, check Hikvision's firmware directory [link no longer available] for latest versions.
Because affected devices have not had ports like telnet or SSH open, or were running firmware builds known to have these services disabled, the most likely scenario is that the attack utilizes the web UI to create the new account and alter the admin password.
This attack also has the potential to infect many more devices than Mirai did, as it only requires remote access to the standard user interface, and does not require telnet or SSH access. Where Mirai relied on devices with no firewall, or poorly configured firewalls, this attack can target devices that are behind a firewall, as long as they have basic remote access enabled.
What the attack does that may not be visible, such as upload scripts or files intended to be called later, after enough devices are infected to create a strong botnet army, is not yet known. Because of this, the best course of action would be to completely reset the device, upgrade to latest firmware, and set a strong admin password before putting it back online. While Hikvision is responsible for making such equipment, the integrators and users involved are responsible, both for not having upgraded their equipment in 2 years or more since these risks were made clear by Hikvision, and by incidents like the Mirai botnet that relied on poorly secured devices.

There are a few methods for resetting a Hikvision password, and which method applies depends on the manufacturing date.
The older Hikvision devices can be reset using the password generator tool, the newer one can be reset using another tool that exploits a software issue on the Hikvision platform. Basically we need to get the serial number for the Hikvision device.
After the software is installed, run it and all your Hikvision devices on the network will be listed there. You need to copy the serial number and use it in the next steps. This tool may or may not work for your camera or NVR. Please follow the instructions very carefully and be precise in all your inputs into the tool.
This tool will only work with cameras running firmware older than 5. Link to Hikvision password reset generator. Note: Some Hikvision devices perhaps only NVRs show their model number appended to the beginning of their serial numbers.
You may need to remove this from the serial number that you enter into the tool. Once you get the generated code from the tool above you must enter it on the SADP software and reset the password.
Note you need to install the SADP version 2. Select the camera and enter the Secure code on the box. After the reset is done the password will be

This small software is built by bp on GitHub and exploits a backdoor found on Hikvision devices.
This tool works for these Hikvision firmware versions:

There are five simple steps to reset a password, and you can even skip steps 3 and 4 in many cases. Connect your camera on the network, locate the IP of the camera using the SADP tool and get the http port as well default one is Type the IP and the port on the tool. Then click Get User List and choose the admin account from the list. Try both of them.
Step 2: Click the Export button on the pop-up to export the reset file and then select a folder to save the file to that is easy to find. Once you get a reply from them, follow the next step. Step 4: Open SADP and return to the export pop-up from before, this time you will want to go to step 2 and tick the Import File box, then click the folder icon and find the reset file we just sent you, open it so file route appears in the box like below, finally enter the new password twice and then click Confirm.
After clicking Confirm, a box should appear with a green tick and the words Reset Password Succeeded. With the password reset, you can now open Internet Explorer, browse to the IP address of the device and log in using the new password. You can then proceed to do what you like with the device; we would recommend checking your firmware is up to date before you do anything else.
Hikvision, a Chinese manufacturer of video surveillance equipment, recently patched a backdoor in a slew of its cameras that could have made it possible for a remote attacker to gain full admin access to affected devices. The backdoor stems from two bugs: an improper authentication bug and a password in configuration file vulnerability.
Both bugs could have allowed an attacker to escalate privileges and access sensitive information. The password in configuration file issue, meanwhile, received a high severity 8. The warning reiterates a bulletin the company, which is partially owned by the Chinese government, sent customers in March. In the notice, Hikvision warned that request code could be used to access certain IP cameras directly. The researcher promised to disclose details around his findings on March 20, two weeks after he initially disclosed, but retreated from that decision after making contact with the company.
They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.
According to the company, until customers apply the respective firmware patch, the following cameras are still vulnerable:

While Hikvision fixed the improper authentication vulnerability it has yet to fix the password in the configuration file vulnerability, US-CERT points out. Hikvision also directed Threatpost to a letter it sent customers and partners last Thursday notifying them of the March firmware update, 5.
The company also addressed the issue with the configuration file, acknowledging it will enhance its private key decryption storage method in an upcoming release.
Also, the configuration file can only be exported by the admin account. Several years ago, Hikvision, in an effort to better secure its products, contracted the security firm Rapid7 to carry out a penetration test and vulnerability assessment of its IP cameras, embedded recorders, and software tools.
That partnership was spurred after Rapid7 identified a series of vulnerabilities, buffer overflows that allowed the remote execution of arbitrary code, in Hikvision DVRs in
Author: Chris Brook. May 8, pm.

In the age of security, a lot of devices are still vulnerable because many of them are not updated to the latest version of the software. A lot of Hikvision's cameras are still vulnerable to an exploit that allows access through a hidden backdoor in the software, allowing an attacker to change all users' passwords to one of their choice.
So with this Python script we will be able to scan, using shodan or censys.

Step 1: Download Hikxploit

First, download the tool from the official repository on GitHub by doing git clone github.
You could get a new Shodan API key and add it to the code. Actually it looks like you could just open api.
If you have ever locked yourself out of a Hikvision camera or NVR by forgetting the admin password, and had to beg Hikvision or anyone else for an unlock code, you will appreciate this.
I present a small tool that lets you generate your own unlock codes which can be entered into SADP to reset the admin password on any of your Hikvision cameras. I've built a tool for that.
It only works with cameras not NVRs.
If you need to reset an NVR, click here. Please follow the instructions very carefully and be precise in all your inputs into the tool. Devices on newer firmware require a more secure password reset procedure which I can not help with. I think this tool will only work with cameras running firmware older than 5. I do not know what version is the cutoff for NVRs. Some Hikvision devices perhaps only NVRs show their model number appended to the beginning of their serial numbers.
You may need to remove this from the serial number that you enter into the tool. The camera will compare its internal date and time with the date and time you have entered above. The Serial Number and date must match perfectly or else the code will not work.
Very cool!

DaveP (Getting the hang of it): Well done bp, I could have done with this a couple of hours ago, lol.

Cool, I tried it with a Swann branded Hikvision cam and didn't have to remove anything from the serial. So that must just be a quirk of the NVR.

Mike (Staff member): This is awesome, many thanks for sharing! This will definitely come in handy for many.
Thread made sticky.