Backdoor found in Hikvision cameras

Testing V5.1.6 build 140412 I get either 404s or Invalid Operation, confirmation of noted non-vulnerable version.
 
DS-2CD2020F-IW
V5.4.3 build 160705: Confirmed working
V5.4.5 Build 170123: Confirmed _not_ working

Nice work montecrypto!
 
My relabeled Hik DS-2CD2412F cube cam (ANNKE I61DR) is vulnerable.

Wonder if I can drop newer Hik firmware over it?

Edit to add:

Contacted Annke support and they sent me a firmware update but the issue remains.

File name: digicap.dav
Firmware: V5.3.5 build 161112

Installing Hikvision firmware balks with "The type of upgrade file mismatches."

*sigh*

So after going back and forth with Annke's first line tech support trying to get them to understand this was a significant issue given that this and lots of their relabeled cameras likely are subject to the same and them saying that it wasn't a problem for a variety of reasons, even though I confirmed that the cam is in fact vulnerable even after the update, they finally told me that "As a technical support, we know better for our product."

Yeah, good luck with that. ; ) lol
 
Are cameras behind a Hikvision NVR also vulnerable to the same backdoor?
The vulnerability is with the camera's firmware allowing remote unauthorized access on your network; an NVR has no mitigating effect.
You can 1. fix the firmware or 2. have a secure network with no "outside" access for an attacker to exploit the vulnerability.
 
Ok thanks.

If I disable UPnP from the NVR, does that disable access to the cameras even if the cameras have UPnP activated?
 
The latest tinyCam Monitor 9.0.3 for Android will report this Hikvision vulnerability via network scanner.
 

So after going back and forth with Annke's first line tech support trying to get them to understand this was a significant issue given that this and lots of their relabeled cameras likely are subject to the same and them saying that it wasn't a problem for a variety of reasons, even though I confirmed that the cam is in fact vulnerable even after the update, they finally told me that "As a technical support, we know better for our product."

I wonder how they'd feel when their company name appears in a security advisory?
 
Guess we'll find out.

They've also not let clear for public view a post that I made on their forum last night asking about it.

Great way to respond to security issues - pretend that they don't exist and hope that nobody notices. lol
 
Geez. I found this thread via a thread about the Hikvision cube clone (which I just bought a month ago).

I have Ubiquiti Unifi gear. The BI PC is on VLAN2 with no access to my main LAN. My IP camera group on VLAN2 is blocked from accessing the WAN and my main LAN (cannot ping out to WAN or to LAN1). The cameras get their time from my BI PC using the nettime app. The BI PC only runs my cameras.

Does this sound safe? I have not touched the firmware on my 8 cameras in a while.
 
Yes, you have no risk.
 
Thanks, I thought so, but good to have experienced confirmation. I also use L2TP VPN for remote access and to not have any open/forwarded/visible ports. All this works great. I'm a networking novice, but I don't know how in the world normal people are supposed to be expected to set this stuff up.
 
They are not... they either have to put a bit of effort into learning how (as you have shown, it's not that difficult) or hire someone... those same folks wouldn't dare run electrical wiring themselves... so they should hire someone for this as well.