Hikvision Removed From US GSA Sales

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,962
Reaction score
6,794
Location
Scotland
IPVM article and apparent involvement in the action: Hikvision Removed From US GSA Sales

"In December 2016, over 1,400 Hikvision products were listed and available for sale to the US military, US federal agencies, US state governments, etc. In particular, two Hikvision re-sellers were selling hundreds of Hikvision products and falsely categorizing the Chinese government owned manufacturer's products as 'Made In USA'."

Another IPVM article:
Hikvision Pledges 'Never' 'Backdoors'

One could argue that the:
"zhimakaimen.Password: ..Enter Debug Mode"
is a back door.
It's certainly not under user control.


@johnipvm John - I'm curious if you've yet run the proposed article about the legality of users modifying the firmware on their Hikvision products, and the drivers instigated by Hikvision that promote such activity.

I'm not an IPVM subscriber, so don't have good visibility of the stories.

@brk I'm not sure if John from IPVM is still a member.

alastairstevenson
OK, many thanks. I couldn't find it, fumble fingers.
That will get his attention.

I'll need to take a look at that back door. Last time I looked was ages ago, it looked like it needed a fob (challenge / response).
But it certainly looks like a privileged way in, if you can connect to the devices.

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
I never properly documented it; but when I had a Hikvision camera on hand to write a program against, I noticed by accident that my credentials were entirely invalid, yet commands still worked as expected. Upon further investigation I found that I was entirely mangling the HTTP authentication with a completely non-standard response. When I corrected my coding mistake I got an invalid login, as I had expected.

These things have had no penetration testing; and breaking past all authentication seemed to be relatively easy if I could do it purely by accident.

One just has to assume these things are full of backdoors; and if not, they are still not near vetted enough for Govt/Military use. I know because I've been part of software suites developed specifically for such uses; these aren't close to being compliant with any security standards they require.

I would be amazed if those vendors are not permanently barred/blacklisted; they don't take kindly to being told one thing and getting another.
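The failure mode nayr describes (a mangled Authorization header that is still accepted, while a correctly formed but wrong one is rejected) is what you get when a Digest check only rejects a response it can compare and disagree with, and lets everything else fall through to "allowed". The following is an added illustration, not code from the thread, from Hikvision or from any camera firmware: a toy RFC 2617 Digest verifier written both ways, fed constructed headers. The realm, nonce, URI and account are all made up for the example.

```python
import hashlib
import hmac
import re

# Constructed parameters for the illustration (not from any real device):
REALM = "device"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD = "GET"
URI = "/ISAPI/System/deviceInfo"   # assumed path, only used as a string here
USERS = {"admin": "correct-horse"}  # constructed account


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def expected_response(user, password, method=METHOD, uri=URI):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{NONCE}:{ha2}")


def parse_digest(header):
    """Pull key="value" pairs out of an Authorization: Digest header.
    A malformed header simply yields fewer (or no) fields."""
    if not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def lenient_check(header):
    """The bug pattern: the code knows how to reject a response that is
    present and wrong, but a response it cannot compare (missing field,
    unknown user, non-Digest header) falls through to the default True."""
    fields = parse_digest(header)
    user = fields.get("username")
    if user in USERS and "response" in fields:
        if fields["response"] != expected_response(user, USERS[user]):
            return False
    return True


def strict_check(header):
    """Default deny: every field must be present, bound to this challenge,
    and the response must match, compared in constant time."""
    fields = parse_digest(header)
    user = fields.get("username")
    if user not in USERS:
        return False
    if any(k not in fields for k in ("realm", "nonce", "uri", "response")):
        return False
    if fields["realm"] != REALM or fields["nonce"] != NONCE or fields["uri"] != URI:
        return False
    return hmac.compare_digest(fields["response"], expected_response(user, USERS[user]))


def make_header(user, response):
    """Build a Digest header; response=None leaves the field out entirely."""
    parts = {"username": user, "realm": REALM, "nonce": NONCE, "uri": URI}
    if response is not None:
        parts["response"] = response
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in parts.items())


# Constructed requests: a correct login, a wrong password, and two mangled
# headers of the kind a client-side coding mistake would produce.
SAMPLES = {
    "good": make_header("admin", expected_response("admin", "correct-horse")),
    "wrong_password": make_header("admin", expected_response("admin", "guess")),
    "missing_response": make_header("admin", None),
    "unknown_user": make_header("nobody", "0" * 32),
}


def evaluate(check):
    """Run one verifier over every sample; returns {name: accepted?}."""
    return {name: check(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, fn in (("lenient", lenient_check), ("strict", strict_check)):
        print(name, evaluate(fn))
```

The lenient verifier rejects the wrong password (so casual testing with a bad password looks fine) yet accepts a header with no response field at all, an unknown username, and even a non-Digest scheme. When testing a device, send exactly those malformed variants, not just wrong credentials.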

alastairstevenson
yet commands still worked as expected.. upon further investigation I found that I was entirely mangling the http authentication with a completely non-standard response... When I corrected my coding mistake I got an invalid login as I had expected.
Interesting.
So it sounds like the code may be 'validating valid responses' but not 'invalidating invalid responses'.
A couple of years back I did point Nessus at the Hikvision products I'd newly bought and was actually surprised that the only high severity was against the version of the Dropbear SSH server.

Here is a little nugget I came across yesterday whilst idly looking through some (not Hikvision) firmware that had been posted on here :
Code:
LDR     R0, =aSDUsernameSPas ; "%s %d: UserName %s Password %s\n"
LDR     R1, =aProcesshttpreq ; "ProcessHttpRequest"
MOV     R2, #0xE1
BL      sub_DB54
SUB     R3, R11, #-s1
MOV     R0, R3          ; s1
LDR     R1, =aLucky787  ; "Lucky787"
BL      strcmp
MOV     R3, R0
CMP     R3, #0
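The disassembly above shows the two things to look for when triaging a firmware image for a hardcoded login: a logging format string that mentions a username/password, and a short fixed literal fed to strcmp nearby. The following is an added example, not part of the post and not the firmware it describes: a small `strings`-style scanner that flags secret-looking literals sitting within a window of such auth-related strings. The firmware blob is constructed inline for the example, and the heuristics (marker words, window size, what counts as secret-like) are assumptions to be tuned per image.

```python
import re

# Constructed stand-in for a firmware image: a few non-printable "code"
# bytes, the strings the disassembly references, and unrelated strings.
# This is a made-up blob, not the firmware from the thread.
FIRMWARE = (
    b"\x00\x10\xa0\xe3\x1e\xff\x2f\xe1" * 4
    + b"firmware_version_5.4.0\x00"
    + b"\x00" * 300
    + b"%s %d: UserName %s Password %s\n\x00"
    + b"ProcessHttpRequest\x00"
    + b"\x00\x00"
    + b"Lucky787\x00"
    + b"\x00" * 64
    + b"/var/log/messages\x00"
    + b"\x00" * 400
    + b"admin\x00"
)

# Strings that suggest an authentication code path (assumed marker words).
AUTH_MARKERS = re.compile(rb"(?i)password|username|passwd|login")
# A literal that looks like a credential rather than a path, symbol or
# format string: 6-16 letters/digits only (assumed heuristic).
SECRET_LIKE = re.compile(rb"^[A-Za-z0-9]{6,16}$")


def extract_strings(blob, min_len=4):
    """Like `strings -t d`: (offset, bytes) for runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, blob)]


def credential_candidates(blob, window=256):
    """Secret-looking literals within `window` bytes of an auth marker.
    Returns [(offset, string)] for a human (or a disassembler) to confirm:
    the strcmp against the literal is the proof, this is only triage."""
    strs = extract_strings(blob)
    marker_offsets = [off for off, s in strs if AUTH_MARKERS.search(s)]
    out = []
    for off, s in strs:
        if AUTH_MARKERS.search(s) or not SECRET_LIKE.match(s):
            continue
        if any(abs(off - m) <= window for m in marker_offsets):
            out.append((off, s.decode("ascii")))
    return out


if __name__ == "__main__":
    for off, s in credential_candidates(FIRMWARE):
        print(f"0x{off:08x}  {s}")
```

On a real image the equivalent quick check is `strings -t x fw.bin | grep -i -B3 -A3 password`; the scanner above just automates the "what short literal sits next to the login logging string" step, and the result still has to be confirmed in the disassembler by finding the strcmp that consumes it, as in the listing above.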

nayr
hah; yeah, it seems that most camera manufacturers think backdoors are features, probably because end users are too stupid to remember passwords and always lock themselves out. It's one thing to hire someone to set up some cameras and they set up a backup login in case the customer gets locked out of their own account; but hardcoding them into the firmware where they can't be disabled/changed is just fucking terrible.

brk

n3wb
Joined
Jul 9, 2016
Messages
6
Reaction score
6
We have not yet run the firmware modification report, I am still trying to confirm that the modified firmware can actually be installed/used on a camera. If anyone has had success with that I'd be interested to hear about it.

As for the backdoors, I have not poked around with current Hikvision firmware (anything less than 1 year old), if anyone has an example of current firmware with a backdoor, or ways to circumvent standard auth with malformed requests (whether the malformed request is intentional or not ;) ) I would also be interested to see a proof of concept of that which I could independently verify.

BTW, if you want to check out the Hikvision Pledges No Backdoors post, you can use this link: Hikvision Pledges 'Never' 'Backdoors' let me know if you have any feedback.

alastairstevenson
I am still trying to confirm that the modified firmware can actually be installed/used on a camera
That's going to vary with the camera series. And the firmware version. Easy enough with the R0 series, even with current 5.4.0 firmware.
I probably should not do this; however:
If anyone has an example of current firmware with a backdoor,
I suppose it may depend on your definition of a backdoor.
Let's say it's a hardcoded access method that the normal end-user cannot permanently change by the normal provided administrative access, eg web GUI 'Maintenance', but is known to the manufacturer.
"zhimakaimen.Password: ..Enter Debug Mode"
I think this above falls into that category.
But it's not the only method :
Modified firmware to inhibit psh and allow SSH, and a native hardcoded backdoor login - sent via PM.