• Hi Guest, Please subscribe to our YouTube channel for fresh new videos each week.

Security Update for Hikvision Systems - Strong Passwords

Dan

Administrator
Staff member
Messages
459
Points
28
Thread starter #1
You may have noticed with recent camera & NVR firmware updates that Hikvision has introduced some new security measures, the most obvious is the addition of security questions (mothers maiden name/first pet/favourite colour/etc..) to help with password recovery, but as well as these more obvious updates that Hikvision published in release notes there were also some smaller updates that we have stumbled onto by accident.

One of these smaller updates was brought to our attention by a customer who had a 7608-K2 NVR with 2 x 2T43 4MP Bullet cameras and 1 x 4A26 ANPR Bullet connected, they were running this setup as a closed system (not connected to a LAN) and only accessing via a directly connected monitor. The customer had been running the NVR fine with just the 4A26 connected but when they came to connect the new 2T43 cameras to it they appeared on the Camera Management page but only ever showed the word detecting and never actually connected to the NVR.

We tried everything from updating firmware and trying different types of cable to hard resetting the cameras and moving the cameras to different ports, nothing seemed to be working. In the end, we asked the customer to ship the 2 x cameras and NVR back to us to test and initially, we saw the same fault with the cameras only displaying detecting and nothing else.

We tried a lot of different possible solutions (including disconnecting the camera from the NVR and plugging it into a PoE switch, which didn't solve the problem but did show us that even though the cameras were plugged directly into the NVR they were not being activated by the NVR as they showed up as inactive in SADP) but then we remembered that when the customer had first sent it back we had requested the password they had set for the NVR, it turned out to be admin123 which is a classic bad/weak password.

So to make things easier for us testing it and to test a possible solution to the problem we changed this weak password to a strong one we use for other test equipment, we then reconnected the inactive 2T43 Bullet to the ports on the NVR and after the minute or so it takes for the camera to boot up we returned to the camera management page and the camera was showing as connected.

From further testing, it would appear that this is related to a firmware update for the new EasyIP 2.0+ & 3.0 cameras, we can confirm this because:

1. The customer already had a 4A26 camera that connected fine with the weak password - obviously because it didn't have the latest G1 Firmware update
2. We also connected a 2343 Turret from our demo system that already had a strong password - so we knew it was not a software/hardware fault of the model or 2.0+ range

So in conclusion, if you are connecting 2.0+/3.0/or newer camera models directly to the PoE ports on an NVR then that NVR will need a strong password for it to activate and add the cameras. But our advice, in general, would be that whether it is a system with new G1(2.0+/3.0) cameras or not make sure your NVR is set up with a strong password, the best strong passwords use capital letters, numbers (not sequences of numbers like 1234), and special characters like !@£$%^&*
 
Last edited:
Top