Let's see what we saw in real life scenario..

While working on Implementation at VROfficePlace video analysis / access control systems, we put a goal to allow custommers simple integration with existing cameras. It was a ton easier for to save budget making an integration as simple as redirecting a camera feed.

There was a strong initiative that offer a value added penetration testing as the final product stage that most customers embraced. At the end of the day, you are implementing a technology on top of exsisting vendors and we thought it is a good idea to both stress-test and pen-test a whole eco-system.

Let me give you an example of our findings.

Almost all models of HikVision products made prior to 2017 got their encrypted config files exposed by a master password "YWRtaW46MTEK".

From there it was just about breaking EAS 128 ECB encyption in order to get a raw XOR encoded confguration. Is it enough to encrypt with EAS 128? Opinions are different as you can see. It might be for real time transmission but against a file? Anyway, your XOR key bytes are 0x73 0x8B 0x55 0x44

Ok, in February of 2019 maybe. Its a December. Anyway, here we are.



Why such a huge number? If we stick to a HikVision, they did patched the issue. However, instead of patching affected devices, models only 2 years old are completely removed from a website being unable to upgrade / apply patch. Not a best approach "act like it never happened" while most of your devices are still in operation.

I put a demonstration script on GitHub to help you check if your HikVision camera expose full access. We will try to cover others as well after we communicate Vendors our findings.