Subscriber Discussion

Has Any American Ever Been The Victim Of A Hik Camera Being Hacked?

U
Undisclosed #1
Jun 21, 2016
IPVMU Certified

I don't consider access via default password a hack, as we would have to include pretty much every manufacturer at one time or another.

No, what I'm talking about cyber exploits against Hik cameras, leading to actual damages preferably.

I said American only so the cases can be easier to research, but failing that, anything that's documented.

UI
Undisclosed Integrator #2
Jun 21, 2016

People would be very reluctant to recognize they have been victims of hack ..

Yet the subject is of interest, much noise has been made about Hikvision cybersecurity issues, it would be interesting to know who's been a victim and how.

(2)
UI
Undisclosed Integrator #3
Jun 21, 2016

I think it would be difficult for many people to identify that they have, indeed, been hacked particularly in the SMB and residential markets that Hikvision is prevalent in. One or two IT people or a home user are unlikely to identify a hacking incident on the least critical system to business operations on the network. How often has someone complained of a "slow computer" only for someone to do some investigation to identify the machine has been donating cycles as a zombie PC, has a keylogger installed, has a rootkit installed, or any number of items. Generally, the "hacks" aren't designed to be easily recognized. Also, it is highly unlikely that anyone would publicize their security failures. Large corporations are much more likely to have publicized attacks due to compromises of customer personal data... but Hik isn't as omnipresent in this space.

Avatar
John Day
Jun 22, 2016
LMN Software Corp

I feel pretty passionately that the real question is about taking security seriously - in principal, the risk of a future hack is what this discussion should be about. I did a quick search for "HIKvision" on Shodan.io and had 377,776 hits - 16,720 in the USA... The consequences of a flaw in network security should be self-evident.

(3)
UI
Undisclosed Integrator #3
Jun 22, 2016

I'm not as familiar with Shodan.IO though I see it cited often. Is this just netting you the public IP address of the device(s)? While that's not a security compromise in and of itself I suppose that does function as an invite to brute force. Is that the risk? Not being facetious, just want to understand how to use this tool to demonstrate security risks.

U
Undisclosed #1
Jun 22, 2016
IPVMU Certified

The risk of a future hack is what this discussion should be about...

In that case, the current Hik firmware seems more hardened than Axis'. Do you agree?

(1)
(1)
Avatar
John Day
Jun 22, 2016
LMN Software Corp

First off - my apology for taking this discussion so off course. This may stray into becoming another thread entirely. Shodan.io provides any information that is not sufficiently protected by a firewall. In most cases if you can see the make of the product then you can also see the ports in use, firmware version and product details. To get that info, all you have to do is click on the IP address and you get the full list. I'm hesitant to post this from an actual site as I wouldn't want someone "outing" my network in public.

The danger is that when you have a known vulnerability and the security company is not protecting the site data, it becomes easy for a pretty low level hacker to get into the site. Again, emphasis on the combination of a known vulnerability AND the lack of network security.

Comparing firmware versions of different manufacturers is beyond my current abilities.

(1)
U
Undisclosed #1
Jun 22, 2016
IPVMU Certified

The danger is that when you have a known vulnerability...

That's a good place to start. What vulnerabilities exist by manufacturer, with ANY version of firmware?

For Hik I know of a purported buffer overflow vulnerability from maybe a year or two ago, for Axis there was one several years ago.

Do you (or anyone) know of any current vulnerabilities?

Avatar
John Day
Jun 23, 2016
LMN Software Corp

From Core Security (www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)

Here are the three vulnerabilities (Core Security 2013) that I pulled up for the cameras (not the DVRs and not the mobile APP):

  1. [CVE-2013-4975] To obtain the admin password from a non-privileged user account.
  2. [CVE-2013-4976] To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled).
  3. [CVE-2013-4977] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler.

Their Recommended Work-Arounds (Core Security):

  • Do not expose the camera to internet unless absolutely necessary.
  • Have at least one proxy filtering HTTP requests to /PSIA/System/ConfigurationData.
  • Have at least one proxy filtering the Range parameter in RTSP requests.

Why this matters:

Are security companies re-visiting customers and applying firmware patches?

Most vulnerabilities can (likely) be mitigated by paying close attention to network security. I don't think most security companies are taking any steps to secure the network.

My guess is that most manufacturers have vulnerabilities in their products (they may even be well aware of) and are hoping that they don't get "made public" on.

(1)
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions