From Core Security (www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
Here are the three vulnerabilities (Core Security 2013) that I pulled up for the cameras (not the DVRs and not the mobile APP):
- [CVE-2013-4975] To obtain the admin password from a non-privileged user account.
- [CVE-2013-4976] To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled).
- [CVE-2013-4977] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler.
Their Recommended Work-Arounds (Core Security):
- Do not expose the camera to internet unless absolutely necessary.
- Have at least one proxy filtering HTTP requests to
/PSIA/System/ConfigurationData
.
- Have at least one proxy filtering the
Range
parameter in RTSP requests.
Why this matters:
Are security companies re-visiting customers and applying firmware patches?
Most vulnerabilities can (likely) be mitigated by paying close attention to network security. I don't think most security companies are taking any steps to secure the network.
My guess is that most manufacturers have vulnerabilities in their products (they may even be well aware of) and are hoping that they don't get "made public" on.