Subscriber Discussion
Virus Impacting Hikvision Products, Hikvision Responds
04/02/14 01:51pm
A Bitcoin miner of all things. If anybody wants to examine it, feel free to download the malware.
[UPDATE With Hikvision official response and tech details.]
04/02/14 01:57pm
Update: this researcher says he found the same malware running on a router as well.
04/02/14 02:00pm
Update two: it's mining Litecoin, not Bitcoin.
Update three: this is what happens when everyone goes to ISC without me and I have too much coffee.
I am unclear on the mechanics of Bitcoin/digital currency miners. What do they do? Aren't these voluntary downloads?
| 04/02/14 02:31pm
To summarize: the way new Bitcoins are introduced into the Bitcoin economy- that is, the way you "earn" new Bitcoins- is by running a program that computes past Bitcoin transactions. This allows Bitcoin to remain decentralized- you don't have to pay anyone to maintain ginormous servers because all required processing is distributed among a million devices all over the world, which means no one could possibly shut down Bitcoin entirely even if they wanted to. Every time you run a computation, you are paid a tiny of a Bitcoin. Not much, but it adds up over time. More here.
I can't imagine you would make much BTC on a single DVR, but thousands of DVRs running a botnet might make this worth it.
To summarize: the way new Bitcoins are introduced into the Bitcoin economy- that is, the way you "earn" new Bitcoins- is by running a program that computes past Bitcoin transactions.
If I may nitpick ever so slightly I would point out that one only earns "old" bitcoins when verifying past Bitcoin transactions. These are the equivalent of credit card processing fees and are paid by the transactors.
Brand spanking new bitcoins on the other hand are "mined" (implying they existed before anyone found them) by discovering numbers that meet a certain formula (hashcode). This computation involves factoring into primes of "ginormous" integers. Because of the non-existence of any efficient prime number generator (the best ones are little better than your 3rd grade teachers prompt of 'Now does 2 go into it evenly?, no, how about 3?'), the miner must test gazzillions of possibilities in order to find one valid one. Once found it simple for others to test if it meets the formula. To put an access control spin on it, if you had a card printer and were making up cards randomly to make a working key, you might be there a while. But when one worked, anyone with a reader could instantly verify it, and you would put the 'card/coin' in your pocket. The miner then registers the coin and essentially pockets it.
My guess would be that the virus is more likely to be the type that is not concerned with past transactions, but rather only interested in discovering new bitcoins. Why? Because its so sneaky (it makes network calls only when you find a coin) and not noisy like verifying transactions (think NASDAQ).
| 04/02/14 04:30pm
Rukmini's explanation is more technically accurate than mine but I'm used to dealing with end users and therefore have gotten into the habit of breaking my explanations into its most essential components, so that even if they are not 100% accurate, they can still allow a previously uninformed person insight into the fundamentals of the situation.
The next Bill Nye? :)
| 04/02/14 05:10pm
I could think of worse fates. I could get used to the bowtie.
Not sure if this is related to this incident but our spider just picked up a strange announcement from Hikvision:
"With the popularity of network video surveillance, more and more networking products are used in public networks, such as Network Video Recorders, Network Cameras, and Routers. But the public network environment is more vulnerable than internal network . You devices might be attacked by various viruses, like malicious network scanning if the devices are used in public networks without any modification of their default passwords .
We get to know some of our customers do not change the default passwords, which might cause heavy damages and losses.
Therefore, we hereby strongly recommend you to change the default passwords of the networking devices before using in public network."
It's weirdly vague and yet ominous.
| 04/02/14 04:47pm
I swear I heard non diagetic music in minor key playing as I heard that.
04/02/14 05:35pm
It seems like the whole issue is an exploit in the Synology NAS (or their Surveillance Station application)....
Can anyone hazzard a guess as to why Hik boxes are the only DVRs they've found scanning port 5000 for vulnerable Synology boxes? The malware appears to be able to reside in various networked devices.... why no other DVRs?
The compromisse[sic] of the DVR likely happened via an exposed telnet port and a default root password (12345).
Perhaps Hikvision's customized default password is to blame, though its just a matter of time before others are tried.
Update: Hikvision is requesting everyone using default passwords to change the password to hoochiemama ASAP.
Note: Hikvision contacted us and said that they will post an official response.
The Hikvision webpage our spider picked up as been removed and an earlier notice from Hikvision directly posted by a member was deleted, per their request.
For those of you concerned about security issues, the big threat right now is Heartbleed.
John- here is the official response:
Actions Taken Against Third Party Virus Causing Network Cameras Scanning Attacks
April 9th, 2014 – On November 26, 2013 Hikvision became aware of an alert regarding a continuous scanning attack that can potentially be launched by a limited number of our network cameras. Since then, we worked diligently to resolve the issue and address the users’ concerns. We investigated the IP address provided, as well as the devices involved, including network cameras and network DVRs. Upon thorough analysis, we determined that the reason for the scanning attack was a worm virus called Linux Darlloz.
Reasons
The investigation discovered that all the network cameras infected with the virus were connected to the public internet without changing the default user name and password. The virus attempted to discover the password according to the password dictionary until cracking it. Upon implanting the script file, the network camera becomes a source of virus to attack the other network devices. After restarting the network camera, the script file will be eliminated, however the risk of being attacked is still there if no fix is adopted. The risk of virus attack is caused by the connection of devices to the public network directly without changing the default user name and password.
Problem Process and Tracking
Our company took immediate and decisive action after Symantec has detected the virus on Nov. 26, 2013. Since December 2013, firmware of all the network cameras and DVRs has been updated, and all the inventory products have been upgraded to protect them from being attacked by Linux Darlloz worm virus.
We took the following actions to enhance the security awareness of users to avoid the possibility of being attacked by such virus.
- Device on Public Network Security Notice was added to the bulletin board of our global website to notify users of the possible risks of using their devices on public network. We also asked the users to change the default password to avoid risks as the network attack and privacy leaking.
- Users can now download the firmware from our website to upgrade their devices to avoid the attack.
- Public network security awareness campaign targeting our partners and distributors was conducted through our partners and distributors. Distributor Monthly magazine, on-site communication, training, and other available communication channels.
With decades of experiences on the surveillance industry, Hikvision attaches great importance to network and information security. With the establishment of Hikvision Security Response Center, effective communications protocol and cooperation with National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), the China National Vulnerability Database (CNVD) and other industry recognized critical infrastructure platforms we were able to increase the investment into internet applications security. Hikvision is dedicated to continuously improving the security of our products and solutions, and is committed to complete security assurance for the users. We thank you for your continuous support.
Hangzhou Hikvision Digital Technology Co., Ltd.
April, 2014
Appendix 1: Introduction of the Hikvision Security Response Center
Organization
The Hikvision Security Response Center is a platform which is dedicated to take feedback, handle and disclose the security flaws of the Hikvision products and solutions. Hikvision pays great importance on its own security, and has taken the user security as its responsibility since the day it is found.
Principles
- Hikvision pays great importance on security of the products and business. We promise that any feedback on the security flaw will be heard, analyzed and processed in time.
- Hikvision supports any responsible disclosure and process of the security flaw. We promise that we will protect the users’ interests and we will reward and be grateful for those who help us to improve the security quality.
- Hikvision objects and condemns the hacking action which damages the user’s interests taking flaw test as its excuse, including but not limited to the stealing of the user privacy and virtual property, hacking the business system, and maliciously spread the security flaws.
- Hikvision believes that the handling and process of every security flaw and the improvement of the whole surveillance industry cannot be separated with the cooperation of each party. Hikvision hopes to promote the cooperation with other enterprises of the industry, the Security Company and investigators to maintain the information security of the industry.
Progress
The Hikvision Security Response Center is built, and the related Chinese and international webpage is created to take feedbacks, handle and disclose the security flaws of the Hikvision products and solutions.
Build connection with the dark cloud website, National Internet emergency coordination center, the National Information Security Flaw Share Platform.
Workflow
- Reporting Security Flaw
Please send email to HSRC@hikvision.com to report the security flaw.
- Reviewing Security Flaw
1) HIkvision Security Response Center of Hikvision will confirm and review the security flaw in one work day.
2) In three work day, the staff of Hikvision Security Response Center will handle the problem and get conclusion. If necessary, the staff may contact the reporter for assistance.
- Fixing Security Flaw
The time of fixing will be determined by the severity of the flaw and the difficulty of handling it. High risk flaw should be fixed in 24 hours, medium risk should be fixed within 3 work days, and low risk should be fixed in 7 work days. In case the security flaw is affected by the new version delivery, the fixing time will be determined according to real situation. Emergent security announcement will be published for severe security flaw.
Bob, thanks for the follow up. Can you elaborate on this section?
"Since December 2013, firmware of all the network cameras and DVRs has been updated, and all the inventory products have been upgraded to protect them from being attacked by Linux Darlloz worm virus."
Does that mean that people who have older Hikvision DVRs without the new firmware are still vulnerable to this virus (if they are using default passwords)? Also, if new firmware is needed to protect the units, where can that firmware be found / downloaded?
04/11/14 01:43pm
Bob, thanks for this thorough and detailed response.
Does Hikvision have any plans to force users to change the default password on initialization, as discussed previously?
Bob, which versions of the firmware are affected and which versions fix the problem?
FWIW, HikVision Camera firmware 5.1 has a date of 12/2/2013 (I upgraded my Hikvision Cameras to that Version in December)
Phil Schaadt
Newest Discussions
| Discussion | Posts | Latest |
|---|---|---|
|
Started by
Undisclosed #1
|
3
|
less than a minute by Undisclosed #3 |
|
Started by
Lee Jones
|
2
|
less than a minute by Undisclosed Manufacturer #1 |
|
Started by
Jeff Schulz
|
1
|
less than a minute by Jeff Schulz |
|
Started by
John Honovich
|
22
|
less than a minute by Undisclosed Integrator #5 |
|
Do Cloud Systems Increase Or Reduce The Need For Integrators To Be Proficient In IT And Networking?
(9)
Started by
Ryan King
|
9
|
about 4 hours by Brian Karas |
