Hikvision IP Camera Critical Vulnerability 2018 Disclosed

Published Aug 16, 2018, 15:18

The same day that the US government passed a prohibition on Hikvision cameras, Hikvision disclosed a critical vulnerability for its IP cameras.


However, while the US government is concerned about the PRC using Chinese government-owned Hikvision for cyberattacks, this vulnerability is clearly not related to the Chinese government.

On the other hand, it is a critical vulnerability and the potential for damage is high. Because Hikvision continues to recommend port forwarding, and because it OEMs on a mass scale, a vast number of products, both Hikvision branded and sold through OEMs such as Interlogix, LTS, Anixter/Northern, Panasonic/Advidia, etc., will be affected.

In this note, we review the vulnerability disclosure and the potential impact.

Vulnerability ********

*** ************* *** ********** ** ******* startup****, *** ** ******* * ******* to **** *** ******* *** ************ cybersecurity (*** **** **** *******).

********* -********* ******** ******** ****** ** **** vulnerability,****'* ******** **** ** *********'* *****************-****-**** ******. ** ********* ********* *** *************:

* ****** ******** ************* ** *** web ****** ** **** ********* ** cameras ****** ** ******** ** **** a ********* ******* ******* ** ******** devices. *** ** *** ************ ***** validation, * ********** ******* *** ******* memory *** **** **arbitrary **** ********* ** ***** *** *******. [Emphasis Added]

*** **** ****** ** **** ********** in ***** ** ******. ********** *** vulnerability ****** ******* ** ****** **** over *** ****** ** ***** *** camera.

*** **** **** ***** ** * critical *.* / **.*.
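The advisory text above describes the bug class (insufficient input validation in the camera web server leading to memory corruption and arbitrary code execution) but, as quoted here, not the affected function. The C snippet below is an added illustration of that class written for this note; it is not Hikvision's code, not VDOO's finding, and the request-line parser, the 64-byte buffer, the return codes and the sample request lines are all constructed assumptions. It shows the unchecked copy beside the bounds-checked version a code reviewer would expect, so a reader can see exactly where the missing validation sits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the request handler copies the path into.
 * Constructed for this illustration; not a value from the advisory. */
#define PATH_BUF_SIZE 64

/* Locate the request-target in "METHOD SP target SP HTTP-version".
 * Returns 0 and sets *start/*len on success, -1 if the line is malformed. */
static int find_target(const char *request_line, const char **start, size_t *len)
{
    const char *sp1 = strchr(request_line, ' ');
    if (sp1 == NULL)
        return -1;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL)
        return -1;
    *start = sp1 + 1;
    *len = (size_t)(sp2 - *start);
    return 0;
}

/* Vulnerable pattern: the copy length comes straight from the request and is
 * never compared with the destination size. A target longer than
 * PATH_BUF_SIZE - 1 bytes writes past 'out' and corrupts adjacent memory.
 * Kept here only to show the shape of the bug; call it with short input only. */
int copy_target_unchecked(const char *request_line, char out[PATH_BUF_SIZE])
{
    const char *start;
    size_t len;
    if (find_target(request_line, &start, &len) != 0)
        return -1;
    memcpy(out, start, len);  /* BUG: len is attacker-controlled and unbounded */
    out[len] = '\0';          /* BUG: terminator can also land out of bounds */
    return 0;
}

/* Hardened pattern: validate the attacker-controlled length against the
 * destination before any write, and fail closed by rejecting the request. */
int copy_target_checked(const char *request_line, char *out, size_t out_size)
{
    const char *start;
    size_t len;
    if (out_size == 0)
        return -1;
    if (find_target(request_line, &start, &len) != 0)
        return -1;
    if (len >= out_size) {   /* must leave room for the terminator */
        out[0] = '\0';       /* well-defined empty result on rejection */
        return -2;           /* caller should answer 414 and drop the request */
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Build "GET /AAA...A HTTP/1.1" with path_len 'A's after the slash.
 * Constructed test input, not a captured request; uses a static buffer. */
const char *make_long_request(size_t path_len)
{
    static char line[1024];
    const char *prefix = "GET /";
    const char *suffix = " HTTP/1.1";
    size_t p = strlen(prefix), s = strlen(suffix);
    size_t room = sizeof line - p - s - 1;
    if (path_len > room)
        path_len = room;
    memcpy(line, prefix, p);
    memset(line + p, 'A', path_len);
    memcpy(line + p + path_len, suffix, s + 1);  /* includes the NUL */
    return line;
}

int main(void)
{
    char buf[PATH_BUF_SIZE];
    const char *ok = "GET /index.html HTTP/1.1";   /* constructed sample */

    int rc = copy_target_checked(ok, buf, sizeof buf);
    printf("checked, normal:   rc=%d path=\"%s\"\n", rc, buf);
    rc = copy_target_checked(make_long_request(300), buf, sizeof buf);
    printf("checked, 300-byte: rc=%d (rejected, buffer left empty)\n", rc);
    /* copy_target_unchecked(make_long_request(300), buf) would smash the stack */
    return 0;
}
```

The point a practitioner should take from this is that the check belongs before the first write, and that the rejecting branch must leave the buffer in a defined state; a handler that copies first and validates afterwards is already exploitable by the time the check runs.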

Models ******** *** ***

**** ** ****** ****** *** ******** but **** *** ***, ********* ** Hikvision.

********** / ******** ****** (**** *********'* ******):

  • *********** ****** (**-*******, ********** ****** “***** Plus *.***”)
  • ***** **** (**-**********)
  • ***** ****** *********** ***** ****/****** (**-*******)
  • ***** *** ***** ****** **** (**-****/*/*/* and **-****/*/*/*)

*** ********** / *** ******** ****** include:

***** ***** ****** ****** (****** ***** Plus ***, **-********), *** ***** ****** models (**-*******), ******* (**-*******), ********** (**-*******), PanoVu (**-****/***/******), ******* (**-******)

****: ********* *** *** ****** * list ** *** ********** *******. ** have ******* **** **** ** **** clarify *** *****. ** *** **** is ********** ** **********, *** ** know ** *** ******** *** ** will ******.

No ********* ******* *** / ****** ** ****

********* ******* ** *** ** ******* this **** ** ******** ***** **** year.** **** *********:

********* ******* ** *** ********* ************* will ** ********* **** *** ** days *** *********, ******** ****** **** for ********.

**** ********* ***** ******* **** *** patching *** ***** *********'* ********* ******* and ******** ****, ****, ** *** most ******* **** *** ** ******** by ****. **** *** ********* ******* are ********, *** **** ******* ******* taking ********* ** *** ******* ********* and *** ** ******* **** **** not **** *******.

Positive *** ********* - ***** ************

********* ****** ** ********* *** ********** this *****. ********* ***** **** ****** until ****'* ** *** ****** *** over ** ***** *** ** ***. However, ********* ********* ** ************* ***** of ****'* ****** **********.

Comments (33)
Undisclosed Manufacturer #1
Aug 16, 2018

Did they do this for PR... trying to copy Genetec's disclosure??

John Honovich
Aug 16, 2018
IPVM

Well, the difference with Hikvision is that they had to because they knew VDOO was going to in a few months. With Genetec, since it was their own hired pen tester, they could have never disclosed it without much risk of an outsider doing so.

What would be impressive is if Hikvision disclosed what critical vulnerabilities Rapid7, Cisco and their other hired cybersecurity firms found.

(4)
bashis mcw
Aug 16, 2018

Whatever reason they did it for, it's good to see changes happening from silence/hiding to talking/disclosure.

Whatever I personally think of Hikvision, I say the same things as with Genetec: That's how it should be done! (HIK, but maybe a little more coordination with VDOO first) ;-)

Manufacturers, who's next? =]

 

(5)
Undisclosed #2
Aug 16, 2018

Can't say I am very surprised by this. Despite all their claims about making cybersecurity a priority, Hikvision simply has too much legacy of poor code in their devices. It is highly probable that there are dozens of similar exploits buried in their various firmware and software, just waiting to be discovered.

Anticipating how the talking-head Chuck Davis tries to spin this "myth" in the upcoming cyber security event.

Hikvision, here's your sign:

Related image

(9)
Undisclosed Integrator #5
Aug 17, 2018

 

(4)
Undisclosed #2
Aug 17, 2018

This graphic could be part of the IPVM homepage. Maybe Hik-specific, or maybe just an industry counter of days since last vuln.

(1)
Undisclosed Integrator #5
Aug 17, 2018

Just have a page with all known manufacturers and update as needed.

Sean Nelson
Aug 16, 2018
Nelly's Security

Excellent job to Hikvision for disclosing this early. This is how you handle things with transparency. We applaud you for handling things correctly and appropriately. 

Oh wait, we are talking about Hikvision and not Axis or Genetec or any other non-Chinese company. Let me change my rhetoric real quick...

Damn you Hikvision. This was just another tool to initiate all-out cyberwar on the USA so you can use your spyware to spy on us hard workin' Americans and make our internet explode with botnets. You can expect to see hack map v2.0 baby!!! The word "Hikvision" should be completely banned from the USA language for all I care!

accurate or nay for IPVM commenters?

(6)
(7)
(23)
(11)
Undisclosed Distributor #3
Aug 16, 2018

I give you 1 star for a sad attempt at trolling.

(6)
(2)
(3)
(9)
Undisclosed End User #4
Aug 17, 2018

If you "fear" that IPVM started a war against your favorite brand, let me advise 2 things:

1: Gather some arguments. Check the last 25 and 50 articles (you won't so I help you out one more time):

From 25: 6 are about Hikvision. Looks like much? OK, let me make it clearer:

From that 6: 1 vulnerability (worth mentioning), 1 product test (with a positive outcome), 3 reaction articles about the ban (obviously should be here), 1 article about dropping some show attendance (necessity is debatable)

From 50: 11 is about Hikvision (including the above)

From that 5: 1 market analysis, 1 analytics shoutout, 1 about a promoted / removed leader, 2 congress ban articles (obviously should be here)

To make it clearer, out of 50 articles only 5 were about the ban, which is an obvious reaction to what Congress did. Where should this be mentioned/covered if not on IPVM? LOL

2: scroll over those articles, or if you don't find any valuable information on this site, most probably you should suspend or close your membership till your favorite manufacturer is in trouble.

And finally just an advice, this is for free.

If there is an obviously important article about a vulnerability, do not troll under it because of your hurt feelings. It makes you look childish, and I definitely think you are a serious MAN. Let others think the same.

(4)
(2)
(2)
(4)
Sean Nelson
Aug 17, 2018
Nelly's Security

From 25: 6

From 50: 11

From that 5: 1

Confused. Are you quoting IPVM bible verses?

and I definitely think you are a serious MAN

Spoken from an undisclosed woman?

 

 

(1)
(7)
(6)
Undisclosed End User #4
Aug 17, 2018

I'm really disappointed now. And still funny that you are worrying about my gender instead of thinking about your missing arguments :)

Have a nice day.

(1)
(6)
Sean Nelson
Aug 17, 2018
Nelly's Security

Have a good one, ma'am!

(8)
(4)
Undisclosed #2
Aug 17, 2018

You really go to great lengths to maintain your ignorance, ma'am.

 

(1)
(3)
Sean Nelson
Aug 17, 2018
Nelly's Security

No real man speaks critically of another and runs and hides behind the cloak of undisclosed. Well, at least we know that IPVM is very gender diverse.

(1)
(6)
Undisclosed #2
Aug 17, 2018

List of things Sean doesn't understand:

1) Vulnerability severities

2) How/why Undisclosed is used on IPVM

3) Likely gender of most IPVM posters

 

(4)
Undisclosed End User #4
Aug 17, 2018

No real man cries like a baby, Sean, and runs to mama to tell her somebody hurt his favourite company.

On the other hand, yes, I'm a woman, and I usually undisclose my name because of children like you who always care about my gender instead of my knowledge in this industry.

So any more question about myself?

Ah, I still have only one. Where are your arguments? Or just still crying and trolling?

 

(1)
(2)
(2)
Sean Nelson
Aug 17, 2018
Nelly's Security

Wow, I have no idea how you knew I ran and cried to my mama, but hopefully I can become a real MAN in your books again by admitting it?

BTW, just my opinion, but I think you should post disclosed, especially since you are a woman, because you will appear way more respectful than most of the guys on here who post critical, sarcastic things about other people and hide behind the undisclosed cloak.

At any rate, you seem like you are getting emotionally distressed and this conversation is getting way off track. As far as my arguments, they are all over IPVM, but feel free to ask me any specific questions and I will be happy to answer them. 

 

(1)
(6)
Undisclosed Integrator #6
Aug 17, 2018

I still find it funny, you didn't address the original comment. Nice troll diversion though!

Sean Nelson
Aug 17, 2018
Nelly's Security

I addressed the one in which "MAN" was capitalized.

Which one specifically are you referring to though? There have been so many. I'll be happy to give a thorough non-troll explanation.

(1)
Bas Poiesz
Aug 17, 2018

IPVM would be a much better read without the undisclosed button.

If you have something to say, say it. Want to share info that can't be shared? Send it to the team. That way they have a chance to check the credibility and share the info if it's valuable.

Posting anonymously has zero added value to me, it enables a group that shouldn't be enabled.

As for Undisclosed End User #4, you just decided IPVM and its members are biased to any female responding. That's not a call for you to make on my behalf.

(2)
(1)
Ethan Ace
Aug 17, 2018

Going to say this again, as I have said in multiple past threads: we are not going to rehash debates about the value of undisclosed posting. Further discussion on that topic is going to get deleted. Undisclosed posting is not going anywhere on IPVM.

If anyone wants to actually discuss this latest Hikvision vulnerability, VDOO, or Hikvision's response, feel free. This is descending into useless back and forth.

(6)
Michael Gonzalez
Aug 21, 2018
Confidential

(1)
(2)
Frank Nelles
Aug 22, 2018

John, certification by a subscription service of a testing facility such as VDOO would be a means for North American and other countries' security-related equipment manufacturers to be tested for cybersecurity vulnerabilities, as well as other defined parameters, so as to at least be operating on that level playing field. I have recently heard of GDPR, the General Data Protection Regulation (EU) 2016/679, which is a regulation in EU law on data protection and privacy for all individuals in the European Union. TUV Rheinland is a test member.

John, would you consider IPVM checking out GDPR and commenting on how that certification might be of value in NA.

Thank you for the great contribution IPVM is making for this industry.

Frank Nelles

Communications Components

Undisclosed Integrator #7
Aug 22, 2018

So Vdoo found a bug, Hikvision responded and issued a fix within the timescale.

Has there been any in the wild reports of hacks using this bug?

(1)
Undisclosed Manufacturer #8
Aug 22, 2018

The issue is twofold. First, Hik is the biggest or near the biggest camera manufacturer. Similarly, a defect found in the largest car manufacturer would be headline news.

Second is the timing.  Hik is constantly talking about their cyber security efforts.  Yes, I know and agree that a vulnerability can affect anyone, however if a company has lots of effort to secure their products they should have few and far between vulnerabilities discovered.  If the vuln was due to 3rd party modules, that is understood as these items need to be updated, etc.  But here it was their own code.  If a company has 6000 engineers, why are they missing these left and right?  I do applaud them for publicly putting out a factual statement and updating firmware quickly, which is a step forward for them.

Also, (I know that this has been repeated before), but Hik does have government funding.  You would expect more from a company that has deep pockets.  You expect them to look good.  

 

Finally, there is the score. This vuln received a score of 8.9. Again, why is a company that is so focused on cyber security having time and time again high-scoring vulnerabilities? (And yes, I know that other large companies that are talking about cyber have had similar, such as Axis, Dahua, etc. I fault them as well).

(1)
John Honovich
Aug 22, 2018
IPVM

If a company has 6000 engineers, why are they missing these left and right? 

Point of fact: Hikvision claims 10,000+:

(1)
(2)
Undisclosed Manufacturer #9
Aug 22, 2018

I can't imagine 50% of your workforce in R&D is sustainable in the technology sector.

(2)
John Honovich
Aug 22, 2018
IPVM

Hikvision does not define what they count as "R&D" so it is hard to know if they are classifying it in the same way that Western technology companies do.

(2)
Undisclosed End User #4
Aug 23, 2018

Hundred percent agree. I had a project where they couldn't repair obvious bugs in their CMS SW, for months. If they did something, it caused new bugs.

I can't really imagine this could happen if you have thousands of R&D colleagues... Or from another viewpoint, if you have such an amount of engineers, how do they have such an amount of vulnerability issues?

Undisclosed Manufacturer #8
Aug 23, 2018

I also think that a lot has to do with reusing old code. You would think at some point, due to vulnerabilities, having to patch clunky code, or simply to get away from plug-ins, they would start over and make a new camera with a new UI and a new back end.

Oh well. 

I know it is a lot of development and support to do that, but that is why a company hires a large staff of programmers and engineers... 

(1)
John Honovich
Aug 22, 2018
IPVM

Has there been any in the wild reports of hacks using this bug?

I made this point in the Sony thread here and I'll reiterate. Serious hackers are not in the business of publicly touting their hacks, so it is not a reasonable way to judge a vulnerability.

The bigger real risk is when VDOO announces it in 90 days. Hikvision is a well known big target with lots of port-forwarded, publicly accessible devices, which means the likelihood is very high that many devices will get hacked later this year.

John Honovich
Oct 09, 2018
IPVM

Update: Hikvision UK sent a reminder newsletter about updating firmware as VDOO is scheduled to release full details soon:

(2)