Child Pornography On Sale From Hacked Hikvision Cameras Using Current Hik-Connect App

Published Jul 10, 2023 12:52 PM

Child pornography is being sold online from hacked Hikvision cameras, with criminal sellers using Hikvision's current Hik-Connect app to distribute the pornography.

UPDATE: Telegram has terminated the channels marketing this content originally flagged by IPVM.

Our investigation found widespread sales offers for nude videos, including "cp" (child porn), "kids room", "family room", "bedroom of a young girl", "gynecological office", and many others.

Grave Concerns

This is the first case we have found of video surveillance cameras being exploited systematically in a criminal pornographic commercial enterprise, raising grave concerns about what to do about the vast number of vulnerable Hikvision and other cameras on the Internet.

The use of Hikvision's current Hik-Connect app to distribute this content raises even graver concern because this app is cloud-controlled by Hikvision itself. Background: IPVM's Hik-Connect 5 Cloud Services And App Tested.

The two closest examples we know of are the 2021 ADT technician who abused access to customers' home surveillance systems for "sexual gratification", and a British man arrested in 2021 for selling photos of naked children from ~70 unspecified hacked IP cameras. Hacked Hikvision credentials were found for sale on Russian dark web forums in a 2022 cybersecurity firm report, although pornography was not mentioned.

Hikvision Response

Hikvision told IPVM that "Hikvision knows nothing about these potential crimes" until we contacted them and that "if any part of IPVM’s reporting is true, Hikvision will enthusiastically assist law enforcement to bring those child predators to justice".

Hikvision's Corporate Vice President of Public Affairs Jeffrey He told Hikvision partners that this was a "profoundly disturbing story", emphasizing that it was "our sincerest hope that IPVM.com has fallen for a phony solicitation and that none of its allegations are true" while admitting that "Hikvision has not attempted, nor will it attempt to verify the limited information IPVM.com provided to us."

Hikvision declined to comment on the sufficiency of its efforts to fix the vast number of still vulnerable devices. Hikvision has published various fixes but, as this shows, has not done enough to publicize them or to contact impacted users to stop these types of attacks.

FBI Contacted

IPVM promptly contacted the US FBI once we recognized this involved child pornography (this report comes out of an investigation we did for Hacker Targeting 500,000 Hikvision Cameras). IPVM also connected Hikvision's Chuck Davis and Jeffrey He with the FBI, sharing more information to help the Bureau.

Hikvision told partners that it "immediately contacted several law enforcement agencies, including but not limited to the U.S. Department of Justice’s Child Exploitation and Obscenity Section; the Federal Bureau of Investigation; and the National Center for Missing and Exploited Children".

Telegram Usage

This content is being sold and shared, openly, on at least seven public Telegram channels. Telegram told IPVM its moderators are now investigating these channels and says it has "actively moderated harmful content" including "child abuse" since its creation.

Telegram has been criticized for lax content moderation, Vox reported. The US government found "a cross-country network of people sexually exploiting children" on Telegram, resulting in "at least 17 people" being charged, the Chicago Sun-Times reported in February 2023 (Telegram itself was not charged and this was not related to video surveillance).

Telegram, based in Dubai, UAE, is known for its pro-privacy proclamations, stating on its website that "we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression".

Offers Via Telegram Channels Examined

The main method we saw sellers offer for sharing these hacked cameras is a QR code created with Hik-Connect's Generate QR Code With Device Information. Hik-Connect enables adding device sharing and streaming without issue, per IPVM's 2023 Hik-Connect Test. The current Hik-Connect app does connect to cameras running older firmware, like the ones being exploited in these instances.

Seven Telegram channels, with hundreds to over 7,000 subscribers each, post snapshots from hundreds of hacked Hikvision cameras to entice people to buy them. (The public channels also post links to various private channels, but IPVM could not verify their contents.)

Numerous offers are made in these channels for viewing both children and adults nude, with one channel offering hacked 'cams' for $3 to $6 USD each (with each 'cam' including multiple channels), including:

  • "family home, sometimes a young daughter comes, archive 70 days, [motion] detection"
  • "family, bedroom of a young girl, [sexual act described - redacted by IPVM] every day, archive 18 days"
  • "big house, young family, beautiful mom, wardrobe, archive from November 9"
  • "big family, cameras around the house, rooms of parents, brothers and sisters, detection, archive 4 days"
  • "room of two sisters, archive of 20 days, detection"
  • "2 cameras in an Asian girl's room, sound, detection, archive 2 days"
  • "women's section, gynecological office, archive 23 days"
  • "wardrobe in a big house, archive 10 months, [motion] detection"
  • "single nursing mother, [motion] detection, archive 1 month"
  • "cosmetic procedures, sometimes depilation [waxing] and massage, archive 28 days"
  • "beauty salon, various procedures, archive 1 month"
  • "men's locker room in the gym, [motion] detection, archive 2 weeks"
  • "women's locker room in the fitness center, sound, archive 17 days"
  • "VIP booths in a strip club (8 pieces), some have motion sensor, archive for 5 months" [emphasis added]

While we normally provide citations and examples for readers to verify themselves, given the criminal issues involving children, we are not sharing the names of the channels involved nor any video surveillance images from the cameras being sold.

The sales solicitations, which include offers from the last 2+ years, offer "CP" (i.e., child pornography) videos; for example, one channel offers 1,000 "cp" videos for 30 USD.

Another example from a different Telegram channel earlier this year offers hacked video feeds from "home" and "kids room".

Another example from this year touts a "home" with "boys room" and "girls room".

These Telegram channels have been doing this for a substantial amount of time (1 to 2 years); for example, one of the larger channels was created in June 2021.

Geographic Location of Hacked Cameras

The hacked video feeds are from many different countries, reflecting the fact that Hikvision cameras are used around the world.

Several countries are mentioned/depicted, such as Russia, Israel, Ukraine, and Vietnam, in the Telegram channels sharing this content. However, most offers do not specify where the camera is located. The Telegram channels use multiple languages including English, Spanish, Russian, Arabic, French, and Vietnamese.

IPVM contacted the US FBI because we are a US corporation. We expect the US FBI would liaise with peer agencies in other countries.

Hikvision Hik-Connect App For Distribution

These criminal sellers offer help and support with Hik-Connect, Hikvision's cloud/mobile app, which they use to distribute these videos. For example, in one Telegram channel, admins offer to "resolve concerns, support or advice with the Hik-Connect app" ("resolver dudas, ayuda o a sesoria con app Hik connect").

Another example in a different channel shows admins referencing Hik-Connect with a QR code.

The same channel also shared links for downloading Hik-Connect.

Admins in another Telegram channel also shared links for downloading Hik-Connect's app.

Sharing Videos Via Hik-Connect

Telegram groups selling child pornography repeatedly mention Hik-Connect. However, we found no evidence of a direct Hik-Connect vulnerability being used to access cameras.

Rather, our current best assessment is that hackers are adding hacked cameras to the Hik-Connect app, which will access the camera directly, and then using Hik-Connect's Generate QR Code With Device Information to share/sell these on various Telegram groups.

For example, we found one camera being shared via the Hik-Connect app using DDNS that pointed to a camera in Asia that Shodan lists as being a Hikvision camera.

Our theory is that the seller got admin access to the camera and then added a non-admin user that is just allowed to view video, using DDNS in an attempt to hide their IP address. This would allow the seller to retain admin access but share that access with a QR code. Because the Hik-Connect app does not use the cloud for generating the QR code, this makes it more difficult to effectively track QR code sharing. The Hik-Connect app itself is cloud controlled.

Hik-Connect Does Not Force Cloud Firmware Updates

While many cloud video surveillance providers force firmware updates on devices, Hikvision generally does not. For example, competitors such as Avigilon Alta, Meraki, Verkada, etc. automatically upgrade devices, which promptly patches vulnerabilities once they are fixed. By contrast, Hikvision's Hik-Connect allows for doing so but does not do it automatically, allowing Hikvision devices to connect via its cloud while being significantly out of date (and vulnerable).

The downside of automatic firmware updates is that they can break integrations with third-party apps, which are far more often used with Hikvision cameras than with end-to-end cloud providers such as Verkada.

Vulnerabilities Being Exploited?

Since there have been various Hikvision vulnerabilities over the years, it is difficult for us to verify which specific ones are being exploited in these instances.

Telegram messages examined by IPVM show a hacker claiming they work with an "exploitation" that can "extract the password not guessing". However, the same hacker also boasted in other messages of owning a 'dictionary' with 1,500 common Hikvision passwords (though dictionaries of common passwords are widespread, Hikvision or otherwise).

Based on available evidence, we do not believe these criminals are hacking or exploiting a vulnerability in Hik-Connect (related: Hik-Connect 5 App / Cloud Cybersecurity Tested). Rather, the QR code sharing indicates they are using standard Hik-Connect functionality, though with Hikvision cameras that have been hacked by other means.

The simplest way to accomplish this is exploiting "weak passwords and wide open ports", in the words of Faxociety, the hacker behind the recent ~500,000 Hikvision camera hack, though it is possible that the 2017 backdoor or 2021 critical vulnerability are also being used.

CP Is "Main Issue" Behind Warning

IPVM discovered this issue when we contacted an individual, Faxociety, who has gained attention for hacking ~500,000 exposed Hikvision cameras, warning users "your CCTV is vulnerable".

Faxociety responded to IPVM that their main motivation for this hack was to stop the sale of child pornography (i.e., CP):

CP is the main issue that motivated me to do this to CCTVs

I saw people on some forums who watch and share / sell this content or access to others and also there are many sellers of this kind of content in Telegram.

big QR codes business, one of them offered me $1000 per month to stop me doing what I'm doing. [emphasis added]

Faxociety claims some 50 sellers were "crying" to them "that I'm ruining their businesses", with one threatening "Be cautious, we've already had eyes on you. Your address, your family", per one text message.

Hikvision has not contacted Faxociety, per Faxociety.

Hikvision Response

On July 7th, Hikvision responded to IPVM's July 4th request for comment with the following verbatim response:

It is appalling and irresponsible that any organization would choose to advance its own objectives above protecting children. Hikvision knows nothing about these potential crimes. IPVM’s email was the first time the company has ever heard of anything like this. IPVM’s selfish decision to seek comment from us prior to alerting authorities is highly questionable and, in this instance, disgraceful. But if any part of IPVM’s reporting is true, Hikvision will enthusiastically assist law enforcement to bring those child predators to justice. We just hope IPVM’s lack of action has not given criminals a head start in evading justice. Trying to associate Hikvision with child pornography is just IPVM’s latest –but most desperate – tactic to try to damage our business.

IPVM responded to Hikvision that we promptly alerted the FBI shortly before we emailed Hikvision on July 4th, and the FBI promptly took action. IPVM's July 4th email to Hikvision said we "will be reporting... the FBI before publication" but did not make clear that we had already done so the day before. A screenshot of our initial June 3rd email to the FBI is copied below:

[Screenshot: IPVM's initial email to the FBI]

The FBI responded to IPVM within an hour, and we have and will continue to provide information as we find or authorities ask.

Additionally, Hikvision published a letter to partners, on July 7th, attributed to Hikvision's Corporate Vice President of Public Affairs Jeffrey He, in which they lead with criticisms of IPVM, including:

the numerous stubbornly biased and malicious inquiries from IPVM.com did not deserve responses. Today, we believe we have no choice but to make an exception.

IPVM.com is planning to publish a profoundly disturbing story to try to advance its own objectives at the expense of protecting vulnerable children

As we noted at the beginning of this report, Hikvision's letter said it contacted various US authorities, but it did not address concerns about Hikvision's cybersecurity and still vulnerable devices.

IPVM Response To Hikvision

IPVM's founder John Honovich responded to Hikvision, saying:

The lack of action has clearly been from Hikvision's side. These are Hikvision vulnerabilities from which Hikvision has greatly profited. Plus, Hikvision has 1,000 times more employees than IPVM and could have easily been aware of this if Hikvision tried.

We encourage Hikvision to try harder to rectify and resolve the vast number of Hikvision users impacted by Hikvision's actions (or lack thereof).

Hikvision's long-standing position is that they have issued fixes for its various significant vulnerabilities over the past decade (including default passwords, auto enabling UPnP, the 2017 backdoor, the 2021 critical vulnerability, etc.) and that it is up to the customer to update their firmware regularly.

The fact that so many Hikvision cameras continue to be hacked and even used for child pornography shows that Hikvision has not done anywhere close enough to sufficiently resolve the problems they created as they released cyber-defective products for years.

Plus, the use of Hikvision's current Hik-Connect app to distribute this exploitation raises even more severe concerns about what Hikvision will do to stop this.
