Hikvision Backdoor ExploitBy: IPVM Team, Published on Sep 03, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras.
As the researcher, Monte Crypto, who disclosed the details confirmed, this is:
a backdoor that allows unauthenticated impersonation of any configured user account... the vulnerability is trivial to exploit
Key points from IPVM's analysis and testing of the exploit:
- The details prove how simple and fundamental the backdoor is.
- The exploit is already being repurposed as a 'tool', distributed online.
- A clear majority of Hikvision IP cameras remain vulnerable.
- Hikvision's heretofore disclosure significantly misled its dealer to the severity of the backdoor.
- Hikvision, again, has been silent, failing to inform and warn its dealers of this new disclosure.
Plus, IPVM has set up a vulnerable Hikvision IP camera so members can test and better understand the exploit.
We produced the following video, showing just how simple it is to utilize this exploit to retrieve an image snapshot and system information from a camera. We also show using password reset tool to take over a camera:
Inside this post, we examine how the exploit works, how it is being used, how what percentage of devices are vulnerable, and Hikvision's failure to respond to the exploit's release.
Magic String Backdoor
Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was. All that needed was appending this string to Hikvision camera commands:
As the researcher explained in his disclosure:
Retrieve a list of all users and their roles: http://camera.ip/Security/users?auth=YWRtaW46MTEK Obtain a camera snapshot without authentication: http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or render hundreds of thousands of connected devices permanently unusable with just one simple http call. And worst of all, one can download camera configuration: http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK
Any accessible Hikvision camera with affected firmware is vulnerable to complete takeover or bricking. Hikvision released a firmware fix in March 2017 though IPVM stats show 60%+ of Hikvision cameras are still vulnerable (detailed below).
DHS Worst Ranking - 10.0
DHS' ranking of this vulnerability as a 10/10 is even more understandable now that the simplicity of compromising these devices has been proven. This vulnerability is significantly more critical than other recent cyber security announcements in the security industry (e.g.: Dahua Suffers Second Major Vulnerability, ONVIF / gSOAP Vulnerability, Axis Camera Vulnerabilities From Google Researcher Analyzed), due to the ease of exploit, the number of impacted devices, and the fact that many impacted devices (e.g., 'grey market') cannot be upgradeable to patched firmware.
Hack Our Hikvision Camera
IPVM has put a vulnerable Hikvision camera online for members to experiment with. Access details are:
http://hikvisionbackdoor.dyndns.org [NOTE: will show login page with strong admin password]
However, using the backdoor string, that will not matter as you can simply bypass authentication, for example:
Get an unauthorized snapshot from the camera:
Get unauthorized device info: http://hikvisionbackdoor.dyndns.org/System/deviceInfo?auth=YWRtaW46MTEK [link no longer available] [Note: the header will say "This XML file does not appear to have any style information”, look at the device info details below that]
Planted, Accident or Incompetence?
The researcher, Monte Crypto, who has called this a backdoor consistently, says Hikvision told him that:
it was a piece of debug code inadvertently left by one of developers
However, he counters that:
It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years.
Vote / Poll
Password Reset Tool Built On This
A tool to reset user passwords (including the admin user) was released within days of the exploit announcement. Hikvision Password Reset Helper allows a user to enter an IP address for a camera, retrieve of a list of users, and selectively reset the password for any user. Examining the source code of this tool shows the "auth=YWRtaW46MTEK" string being utilized to change user passwords.
Tool Major Security Risk
This password tool can just as easily maliciously change and takeover other's cameras. Ironically, this is literally the next generation of the tool, following the previous version using Hikvision's cracked security codes.
300,000+ Estimated Hikvision Devices Publicly Vulnerable
IPVM estimates 300,000+ devices are publicly vulnerable, based on Shodan scan results and our validation testing of the vulnerabilities presence.
A Shodan scan for Hikvision cameras shows over half a million units online:
~62% of a sample of thousands of those devices tested by IPVM showed they were vulnerable. Using an example URL from the Full Disclosure announcement, image snapshots could be downloaded from affected cameras, several of which showed cameras overlooking sensitive areas, POS terminals, and other locations that could put people at risk of various data disclosure:
One camera had its name changed to "PUTIN" with the text "hacked by Russian hackers" also displayed on the image:
This backdoor was also found in OEM cameras, we tested the following cameras and found them vulnerable:
- LTS CMIP7422N-28M on firmware V5.4.0build 160921
Found Wbox camera - 0E-21BF40 -Worked on Firmware V5.3.0build 160329
Other Hikvision OEM cameras are likely vulnerable as well, potentially increasing the number of vulnerable cameras online significantly.
Hikvision Misleading Statement
Hikvision's only public communication on this, back in March 2017, significantly misled their dealers:
First, Hikvision called this a "privelege-escalating vulnerability", implying an attacker would need some minimal authorized access to the device before they could "escalate" their privileges to a higher role. This is false, as the exploit allows instant direct access to any affected camera.
Second, Hikvision claimed it was only applicable to "fairly uncommon circumstances", Shodan scans, and common sense, show that this affects vast numbers of devices, the only requirement being that the attacker has network access to the device.
Third, Hikvision claimed the exploit "may allow" attackers to "acquire or tamper with device information". Our tests, and other reports online, show this is 100% successful on affected devices and allows not just acquisition or "tampering" with device information, it allows full control of the device, user accounts, and other configuration data that can expose sensitive information, such as email addresses, and ftp server info.
During Hikvision's only communication to date, Hikvision declared:
To date [Mar 2017], Hikvision is not aware of any reports of malicious activity associated with this vulnerability.
Hikvision No Response
Since the September 12th exploit detail release, Hikvision has made no notice publicly nor to dealers about this, despite that the release included direct examples showing how to use the exploit simply, putting customers at significant risk. This continues a pattern of Hikvision failing to proactively and responsibility notify their customers of new material risks to their products.