80+ OEMs Verified Vulnerable To Hikvision Backdoor

Published Sep 22, 2017 12:09 PM

**** ** ********* *** ********, ********* ADI, **********, ***, *** ******** *****, have **** ******** ** ****** ****************** ** *** ********* ********, ******** *** *********** **** *** public ********.

**** *** ***** ** ****** **** using ****** **** *** *** ********* of *** ********. *** **** ******* found ~**% ** *** ********** ******* were **** ****, **** *** ******* 60% ***** ********* ***'* ******* ********. In *****, ** ******** ** ***** 250,000 ******* ********** ** *** ****** Internet.

**** ************* ** ************ ****** ******* it ** ****** ** ******* *** allows ********* ** **** **** *** camera ** ******** *** ***** ********, view ******, ******* *** ******, ***** it, ***.

IPVM Image

****

*** ***** ***** ***** *** **** non-technical ***** *** ********* **** ****/***** the ******** ****** ** ** *** end ** * *** ** ********** Hikvision *** *** ******* *******:

Top ****** ********

*** ********* ******, ****** **** ******* to ******, **** *** *** ** most ****, ****** ** ~**% ** the ***** *** ***** **********:

All ** ****** ********

*** ********* *** ******, ********** ** associating ***** ******* ******** ** *** query ** ******** *********, **** ********** in * ****** **** ** ****** devices **** ******* *****:

  • *******
  • ****
  • *******
  • *********
  • *******
  • *****
  • *****
  • ******
  • ******** ***** *********
  • *****
  • *********
  • *****
  • **** **********
  • ****
  • ****** ********
  • ** ********
  • ***** ********
  • ***
  • ********
  • *******
  • *********
  • ******* ********
  • **********
  • *****
  • ***
  • ******
  • ***********
  • **** *****
  • ***** ****
  • *****
  • *******
  • *****
  • *******
  • *********
  • ** ******
  • **** ****
  • *******
  • *****
  • **********
  • *****
  • ******
  • ******
  • **&*
  • ******
  • ***** (***** ******** **** ******* *********)
  • ***
  • ***
  • *****
  • ******
  • ****
  • *****’* ********
  • *********
  • *******
  • ***** **********
  • *******
  • ***
  • ******
  • **** *******
  • ****** **
  • *******
  • ********* ***
  • *** ******
  • **********
  • ***
  • ******
  • *********
  • ********
  • ****** *********
  • ********
  • ***** **********
  • *****
  • ******
  • ********
  • ****
  • *******
  • *******
  • ******
  • ***** *******
  • ************
  • *-***
  • ******* ***** **********
  • *****
  • *******
  • ***

OEMs ***** ********* ******** *****

******* ** *** ***** **** **** OEMs ******** ******** ********* ** ******** differences ** ********** ** ******* ************** strings, *** *** **** ********, *** weaknesses ****** **, *** ****** ****** all ******.

**** ****, **** ** **********, **** claimed **** **** *** ********** ***** security ******** ** *****, *** ***** this *** ** **** ** **** cases, ** **** *** **** **** they **** ********** *** *************** ******** in *********'* ******** ********.

OEM ********* ********* ****

**********, ********* ***** ********* *** ****** have * ******* **** **** ********* using *********-******* *********. **** ** ********* due ** *** ********* *******:

  • *********'* **** ************** ****** ***************, ********* "special *********" **** ***** ********* *** made ****** ** **** ** ********* (********* ***** **** *** ******** ****** Hit **** *** *****)
  • **** *** ********* ****** ** **** software *******/******* ** ***** ***, *** must **** *** ********* ** ******* updated ******** ** ****.
  • *** ***-***** **** ****** *** ***** their ******** *** ******** **** ** Hikvision, **** **** ** *** **** of *************** *** "***-***", **** ****** "ABC-Cam" ** ****** **** * ********* unit **** * ****** ***** ******.

Updated ******** ***** *** *********

**** ** *** ******** **** **** still *** ******** ******* ********. *** example, *********** **-************* ******** ** ~**% ** *** results *** ********, **** ******* ****** reporting *** **.*.* ***** **** ***** as *** ****** ********* ******** ** TrendNet's *******, ******** ** ****** ****, months ***** ********* ******** ***** *** fixed ********. **** ********* **** *** latest ******** **** **** *** *** Hikvision's *** ******** *************, ******* **** and ***** ********* ********** *** * longer ****** ** ****.

Firmware ******** ********

** ********* ***** ***** *** *** affected *****, *** ******** ****** ******** versions **** * **** ***. ***** some ** ***** ***** *** ************, and *** *** **** ******* *********, many **** ********* ******* ****** *** not ********.

Methodology ****

****'* ******* *********** ********* **:

  • ****** ** **,*** ******* **** ******* ***** *** ********* *******
  • ***** **** ****** *** ****** **** using ******** ******* (*.*.: ****** **** from *** ********* **** **** ****** [link ** ****** *********]) ** ****** vulnerability
  • *** ***** ******* ******** ** ******** marketing ****** (*.*.: **-* = *********, TV-IP* = ********, **-* = *-***, etc.)
  • ******* **** ** ****** ******
  • ******* ****** ** *********** ** **** brand ** ***** ******* ** ********* most ******

What ** ** ** **** ***** ** ** *** ****

[******] - **** ******* *** ****** after ******* ***********, ***** ** * comment **** "*********** **********#*" ** ******* that *** ******** ********* ******* ****** be **** ***********, *** ********** **** to ** ******* ***** ******** ** a *******.

** ********* *** ******* **** ******** to ********* ** **** **** ** in **** * ********* *** (** many ** ***** ****** ****** ******* over ****, ** ****** **** ******** OEMs). ** *** ** **** * Hikvision *******, *** **** ******** ******** would ** ** ******* ** **** a **** ****** *******. ******* ****, restricting ******* ****** ** *** ******, and ******* ****** ** ** * dedicated **** **** ** ***** *****, non-security ****, *** ****** **** ****** the ******* ** **********.

**** *** ** ******** ** ******** actual *************, ** **** ***** *** to ******* ** **** **** *********** even **** ***** *** *********. *** can **** **** **** ****** ** see ** ** ** ********** ** pasting *** ****** "****://*************:****/*****-****/********?****=************" **** * browser, ********* "*************" **** *** ******'* LAN ** ** *** *** ******* internally, ** **** *** *** ** or ******** ** ******* **********.

Comments (30)
UM
Undisclosed Manufacturer #1
Sep 22, 2017

Great Work, thanks Brian for your research!

(10)
UI
Undisclosed Integrator #2
Sep 22, 2017

This is great.  I'd love to see this list for Dahua as well.  

(5)
(2)
JH
John Honovich
Sep 22, 2017
IPVM

How ironic is it that TrendNet is the most widely vulnerable Hikvision OEM in this study?

Recall - FTC Approves Final Order Settling Charges Against TRENDnet, Inc., money quote:

In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.

(4)
(2)
U
Undisclosed #3
Sep 22, 2017
IPVMU Certified

But without this bug, how can we be sure the unit is really a Hik? ;)

UM
Undisclosed Manufacturer #1
Sep 22, 2017

In this case you have to wait for the next exploit to be published to be 100% sure  :-)

(1)
UE
Undisclosed End User #6
Sep 22, 2017

Simple task!

Most of the cases you could use the three first octets in the MAC address to determine the origin, most OEM's don't change this, so it's still Hikvisions.

You can find plenty of MAC / OUI sites if you asking Ms. Google nicely.

One randomly selected here: https://aruljohn.com/mac.pl

 [EDIT]

https://aruljohn.com/mac/vendor/Hikvision

And compare with the three first octets in your device MAC address.

 

 

(2)
Avatar
Brian Karas
Sep 22, 2017
IPVM

In all seriousness, you can try the same URLs, and should get a login popup instead of the camera just giving up its details for free.  If you try the URL and get a 404, it is most likely not a Hikvision camera.

 

UI
Undisclosed Integrator #4
Sep 22, 2017

Additionally, and especially if you cannot get a definitive response from your supplier, we recommend ensuring that none of those IP cameras are publicly accessible and that those IP cameras are on their own dedicated VLAN that no other local, non-security user, can access.

Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line and agreed with by IPVM, regarding the CEO of Genetec and his personal opinions. Does IPVM agree with what was published yesterday or today? I consider this a 'waffle', being a casual reader, that this story line is repeated over and over when ever Hikvision can be injected into a headline. Why not rename your site 'hikvision news by IPVM' as this is at the least 50% of your material? You might get more subscribers as hikvision is liked by so many more dealers than dis-liked.

Most industry followers know that hikvision makes the  cameras for 100+ OEMs and it does not take a rocket scientist to figure if one firmware has an issue others could quite possibly follow suite that are manufactured by the same company, this in itself is not 'news'.

 

(1)
(8)
(6)
Avatar
Brian Karas
Sep 22, 2017
IPVM

The best recommendation if you have any concerns for network security would be to simply remove these Hikvsion/OEM cameras, destroy them, and purchase something more secure. That is the only way you can be sure you are not exposed to Hikvision's security flaws, by removing them from your network entirely.

Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line 

I think you need to re-read that post and take a minute to think it through more thoroughly. Also, the 'opinions' of Genetec's CEO in regards to insider threat risk are widely held by many information security professionals.

VLANs can help reduce threats posed by placing untrustworthy devices, like Hikvision cameras, on a network, but they do not eliminate it, and should not be considered sufficient protection, nor should firewalls.

Thank you for asking for this clarification, I have updated the conclusion to directly address the fact that these units should really be removed from service entirely for best security.

(2)
UI
Undisclosed Integrator #4
Sep 22, 2017

So all IP Cameras are good to go with the exception of Hikvison per your recommendation? I must ask, have you fallen or bumped your head lately? 

(5)
(1)
Avatar
Brian Karas
Sep 22, 2017
IPVM

You are clearly highly biased towards Hikvision and refuse to evaluate Hikvision's multiple ongoing security vulnerabilities accurately. I did not say "all IP cameras are good to go", however there are a number of choices that offer significantly better track records than Hikvision, and if you are concerned about overall security then you would use these alternatives.

If you want to make a valid, reasoned argument, or put up some statistics (similar to how I did here) regarding Hikvision vs. other manufacturers, you are welcome to do so. But if you are going to entirely miss the point of these reports there is little reason to respond to your poor attempts to spin what is clearly laid out here.

(10)
(2)
U
Undisclosed
Sep 24, 2017

If you isolate weak devices on a segmented network you simply remove the "oops my gear was caught on shodan" effect.  you do not remove the vulnerability.  Anything else on that network can still attack the device.  (And it's your SECURITY NETWORK - "who would think to look there?")

Isolating weak devices does mitigate this but you're still carrying around the risk.  Do you really want to explain to your CEO that you're one of the "risk creators" they have to worry about accepting the risk for?

(3)
U
Undisclosed #5
Sep 22, 2017

I’m just here to see what Marty thinks about all this.

(8)
U
Undisclosed #3
Sep 22, 2017
IPVMU Certified

I’m just here to see what Marty thinks about all this.

I prefer responding to Marty when he posts undisclosed.  

That way its not personal.

(2)
(5)
UI
Undisclosed Integrator #9
Sep 23, 2017

Marty helped me real my addiction to the Avigilon stock blog for entertainment so I am indebted to him.   

(2)
U
Undisclosed #5
Sep 23, 2017

Marty lost a little street cred when he appeared in that Hikvision marketing video and revealed what all of us had been assuming up until this point, but really, Marty taught me that if I put my mind to it, I can accomplish anything.

I guess what I’m saying is, Marty Calhoun is my George McFly.

 

 

 

MC
Marty Calhoun
Sep 22, 2017
IPVMU Certified

Well, well thank you for the recognition. What do I think? I think it is absurd to say that ANY IP camera Hik-Dahua-Samsung-Cannon or anyone else that is made is any more vulnerable than any other. ANY camera can and could be manipulated by a human from the middle and be an issue so blaming the wonderful folks over at Hikvision is what it is, a hit grabber headline of desperation. It not Hikvisions fault that ethernet networks are designed as they are or anyones elses fault. Why dont you concede that it takes a human (A person) with malicious intent to make that Hikvision product do anything because it won't happen without actions of another and that another is not the  Hikvision camera.This is the same bullshit with the folks that hate guns, (takes a person to fire it). If you hate misspelled words the answer is to rid the world of pencils, right? or would it be best to just get rid of type "a" pencils? Same thing this is a headline grabber folks, dismiss it it as fodder.

Thats all I have to say about this so dont ask.

(10)
(2)
(8)
(2)
U
Undisclosed #5
Sep 22, 2017

Instead of pencils, can we get rid of your keyboard?

(2)
(3)
(7)
UI
Undisclosed Integrator #8
Sep 22, 2017

Keyboards don't type crazy, crazy types crazy.

(2)
(1)
(5)
MC
Marty Calhoun
Sep 24, 2017
IPVMU Certified

Can you show your cards and stop hiding behind UM 5? Can't take the heat? Scared someone will find out your true colors? What are you scared of? Make unhelpful, unprofessional, childish comments time and time again while hiding behind UM. At least I can face my detractors, have an open conversation and agree to disagree with anyone without disrespect, what about you?

 

(1)
(2)
(2)
JH
John Honovich
Sep 24, 2017
IPVM

can we get rid of your keyboard?

To #UM5, I disagree. I would encourage Marty to continue. Marty making statement that no camera is more vulnerable than others right after the details of Hikvision's backdoor disclosed is a benefit for others to hear. Why? Because it shows how hopelessly biased or uninformed about cybersecurity he is to say something like that in light of how simple and dangerous the Hikvision backdoor is.

At least I can face my detractors, have an open conversation

Be fair, Marty, you use undisclosed many times as well.

 

(8)
(1)
UE
Undisclosed End User #7
Sep 22, 2017

Marty, no, no and no.

In RECENT history, people have been able to EXPLOIT cyber security VULNERABILITES in Hik cams more often than other camera makes. This isn't FAKE NEWS.

And who really hates guns? 

(9)
U
Undisclosed
Sep 24, 2017

If you run secure connections between your camera and the VMS there isn't an immediate "man in the middle" attack.  That's why we keep telling people to run properly deployed TLS.  And yes this applies to everything not just this week's IPVM-outed camera exploit.

(1)
(1)
Avatar
Kyle Folger
Sep 23, 2017
IPVMU Certified

I don't understand all the Hikvision fans coming to defend an exploit that is so elementary once discovered. Other exploits that are found in other cameras, even if they are bad, are often very difficult to implement by anyone with a computer and simple knowledge of how to use one. I would say that this is the sole reason why I prefer buying Hikvision as opposed to through OEM. The delay or sometimes non-existence of a firmware patch is always troubling.

This is also the same reason I have never liked Digital Watchdog being able to distribute Network Optix software. When there are bug fixes it can take months to actually be released by DW. If those fixes were security related, it becomes a big deal. Thankfully, as I have mentioned in the past, I like the fact that Network Optix has been able to support us when we have had serious issues.

I still continue to use and install Hikvision cameras, but they never publicly face the internet and they are generally on a secure VLAN. The cloud services are always disabled. 

I will say that I can't stand any manufacturer enabling cloud services by default. I just checked one of my personal Hikvision cameras that was having issues. I updated the firmware and the platform access that was disabled was found enabled again.

It be amazing if one day those that do like Hikvision would actually see AND agree that Hikvision's take on security needs significant attention and that they need to find a way to make sure OEM's have updated firmware available and that those OEM's properly alert everyone of the exploits.

(10)
(5)
UI
Undisclosed Integrator #8
Sep 23, 2017

I agree strongly with the OEM vs direct statement.  While I would personally never buy Hikvision direct or indirect I would think it is better to always buy from the source rather than someone who sticks their sticker on and claims to have developed the product.  The OEM will always have dated information and lag behind on firmware, assuming that company stays in business to even issue updates down the road.  I would wager many of these OEMs don't have the resources to deal with any type of significant fallout in terms of support resources.  While there are certainly some who could weather a storm is the $10/camera savings worth the effort of vetting them out?

 

Historical example: Laptop video cards using Nvidia or ATI used to be the same - The various OEM brands would have to pay for driver updates.  The OEM would frequently (almost never) fail to do so and the video card would underperform or become incompatible with new applications as a result.  Very rarely these prompted system vulnerabilities to never be remedied.  This didn't relent until people started hacking their own drivers from the desktop versions, usually via laptopvideo2go.com, and laptops became ubiquitous.

(1)
(1)
UM
Undisclosed Manufacturer #10
Sep 24, 2017

They talk trough their wallets. Clearly some of these have their futures relying on Hikvision and for that reason they will come up with the most ridiculous outbursts of loyalty to the Chinese State owned brand. Don't forget that these defenders of the shaky products have to deal with a seemingly large client base as well. A client base that bought all those products in good faith, or in some cases I can imagine were bullied in to buying it by very overpowering statements about the good Chinese people and their wonderful products. Imagine the if they find out that they paid a premium price for a very poor product when it comes to cyber security or integrity. Remember that some advocates, or actually one in particular, stated that he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits?

(2)
JH
John Honovich
Sep 24, 2017
IPVM

he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits

Background: Always Choose HIKVISION.

In fairness, though, #10, you are from the Hikvision competitor that Calhoun referenced in that post with that technique.

On the other hand, I do agree that the problem that many long-time Hikvision integrators are now in. If they go back and say "hey US military, I sold you these great low cost cameras that now turn out to have a backdoor in it and was manufactured by a subsidiary of the Chinese government", they risk a variety of scary problems.

(1)
(1)
UM
Undisclosed Manufacturer #10
Sep 24, 2017

What do you mean 'in fairness' John? How is that relevant 'in fairness'? He stated he does that in every scenario he comes across no matter what the other manufacturer is many times over. My comment above isn't simply based on that one time mention in that particular post,that would be a little shall we say 'narrow minded' would'nt it?

U
Undisclosed #11
Sep 24, 2017

I'm not an integrator or installer, but have helped some friends get a camera or two up around the lake in years past. Getting calls for cameras not working...

 

I'd hate to be a company that has been putting these in non-stop for 4-5 years.

(4)
(1)
UI
Undisclosed Integrator #8
Sep 26, 2017

The sad news is that those companies that have been selling open equipment for 4-5 years will likely not be around in 4-5 more years to sell plug and play boxes if this continues.  As professionals we should bring more to the industry than being able to make long patch cables and slap a turret cam on the ceiling

(2)
U
Undisclosed #11
Sep 26, 2017

Arlo and Ring type wifi devices will soon enough eradicate those who simply pull 100ft patch cables and anchor a one size fits all camera to a wall.

(1)