80+ OEMs Verified Vulnerable To Hikvision Backdoor
By: Brian Karas, Published on Sep 22, 2017
Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the Hikvision backdoor, deployed and exploitable over the public Internet.
IPVM ran tests to verify this using public data and the signature of the backdoor. Our test results found ~40% of all vulnerable devices were from OEMs, with the balance 60% being Hikvision own's branded products. In total, we estimate at least 250,000 devices vulnerable on the public Internet.
This vulnerability is particularly severe because it is simple to exploit and allows attackers to take over the camera by changing the admin password, view images, default the device, brick it, etc.
Our video below shows how even non-technical users can literally just copy/paste the backdoor string on to the end of a URL to vulnerable Hikvision and OEM partner cameras:
Top Brands Impacted
The following brands, ranked from highest to lowest, were the Top 10 most seen, making up ~30% of the total OEM units responding:
In all seriousness, you can try the same URLs, and should get a login popup instead of the camera just giving up its details for free. If you try the URL and get a 404, it is most likely not a Hikvision camera.
Additionally, and especially if you cannot get a definitive response from your supplier, we recommend ensuring that none of those IP cameras are publicly accessible and that those IP cameras are on their own dedicated VLAN that no other local, non-security user, can access.
Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line and agreed with by IPVM, regarding the CEO of Genetec and his personal opinions. Does IPVM agree with what was published yesterday or today? I consider this a 'waffle', being a casual reader, that this story line is repeated over and over when ever Hikvision can be injected into a headline. Why not rename your site 'hikvision news by IPVM' as this is at the least 50% of your material? You might get more subscribers as hikvision is liked by so many more dealers than dis-liked.
Most industry followers know that hikvision makes the cameras for 100+ OEMs and it does not take a rocket scientist to figure if one firmware has an issue others could quite possibly follow suite that are manufactured by the same company, this in itself is not 'news'.
The best recommendation if you have any concerns for network security would be to simply remove these Hikvsion/OEM cameras, destroy them, and purchase something more secure. That is the only way you can be sure you are not exposed to Hikvision's security flaws, by removing them from your network entirely.
Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line
I think you need to re-read that post and take a minute to think it through more thoroughly. Also, the 'opinions' of Genetec's CEO in regards to insider threat risk are widely held by many information security professionals.
VLANs can help reduce threats posed by placing untrustworthy devices, like Hikvision cameras, on a network, but they do not eliminate it, and should not be considered sufficient protection, nor should firewalls.
Thank you for asking for this clarification, I have updated the conclusion to directly address the fact that these units should really be removed from service entirely for best security.
You are clearly highly biased towards Hikvision and refuse to evaluate Hikvision's multiple ongoing security vulnerabilities accurately. I did not say "all IP cameras are good to go", however there are a number of choices that offer significantly better track records than Hikvision, and if you are concerned about overall security then you would use these alternatives.
If you want to make a valid, reasoned argument, or put up some statistics (similar to how I did here) regarding Hikvision vs. other manufacturers, you are welcome to do so. But if you are going to entirely miss the point of these reports there is little reason to respond to your poor attempts to spin what is clearly laid out here.
If you isolate weak devices on a segmented network you simply remove the "oops my gear was caught on shodan" effect. you do not remove the vulnerability. Anything else on that network can still attack the device. (And it's your SECURITY NETWORK - "who would think to look there?")
Isolating weak devices does mitigate this but you're still carrying around the risk. Do you really want to explain to your CEO that you're one of the "risk creators" they have to worry about accepting the risk for?
Well, well thank you for the recognition. What do I think? I think it is absurd to say that ANY IP camera Hik-Dahua-Samsung-Cannon or anyone else that is made is any more vulnerable than any other. ANY camera can and could be manipulated by a human from the middle and be an issue so blaming the wonderful folks over at Hikvision is what it is, a hit grabber headline of desperation. It not Hikvisions fault that ethernet networks are designed as they are or anyones elses fault. Why dont you concede that it takes a human (A person) with malicious intent to make that Hikvision product do anything because it won't happen without actions of another and that another is not the Hikvision camera.This is the same bullshit with the folks that hate guns, (takes a person to fire it). If you hate misspelled words the answer is to rid the world of pencils, right? or would it be best to just get rid of type "a" pencils? Same thing this is a headline grabber folks, dismiss it it as fodder.
Can you show your cards and stop hiding behind UM 5? Can't take the heat? Scared someone will find out your true colors? What are you scared of? Make unhelpful, unprofessional, childish comments time and time again while hiding behind UM. At least I can face my detractors, have an open conversation and agree to disagree with anyone without disrespect, what about you?
To #UM5, I disagree. I would encourage Marty to continue. Marty making statement that no camera is more vulnerable than others right after the details of Hikvision's backdoor disclosed is a benefit for others to hear. Why? Because it shows how hopelessly biased or uninformed about cybersecurity he is to say something like that in light of how simple and dangerous the Hikvision backdoor is.
At least I can face my detractors, have an open conversation
Be fair, Marty, you use undisclosed many times as well.
If you run secure connections between your camera and the VMS there isn't an immediate "man in the middle" attack. That's why we keep telling people to run properly deployed TLS. And yes this applies to everything not just this week's IPVM-outed camera exploit.
I don't understand all the Hikvision fans coming to defend an exploit that is so elementary once discovered. Other exploits that are found in other cameras, even if they are bad, are often very difficult to implement by anyone with a computer and simple knowledge of how to use one. I would say that this is the sole reason why I prefer buying Hikvision as opposed to through OEM. The delay or sometimes non-existence of a firmware patch is always troubling.
This is also the same reason I have never liked Digital Watchdog being able to distribute Network Optix software. When there are bug fixes it can take months to actually be released by DW. If those fixes were security related, it becomes a big deal. Thankfully, as I have mentioned in the past, I like the fact that Network Optix has been able to support us when we have had serious issues.
I still continue to use and install Hikvision cameras, but they never publicly face the internet and they are generally on a secure VLAN. The cloud services are always disabled.
I will say that I can't stand any manufacturer enabling cloud services by default. I just checked one of my personal Hikvision cameras that was having issues. I updated the firmware and the platform access that was disabled was found enabled again.
It be amazing if one day those that do like Hikvision would actually see AND agree that Hikvision's take on security needs significant attention and that they need to find a way to make sure OEM's have updated firmware available and that those OEM's properly alert everyone of the exploits.
I agree strongly with the OEM vs direct statement. While I would personally never buy Hikvision direct or indirect I would think it is better to always buy from the source rather than someone who sticks their sticker on and claims to have developed the product. The OEM will always have dated information and lag behind on firmware, assuming that company stays in business to even issue updates down the road. I would wager many of these OEMs don't have the resources to deal with any type of significant fallout in terms of support resources. While there are certainly some who could weather a storm is the $10/camera savings worth the effort of vetting them out?
Historical example: Laptop video cards using Nvidia or ATI used to be the same - The various OEM brands would have to pay for driver updates. The OEM would frequently (almost never) fail to do so and the video card would underperform or become incompatible with new applications as a result. Very rarely these prompted system vulnerabilities to never be remedied. This didn't relent until people started hacking their own drivers from the desktop versions, usually via laptopvideo2go.com, and laptops became ubiquitous.
They talk trough their wallets. Clearly some of these have their futures relying on Hikvision and for that reason they will come up with the most ridiculous outbursts of loyalty to the Chinese State owned brand. Don't forget that these defenders of the shaky products have to deal with a seemingly large client base as well. A client base that bought all those products in good faith, or in some cases I can imagine were bullied in to buying it by very overpowering statements about the good Chinese people and their wonderful products. Imagine the if they find out that they paid a premium price for a very poor product when it comes to cyber security or integrity. Remember that some advocates, or actually one in particular, stated that he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits?
In fairness, though, #10, you are from the Hikvision competitor that Calhoun referenced in that post with that technique.
On the other hand, I do agree that the problem that many long-time Hikvision integrators are now in. If they go back and say "hey US military, I sold you these great low cost cameras that now turn out to have a backdoor in it and was manufactured by a subsidiary of the Chinese government", they risk a variety of scary problems.
What do you mean 'in fairness' John? How is that relevant 'in fairness'? He stated he does that in every scenario he comes across no matter what the other manufacturer is many times over. My comment above isn't simply based on that one time mention in that particular post,that would be a little shall we say 'narrow minded' would'nt it?
The sad news is that those companies that have been selling open equipment for 4-5 years will likely not be around in 4-5 more years to sell plug and play boxes if this continues. As professionals we should bring more to the industry than being able to make long patch cables and slap a turret cam on the ceiling