Hikvision IP Camera Critical Vulnerability 2018 Disclosed

By IPVM Team, Published Aug 16, 2018, 11:18am EDT

The same day that the US government passed a prohibition on Hikvision cameras, Hikvision disclosed a critical vulnerability for its IP cameras.

However, while the US government is concerned about the PRC using Chinese government-owned Hikvision for cyberattacks, this vulnerability is clearly not related to the Chinese government.

On the other hand, it is a critical vulnerability and the potential for damage is high. With Hikvision's continued recommendation to port forward and its mass OEMing, this means a vast number of products, both Hikvision branded and via OEMs such as Interlogix, LTS, Anixer/Northern, Panasonic/Advidia, etc. will be impacted.

In this note, we review the vulnerability disclosure and the potential impact.

Vulnerability ********

*** ************* *** ********** by ******* ***********, *** ** ******* a ******* ** **** and ******* *** ************ cybersecurity (*** **** **** *******).

********* -********* ******** ******** ****** on **** *************, ****'* ******** **** ** Hikvision's *********** ******-****-**** ******. ** ********* ********* the *************:

* ****** ******** ************* in *** *** ****** of **** ********* ** cameras ****** ** ******** to **** * ********* crafted ******* ** ******** devices. *** ** *** insufficient ***** **********, * successful ******* *** ******* memory *** **** **arbitrary **** ********* ** ***** *** *******. [Emphasis Added]

*** **** ****** ** most ********** ** ***** of ******. ********** *** vulnerability ****** ******* ** either **** **** *** device ** ***** *** camera.

*** **** **** ***** is * ******** *.* / **.*.

Models ******** *** ***

**** ** ****** ****** are ******** *** **** are ***, ********* ** Hikvision.

********** / ******** ****** (**** *********'* ******):

  • *********** ****** (**-*******, ********** called “***** **** *.***”)
  • ***** **** (**-**********)
  • ***** ****** *********** ***** Dome/Bullet (**-*******)
  • ***** *** ***** ****** PTZs (**-****/*/*/* *** **-****/*/*/*)

*** ********** / *** impacted ****** *******:

***** ***** ****** ****** (before ***** **** ***, DS-2CD2XXXF), *** ***** ****** models (**-*******), ******* (**-*******), DeepinView (**-*******), ****** (**-****/***/******), thermal (**-******)

****: ********* *** *** issued * **** ** not ********** *******. ** have ******* **** **** to **** ******* *** users. ** *** **** is ********** ** **********, let ** **** ** the ******** *** ** will ******.

No ********* ******* *** / ****** ** ****

********* ******* ** *** to ******* **** **** be ******** ***** **** year.** **** *********:

********* ******* ** *** Hikvision ************* **** ** published **** *** ** days *** *********, ******** enough **** *** ********.

**** ********* ***** ******* time *** ******** *** given *********'* ********* ******* and ******** ****, ****, if *** **** ******* will *** ** ******** by ****. **** *** technical ******* *** ********, the **** ******* ******* taking ********* ** *** various ********* *** *** IP ******* **** **** not **** *******.

Positive *** ********* - ***** ************

********* ****** ** ********* for ********** **** *****. Hikvision ***** **** ****** until ****'* ** *** period *** **** ** delay *** ** ***. However, ********* ********* ** significantly ***** ** ****'* actual **********.

Comments (33)

Did they do this for PR....trying to copy Genetec's disclosure??

Agree
Disagree
Informative
Unhelpful
Funny

Well, the difference with Hikvision is that they had to because they knew VDOO was going to in a few months. With Genetec, since it was their own hired pen tester, they could have never disclosed it without much risk of an outsider doing so.

What would be impressive if Hikvision disclosed what critical vulnerabilities Rapid7, Cisco and their other hired cybersecurity firms found.

Agree: 4
Disagree
Informative
Unhelpful
Funny

Whatever reason they did for, its good to see changes happening from silence/hiding to talking/disclosure.

Whatever I personally think of Hikvision, I say same things as with Genetec: That's how it should be done! (HIK, but maybe little more coordination with VDOO first) ;-)

Manufactures, Who's next? =]

 

Agree: 5
Disagree
Informative
Unhelpful
Funny

Can't say I am very surprised by this. Despite all their claims about making cybersecurity a priority, Hikvision simply has too much legacy of poor code in their devices. It is highly probable that there are dozens of similar exploits buried in their various firmware and software, just waiting to be discovered.

Anticipating how the talking-head Chuck Davis tries to spin this "myth" in the upcoming cyber security event.

Hikvision, here's your sign:

Related image

Agree
Disagree
Informative
Unhelpful
Funny: 9

 

Agree
Disagree
Informative
Unhelpful
Funny: 4

This graphic could be part of the IPVM homepage. Maybe Hik-specific, or maybe just an industry counter of days since last vuln.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Just have a page with all known manufactures and update as needed. 

Agree
Disagree
Informative
Unhelpful
Funny

Excellent job to Hikvision for disclosing this early. This is how you handle things with transparency. We applaud you for handling things correctly and appropriately. 

oh wait,we are talking about Hikvision and not Axis or Genetec or any other non-chinese company. Let me change my rhetoric real quick...

Dam you Hikvision. This was just another tool too initiate all out cyberwar on the USA so you can use your spyware to spy on us hard workin Americans and make our internet explode with botnets. You can expect to see hack map v2.0 baby!!!. The word "Hikvision" should be completely banned from the USA language for all i care! 

accurate or nay for IPVM commenters?

Agree: 6
Disagree: 7
Informative
Unhelpful: 23
Funny: 11

I give you 1 star for a sad attempt at trolling.

Agree: 6
Disagree: 2
Informative
Unhelpful: 3
Funny: 9

If you "fear" that IPVM started a war against your favorite brand, let me advice 2 things:

1: Gather some arguments. Check the last 25 and 50 articles (you won't so I help you out one more time):

From 25: 6 is about Hikvision looks much, ok make it more clear

From that 6: 1 vulnerability (worth to mention), 1 product test (with a positive outcome), 3 reaction article about ban (obviously should be here), 1 article about dropping some show attendance (necessity is debatable)

From 50: 11 is about Hikvision (including the above)

From that 5: 1 market analysis, 1 analytic shoutout, 1 is about a promoted / removed leader, 2 congress ban article (obviously should be here)

To make it more clear, from 50article it was only 5 article from the ban, which is an obvious reaction about what the congress did. Where should this mentioned/covered if not IPVM? LOL

2: scroll over those articles, or if you don't find any valuable information on this site, most probably you should suspend or close your membership till your favorite manufacturer is in trouble.

And finally just an advice, this is for free.

If there is an obviously important article about a vulnerability, do not troll under, cause your hurted feelings. It makes you look childish, and I definitely think you are a serious MAN. Let others think the same.

Agree: 4
Disagree
Informative: 2
Unhelpful: 2
Funny: 4

From 25: 6

From 50: 11

From that 5: 1

Confused. Are you quoting IPVM bible verses?

and I definitely think you are a serious MAN

Spoken from an undisclosed woman?

 

 

Agree: 1
Disagree
Informative
Unhelpful: 7
Funny: 6

I'm really disappointed now. And funny still that you are worrying about my gender instead thinking about your missing arguments :)

Have a nice day.

Agree
Disagree
Informative
Unhelpful: 1
Funny: 6

have a good one mam!

Agree
Disagree
Informative
Unhelpful: 8
Funny: 4

You really go to great lengths to maintain your ignorance, ma'am.

 

Agree
Disagree
Informative: 1
Unhelpful: 3
Funny

No real man speaks critical of another and runs and hides behind the cloak of undisclosed. Well atleast we know that IPVM is very gender diverse.

Agree: 1
Disagree
Informative
Unhelpful: 6
Funny

List of things Sean doesn't understand:

1) Vulnerability severities

2) How/why Undisclosed is used on IPVM

3) Likely gender of most IPVM posters

 

Agree
Disagree
Informative
Unhelpful
Funny: 4

No real man crying like a baby Sean, and running to mama to tell somebody hurt his favourite company.

On the other hand. Yes I'm a woman, and undisclose my name usually because of child like you who always taking care about my gender instead my knowledge in this industry.

So any more question about myself?

Ah, I still have only one. Where are your arguments? Or just still crying and trolling?

 

Agree: 1
Disagree
Informative
Unhelpful: 2
Funny: 2

Wow, i have no idea how you knew I ran and cried to my mama, but hopefully I can become a real MAN in your books again by me admitting it?

BTW, just my opinion, but I think you should post disclosed, especially that you are a woman, because you will appear way more respectful than most of the guys on here who post critical sarcastic things about other people and hide behind the undisclosed cloak.

At any rate, you seem like you are getting emotionally distressed and this conversation is getting way off track. As far as my arguments, they are all over IPVM, but feel free to ask me any specific questions and I will be happy to answer them. 

 

Agree: 1
Disagree
Informative
Unhelpful: 6
Funny

I still find it funny, you didn't address the original comment.  Nice troll diversion though!

Agree
Disagree
Informative
Unhelpful
Funny

I addressed the one in which "MAN" was capitlized.

Which one specifically are you referring to though? Their have been so many. I'll be happy to give a thorough non-troll explanation.

Agree
Disagree
Informative
Unhelpful: 1
Funny

IPVM would be a much better read without the undisclosed button.

If you have something to say, say it. Want to share info that can't be shared? Send it to the team. That way they have a chance to check the credibility and share the info if it's valuable.

Posting anonymously has zero added value to me, it enables a group that shouldn't be enabled.

As for Undisclosed End User #4, you just decided IPVM and it's members are biased to any female responding. That's not a call for you to make on my behalf.

Agree: 2
Disagree: 1
Informative
Unhelpful
Funny

Going to say this again, as I have said in multiple past threads: we are not going to rehash debates about the value of undisclosed posting. Further discussion on that topic is going to get deleted. Undisclosed posting is not going anywhere on IPVM.

If anyone wants to actually discuss this latest Hikvision vulnerability, VDOO, or Hikvision's response, feel free. This is descending into useless back and forth.

Agree: 6
Disagree
Informative
Unhelpful
Funny

Agree
Disagree
Informative
Unhelpful: 1
Funny: 2

 John, certification by a subscription service of a testing facility such as VDOO would be a means for North American and other country security related equipment manufacturers for cybersecurity vulnerability, as well as other defined parameters to at least be operating on that level of playing field.  Having recently heard of GDPR, the General Data Protection Regulation (GDPR) (EU)2016/679, which is a regulation in EU law on data protection and privacy for all individuals in the  European Union.  .TUV Rheinland is a test member.

John, would you consider IPVM checking out GDPR and commenting on how that certification might be of value in NA.

Thank you for the great contribution IPVM is making for this industry.

Frank Nelles

Communications Components

Agree
Disagree
Informative
Unhelpful
Funny

So Vdoo found a bug, Hikvision responded and issued a fix within the timescale.

Has there been any in the wild reports of hacks using this bug?

Agree
Disagree
Informative
Unhelpful
Funny: 1

The issue is twofold.  First, Hik is the biggest or near the biggest camera manufacturer.  Similar to if there was a defect found in the largest car manufacturer would be headline news. 

Second is the timing.  Hik is constantly talking about their cyber security efforts.  Yes, I know and agree that a vulnerability can affect anyone, however if a company has lots of effort to secure their products they should have few and far between vulnerabilities discovered.  If the vuln was due to 3rd party modules, that is understood as these items need to be updated, etc.  But here it was their own code.  If a company has 6000 engineers, why are they missing these left and right?  I do applaud them for publicly putting out a factual statement and updating firmware quickly, which is a step forward for them.

Also, (I know that this has been repeated before), but Hik does have government funding.  You would expect more from a company that has deep pockets.  You expect them to look good.  

 

Finally, is the score.  This vuln received a score of 8.9.  Again, why is a company that is so focused on cyber security having time and time again high scoring vulnerabilities?  (And yes, I know that other large companies that are talking about cyber have had similar, such as Axis, Dahua, etc.  I fault them as well).

Agree: 1
Disagree
Informative
Unhelpful
Funny

If a company has 6000 engineers, why are they missing these left and right? 

Point of fact: Hikvision claims 10,000+:

Agree: 1
Disagree
Informative
Unhelpful
Funny: 2

I can't imagine 50% of your workforce in R&D is sustainable in the technology sector.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Hikvision does not define what they count as "R&D" so it is hard to know if they are classifying it in the same way that Western technology companies do.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Hundred percent agree. I had a project where they couldn't repair obvious bugs in their CMS SW, for months. If they did something, it caused new bugs.

I can't really imagine if you have thousands of R&D colleagues this could happen... Or from an other viewpoint, if you have such amount of engineers, how they have such amount of vulnerability issues?

Agree
Disagree
Informative
Unhelpful
Funny

I also think that a lot has to do with reusing old code. You would think at some point, due to vulnerabilities, having to patch clunky code, or simply to get away from plug-ins, they would start over and make a new camera with a new ui and a new back end. 

Oh well. 

I know it is a lot of development and support to do that, but that is why a company hires a large staff of programmers and engineers... 

Agree
Disagree
Informative: 1
Unhelpful
Funny

Has there been any in the wild reports of hacks using this bug?

I made this point in the Sony thread here and I'll reiterate. Serious hackers are not in the business of publicly touting their hacks, so it is not a reasonable way to judge a vulnerability.

The bigger real risk is when VDOO announces it in 90 days. Hikvision is a well known big target with lots of port-forwarded, publicly accessible devices, which means the likelihood is very high that many devices will get hacked later this year.

Agree
Disagree
Informative
Unhelpful
Funny

Update: Hikvision UK sent a reminder newsletter about updating firmware as VDOO is scheduled to release full details soon:

Agree
Disagree
Informative: 2
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,101 reports and 941 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports