Hikvision IP Camera Critical Vulnerability 2018 Disclosed

By: IPVM Team, Published on Aug 16, 2018

The same day that the US government passed a prohibition on Hikvision cameras, Hikvision disclosed a critical vulnerability for its IP cameras.

However, while the US government is concerned about the PRC using Chinese government-owned Hikvision for cyberattacks, this vulnerability is clearly not related to the Chinese government.

On the other hand, it is a critical vulnerability and the potential for damage is high. With Hikvision's continued recommendation to port forward and its mass OEMing, a vast number of products, both Hikvision branded and OEMed by Interlogix, LTS, Anixter/Northern, Panasonic/Advidia and others, will be impacted.

In this note, we review the vulnerability disclosure and the potential impact.

Vulnerability ********

*** ************* *** ********** by ******* ***********, *** ** ******* a ******* ** **** and ******* *** ************ cybersecurity (*** **** **** *******).

********* -********* ******** ******** ****** on **** *************, ****'* ******** **** ** Hikvision's *********** ******-****-**** ******. ** ********* ********* the *************:

* ****** ******** ************* in *** *** ****** of **** ********* ** cameras ****** ** ******** to **** * ********* crafted ******* ** ******** devices. *** ** *** insufficient ***** **********, * successful ******* *** ******* memory *** **** **arbitrary **** ********* ** ***** *** *******. [Emphasis Added]

*** **** ****** ** most ********** ** ***** of ******. ********** *** vulnerability ****** ******* ** either **** **** *** device ** ***** *** camera.

*** **** **** ***** is * ******** *.* / **.*.

Models ******** *** ***

**** ** ****** ****** are ******** *** **** are ***, ********* ** Hikvision.

********** / ******** ****** (**** *********'* ******):

  • *********** ****** (**-*******, ********** called “***** **** *.***”)
  • ***** **** (**-**********)
  • ***** ****** *********** ***** Dome/Bullet (**-*******)
  • ***** *** ***** ****** PTZs (**-****/*/*/* *** **-****/*/*/*)

*** ********** / *** impacted ****** *******:

***** ***** ****** ****** (before ***** **** ***, DS-2CD2XXXF), *** ***** ****** models (**-*******), ******* (**-*******), DeepinView (**-*******), ****** (**-****/***/******), thermal (**-******)

****: ********* *** *** issued * **** ** not ********** *******. ** have ******* **** **** to **** ******* *** users. ** *** **** is ********** ** **********, let ** **** ** the ******** *** ** will ******.

No ********* ******* *** / ****** ** ****

********* ******* ** *** to ******* **** **** be ******** ***** **** year.** **** *********:

********* ******* ** *** Hikvision ************* **** ** published **** *** ** days *** *********, ******** enough **** *** ********.

**** ********* ***** ******* time *** ******** *** given *********'* ********* ******* and ******** ****, ****, if *** **** ******* will *** ** ******** by ****. **** *** technical ******* *** ********, the **** ******* ******* taking ********* ** *** various ********* *** *** IP ******* **** **** not **** *******.

Positive *** ********* - ***** ************

********* ****** ** ********* for ********** **** *****. Hikvision ***** **** ****** until ****'* ** *** period *** **** ** delay *** ** ***. However, ********* ********* ** significantly ***** ** ****'* actual **********.

Comments (33)

Did they do this for PR....trying to copy Genetec's disclosure??

Well, the difference with Hikvision is that they had to because they knew VDOO was going to in a few months. With Genetec, since it was their own hired pen tester, they could have never disclosed it without much risk of an outsider doing so.

What would be impressive if Hikvision disclosed what critical vulnerabilities Rapid7, Cisco and their other hired cybersecurity firms found.

Whatever reason they did it for, it's good to see changes happening from silence/hiding to talking/disclosure.

Whatever I personally think of Hikvision, I say same things as with Genetec: That's how it should be done! (HIK, but maybe little more coordination with VDOO first) ;-)

Manufacturers, who's next? =]


Can't say I am very surprised by this. Despite all their claims about making cybersecurity a priority, Hikvision simply has too much legacy of poor code in their devices. It is highly probable that there are dozens of similar exploits buried in their various firmware and software, just waiting to be discovered.

Anticipating how the talking-head Chuck Davis tries to spin this "myth" in the upcoming cyber security event.

Hikvision, here's your sign:


This graphic could be part of the IPVM homepage. Maybe Hik-specific, or maybe just an industry counter of days since last vuln.

Just have a page with all known manufacturers and update as needed.

Excellent job to Hikvision for disclosing this early. This is how you handle things with transparency. We applaud you for handling things correctly and appropriately.

Oh wait, we are talking about Hikvision and not Axis or Genetec or any other non-Chinese company. Let me change my rhetoric real quick...

Damn you Hikvision. This was just another tool to initiate all-out cyberwar on the USA so you can use your spyware to spy on us hard-working Americans and make our internet explode with botnets. You can expect to see hack map v2.0 baby!!! The word "Hikvision" should be completely banned from the USA language for all I care!

Accurate or nay for IPVM commenters?

I give you 1 star for a sad attempt at trolling.

If you "fear" that IPVM started a war against your favorite brand, let me advise 2 things:

1: Gather some arguments. Check the last 25 and 50 articles (you won't, so I'll help you out one more time):

From 25: 6 are about Hikvision. Looks like much? OK, let me make it more clear:

From that 6: 1 vulnerability (worth mentioning), 1 product test (with a positive outcome), 3 reaction articles about the ban (obviously should be here), 1 article about dropping some show attendance (necessity is debatable)

From 50: 11 are about Hikvision (including the above)

From that 5: 1 market analysis, 1 analytics shoutout, 1 is about a promoted / removed leader, 2 congress ban articles (obviously should be here)

To make it more clear, from 50 articles only 5 articles were about the ban, which is an obvious reaction to what Congress did. Where should this be mentioned/covered if not on IPVM? LOL

2: Scroll over those articles, or if you don't find any valuable information on this site, most probably you should suspend or close your membership until your favorite manufacturer is in trouble.

And finally just an advice, this is for free.

If there is an obviously important article about a vulnerability, do not troll under it because of your hurt feelings. It makes you look childish, and I definitely think you are a serious MAN. Let others think the same.

From 25: 6

From 50: 11

From that 5: 1

Confused. Are you quoting IPVM bible verses?

and I definitely think you are a serious MAN

Spoken from an undisclosed woman?


I'm really disappointed now. And still funny that you are worrying about my gender instead of thinking about your missing arguments :)

Have a nice day.

Have a good one ma'am!

You really go to great lengths to maintain your ignorance, ma'am.


No real man speaks critically of another and runs and hides behind the cloak of undisclosed. Well, at least we know that IPVM is very gender diverse.

List of things Sean doesn't understand:

1) Vulnerability severities

2) How/why Undisclosed is used on IPVM

3) Likely gender of most IPVM posters


No real man crying like a baby Sean, and running to mama to tell somebody hurt his favourite company.

On the other hand, yes, I'm a woman, and I usually don't disclose my name because of children like you who always care about my gender instead of my knowledge in this industry.

So, any more questions about myself?

Ah, I still have only one. Where are your arguments? Or just still crying and trolling?


Wow, I have no idea how you knew I ran and cried to my mama, but hopefully I can become a real MAN in your books again by admitting it?

BTW, just my opinion, but I think you should post disclosed, especially that you are a woman, because you will appear way more respectful than most of the guys on here who post critical sarcastic things about other people and hide behind the undisclosed cloak.

At any rate, you seem like you are getting emotionally distressed and this conversation is getting way off track. As for my arguments, they are all over IPVM, but feel free to ask me any specific questions and I will be happy to answer them.


I still find it funny that you didn't address the original comment. Nice troll diversion though!

I addressed the one in which "MAN" was capitalized.

Which one specifically are you referring to though? There have been so many. I'll be happy to give a thorough non-troll explanation.

IPVM would be a much better read without the undisclosed button.

If you have something to say, say it. Want to share info that can't be shared? Send it to the team. That way they have a chance to check the credibility and share the info if it's valuable.

Posting anonymously has zero added value to me, it enables a group that shouldn't be enabled.

As for Undisclosed End User #4, you just decided IPVM and its members are biased against any female responding. That's not a call for you to make on my behalf.

Going to say this again, as I have said in multiple past threads: we are not going to rehash debates about the value of undisclosed posting. Further discussion on that topic is going to get deleted. Undisclosed posting is not going anywhere on IPVM.

If anyone wants to actually discuss this latest Hikvision vulnerability, VDOO, or Hikvision's response, feel free. This is descending into useless back and forth.

John, certification by a subscription service of a testing facility such as VDOO would be a means for North American and other countries' security-related equipment manufacturers to be checked for cybersecurity vulnerabilities, as well as other defined parameters, so as to at least be operating on that level playing field. I have recently heard of GDPR, the General Data Protection Regulation (GDPR) (EU) 2016/679, which is a regulation in EU law on data protection and privacy for all individuals in the European Union. TUV Rheinland is a test member.

John, would you consider IPVM checking out GDPR and commenting on how that certification might be of value in NA.

Thank you for the great contribution IPVM is making for this industry.

Frank Nelles

Communications Components

So Vdoo found a bug, Hikvision responded and issued a fix within the timescale.

Has there been any in the wild reports of hacks using this bug?

The issue is twofold. First, Hik is the biggest or near the biggest camera manufacturer. Similarly, a defect found in the largest car manufacturer would be headline news.

Second is the timing. Hik is constantly talking about their cyber security efforts. Yes, I know and agree that a vulnerability can affect anyone; however, if a company puts lots of effort into securing their products, discovered vulnerabilities should be few and far between. If the vuln were due to 3rd party modules, that would be understood, as these items need to be updated, etc. But here it was their own code. If a company has 6000 engineers, why are they missing these left and right? I do applaud them for publicly putting out a factual statement and updating firmware quickly, which is a step forward for them.

Also (I know that this has been repeated before), Hik does have government funding. You would expect more from a company that has deep pockets. You expect them to look good.

Finally, there is the score. This vuln received a score of 8.9. Again, why is a company that is so focused on cyber security having high scoring vulnerabilities time and time again? (And yes, I know that other large companies that talk about cyber have had similar, such as Axis, Dahua, etc. I fault them as well.)

If a company has 6000 engineers, why are they missing these left and right? 

Point of fact: Hikvision claims 10,000+:

I can't imagine 50% of your workforce in R&D is sustainable in the technology sector.

Hikvision does not define what they count as "R&D" so it is hard to know if they are classifying it in the same way that Western technology companies do.

Hundred percent agree. I had a project where they couldn't repair obvious bugs in their CMS software for months. If they did something, it caused new bugs.

I can't really imagine this could happen if you have thousands of R&D colleagues... Or, from another viewpoint, if you have that many engineers, how do they have so many vulnerability issues?

I also think that a lot has to do with reusing old code. You would think at some point, due to vulnerabilities, having to patch clunky code, or simply to get away from plug-ins, they would start over and make a new camera with a new UI and a new back end.

Oh well.

I know it is a lot of development and support to do that, but that is why a company hires a large staff of programmers and engineers...

Has there been any in the wild reports of hacks using this bug?

I made this point in the Sony thread here and I'll reiterate. Serious hackers are not in the business of publicly touting their hacks, so it is not a reasonable way to judge a vulnerability.

The bigger real risk is when VDOO announces it in 90 days. Hikvision is a well known big target with lots of port-forwarded, publicly accessible devices, which means the likelihood is very high that many devices will get hacked later this year.
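The exposure point made above (port-forwarded cameras reachable from the internet while a fix is still pending) is something a defender can audit from a router's port-forwarding table and a device inventory. The script below is an added example written for this page; it is not IPVM's, VDOO's or Hikvision's code. The rule and inventory formats, the camera IPs, models and firmware strings are constructed for illustration, the service-port table is an assumption about what a camera typically listens on, and the fixed firmware version is a placeholder that must be taken from the vendor advisory.

```python
"""Audit which cameras are reachable from the internet via port forwarding and
still run firmware older than the vendor's fixed release.

Added example for this page (not the vendor's or IPVM's code). Inputs are
constructed: a router-style port-forward export and a CSV-like inventory.
"""
import re
from dataclasses import dataclass

# Assumption: ports on which a camera web server / SDK / stream usually listens.
CAMERA_SERVICE_PORTS = {80: "http", 443: "https", 554: "rtsp", 8000: "sdk"}

# Constructed rule format: "<proto> <external_port> -> <internal_ip>:<internal_port>"
RULE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<ext>\d+)\s*->\s*(?P<ip>[\d.]+):(?P<int>\d+)$", re.I
)

# Constructed sample export from a router (not real devices).
RULES = """
# proto ext_port -> internal_ip:internal_port
tcp 8080 -> 192.168.1.50:80
tcp 554  -> 192.168.1.50:554
tcp 8000 -> 192.168.1.51:8000
tcp 2222 -> 192.168.1.10:22
udp 5060 -> 192.168.1.20:5060
"""

# Constructed inventory: ip, model, firmware (models and versions are made up).
INVENTORY = """
192.168.1.50, CAM-MODEL-A, V5.4.5
192.168.1.51, CAM-MODEL-A, V5.5.2
192.168.1.52, CAM-MODEL-B, V5.4.0
"""

# PLACEHOLDER: replace with the fixed firmware version from the vendor advisory.
FIXED_VERSION_PLACEHOLDER = "V5.5.0"


@dataclass(frozen=True)
class Exposure:
    ip: str
    service: str
    external_port: int
    firmware: str
    needs_update: bool


def parse_rules(text):
    """Return (proto, external_port, internal_ip, internal_port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append((m["proto"].lower(), int(m["ext"]), m["ip"], int(m["int"])))
    return rules


def parse_inventory(text):
    """Map camera IP -> (model, firmware)."""
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, model, fw = [f.strip() for f in line.split(",")]
        inv[ip] = (model, fw)
    return inv


def version_tuple(v):
    """'V5.4.5' -> (5, 4, 5); only the numeric fields are compared."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def audit(rules_text, inventory_text, fixed_version):
    """List every inventoried camera service exposed by a forward rule and
    flag it if its firmware is older than the fixed version."""
    inv = parse_inventory(inventory_text)
    fixed = version_tuple(fixed_version)
    exposures = []
    for _proto, ext, ip, internal in parse_rules(rules_text):
        if ip not in inv:            # not a camera we track (e.g. an SSH or SIP host)
            continue
        service = CAMERA_SERVICE_PORTS.get(internal)
        if service is None:          # camera host, but not a camera-facing service
            continue
        _model, fw = inv[ip]
        exposures.append(Exposure(ip, service, ext, fw, version_tuple(fw) < fixed))
    return exposures


if __name__ == "__main__":
    for e in audit(RULES, INVENTORY, FIXED_VERSION_PLACEHOLDER):
        flag = "UPDATE NEEDED" if e.needs_update else "patched"
        print(f"{e.ip} {e.service} exposed on external port {e.external_port}: {e.firmware} ({flag})")
```

On the constructed data this reports two exposed services on the V5.4.5 camera as needing an update and one exposed SDK port on an already-updated camera; the third camera is not forwarded and so is not listed. In practice the forward rules and the fixed version come from the router export and the vendor's advisory respectively, and the usual remediation is to remove the forward and reach the camera over a VPN rather than to rely on the firmware update alone.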

Update: Hikvision UK sent a reminder newsletter about updating firmware as VDOO is scheduled to release full details soon:
