Vulnerability ********
*** ************* *** ********** by ******* ***********, *** ** ******* a ******* ** **** and ******* *** ************ cybersecurity (*** **** **** *******).
********* -********* ******** ******** ****** on **** *************, ****'* ******** **** ** Hikvision's *********** ******-****-**** ******. ** ********* ********* the *************:
* ****** ******** ************* in *** *** ****** of **** ********* ** cameras ****** ** ******** to **** * ********* crafted ******* ** ******** devices. *** ** *** insufficient ***** **********, * successful ******* *** ******* memory *** **** **arbitrary **** ********* ** ***** *** *******. [Emphasis Added]
*** **** ****** ** most ********** ** ***** of ******. ********** *** vulnerability ****** ******* ** either **** **** *** device ** ***** *** camera.
*** **** **** ***** is * ******** *.* / **.*.
Models ******** *** ***
**** ** ****** ****** are ******** *** **** are ***, ********* ** Hikvision.
********** / ******** ****** (**** *********'* ******):
- *********** ****** (**-*******, ********** called “***** **** *.***”)
- ***** **** (**-**********)
- ***** ****** *********** ***** Dome/Bullet (**-*******)
- ***** *** ***** ****** PTZs (**-****/*/*/* *** **-****/*/*/*)
*** ********** / *** impacted ****** *******:
***** ***** ****** ****** (before ***** **** ***, DS-2CD2XXXF), *** ***** ****** models (**-*******), ******* (**-*******), DeepinView (**-*******), ****** (**-****/***/******), thermal (**-******)
****: ********* *** *** issued * **** ** not ********** *******. ** have ******* **** **** to **** ******* *** users. ** *** **** is ********** ** **********, let ** **** ** the ******** *** ** will ******.
No ********* ******* *** / ****** ** ****
********* ******* ** *** to ******* **** **** be ******** ***** **** year.** **** *********:
********* ******* ** *** Hikvision ************* **** ** published **** *** ** days *** *********, ******** enough **** *** ********.
**** ********* ***** ******* time *** ******** *** given *********'* ********* ******* and ******** ****, ****, if *** **** ******* will *** ** ******** by ****. **** *** technical ******* *** ********, the **** ******* ******* taking ********* ** *** various ********* *** *** IP ******* **** **** not **** *******.
Positive *** ********* - ***** ************
********* ****** ** ********* for ********** **** *****. Hikvision ***** **** ****** until ****'* ** *** period *** **** ** delay *** ** ***. However, ********* ********* ** significantly ***** ** ****'* actual **********.
Comments (33)
Undisclosed Manufacturer #1
Did they do this for PR... trying to copy Genetec's disclosure?
Undisclosed #2
Can't say I am very surprised by this. Despite all their claims about making cybersecurity a priority, Hikvision simply has too much legacy of poor code in their devices. It is highly probable that there are dozens of similar exploits buried in their various firmware and software, just waiting to be discovered.
Anticipating how the talking-head Chuck Davis tries to spin this "myth" in the upcoming cyber security event.
Hikvision, here's your sign:
Sean Nelson
08/16/18 04:32pm
Excellent job to Hikvision for disclosing this early. This is how you handle things with transparency. We applaud you for handling things correctly and appropriately.
Oh wait, we are talking about Hikvision and not Axis or Genetec or any other non-Chinese company. Let me change my rhetoric real quick...
Damn you, Hikvision. This was just another tool to initiate all-out cyberwar on the USA so you can use your spyware to spy on us hard-workin' Americans and make our internet explode with botnets. You can expect to see hack map v2.0, baby!!! The word "Hikvision" should be completely banned from the USA language for all I care!
Accurate or nay for IPVM commenters?
Michael Gonzalez
08/21/18 01:00am
Frank Nelles
John, certification by a subscription service of a testing facility such as VDOO would be a means for North American and other countries' security-related equipment manufacturers for cybersecurity vulnerability, as well as other defined parameters, to at least be operating on that level of playing field. I have recently heard of GDPR, the General Data Protection Regulation (GDPR) (EU) 2016/679, which is a regulation in EU law on data protection and privacy for all individuals in the European Union. TUV Rheinland is a test member.
John, would you consider IPVM checking out GDPR and commenting on how that certification might be of value in NA?
Thank you for the great contribution IPVM is making for this industry.
Frank Nelles
Communications Components
Undisclosed Integrator #7
So VDOO found a bug, Hikvision responded and issued a fix within the timescale.
Have there been any in-the-wild reports of hacks using this bug?
John Honovich
Update: Hikvision UK sent a reminder newsletter about updating firmware as VDOO is scheduled to release full details soon: