Hikvision IP Camera Critical Vulnerability 2018 Disclosed

By: IPVM Team, Published on Aug 16, 2018

The same day that the US government passed a prohibition on Hikvision cameras, Hikvision disclosed a critical vulnerability for its IP cameras.

However, while the US government is concerned about the PRC using Chinese government-owned Hikvision for cyberattacks, this vulnerability is clearly not related to the Chinese government.

On the other hand, it is a critical vulnerability and the potential for damage is high. With Hikvision's continued recommendation to port forward and its mass OEMing, this means a vast number of products, both Hikvision branded and via OEMs such as Interlogix, LTS, Anixer/Northern, Panasonic/Advidia, etc. will be impacted.

In this note, we review the vulnerability disclosure and the potential impact.

Vulnerability ********

*** ************* *** ********** by ******* ***********, *** ** ******* a ******* ** **** and ******* *** ************ cybersecurity (*** **** **** *******).

********* -********* ******** ******** ****** on **** *************, ****'* ******** **** ** Hikvision's *********** ******-****-**** ******. ** ********* ********* the *************:

* ****** ******** ************* in *** *** ****** of **** ********* ** cameras ****** ** ******** to **** * ********* crafted ******* ** ******** devices. *** ** *** insufficient ***** **********, * successful ******* *** ******* memory *** **** **arbitrary **** ********* ** ***** *** *******. [Emphasis Added]

*** **** ****** ** most ********** ** ***** of ******. ********** *** vulnerability ****** ******* ** either **** **** *** device ** ***** *** camera.

*** **** **** ***** is * ******** *.* / **.*.

Models ******** *** ***

**** ** ****** ****** are ******** *** **** are ***, ********* ** Hikvision.

********** / ******** ****** (**** *********'* ******):

*********** ****** (**-*******, ********** called “***** **** *.***”)
***** **** (**-**********)
***** ****** *********** ***** Dome/Bullet (**-*******)
***** *** ***** ****** PTZs (**-****/*/*/* *** **-****/*/*/*)

*** ********** / *** impacted ****** *******:

***** ***** ****** ****** (before ***** **** ***, DS-2CD2XXXF), *** ***** ****** models (**-*******), ******* (**-*******), DeepinView (**-*******), ****** (**-****/***/******), thermal (**-******)

****: ********* *** *** issued * **** ** not ********** *******. ** have ******* **** **** to **** ******* *** users. ** *** **** is ********** ** **********, let ** **** ** the ******** *** ** will ******.

No ********* ******* *** / ****** ** ****

********* ******* ** *** to ******* **** **** be ******** ***** **** year.** **** *********:

********* ******* ** *** Hikvision ************* **** ** published **** *** ** days *** *********, ******** enough **** *** ********.

**** ********* ***** ******* time *** ******** *** given *********'* ********* ******* and ******** ****, ****, if *** **** ******* will *** ** ******** by ****. **** *** technical ******* *** ********, the **** ******* ******* taking ********* ** *** various ********* *** *** IP ******* **** **** not **** *******.

Positive *** ********* - ***** ************

********* ****** ** ********* for ********** **** *****. Hikvision ***** **** ****** until ****'* ** *** period *** **** ** delay *** ** ***. However, ********* ********* ** significantly ***** ** ****'* actual **********.

Comments (33)

Undisclosed Manufacturer #1

08/16/18 03:29pm

Did they do this for PR....trying to copy Genetec's disclosure??

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 08/16/18 03:41pm

Well, the difference with Hikvision is that they had to because they knew VDOO was going to in a few months. With Genetec, since it was their own hired pen tester, they could have never disclosed it without much risk of an outsider doing so.

What would be impressive if Hikvision disclosed what critical vulnerabilities Rapid7, Cisco and their other hired cybersecurity firms found.

bashis mcw

In reply to Undisclosed Manufacturer #1 | 08/16/18 05:58pm

Whatever reason they did for, its good to see changes happening from silence/hiding to talking/disclosure.

Whatever I personally think of Hikvision, I say same things as with Genetec: That's how it should be done! (HIK, but maybe little more coordination with VDOO first) ;-)

Manufactures, Who's next? =]

Undisclosed #2

08/16/18 04:04pm

Can't say I am very surprised by this. Despite all their claims about making cybersecurity a priority, Hikvision simply has too much legacy of poor code in their devices. It is highly probable that there are dozens of similar exploits buried in their various firmware and software, just waiting to be discovered.

Anticipating how the talking-head Chuck Davis tries to spin this "myth" in the upcoming cyber security event.

Hikvision, here's your sign:

Related image

Undisclosed Integrator #5

In reply to Undisclosed #2 | 08/17/18 01:56pm

Undisclosed #2

In reply to Undisclosed Integrator #5 | 08/17/18 02:05pm

This graphic could be part of the IPVM homepage. Maybe Hik-specific, or maybe just an industry counter of days since last vuln.

Undisclosed Integrator #5

In reply to Undisclosed #2 | 08/17/18 02:10pm

Just have a page with all known manufactures and update as needed.

Sean Nelson

Nelly's Security
08/16/18 04:32pm

Excellent job to Hikvision for disclosing this early. This is how you handle things with transparency. We applaud you for handling things correctly and appropriately.

oh wait,we are talking about Hikvision and not Axis or Genetec or any other non-chinese company. Let me change my rhetoric real quick...

Dam you Hikvision. This was just another tool too initiate all out cyberwar on the USA so you can use your spyware to spy on us hard workin Americans and make our internet explode with botnets. You can expect to see hack map v2.0 baby!!!. The word "Hikvision" should be completely banned from the USA language for all i care!

accurate or nay for IPVM commenters?

Undisclosed Distributor #3

In reply to Sean Nelson | 08/16/18 07:22pm

I give you 1 star for a sad attempt at trolling.

Undisclosed End User #4

In reply to Sean Nelson | 08/17/18 07:18am

If you "fear" that IPVM started a war against your favorite brand, let me advice 2 things:

1: Gather some arguments. Check the last 25 and 50 articles (you won't so I help you out one more time):

From 25: 6 is about Hikvision looks much, ok make it more clear

From that 6: 1 vulnerability (worth to mention), 1 product test (with a positive outcome), 3 reaction article about ban (obviously should be here), 1 article about dropping some show attendance (necessity is debatable)

From 50: 11 is about Hikvision (including the above)

From that 5: 1 market analysis, 1 analytic shoutout, 1 is about a promoted / removed leader, 2 congress ban article (obviously should be here)

To make it more clear, from 50article it was only 5 article from the ban, which is an obvious reaction about what the congress did. Where should this mentioned/covered if not IPVM? LOL

2: scroll over those articles, or if you don't find any valuable information on this site, most probably you should suspend or close your membership till your favorite manufacturer is in trouble.

And finally just an advice, this is for free.

If there is an obviously important article about a vulnerability, do not troll under, cause your hurted feelings. It makes you look childish, and I definitely think you are a serious MAN. Let others think the same.

Sean Nelson

Nelly's Security
In reply to Undisclosed End User #4 | 08/17/18 01:11pm

From 25: 6

From 50: 11

From that 5: 1

Confused. Are you quoting IPVM bible verses?

and I definitely think you are a serious MAN

Spoken from an undisclosed woman?

Undisclosed End User #4

In reply to Sean Nelson | 08/17/18 01:20pm

I'm really disappointed now. And funny still that you are worrying about my gender instead thinking about your missing arguments :)

Have a nice day.

Sean Nelson

Nelly's Security
In reply to Undisclosed End User #4 | 08/17/18 01:30pm

have a good one mam!

Undisclosed #2

In reply to Sean Nelson | 08/17/18 02:08pm

You really go to great lengths to maintain your ignorance, ma'am.

Sean Nelson

Nelly's Security
In reply to Undisclosed #2 | 08/17/18 02:16pm

No real man speaks critical of another and runs and hides behind the cloak of undisclosed. Well atleast we know that IPVM is very gender diverse.

Undisclosed #2

In reply to Sean Nelson | 08/17/18 02:19pm

List of things Sean doesn't understand:

1) Vulnerability severities

2) How/why Undisclosed is used on IPVM

3) Likely gender of most IPVM posters

Undisclosed End User #4

In reply to Sean Nelson | 08/17/18 02:23pm

No real man crying like a baby Sean, and running to mama to tell somebody hurt his favourite company.

On the other hand. Yes I'm a woman, and undisclose my name usually because of child like you who always taking care about my gender instead my knowledge in this industry.

So any more question about myself?

Ah, I still have only one. Where are your arguments? Or just still crying and trolling?

Sean Nelson

Nelly's Security
In reply to Undisclosed End User #4 | 08/17/18 02:55pm

Wow, i have no idea how you knew I ran and cried to my mama, but hopefully I can become a real MAN in your books again by me admitting it?

BTW, just my opinion, but I think you should post disclosed, especially that you are a woman, because you will appear way more respectful than most of the guys on here who post critical sarcastic things about other people and hide behind the undisclosed cloak.

At any rate, you seem like you are getting emotionally distressed and this conversation is getting way off track. As far as my arguments, they are all over IPVM, but feel free to ask me any specific questions and I will be happy to answer them.

Undisclosed Integrator #6

In reply to Sean Nelson | 08/17/18 07:01pm

I still find it funny, you didn't address the original comment. Nice troll diversion though!

Sean Nelson

Nelly's Security
In reply to Undisclosed Integrator #6 | 08/17/18 07:41pm

I addressed the one in which "MAN" was capitlized.

Which one specifically are you referring to though? Their have been so many. I'll be happy to give a thorough non-troll explanation.

Jonathan de Chateau

In reply to Sean Nelson | 08/17/18 07:53pm

IPVM would be a much better read without the undisclosed button.

If you have something to say, say it. Want to share info that can't be shared? Send it to the team. That way they have a chance to check the credibility and share the info if it's valuable.

Posting anonymously has zero added value to me, it enables a group that shouldn't be enabled.

As for Undisclosed End User #4, you just decided IPVM and it's members are biased to any female responding. That's not a call for you to make on my behalf.

Ethan Ace

IPVM | In reply to Jonathan de Chateau | 08/17/18 08:30pm

Going to say this again, as I have said in multiple past threads: we are not going to rehash debates about the value of undisclosed posting. Further discussion on that topic is going to get deleted. Undisclosed posting is not going anywhere on IPVM.

If anyone wants to actually discuss this latest Hikvision vulnerability, VDOO, or Hikvision's response, feel free. This is descending into useless back and forth.

Michael Gonzalez

Integrated Security Technologies, Inc.
08/21/18 01:00am

Frank Nelles

08/22/18 12:13am

John, certification by a subscription service of a testing facility such as VDOO would be a means for North American and other country security related equipment manufacturers for cybersecurity vulnerability, as well as other defined parameters to at least be operating on that level of playing field. Having recently heard of GDPR, the General Data Protection Regulation (GDPR) (EU)2016/679, which is a regulation in EU law on data protection and privacy for all individuals in the European Union. .TUV Rheinland is a test member.

John, would you consider IPVM checking out GDPR and commenting on how that certification might be of value in NA.

Thank you for the great contribution IPVM is making for this industry.

Frank Nelles

Communications Components

Undisclosed Integrator #7

08/22/18 04:39am

So Vdoo found a bug, Hikvision responded and issued a fix within the timescale.

Has there been any in the wild reports of hacks using this bug?

Undisclosed Manufacturer #8

In reply to Undisclosed Integrator #7 | 08/22/18 11:47am

The issue is twofold. First, Hik is the biggest or near the biggest camera manufacturer. Similar to if there was a defect found in the largest car manufacturer would be headline news.

Second is the timing. Hik is constantly talking about their cyber security efforts. Yes, I know and agree that a vulnerability can affect anyone, however if a company has lots of effort to secure their products they should have few and far between vulnerabilities discovered. If the vuln was due to 3rd party modules, that is understood as these items need to be updated, etc. But here it was their own code. If a company has 6000 engineers, why are they missing these left and right? I do applaud them for publicly putting out a factual statement and updating firmware quickly, which is a step forward for them.

Also, (I know that this has been repeated before), but Hik does have government funding. You would expect more from a company that has deep pockets. You expect them to look good.

Finally, is the score. This vuln received a score of 8.9. Again, why is a company that is so focused on cyber security having time and time again high scoring vulnerabilities? (And yes, I know that other large companies that are talking about cyber have had similar, such as Axis, Dahua, etc. I fault them as well).

John Honovich

IPVM | In reply to Undisclosed Manufacturer #8 | 08/22/18 11:50am

If a company has 6000 engineers, why are they missing these left and right?

Point of fact: Hikvision claims 10,000+:

Undisclosed Manufacturer #9

In reply to John Honovich | 08/22/18 04:13pm

I can't imagine 50% of your workforce in R&D is sustainable in the technology sector.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #9 | 08/22/18 04:19pm

Hikvision does not define what they count as "R&D" so it is hard to know if they are classifying it in the same way that Western technology companies do.

Undisclosed End User #4

In reply to John Honovich | 08/23/18 07:18am

Hundred percent agree. I had a project where they couldn't repair obvious bugs in their CMS SW, for months. If they did something, it caused new bugs.

I can't really imagine if you have thousands of R&D colleagues this could happen... Or from an other viewpoint, if you have such amount of engineers, how they have such amount of vulnerability issues?

Undisclosed Manufacturer #8

In reply to Undisclosed End User #4 | 08/23/18 11:34am

I also think that a lot has to do with reusing old code. You would think at some point, due to vulnerabilities, having to patch clunky code, or simply to get away from plug-ins, they would start over and make a new camera with a new ui and a new back end.

Oh well.

I know it is a lot of development and support to do that, but that is why a company hires a large staff of programmers and engineers...

John Honovich

IPVM | In reply to Undisclosed Integrator #7 | 08/22/18 03:12pm

Has there been any in the wild reports of hacks using this bug?

I made this point in the Sony thread here and I'll reiterate. Serious hackers are not in the business of publicly touting their hacks, so it is not a reasonable way to judge a vulnerability.

The bigger real risk is when VDOO announces it in 90 days. Hikvision is a well known big target with lots of port-forwarded, publicly accessible devices, which means the likelihood is very high that many devices will get hacked later this year.

John Honovich

IPVM | 10/09/18 08:02pm

Update: Hikvision UK sent a reminder newsletter about updating firmware as VDOO is scheduled to release full details soon:

Read this IPVM report for free.

This article is part of IPVM's 6,541 reports, 882 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.