Hikvision IP Camera Critical Vulnerability 2018 Disclosed

Well, the difference with Hikvision is that they had to because they knew VDOO was going to in a few months. With Genetec, since it was their own hired pen tester, they could have never disclosed it without much risk of an outsider doing so.

What would be impressive if Hikvision disclosed what critical vulnerabilities Rapid7, Cisco and their other hired cybersecurity firms found.

If you "fear" that IPVM started a war against your favorite brand, let me advice 2 things:

1: Gather some arguments. Check the last 25 and 50 articles (you won't so I help you out one more time):

From 25: 6 is about Hikvision looks much, ok make it more clear

From that 6: 1 vulnerability (worth to mention), 1 product test (with a positive outcome), 3 reaction article about ban (obviously should be here), 1 article about dropping some show attendance (necessity is debatable)

From 50: 11 is about Hikvision (including the above)

From that 5: 1 market analysis, 1 analytic shoutout, 1 is about a promoted / removed leader, 2 congress ban article (obviously should be here)

To make it more clear, from 50article it was only 5 article from the ban, which is an obvious reaction about what the congress did. Where should this mentioned/covered if not IPVM? LOL

2: scroll over those articles, or if you don't find any valuable information on this site, most probably you should suspend or close your membership till your favorite manufacturer is in trouble.

And finally just an advice, this is for free.

If there is an obviously important article about a vulnerability, do not troll under, cause your hurted feelings. It makes you look childish, and I definitely think you are a serious MAN. Let others think the same.

The issue is twofold.  First, Hik is the biggest or near the biggest camera manufacturer.  Similar to if there was a defect found in the largest car manufacturer would be headline news. 

Second is the timing.  Hik is constantly talking about their cyber security efforts.  Yes, I know and agree that a vulnerability can affect anyone, however if a company has lots of effort to secure their products they should have few and far between vulnerabilities discovered.  If the vuln was due to 3rd party modules, that is understood as these items need to be updated, etc.  But here it was their own code.  If a company has 6000 engineers, why are they missing these left and right?  I do applaud them for publicly putting out a factual statement and updating firmware quickly, which is a step forward for them.

Also, (I know that this has been repeated before), but Hik does have government funding.  You would expect more from a company that has deep pockets.  You expect them to look good.  

Finally, is the score.  This vuln received a score of 8.9.  Again, why is a company that is so focused on cyber security having time and time again high scoring vulnerabilities?  (And yes, I know that other large companies that are talking about cyber have had similar, such as Axis, Dahua, etc.  I fault them as well).

Has there been any in the wild reports of hacks using this bug?

I made this point in the Sony thread here and I'll reiterate. Serious hackers are not in the business of publicly touting their hacks, so it is not a reasonable way to judge a vulnerability.

The bigger real risk is when VDOO announces it in 90 days. Hikvision is a well known big target with lots of port-forwarded, publicly accessible devices, which means the likelihood is very high that many devices will get hacked later this year.