Hikvision Vulnerability Permits Wi-Fi Attack

CH
Conor Healy
Published Nov 28, 2017 22:36 PM

Hikvision acknowledged a Wi-Fi cyber security vulnerability on November 27, 2017. No special passwords, text strings, or programming knowledge are required. Any attacker within Wi-Fi range of the impacted cameras can exploit this.

IPVM spoke with the researcher who discovered and reported this vulnerability. We examine the limitations, exploit potential, affected products, and Hikvision's problems in responding to the vulnerability.

Limited ****** *********

**** ************* ** ******* ** **-** ******* where *** **** *** *** ********** Wi-Fi ********, ********** *** ******** *******. This ****** ** ** * ********** small ****** ** ********** *****, ** **-** cameras, ** ******* *** *** **** popular, *** ***** ***** **-** ******* are ****** ** ********* **-**. 

Exploit ********

*** ************* ** **** ***** ******* *** set, ** *******, ** ******* * wireless ******* ****** "*******", **** ** password. An ******** *** ****** * **** ******* **** **** "davinci" *** * ********** ******* **** automatically ******* ** **, ******** *** attacker ** ******* ** *** ******. According ** *** **********, *** ********** camera **** ** ****** **** * TI ******* ******* *** ** ******** that **** ** ****** *** ****** of *** *************.

********* ****** **** *** ********* ***** are ********:

**-**********-***, **-**********-***, **-**********-**, **-**********-**, **-********-***, **-********-***, **-*******-**, DS-2CD2432F-IW

*** ********* ******* ***** ** ******* of *** ** ******** *** *** the **-** ******* ****** **** ******* settings ** * *** ** **** access ** ** ******** *******:

Firewalls ***********

******* *** ******** ******** **** *** unused Wi-Fi ******* ********* ** *** ******, any ******** ********, ****, ** ***** methods **** ** ****** ******** *********** on *** ******** **** ** *** network ***** *** ** ******* ** the Wi-Fi **** ** *** ******, ******* it **** ** ******.

Exploit *********

********** ** *** ********** (**** ******) on *********, **** ** ***** ***** ******* with ******** **** **** ******** ********* the Wi-Fi ********* **** *** ***** **** (up ** *.*.*), *** **** *** ********** to *** ********* ******** *******, ****** *** ******* ********* **** high *** ***** ** ***** ******* with ******* **-** ********.

*** *********** *** *** ******** ** be ** **-** ***** ** *** unit, *** **** *** **** **** with ******* **-** ********, ***** **** vulnerability less ****** **** *********'* ******** *************. ** **, *******, * *********** ********* on *********'* **** ** **** ******** with **** ******* ********. 

Hikvision ***** ******** ******* ************

***** ********* ********** *********** ** ****** vulnerabilities, *** *** * ******** ***** address *** ***** *******, ******** **** months:

*** ********** ******* **** ******* ********* Hikvision's ********, ** **** * ******, and ******** ******* ******** ** *** a ******** ** **** **********, ***** as **** ** *** ************* ********** post:

***** ******* ******* ******** **** ***** Hikvision *** ********* ******* ** *** actively promoting*********'* ***** ******** *******, ********* ****** ** ****** ******** and ******** *********** ******* [**** ** longer *********], ***** ****** **** ********** this ***** ************* ** ***** ***. ************, *********'* ***** *** **** ** ***** Security *** **** *** *******, ******* *** role ** ************* **** **** ****** the ******* ******* ********.

Positive ******** **** ***** *****

*** ********** ****** **** *** ******** from ********* ********** **** **** *** cyber ******** **** ***** ***** [**** ** longer *********], **** ** ***** ** be ******* *** ******** ********** ** addressing *** *********. ** **** ***** was * **** **** *** *********, and ***** ********* ** **** ** improve *********'* ******* ***** ******** ************** and ************* ********** ******* *********** **** as ***** ******** ************** ******** *******

Hikvision ** ********* ************ ** *****

******* ************* *** ****** ** ******* 3rd, *** ****** ******* ******** *********, as **** ** *********** *********** ** close **** *************, ********* *** *** proactive notify ***** ****** *** ************* *** disclosed ******** ** **** **********.

Special ******** ****** ***

********* *** *** ******* ** ****'* request *** ********** ****** ** *** vulnerability **********. *******, **** **** * ***** ***** our ***** ** *********, *** ******* released * "******* ********", ******* *** subject **** *** ***** **** **** their ******* ******** ******** * ***** ago ** *** **** ****** ******* ********* *************.:

~** ******* *****, ********* **-**** *** Bulletin **** * ********* ******* **** *** intro:

** *** ********, ******* ** ********** details ** *** ************* *****, ********* starts ** ******* ***** **** ****** disable ****** ********, ****** **** *** technically ********** **** *** ******** ********* ** many ** *** ******** *****.

** * ******* ******** ****** (***) ********* **** ********, ***** *** advised ** ** ** "*********** ****" document, **** ** ****** ********:

***, *** *** ******* ******** ******, ************ updating ****** ******** ***/** ********* **-** (for ***** **** ******** *** ****** to ******* ****).

***** *** "****** ********" ******* ***** misclassified ** * ***** *****, *********'* errors ** ********* *** ************* ******** the ******* ****** ** ***** ***** responses **** **** ****** ***** **** the ************* ***** ** ******** *********, and ******** **. *** ********* **** responsive ** ***** *** ************* ********* email *******, *** *** * ************* response *** ************ ******* ** *****, they ***** **** *** ***** ****** of ******* "********* *** ********" ******* of ******* ** ******* ** *** researcher *** ******* *******-******** *************.

Continued ********* *********** ******

**** ************* ** ** ********* *****, **** should ** ********** ** ******** *********** processes ** ******** ***** ******** *****. Similarly,*********'* ****** *********** ******** ** ************ ****** *************, *** *** ******** ******** *************, ***** ******, *** **** ***** of *************** **** **** **** *** result ** **** ******** ****** ** implementation, ** ******* **** ** *** company ** ************ ***** ******** ******** to ***** ******* ** *** ********. 

Communication ************ ******

********* ***** **** ****** ************* **** *******, more ********* *** **** ********* ************* on ***************. 

Comments (15)
SS
Scott Sheldrake
Nov 28, 2017

We are seeing the HIKVision mini PTZ DS-2DE2103-DE3/W and HIK DS-2DE3304W-DE hacked remotely (OSD names changed to HACKED) despite having a strong password.  Not sure if this is related to the same vulnerability.

HIKVision does not have firmware updates on their tech portal (xx3304xx not listed), or the website (404 broken link) or on their unofficial FTP site.  Tech support doesn't know, they just point you at the tech portal which does not have the camera listed.  The one they say should work doesn't work.

How can HIKVision expect us to protect end users from hacking when they do not even give us firmware??

This is absolutely insane.

(1)
(1)
(1)
Avatar
Brian Karas
Nov 28, 2017
IPVM
In reply to Scott Sheldrake

Scott -

What are you describing sounds like the cameras are being hit by the Hikvision Backdoor Exploit, which allows someone to access or change camera settings regardless of the admin password strength/complexity. Basically, with this backdoor, Hikvision provides a way for attackers to circumvent strong passwords.

For what its worth, you are not alone. An analysis I did over the Thanksgiving weekend shows there are likely thousands of cameras that have had the name changed to "HACKED". Also, there are 10's of thousands of cameras with this vulnerability reachable on the internet. I have not determined how/why the ones that are being hacked to show "HACKED" are selected relative to the fairly large overall number of vulnerable cameras.

Here is a map of where I have located nearly 1,000 cameras (based on geo IP lookup, so some points could be off) showing "HACKED" for the camera name. You can see they are heavily concentrated in the US, and Europe:

(3)
U
Undisclosed #1
Nov 29, 2017
In reply to Brian Karas

Question:  If Hiks explosive growth over the last few years is primarily due to big deals within China (i.e. they have far more cameras installed in China than anywhere else), how come all the vulnerable cameras appear to be in N America and Europe?

(1)
Avatar
Brian Karas
Nov 29, 2017
IPVM
In reply to Undisclosed #1

These are not just vulnerable cameras, they are vulnerable cameras that have been hacked to display the English-language text "HACKED" (or "Hacked", or case-insensitive variants).

There may be cameras in China that display the Chinese equivalent of "HACKED", but my check was not looking for alternate languages/spellings, etc.

 

(1)
U
Undisclosed #1
Nov 29, 2017
In reply to Brian Karas

that makes sense...  : )

U
Undisclosed #1
Nov 29, 2017
In reply to Brian Karas

why so few in Australia then, do you think?

Avatar
Brian Karas
Nov 29, 2017
IPVM
In reply to Undisclosed #1

Because Shodan has very very few Hikvision devices in their database, as far as I can tell. 

U
Undisclosed #1
Nov 29, 2017
In reply to Brian Karas

very very few Australian devices?  or total devices?

my point is... if the reason Chinese Hik cameras don't show up on your search for devices reporting as HACKED (when there are more of them there than anywhere) is because your search was limited to the English version of the word HACKED, then why are there not more HACKED devices showing up in Australia?  Since I would assume most of their systems were based in English?

Avatar
Brian Karas
Nov 29, 2017
IPVM
In reply to Undisclosed #1

why are there not more HACKED devices showing up in Australia?

Because the shodan database has very few IPs for Hikvision cameras in Australia. I do not know if that is because Hikvision has low market penetration there, because Shodan simply does not scan IPs in Australia, if Australians have better firewalls, or something else. 

If the IPs are not in shodan, which is where I pull lists of publicly accessible cameras from, then I can not scan them.

 

(1)
Avatar
Karsten Kirchhof
Jan 04, 2018
In reply to Brian Karas

Hi Brian,

you published an interactive map for USA.

Could you pls also publish some similar map for Europe?

 

BR,

Karsten

UM
Undisclosed Manufacturer #2
Nov 29, 2017

This may be farther reaching than you think because for a long time, to get sound “S” you had to get the WiFi version “W”. The models were often “IWS”. 

I know with near certainty the customers using them for audio never touched the WiFi default settings. 

(1)
(2)
U
Undisclosed #3
Dec 04, 2017

Another Hikvision hack !!! What a shock.

JH
John Honovich
Dec 21, 2017
IPVM

Update: A day after IPVM criticized Hikvision for its notice that erroneously stated no action was required:

In a Product Advisory Notice (PAN) Hikvision also released, users are advised it is an "Information Only" document, with no action required:

Yet, the PAN clearly requires action, recommending updating device firmware and/or disabling Wi-Fi (for units with firmware new enough to support this).

Hikvision released a corrected notice:

(2)
UM
Undisclosed Manufacturer #4
Dec 21, 2017
In reply to John Honovich

Why should Hikvision worry about quality control and copy editing when you're willing to do it for them for free? 

(2)
(4)
UM
Undisclosed Manufacturer #2
Dec 21, 2017
In reply to John Honovich

The incompetence is maddening. 

(2)