Hikvision Vulnerability Permits Wi-Fi Attack

By Brian Karas, Published Nov 28, 2017, 05:36pm EST

Hikvision acknowledged a Wi-Fi cyber security vulnerability on November 27, 2017. No special passwords, text strings, or programming knowledge are required. Any attacker within Wi-Fi range of the impacted cameras can exploit this.

IPVM spoke with the researcher who discovered and reported this vulnerability. We examine the limitations, exploit potential, affected products, and Hikvision's problems in responding to the vulnerability.

Limited ****** *********

**** ************* ** ******* to Wi-Fi ******* ***** *** user *** *** ********** Wi-Fi ********, ********** *** Ethernet *******. **** ****** it ** * ********** small ****** ** ********** units, ** **-** *******, ** general *** *** **** popular, *** ***** ***** Wi-Fi ******* *** ****** to ********* **-**. 

Exploit ********

*** ************* ** **** ***** cameras *** ***, ** default, ** ******* * wireless ******* ****** "*******", with ** ********. ** ******** *** create a **** ******* **** **** "davinci" *** * ********** cameras **** ************* ******* to **, ******** *** attacker ** ******* ** the ******. ********* ** the **********, *** ********** camera **** ** ****** used * ** ******* chipset *** ** ******** that **** ** ****** the ****** ** *** vulnerability.

********* ****** **** *** following ***** *** ********:

**-**********-***, **-**********-***, **-**********-**, **-**********-**, **-********-***, DS-2CD2132F-IWS, **-*******-**, **-********-**

*** ********* ******* ***** an ******* ** *** an ******** *** *** the **-** ******* ****** with ******* ******** ** a *** ** **** access ** ** ******** network:

Firewalls ***********

******* *** ******** ******** over *** ****** **-** ******* interface ** *** ******, any ******** ********, ****, or ***** ******* **** to ****** ******** *********** on *** ******** **** of *** ******* ***** not ** ******* ** the Wi-Fi **** ** *** camera, ******* ** **** to ******.

Exploit *********

********** ** *** ********** (user ******) ** *********, **** ** ***** units ******* **** ******** that **** ******** ********* the Wi-Fi ********* **** *** being **** (** ** 5.4.5), *** **** *** ********** to *** ********* ******** *******, ****** *** ******* potential **** **** *** users ** ***** ******* with ******* **-** ********.

*** *********** *** *** attacker ** ** ** Wi-Fi ***** ** *** unit, *** **** *** unit **** **** ******* Wi-Fi ********, ***** **** vulnerability less ****** **** *********'* ******** *************. ** **, *******, * significant ********* ** *********'* part ** **** ******** with **** ******* ********. 

Hikvision ***** ******** ******* ************

***** ********* ********** *********** to ****** ***************, *** has * ******** ***** address *** ***** *******, response **** ******:

*** ********** ******* **** despite ********* *********'* ********, it **** * ******, and ******** ******* ******** to *** * ******** to **** **********, ***** as **** ** *** vulnerability ********** ****:

***** ******* ******* ******** came ***** ********* *** President ******* ** *** actively promoting*********'* ***** ******** *******, ********* ****** ** hiring ******** *** ******** penetration ******* [**** ** longer *********], ***** ****** have ********** **** ***** vulnerability ** ***** ***. ************, *********'* ***** *** **** of ***** ******** *** **** *** *******, leaving *** **** ** cybersecurity **** **** ****** the ******* ******* ********.

Positive ******** **** ***** *****

*** ********** ****** **** his ******** **** ********* ultimately **** **** *** cyber ******** **** ***** ***** [link ** ****** *********], whom ** ***** ** be ******* *** ******** interested ** ********** *** discovery. ** **** ***** was * **** **** for *********, *** ***** hopefully ** **** ** improve *********'* ******* ***** security ************** *** ************* management ******* *********** **** as ***** ******** ************** ******** *******

Hikvision ** ********* ************ ** *****

******* ************* *** ****** on ******* ***, *** having ******* ******** *********, as **** ** *********** workarounds ** ***** **** vulnerability, ********* *** *** proactive notify ***** ****** *** vulnerability *** ********* ******** by **** **********.

Special ******** ****** ***

********* *** *** ******* to ****'* ******* *** additional ****** ** *** vulnerability **********. *******, **** **** 3 ***** ***** *** ***** to *********, *** ******* released * "******* ********", reusing *** ******* **** and ***** **** **** their ******* ******** ******** 2 ***** *** ** the **** ****** ******* ********* Investigation.:

~** ******* *****, ********* re-sent *** ******** **** a corrected ******* **** *** intro:

** *** ********, ******* of ********** ******* ** the ************* *****, ********* starts ** ******* ***** they ****** ******* ****** features, ****** **** *** technically ********** **** *** firmware ********* ** **** ** the ******** *****.

** * ******* ******** ****** (***) ********* **** ********, users *** ******* ** is ** "*********** ****" document, **** ** ****** required:

***, *** *** ******* ******** action, ************ ******** ****** firmware ***/** ********* **-** (for ***** **** ******** new ****** ** ******* this).

***** *** "****** ********" section ***** ************* ** a ***** *****, *********'* errors ** ********* *** notifications ******** *** ******* rushed ** ***** ***** responses **** **** ****** aware **** *** ************* would ** ******** *********, and ******** **. *** Hikvision **** ********** ** their *** ************* ********* email *******, *** *** a ************* ******** *** notification ******* ** *****, they ***** **** *** their ****** ** ******* "education *** ********" ******* of ******* ** ******* to *** ********** *** issuing *******-******** *************.

Continued ********* *********** ******

**** ************* ** ** avoidable *****, **** ****** ** discovered ** ******** *********** processes ** ******** ***** security *****. *********,*********'* ****** *********** ******** in ************ ****** *************, *** *** ******** ******** *************, ***** ******, *** also ***** ** *************** that **** **** *** result ** **** ******** design ** **************, ** choices **** ** *** company ** ************ ***** security ******** ** ***** aspects ** *** ********. 

Communication ************ ******

********* ***** **** ****** significantly with *******, **** ********* and **** ********* ************* on ***************. 

Comments (15)

Scott Sheldrake

11/28/17 11:15pm

We are seeing the HIKVision mini PTZ DS-2DE2103-DE3/W and HIK DS-2DE3304W-DE hacked remotely (OSD names changed to HACKED) despite having a strong password.  Not sure if this is related to the same vulnerability.

HIKVision does not have firmware updates on their tech portal (xx3304xx not listed), or the website (404 broken link) or on their unofficial FTP site.  Tech support doesn't know, they just point you at the tech portal which does not have the camera listed.  The one they say should work doesn't work.

How can HIKVision expect us to protect end users from hacking when they do not even give us firmware??

This is absolutely insane.

Avatar

Brian Karas

IPVM | In reply to Scott Sheldrake | 11/28/17 11:38pm

Scott -

What are you describing sounds like the cameras are being hit by the Hikvision Backdoor Exploit, which allows someone to access or change camera settings regardless of the admin password strength/complexity. Basically, with this backdoor, Hikvision provides a way for attackers to circumvent strong passwords.

For what its worth, you are not alone. An analysis I did over the Thanksgiving weekend shows there are likely thousands of cameras that have had the name changed to "HACKED". Also, there are 10's of thousands of cameras with this vulnerability reachable on the internet. I have not determined how/why the ones that are being hacked to show "HACKED" are selected relative to the fairly large overall number of vulnerable cameras.

Here is a map of where I have located nearly 1,000 cameras (based on geo IP lookup, so some points could be off) showing "HACKED" for the camera name. You can see they are heavily concentrated in the US, and Europe:

Undisclosed #1

In reply to Brian Karas | 11/29/17 12:09am

Question:  If Hiks explosive growth over the last few years is primarily due to big deals within China (i.e. they have far more cameras installed in China than anywhere else), how come all the vulnerable cameras appear to be in N America and Europe?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 11/29/17 12:13am

These are not just vulnerable cameras, they are vulnerable cameras that have been hacked to display the English-language text "HACKED" (or "Hacked", or case-insensitive variants).

There may be cameras in China that display the Chinese equivalent of "HACKED", but my check was not looking for alternate languages/spellings, etc.

 

Undisclosed #1

In reply to Brian Karas | 11/29/17 12:14am

that makes sense...  : )

Undisclosed #1

In reply to Brian Karas | 11/29/17 12:17am

why so few in Australia then, do you think?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 11/29/17 01:04am

Because Shodan has very very few Hikvision devices in their database, as far as I can tell. 

Undisclosed #1

In reply to Brian Karas | 11/29/17 02:21am

very very few Australian devices?  or total devices?

my point is... if the reason Chinese Hik cameras don't show up on your search for devices reporting as HACKED (when there are more of them there than anywhere) is because your search was limited to the English version of the word HACKED, then why are there not more HACKED devices showing up in Australia?  Since I would assume most of their systems were based in English?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 11/29/17 11:30am

why are there not more HACKED devices showing up in Australia?

Because the shodan database has very few IPs for Hikvision cameras in Australia. I do not know if that is because Hikvision has low market penetration there, because Shodan simply does not scan IPs in Australia, if Australians have better firewalls, or something else. 

If the IPs are not in shodan, which is where I pull lists of publicly accessible cameras from, then I can not scan them.

 

Avatar

Karsten Kirchhof

In reply to Brian Karas | 01/04/18 03:23pm

Hi Brian,

you published an interactive map for USA.

Could you pls also publish some similar map for Europe?

 

BR,

Karsten

Undisclosed Manufacturer #2

11/29/17 12:05pm

This may be farther reaching than you think because for a long time, to get sound “S” you had to get the WiFi version “W”. The models were often “IWS”. 

I know with near certainty the customers using them for audio never touched the WiFi default settings. 

Undisclosed #3

12/04/17 01:19pm

Another Hikvision hack !!! What a shock.

John Honovich

IPVM | 12/21/17 08:02pm

Update: A day after IPVM criticized Hikvision for its notice that erroneously stated no action was required:

In a Product Advisory Notice (PAN) Hikvision also released, users are advised it is an "Information Only" document, with no action required:

Yet, the PAN clearly requires action, recommending updating device firmware and/or disabling Wi-Fi (for units with firmware new enough to support this).

Hikvision released a corrected notice:

Undisclosed Integrator #4

In reply to John Honovich | 12/21/17 08:13pm

Why should Hikvision worry about quality control and copy editing when you're willing to do it for them for free? 

Undisclosed Manufacturer #2

In reply to John Honovich | 12/21/17 08:47pm

The incompetence is maddening. 

Read this IPVM report for free.

This article is part of IPVM's 6,731 reports, 908 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports