Hikvision Hik-Connect 5 App / JWT Vulnerabilities Analyzed
IPVM discovered a critical vulnerability in the Hikvision Hik-Connect cloud that allowed unauthorized access to Hik-Connect users' accounts: logs sent unencrypted from the Hik-Connect app to the Hikvision cloud included sensitive information such as critical authorization tokens, so anyone simply listening on the network traffic could obtain them.
Within this report, based on IPVM network traffic analysis, we provide a detailed description of the discovered vulnerability, insight into the video encryption password, and demonstrate forged requests to Hikvision Cloud, resulting in the sharing of the victim's camera with the attacker.
Furthermore, see the report Hik-Connect 5 App/Cloud Cybersecurity Tested, which led to the discovery of this vulnerability and covers other cybersecurity aspects of the app and cloud.
Executive *******
**** ********** * ******** ************* ** Hikvision's ***-******* ***** ************* **** ******** in *** *** ******* *********** **** from *** ***-******* *** ** *** Hik-Connect *****. **** ******* ** ******** to *********** * ********** **** ******* their ********* *** ******* ******** ** their ****** ***** *** ********* ***** services.
**** ******** ******* ******* ******* *** app *** *** *****, ******* **** these *** ****** ******* *** ****'* JSON *** ***** (***) **** ** "user_login, **************, **********, **********". **** ******** data ** ********* ** *** ***-******* application *** **** *********** ** *********. The **** *** **** ******* **********, as **** *** *********** ***** **** instead ** *****, ***** ** ************ concerning **** ***** ****** **-** ********.
**** ************ **** ************* ** ******* a ****** **** * ****** *******, detailing *** ***** *** ***** ********** password ********, ***** *** ****** ** Hikvision *****.
The ********* ***-******* *************
******* *** ************ ** ******* ******* sent **** *** ***-******* *** *** filtering *** ********* ******* ** *********** show **** *******, ** ***** ******* unencrypted *** ************ ******* ******** ** the ***-******* *****.
*** ******* ** ********** ** *** log ************ ** *** ***-******* ***** made ** ********** ** ************ ******* network ******* **********. ******** *** **** JSON *** ***** (***) *** *** always ******** ** ***-******* ****, **** could ** ***** **** "****************", **** **:
- **********
- **************
- **********
- **********
*** **** *** ***** (***) ** the ****-********** **** **** ***** ** easily ******** ** ********* *** *** JSON **** "*********" ** "*******", ** ************ *****.
JSON *** ***** (***) *******
***** * **** **** ** ** the ***-******* ***, ***** ********** ******* will ******* *** ***. **** ****** the **** ** ****** ******, ********, and ********* ****** ********* ***** ********** by *** *****.
********** *********** ***** *** **** *** Token (***) **** ** *** ***-******* app *** ** ******** ********** ** *** ***.**. **** ******** ******* **** ** user **, ******** ****, ***** ****, and ****** ****. ***** ** *** information ******* **** *** ***.
** ***'** ********** ** ******* **** knowledge ***** **** *** ****** (****),***.** ****** * **** **** *********** introductory ****.
IP ****** ******* ****** ********
*** ****** ******** ******** * ******* approach ** *** ********, *** ******* to ******* ******* ******* ******** ********. For ******* ** ****** **-** ********, where *** ****** ** ******** ***** intercepting *** ******** **** *** ***** (JWT).
** *********** *** *** ******* ********* Hik-Connect **** *** ***** (***) **** someone **********, **** **** ******** * scenario ***** *** ******'* *** *** already **** ***********.
******* *** *** ** **** ***** repeater *************, **** **** ******** **** how ** ******** ***** ******** ******** on ****** ** *** ****** ******* their ********* *** **** ***** ****** to ***** ******* **** *** ********'* Hik-Connect *******.
*** ******'* ***-******* *** ****** ****** sharing.
** ******** ***** *** ***** *********, the ********* ***-******* ***** ******** *** JSON *** ***** (***) ***** ** the "*********"** *** **** *******.
*** ******** ***** **** ***** *** victim's ********* ****** **** ***** ******* using *** ******'* ****** ******, ***** was **** ************ ** *** *********** logs *** ********* ***** ** ** linked ** *** ******, *** **** share *** ****** **** *** ********'* account ***** *** ********'* ***** *******.
***** ********* ***-******* ***** ******* **** the ******* ** ********** *** ********* by *** ******, ** ************ ** confirmation ******* *** **** ** *** victim ********* *** ****** ****** **** the ********'* *******.
*******, *** ****** ***** ***** ****** see **** *** ****** ** ******.
** ******** ********* *** "******* *******", *** ****** ***** **** **** the ********'* ******* ***** ******* *** the ******* **** **** **** ****** with ****.
**** ******* *** ****** *******, *** attacker **** ******* * ************ ** new *******.
*** ******** **** ***** ** ***** on "**** ***" *** **** "******".
**** *** ******** ****** ** "******", *** ******** ***** ****** ** the ***** *** ***** ******** ** the ******'* ******.
Hikvision ***** *** ***** ********** ******** *******
* ******* *********** ************* ******** *********** whether *** ***** *** ***** ********** password *** **** ** *** ********* Hik-Connect *****.
*** ******** ** *** ******** ******** that *** ******** **, ** ****, stored ** *** ********* ***-******* *****, and ** **** ********* ** **** matter *****.
** **** ****** * *** ******** within *** ********* ****** *** ******* a ******* ** *** ******** *** viewing ********.
**** *** ******** **** *** ***** (JWT), ** **** *** ********** ** utilize **** *****'* ******** ******** ** submit * ******* **** ******** *** type ** **** ****** ** *** account *** *** ******** ******** ** the ********* ***-******* *****.
********** **** ************* ** ********* ** the **** *** "*********", ******** ** ***** *** ********* its *******, ** ***** **** *** key ********* *** ******** ********* **** after ********** * ******* ***** ** the ****** *** ****** *** ****** to ******* ***-******* *******.
*** ***** **** ** ** *** JSON *** "**********," ***** ** * **** ************** of *** ********.
** *** ********* **** ***** *******, we **** ****** *** ***** ********** password **** *** *** ******** "************" ** *** *** "***********."
**** ** ******* *** ******* *** more **** ** ******** *** **** related ** *** *******, ** ******* a ****** ** *** **** *****.
*** **** ** ***, ***** ******** two ********** *** **** ************ ** the ********. **** **** *** ** easily ********, ** *********** *****.
** * ****** ** **** ******, when *** ****** ******* ** ****** the **** *****, *** ***-******* *** will ****** *** *** *** ********** password ***** *** ****** ******** ** longer *******.
** ******, ***** **** **** ***********, we ***** ******* *** ********* **** against * ******** ** ******* ***** twice **** *** ** ********** * brute-force****** **** *******.*** *********** **** ********* ** *** camera ** ******** ** *********** **** we **** ** **** ****.
*** ******** **** ** ******* * - ** **********, ** * *********** of ********* *** ********* ******* *** digits.
** ********,***** ** **** **********, ***** ***** *** **** ******** from ******* (* **********) ** ** several ***** (** **********), ********* ** the **** **** ** *** ******** being ****.
Versions ****
- **-*********-**: **.*.** ***** ******
- ********* ***-*******
- ********* *** *****: *.*.*.****
- ****** **** *****: *.*.*.****