Hik-Connect 5 App / JWT Vulnerabilities Analyzed
IPVM discovered a critical vulnerability in the Hikvision Hik-Connect cloud that allowed unauthorized access to Hik-Connect users' accounts. An attacker only needed to listen to network traffic: logs sent unencrypted from the Hik-Connect app to the Hikvision cloud included sensitive information such as critical authorization tokens.
Within this report, based on IPVM network traffic analysis, we provide a detailed description of the discovered vulnerability, insight into the video encryption password, and demonstrate forged requests to Hikvision Cloud, resulting in the sharing of the victim's camera with the attacker.
Furthermore, see the report Hik-Connect 5 App/Cloud Cybersecurity Tested, which led to the discovery of this vulnerability and includes other cybersecurity aspects.
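As an added defender-side example (not from the IPVM report and not Hikvision code), the following Python scans a constructed plaintext log upload for JWT-shaped strings and decodes their claims, showing what an on-path observer learns from an unencrypted log and how a network monitor can flag such leaks; the host, signing key and claim values are made up.

```python
import base64, hashlib, hmac, json, re, time
from typing import Optional

# Constructed sample material: the key and claims are invented for this example.
_DEMO_KEY = b"demo-secret-not-real"
_NOW = int(time.time())

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_jwt(claims: dict, key: bytes = _DEMO_KEY) -> str:
    """Build an HS256 JWT for the constructed sample (not a real Hik-Connect token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

# Constructed plaintext (non-TLS) log upload of the kind the report describes:
# a JSON body with a live token and an already-expired one embedded in it.
SAMPLE_LOG_UPLOAD = (
    "POST /api/app/log HTTP/1.1\r\nHost: example.invalid\r\nContent-Type: application/json\r\n\r\n"
    + json.dumps({"event": "user_login",
                  "token": make_demo_jwt({"sub": "user-123", "exp": _NOW + 3600}),
                  "prev_token": make_demo_jwt({"sub": "user-123", "exp": _NOW - 86400})})
)

# Three base64url segments, the first starting with the encoding of '{"' (eyJ).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _decode_segment(seg: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def find_leaked_jwts(plaintext: str, now: Optional[int] = None) -> list:
    """Return every JWT-shaped string in captured plaintext with its decoded header
    algorithm, claims and whether 'exp' has passed. The signature is NOT verified:
    an observer does not need the key to read the claims or replay the token."""
    now = _NOW if now is None else now
    findings = []
    for m in JWT_RE.finditer(plaintext):
        token = m.group(0)
        try:
            header, claims = (_decode_segment(s) for s in token.split(".")[:2])
        except ValueError:
            continue  # looked like a JWT but did not decode as one
        exp = claims.get("exp")
        findings.append({"alg": header.get("alg"), "claims": claims,
                         "expired": exp is not None and exp <= now, "offset": m.start()})
    return findings
```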