Hikvision Cloud / QR Codes Enable Livestreaming Child Pornography Explained

Published Jul 17, 2023 12:45 PM

Many mistakenly believe that the child pornography sold online from hacked Hikvision cameras was only possible because of "old" vulnerabilities. Far more concerning, it is Hikvision's own current cloud software and QR code functionality that enables criminals to livestream child pornography.

IPVM Image

While child pornography distribution is especially heinous, IPVM has found that hackers are more broadly using Hik-Connect QR codes to spy on all sorts of Hikvision end users.

IPVM has existing Research both testing the Hik-Connect app and testing Hik-Connect's cybersecurity.

In this new IPVM testing, we examine how Hikvision generates QR codes, how simple they are to share with other users, the fundamental security risks involved, and what we recommend users and Hikvision do to stop their systems from being exploited.
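To make the fundamental risk concrete before the test details, here is an added illustration. It is not Hikvision's code and not IPVM's test code; every field name, serial number, account name and the token format are hypothetical. It contrasts a sharing QR code that carries a static bearer credential (pattern 1) with one that carries a short-lived, account-bound, single-use, revocable share token (pattern 2). A QR image is only a container for a string, so under pattern 1 a screenshot of the code is exactly as good as the original for anyone who receives it; under pattern 2 a forwarded copy is useless to a third party, a replay fails, the owner can revoke it, and it stops working after minutes rather than months.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Pattern 1 (risky): the QR code encodes a static bearer credential. Whoever
# holds a copy of the image has the owner's access for as long as the
# credential stays valid. Field names and values are constructed samples.
DEVICES = {"SN-0001": "code-9f3a"}  # hypothetical: serial -> device access code


def make_static_payload(serial, access_code):
    """What a scanner reads out of a credential-carrying QR code."""
    return json.dumps({"serial": serial, "code": access_code})


def redeem_static(payload):
    """Pattern 1 check: nothing binds the payload to a person, a time or a use."""
    data = json.loads(payload)
    return DEVICES.get(data.get("serial")) == data.get("code")


# Pattern 2 (hardened): the QR code encodes an HMAC-signed share token that
# is short-lived, bound to the grantee account, single-use and revocable.
# Only the issuing service can mint one, because only it holds the key.
def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode()


def b64d(text):
    return base64.urlsafe_b64decode(text.encode())


class ShareService:
    def __init__(self, key):
        self._key = key
        self._issued = {}  # token id -> {"redeemed": bool, "revoked": bool}

    def issue(self, serial, grantee, ttl_s, now=None):
        now = time.time() if now is None else now
        body = {
            "jti": secrets.token_hex(8),  # unique id for single-use and revocation
            "serial": serial,
            "grantee": grantee,           # the only account allowed to redeem it
            "iat": int(now),
            "exp": int(now) + ttl_s,      # lifetime in seconds: minutes, not months
        }
        raw = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._key, raw, hashlib.sha256).digest()
        self._issued[body["jti"]] = {"redeemed": False, "revoked": False}
        return b64e(raw) + "." + b64e(sig)  # urlsafe base64 never contains '.'

    def revoke(self, token):
        """Owner-side revocation of a share the owner no longer wants."""
        try:
            body = json.loads(b64d(token.split(".")[0]))
        except (ValueError, TypeError):
            return
        if body.get("jti") in self._issued:
            self._issued[body["jti"]]["revoked"] = True

    def redeem(self, token, grantee, now=None):
        """Returns (ok, serial_or_reason). Every check fails closed."""
        now = time.time() if now is None else now
        try:
            raw_b64, sig_b64 = token.split(".")
            raw, sig = b64d(raw_b64), b64d(sig_b64)
        except (ValueError, TypeError):
            return False, "malformed"
        expected = hmac.new(self._key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"     # forged or edited token
        body = json.loads(raw)
        record = self._issued.get(body.get("jti"))
        if record is None:
            return False, "unknown token"
        if record["revoked"]:
            return False, "revoked"
        if now > body["exp"]:
            return False, "expired"
        if body["grantee"] != grantee:
            return False, "wrong account"     # a forwarded copy is useless
        if record["redeemed"]:
            return False, "already redeemed"  # replaying the same image fails
        record["redeemed"] = True
        return True, body["serial"]


def forge_grantee(token, new_grantee):
    """What an attacker would try: rewrite the grantee but keep the old signature."""
    raw_b64, sig_b64 = token.split(".")
    body = json.loads(b64d(raw_b64))
    body["grantee"] = new_grantee
    return b64e(json.dumps(body, sort_keys=True).encode()) + "." + sig_b64


if __name__ == "__main__":
    leaked = make_static_payload("SN-0001", "code-9f3a")
    print("pattern 1, stranger with a screenshot:", redeem_static(leaked))
    svc = ShareService(secrets.token_bytes(32))
    t0 = 1_700_000_000
    tok = svc.issue("SN-0001", grantee="alice", ttl_s=600, now=t0)
    print("pattern 2, stranger:", svc.redeem(tok, "mallory", now=t0 + 60))
    print("pattern 2, alice   :", svc.redeem(tok, "alice", now=t0 + 60))
    print("pattern 2, replay  :", svc.redeem(tok, "alice", now=t0 + 120))
    print("pattern 2, forged  :", svc.redeem(forge_grantee(tok, "mallory"), "mallory", now=t0))
```

The point of the contrast is not the specific token format but the properties: a share grant should name who may redeem it, expire quickly, be usable once, and be cancellable by the owner, and the cloud service, not the QR image, should be the thing that decides whether access is still valid.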

QR **** **********

*** ** **** ******** ********* ****** is ********* **** **** **** *** accustomed ** **** ***** ************ *******.

*** **** ****** ******** ** **** there ** * ** **** ** the ****** *** *** ***** **** to ******* ** *** *****, *********** the ****** **** * ******** ******** account.

**** ******** ** *********** *** ********, you ** **** *** ***** ****** and ** ********* * ** **** that *** ** ****** ** ******* to *** ******.

IPVM Image

********

*** ***** ***** ********* *** **** is ********* *** *** ***** ********:

IPVM Image

Executive *******

*********'* ****** ** ******** * ** code ** ****** ******* ** *** current ***-******* *** ****** ********* ** quickly *** ****** ***** ********* ********* cameras ** **** **** *** ************ users, ******** **** ** ***** **** and ******** *****. *** ************ ****** is ********* ******* ** *** ****** owner/victim ******* ***** *** ** ************* that *** ****** *** **** ****** because *** ******** ** ***** ** administrator ******* ** ***** *** ** code.

******** ******* ***** **** *** ** code ****** **** *** ********** *****, ******* *** ** **** *** be ********* ********, ** ****** ********* to ******** * **** ******* ***** access ** *** ******. **********, ********* required * ************ **** **** *** printed ** * ******** ***** ** the ****** *** ***** *** ** changed.

Hik-Connect *** ****** ******* ******* **-**** *********

***** ********* ******** * ******* *** adding ******* ** ***-*******, *** ***** complex ****** **** * **-**** ****, which *** ** **** ** *** up ** ** ******* **** * single ****. **** ** ******* ** Hikvision's ********* ** *** *******:

IPVM Image

********* ******* ********* *************** ** ******** access *** ****** ******** **** ** administrator ******* *** **** *** * non-admin **** **** ** **** ******* to **** *****, ******** *** ****** to ****** ***** ****** *** ***** that ****** **** * ** ****.

**** **** *** ***-******* ********** *** ** ****. ***-******* ******** ** *********** *** QR ****, **** * ******** **** of *** **** *** ** ** 365 ****:

IPVM Image

***** ** *** *******, ** ******** 10+ ** ***** *** ** ********* (within ~*-* *******), *** ******* **************** blocked ** **** ******** ****. **** enables ********* ** **** ****** ** the **** ******* ******** ** *****. Below ** * **** ** ** codes ****** **** *** **** *******, within * **-****** ******:

*** ********* **** ***** ***** *** quick ** ** ** ******** * QR ****, *** *** *** ********* can *** / ********** *** ** codes, ***** *** ******* ***** *** Hik-Connect ***, ***** ***** ****** ** live *** ******** ***** **** ****:

Users ******** ** ******** ************ ** **** *******

***** *** ***-******* *** ** ***** controlled, *** ***-******* *** ********* *** QR **** ******* *** **** *** use ** *** *** ***** ** Hik-Connect's ***** *******. **** ***** ** difficult ** ***** ****** ******* *** end ***** ** ********* *******.

***** ** ** ****/******* ** *** Hik-Connect *** **** ********** ** *** camera ** ***** ******:

IPVM Image

*******, ** *** ****** ** *** using ***-*******, ** **** ** **** are *** ***** ***-******* *********, **** would ****** ***** *** *** "*******", or ** ***** ** ****/***** ****** they **. ***** ** ** *** notification **** *** ****** *** **** shared **** ******* ****. **** ** a **** *** *** *** "*******" message, **** *** *** **** **** what ** *****.

****, ** **** *** ************ ******* the ****** ******* * ***-******* ***** (e.g., * ******* ** * *********, business ***** *** *******, ***.), **** "Sharing" **** ***** ******** ** ******* and ***** *** ***** ******* *** those *****.

******, ** * ********* **** ***** to ***** *** ***** **** *** camera *** ****** ****, *** **** is *** ******* **** ********** *** infrequent *****. ** *** ***** *****, IPVM ***** *** *** ** ****** this ***** *** ***-******* ***:

******* ****** ***** * **** *** verify ** ** **** ***** "*****," they *** *********** **** * **** of ********** *** *** ****** *******:

IPVM Image

Stop ******** ** **** ******* ***********

*** **** ********* ************** ** ******* the ******* ** *** ********* ** update ***-******* ** ** ****** ******** QR ***** *** *******.

***** **** ***** ****** ********* ******** for ********** *****, ***-******* ******* ****** 2 ***** ******* *** ****** *******; manually ****** ******* ** *******/****/********, *** local ******* ******** *** ****** ********* devices.

Old ****** ******** ***** ************ ****

******* ******* ** ********* ***** ********** **** **** ** **** ********, Hikvision **** ******** ******** * "****** Verification ****" **** *** **** ******* on * ******** ***** ** *** device:

IPVM Image

*********, **** ***-******* *******, ********* ****** this ** * "****** **********/********** ***" which *** ** ****** ** *** web ********* *** **** ******* **** the ***:

IPVM Image

******* ********* *** ******* ************* ****** remotely ** ********* ********* *******, **** are **** ** *** *** *** without ****** ******** ******.

******* ** *** ************** ** ******** QR **** *******, **** ***** ****** create ********** ******** *** ********** ***** but ***** ************* ******** *** **** of ************ *******.

App ************ **** ****** ** ******

***** ***-******* ****** *** ****** "*******" in *** ***, ** **** *** pop ** ** *** ************ **** the ****** *** **** ******, ** it **** **** ****** ******, ***** notifications, ***. ***** ** **** ** email ** *** ************ **** * device *** **** ******.

*** **** **** ******** *** ***** link *** * ***-** ******* ** logging **** ***-*******:

IPVM Image

***-******* ****** ******** ** *** ************ to *** ************* ***** **** *** camera *** **** ******. *******, **** would *** **** ***** **** *** not ***** ***-*******, ****** ***** ****** cover * *********** ******* ** *********** or ***** ******** ********* *****.

Require ***** ********** - *****-****** ************** / **** *******

** ******** ** ******* ******** *******, requiring ***** ********** *** *** ****** devices **** ***-******* ***** ***** ***** to ****** *****-****** ************** *** ******* local *** ** ******. **** ****** mitigate ************ ****** ***/** ** ***** provide ****** **** ******* *********** **** could ** ******** ** ***** ** Hikvision *******.

Comments (20)
Mark Jones
Jul 17, 2023

** ***** *** ******** ** *** that **** *** ******* ********? *** before *** ***, ** **** ******.

Jermaine Wilson
Jul 17, 2023
IPVMU Certified
John Honovich
Jul 17, 2023
IPVM

***, ** ******, ***** ** ****** of ******** **** *** **** ***** on *** ***** **** ****. *** the ******** ****** -***** *********** ** **** **** ****** Hikvision ******* ***** ******* ***-******* ***. ** ******* ******** ****** ** marketing ****** **** ******* ***-*******, *** example ** *****:

IPVM Image

Undisclosed Integrator #1
Jul 17, 2023

*'* ******* **** ** *********** ** Hik's **** (***). *** **** **** has **** **** ******, *** **** will ****** ****** ***** **** **** may ******* ***** *******. ***** *** SO **** ******* **** *** ********* and ******* *** **** **** ***** it.

(1)
David Straede
Jul 17, 2023

**** **** *** ** **?

*) ** ** ******** ****** ***: "hacked ***** *******" ** "****** ********" if *** **** ***** *** ******* to ****

*) ********* **** ** *** ** admin ******** ** * ****** ** any ***** **** ****** ********* ** file *******, *** *******: *) * video ******, *) * *******, *) A ***** **** *****, *) ***** as * ******* *******

*) ***** *** ***** ** ******* images *** *** **** *** ***** of *** ****** **** *** **** it

*) ****** **** ********* *** ***** it *** ** **** *** ***** porn

(1)
(2)
John Honovich
Jul 17, 2023
IPVM

***** ** *** ** **** *** child ****

**** ** *** **** ** *****? There's * ******* *********** **** **** **** ********* ***** pornography *** ** ** * *** years** **** **** ***.

***** **** ******** **** ** ********,******** ******** *** ******** *** ******* them*** **** **** *** **** *** criminals **** ************* ***** ***-*******, ** just ***** ** ****** *** **** to ****** **. **** **** **** sense?

(1)
David Straede
Jul 17, 2023

***** "****** *** *** ** *** hundreds ** ************ ****, ** *** have *** ***** ********, *** *** share ******* *******" ** **** ********?

(2)
John Honovich
Jul 17, 2023
IPVM

****'* * **** ********. ****** *** admin ******** ** *** *** ** hack / ***** ****** ** * system.

****'* ********* **** ** **** *** criminals *** ***** ***-******* ** ******* their ************ / *****. **** ******** is **********. ** ***** ***-******* *** QR *****, **** ** *** ***** admin ****** *** **** ******* (*********** turn ** ** ***) *** *** access ** **** ** **** **** send *** *** **** ********* *** settings.

**** **** ****?

David Straede
Jul 17, 2023

** ** * ****** *********** * webserver, *** ***, ** *** ***** of ******, **** *** **** *** and ** *** *** ****** *** then **** ** ** * *** device **** **** *** **********? ******* calling **** "*** *** **** *** uses ********, *******, *** *******, *** IoT *******" *** *** ***** **** is *** *******'* *****.

(1)
John Honovich
Jul 17, 2023
IPVM

"*** *** **** *** **** ********, cameras, *** *******, *** *** *******" and *** ***** **** ** *** company's *****.

*****, **** ** * ******** ******* issue ***, *** **** *****, ** is * ******** *******'* *****, ***** they *** ********* *** ***** *** company's ***** ************** *** *** *** distribution.

(1)
Brian Karas
Jul 17, 2023
Pelican Zero

* ******* **** * ***** ****** here ** **** *** ******* **** the ****** ** *** ***** ****, they **** ********* ** ******** *** homes **** ********.

***** ******** **** *** ** **** to ***** **** *** ** ******** used ** ***** ******* ******** ******* elsewhere, **** ** *** *** **** as **** *** ******** ****.

************, ***** *** **** ************ ** Hikvision **** ** *** **** *** ongoing ***** ******** ******. **'** ******* about *+ ***** ** ***** ***** security ****** ***** ********** *** ********* on ********* *******. ***** *** ****** can ************* **** * *************, ********* has ************ ************ **** ***** ******** is *** * *** ******* *** them. **** **** ******** ****** *** development ********* **** ********** ***** *******, such ** **** ** **** ** remote ******, ***** ***** ********.

** ** ************** **** ********** *** DIYers *** *** ***** ********** *** risks *** ******, *** ** ****-**** security ************ ****** ** ***** ** recommending ********* ** **** *****. ** would ** *** ********** ** ******* a ****** *** ******* ******** ***** ***** ****** *********** ***** ****. ****, ***** *** won't *** ***, *** ****'* *** good ******.

(3)
Undisclosed Integrator #2
Jul 17, 2023

* ***** *** ** ** ******* scanning ** ****** *******, *** * am ***** **** ***** *** ***** manufacturers **** ** *** **** ****** to *** *******. ** **** **** of ******** **** ** ***** *************?

Sean Patton
Jul 17, 2023

**, **** ** *********. ***** *** 2 *********** **********. *** **** ****** approach ** **** ***** ** * QR **** ** *** ****** *** one ***** **** ** ******* ** the *****, *********** *** ****** **** 1 ******** ******** *******.

**** ******** ** *********** *** ********, you ** **** *** ***** ****** and ** ********* * ** **** that *** ** ****** ** ******* to *** ******. ** **** ****** and ***** **** ****** *********,****** *-****** ****, ************ ** ******, ** **** * ***.

(3)
John Honovich
Jul 18, 2023
IPVM

**'** ***** * ******* ** *** report ** ****** ********** ***** * different **** ** ** *****:

IPVM Image

Undisclosed Manufacturer #4
Jul 18, 2023

** *******, *****, ******, ** ********* QR ***** ********** * ******* ** or ******* **** **** ******** *** device ** *** *****. *** ** is **** *** ******** *** ******** the ***** ***********. *** **** ** generating **-****** *** ** ***** **** are **** ******.

Undisclosed Integrator #3
Jul 17, 2023

**** *********'* ******** ******* ******* *** remote ****** **** *** ******? *** example, **** ** ***** **** **** users ** **** *** ***** ************ (or **** **** ** ******* ********) and ******* ** ****** *********?

Undisclosed Manufacturer #4
Jul 17, 2023

** **** *********, *** **** ** backwards. **** ********* *** **** *** cloud ****** ******* * ** **** or ** ** ********* **** *** use ** ******* ******** ******* *** cloud. *** ******* **** **** * username *** * ********.

** *** ***** **** ****** ** being ******, *** ****** *** ***********.

**** *** ** ***** **** ** different, ** **** *** ****** (*** mobile ***) ****** *** ** *********** generate ******** **** ** ** ***** for ****** ******. *** ***** ***** who *** ****** *** ** **** about ****, ** **** *** ********* off ******.

***, ******* ** ***'* **** ***** record ** ***** *** **** ***************, the ******* **** * ***** **** of ******* ********* *** **** *** place ***** ***** ** *** ******* of *** **** **** ****** ***** devices.

** *** ******** ***** ***** *****, they ***** ********* **** ***** ******* are *** **** *** ***** *** that **** *** *** ********* ** people *** ****/**** ***** *****, *** thus **** ****** ***** *** ***. Mandate **** *** ** ****. **** a *** ** **** ** ******* is ******. *** *********** ********* ** block **** ****** ******* * ********** area, ** ******* **-**************. ** *********.*******, they **** ***** *** *****. ** is ******* *********** *** ********** ********. Deny *** *****. **** ******** **** everything ******** ****** ****.

(3)
(2)
Blake Murphy
Jul 17, 2023

*********** ** ** ******* **** ***** people *** ***** *** **** **** or *** ******** ** *** ***********, in ***** ** ******* ***** *** ethical ********... ********** * **** ***** supported ******* ******* ******* ** *** bedrooms ** ***** ********, ****** ** as ** ******** ** *** *****'* privacy. * ***** ** ** * bad ****** *** ****** ** ****** on ***** ******** ** ********* ***** parenting ******. **** ** * **** area, *** ** **** ********** **** no ******* ****** ***** **** ** installation.

** **** ** ***; ******* ** the ******** ** ********, ******* **/* & * ******* *** *** **** it ********* **** ** ***** ********* logins ****** *** *****. *** **** areas *** ******** ****** & ** still **** ****** ******** ***** **** saying "**'* **** *****, **'* **** smoke!"

** ***** **** ** **** ** rely ** *** ****** ********* ** argue *** ****** *** *** ********!? After ***, **** **** **** ******* this ******* ****** *** * ****** of *****. **** **?

"** **** ***'* *** ** ** the ******** ***', **** *** ***'* have ** *****."* ***** ***** "** ****, * can ****** **** ****** ******* ** now..."

(1)
Undisclosed Integrator #5
Jul 18, 2023

********** * **** ***** ********* ******* putting ******* ** *** ******** ** their ********...

********** * ***** *** ********-********* ******* in *** **** *** * *** idea ***** ****. ***** **** *****'* another ******* ** ***** ***** * vulnerability, ****, ** ***** ******** ******** exposing *********. ** ****** **** *** centuries ******* ******* ******* ** *** home; ** *** ***** ** ** today.

Undisclosed Integrator #5
Jul 18, 2023

**** ** ********* *** ** *** this ***** *** **** **** ** iVMS-4500. ** ***** ******** * ** code *** * ****** **** ***** bypass *** ************** *** ***** * third ***** ****** ****** ** *** live *** ******** *******; ********* ********** a '**** *** *****' **** ** action.

*** ***** *** ** ** ********* building ********* *** *****, *****, *** drugs. *** ********* *** ********** ** be ******* *** **** ** ************ persons. *** **** **** ** **** them ******* ** **** ** ***** they ***** ** **** *** ***** they ******'*, *** ** ***** ** having ** ****** ***** *********** ** a ******.

(1)