Hikvision Critical Cloud Vulnerability Disclosed

By IPVM Team, Published on Apr 25, 2018

Security researchers Vangelis Stykas [link no longer available] and George Lavdanis [link no longer available] discovered a vulnerability in Hikvision's HikConnect cloud service that:

just by knowing the email, phone or username they used while registering, after that you can view the live feed of the cam/DVR, manipulate the DVR, change that user's email/phone and password and effectively lock the user out

The researchers detail the process and the issues in this post. Hikvision HQ has acknowledged the vulnerability and released a fix.

Inside this note, we examine what the issue was, compare it to 2017's Hikvision IP Camera backdoor and explain why this one was a coding error and not anything to do with Hikvision's Chinese government ownership.
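The account takeover described above, as an added illustration that is not Hikvision's or the researchers' code: it assumes the coding error was that the cloud service acted on a user id supplied by the client instead of the one bound to the login session, and shows that flawed handler beside the corrected one (all account data and session tokens below are constructed):

```python
# Added illustration, not Hikvision's or the researchers' code. It assumes
# the underlying coding error was that the cloud service acted on a user id
# supplied by the client rather than the one bound to the login session.
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: str
    email: str
    password_hash: str
    devices: list = field(default_factory=list)

# Constructed sample data: two cloud accounts and their login sessions.
ACCOUNTS = {
    "u100": Account("u100", "alice@example.com", "hash-a", ["dvr-1"]),
    "u200": Account("u200", "bob@example.com", "hash-b", ["cam-7"]),
}
SESSIONS = {"tok-alice": "u100", "tok-bob": "u200"}  # token -> user id

class Forbidden(Exception): pass

def update_contact_vulnerable(token, body):
    """Assumed flaw: the target account is read from the request body, so a
    logged-in user who knows another user's id can change its email/password."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    acct = ACCOUNTS[body["user_id"]]  # client-controlled target
    acct.email, acct.password_hash = body["email"], body["password_hash"]
    return acct.user_id

def update_contact_fixed(token, body):
    """Hardened: the target is always the session's own user; a user_id in
    the body that disagrees with the session is rejected outright."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    me = SESSIONS[token]
    if body.get("user_id", me) != me:
        raise Forbidden("cannot modify another account")
    acct = ACCOUNTS[me]
    acct.email, acct.password_hash = body["email"], body["password_hash"]
    return acct.user_id

def denied(fn, *args):
    """True when the call is refused with Forbidden (used by the checks)."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```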


Comments (12)

This morning, 2 emails featuring Hikvision USA about the same time.

Special Bulletin:

And another sale:

Certainly, today's timing is coincidental but also fitting.

If I pay standard prices can I get something that is not full of security holes? Would gladly even pay a bit extra for that.

No. All is "holy".

:)

Seems to me that cloud and security are a contradiction in terms, kind of like Hikvision and security for that matter.

I felt the heat from that one.

The picture displaying the "HACKED" cameras is a Dahua NVR, not Hikvision.

Yes, the CSO's article's picture is incorrect.

We actually emailed CSO Online when they first used the incorrect picture/labeling last fall:

They never responded to us.

Wonder why they never responded John? Seems that when a deliberate defamatory action is perpetrated, it's just ok not to be held to account.

Tim,

Also we actually tweeted this at / to CSO Online, see below:

Again, I think they should fix it and that they did not is definitely a mark against them.

On the other hand, as for defamation, there are plenty of Hikvision cameras that were hacked and labeled 'hacked' so it is not as if the fundamental point was bogus, just the example they used.

I don’t disagree John, but however this is dressed up and peddled it IS defamation and they should be held to account for it.

It is either an error of uneducated stupid editors, or a calculated misrepresentation - but either way it is wrong and defaming and certainly worthy of deeper scripting of the entire article based upon the truth that the publisher, aside from being ignorant, is also exceedingly irresponsible.

You are focussed on holding publishers to account for similar articles, the fact they have purposely ignored you demonstrates their ignorance and arrogance. If you so it John, I will - they have willfully and knowingly published a wholly inaccurate and defamatory article - and not sought to correct it, thus proving their malicious intent. But hey - let's blame Hikvision because it's obviously their fault and that of the Chinese ownership.

I'm left wondering what else these liars publish in the name of "responsible" journalism - CNN and Fox BS all over again......


Good find!

Continue the research and include also other vendors, I'm sure you will find more.
