Hikvision Critical Cloud Vulnerability Disclosed

By: IPVM Team, Published on Apr 25, 2018

Security researchers Vangelis Stykas [link no longer available] and George Lavdanis [link no longer available] discovered a vulnerability in Hikvision's HikConnect cloud service that:

just by knowing the email, phone or username they used while registering, after that you can view the live feed of the cam/DVR, manipulate the DVR, change that user's email/phone and password and effectively lock the user out

The researchers detail the process and the issues in this post. Hikvision HQ has acknowledged the vulnerability and released a fix.

Inside this note, we examine what the issue was, compare it to 2017's Hikvision IP Camera backdoor and explain why this one was a coding error and not anything to do with Hikvision's Chinese government ownership.


Comments (12)

This morning, 2 emails featuring Hikvision USA about the same time.

Special Bulletin:

And another sale:

Certainly, today's timing is coincidental but also fitting.

If I pay standard prices can I get something that is not full of security holes? Would gladly even pay a bit extra for that.

No. All is "holy".

:)

Seems to me that cloud and security are a contradiction in terms, kind of like Hikvision and security for that matter.

I felt the heat from that one.

The picture displaying the "HACKED" cameras is a Dahua NVR, not Hikvision.

Yes, the CSO's article's picture is incorrect.

We actually emailed CSO Online when they first used the incorrect picture/labeling last fall:

They never responded to us.

Wonder why they never responded John? Seems that when a deliberate defamatory action is perpetrated, it's just ok not to be held to account.

Tim,

Also we actually tweeted this at / to CSO Online, see below:

Again, I think they should fix it and that they did not is definitely a mark against them.

On the other hand, as for defamation, there are plenty of Hikvision cameras that were hacked and labeled 'hacked' so it is not as if the fundamental point was bogus, just the example they used.

I don’t disagree John, but however this is dressed up and peddled it IS defamation and they should be held to account for it.

It is either an error of uneducated, stupid editors, or a calculated misrepresentation - but either way it is wrong and defaming and certainly worthy of deeper scripting of the entire article based upon the truth that the publisher, aside from being ignorant, is also exceedingly irresponsible.

You are focussed on holding publishers to account for similar articles; the fact they have purposely ignored you demonstrates their ignorance and arrogance. If you so it John, I will - they have willfully and knowingly published a wholly inaccurate and defamatory article - and not sought to correct it, thus proving their malicious intent. But hey - let's blame Hikvision because it's obviously their fault and that of the Chinese ownership.

I'm left wondering what else these liars publish in the name of "responsible" journalism - CNN and Fox BS all over again...


Good find!

Continue the research and include also other vendors, I'm sure you will find more.
