Hikvision Critical Cloud Vulnerability Disclosed

Published Apr 25, 2018 13:36 PM

Security researchers Vangelis Stykas [link no longer available] and George Lavdanis [link no longer available] discovered a vulnerability in Hikvision's HikConnect cloud service that:

just by knowing the email, phone or username they used while registering, after that you can view the live feed of the cam/DVR, manipulate the DVR, change that user’s email/phone and password and effectively lock the user out

The researchers detail the process and the issues in this post. Hikvision HQ has acknowledged the vulnerability and released a fix.

Inside this note, we examine what the issue was, compare it to 2017's Hikvision IP Camera backdoor and explain why this one was a coding error and not anything to do with Hikvision's Chinese government ownership.


Comments (12)
John Honovich
Apr 25, 2018
IPVM

This morning, 2 emails featuring Hikvision USA about the same time.

Special Bulletin:

And another sale:

Certainly, today's timing is coincidental but also fitting.

Undisclosed #1
Apr 25, 2018

If I pay standard prices can I get something that is not full of security holes? Would gladly even pay a bit extra for that.

Undisclosed Distributor #2
Apr 25, 2018

No. All is "holy".

:)

Michael Gonzalez
Apr 26, 2018
Confidential

Seems to me that cloud and security are a contradiction in terms, kind of like Hikvision and security for that matter.

Nathan Causby
Apr 26, 2018
IPVMU Certified

I felt the heat from that one.

Ryan O'Daniel
Apr 27, 2018
IPVMU Certified

The picture displaying the "HACKED" cameras is a Dahua NVR, not Hikvision.

John Honovich
Apr 27, 2018
IPVM

Yes, the CSO's article's picture is incorrect.

We actually emailed CSO Online when they first used the incorrect picture/labeling last fall:

They never responded to us.

Tim Pickles
Apr 27, 2018
Direct Security

Wonder why they never responded, John? Seems that when a deliberate defamatory action is perpetrated, it’s just ok not to be held to account.

John Honovich
Apr 27, 2018
IPVM

Tim,

Also we actually tweeted this at / to CSO Online, see below:

Again, I think they should fix it and that they did not is definitely a mark against them.

On the other hand, as for defamation, there are plenty of Hikvision cameras that were hacked and labeled 'hacked' so it is not as if the fundamental point was bogus, just the example they used.

Tim Pickles
Apr 27, 2018
Direct Security

I don’t disagree, John, but however this is dressed up and peddled it IS defamation and they should be held to account for it.

It is either an error of uneducated, stupid editors, or a calculated misrepresentation - but either way it is wrong and defaming and certainly worthy of deeper scripting of the entire article based upon the truth that the publisher, aside from being ignorant, is also exceedingly irresponsible.

You are focussed on holding publishers to account for similar articles; the fact they have purposely ignored you demonstrates their ignorance and arrogance. If you so it John, I will - they have willfully and knowingly published a wholly inaccurate and defamatory article - and not sought to correct it, thus proving their malicious intent. But hey - let’s blame Hikvision because it’s obviously their fault and that of the Chinese ownership.

I'm left wondering what else these liars publish in the name of “responsible” journalism - CNN and Fox BS all over again......

bashis mcw
Apr 26, 2018

Good find!

Continue the research and also include other vendors; I'm sure you will find more.
