Do they have any estimates on if/when they will have a patch for this? To me that's the bigger issue. All devices will have a vulnerability at some point - it's how quickly and easily they can be patched that matters (in my opinion)
Hikvision Has "Highest Level of Critical Vulnerability," Impacting 100+ Million Devices
Hikvision has admitted a 9.8 vulnerability that is "the highest level of critical vulnerability—a zero-click unauthenticated remote code execution" per the researcher, Watchful_IP, who discovered this. IPVM estimates it impacts 100+ million devices.
While Watchful_IP assessed this is "definitely NOT" a "Chinese Government-mandated backdoor," PRC government-created and -controlled Hikvision poses great risk to users around the world as its government backing has driven it to become the most widely used video surveillance manufacturer globally.
Cybersecurity concerns are a long-standing issue for Hikvision, e.g., it was banned from US federal government procurement by the 2019 NDAA, and the US government is planning to ban FCC authorizations for Hikvision, so this admission comes at a critical time for the company.
How It Works
The researcher describes it as simple to exploit:
Only access to the http(s) server port (typically 80/443) is needed. No username or password is needed, nor do any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.
Neither Hikvision nor the researcher is releasing a full Proof of Concept, but Hikvision describes it as the result of "send[ing] a specially crafted message".
A CVE has been reserved (CVE-2021-36260), but no details have been published yet. [Update 9/22/2021: the CVE entry has been filled in]
PRC Government Has Vulnerability Information For Weeks
The PRC government has had this vulnerability information, as all PRC companies have been mandated by PRC law to report vulnerabilities to the government since September 1 (CORRECTION: this post initially said the government had the info for "months"; however, the PRC law went into effect September 1, 2021):
The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days
Watchful_IP says that Hikvision confirmed reproducing the vulnerability on June 23, 2021, so even assuming the PRC government did not have this for years, the PRC government has had it for weeks at least.
This is a powerful way for adversaries, including the PRC government, to access networks around the world that would be undetectable by the Hikvision device's own logging.
Update: Bashis Has Found And Reproduced On His Own
Bashis has found the vulnerability on his own and reproduced it. Bashis is the cybersecurity researcher who discovered numerous Dahua and other video surveillance manufacturer vulnerabilities. The fact that he was able to figure it out so quickly indicates that other experts, including governments and black hat hackers, will likely be able to do so as well. Bashis is not releasing the details.
Root Access to Attack Internal Devices or DDoS
This vulnerability provides total control of the underlying 'computer' in these devices with unrestricted root shell access, per Watchful_IP:
This permits an attacker to gain full control of device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.
This means, as the researcher called out, that the vulnerability can be used to "access and attack" internal networks as well as launch denial of service attacks across the Internet.
Vast Array of Models Impacted
The vulnerability affects a vast array of Hikvision devices, hundreds of models, primarily cameras, with Hikvision listing 80+ groupings. The total number of models, though, is far greater. For example, three of the groupings are the broadly used DS-2CVxxx1, DS-2CVxxx5 and DS-2CVxxx6 (screencap attached), which alone cover hundreds of models. Additionally, Hiwatch is generally impacted (e.g., HWI-xxxx), as are many, many others. Review the list of impacted models.
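Because Hikvision publishes the affected families as wildcard groupings rather than full model numbers, checking an inventory against them takes a little translation. The following is an added example (not IPVM's or Hikvision's code) that expands groupings of the form DS-2CVxxx1 / HWI-xxxx into anchored regexes and matches them against the model string a camera reports from its ISAPI `/ISAPI/System/deviceInfo` endpoint; the deviceInfo responses and firmware strings below are constructed, and the grouping list is only the families named above, not the full advisory.

```python
"""Match a device inventory against Hikvision's wildcard model groupings.

Added example, not IPVM's or Hikvision's own code. Hikvision's advisory
names affected families with 'x' wildcards (e.g. DS-2CVxxx1, HWI-xxxx).
Each grouping is expanded into a start-anchored regex and checked against
the <model> element of an ISAPI DeviceInfo response. Sample responses,
addresses and firmware strings here are constructed, not captured.
"""
import re
import xml.etree.ElementTree as ET

# Families named in the report. Lower-case 'x' is a one-character wildcard;
# every other character is literal. Extend from the advisory for real use.
AFFECTED_GROUPINGS = ["DS-2CVxxx1", "DS-2CVxxx5", "DS-2CVxxx6", "HWI-xxxx"]


def grouping_to_regex(grouping: str) -> re.Pattern:
    """'DS-2CVxxx1' -> ^DS-2CV...1 (hyphen escaped). Only the start is
    anchored because real model strings carry suffixes such as 'G2-IDW'."""
    body = "".join("." if ch == "x" else re.escape(ch) for ch in grouping)
    return re.compile("^" + body, re.IGNORECASE)


COMPILED_GROUPINGS = [(g, grouping_to_regex(g)) for g in AFFECTED_GROUPINGS]


def matching_grouping(model: str):
    """Return the first grouping the model string falls under, or None."""
    model = model.strip()
    for grouping, rx in COMPILED_GROUPINGS:
        if rx.match(model):
            return grouping
    return None


def parse_device_info(xml_text: str) -> dict:
    """Flatten an ISAPI DeviceInfo XML body into {local_tag: text}.
    ISAPI bodies carry an XML namespace, which is stripped from tag names."""
    root = ET.fromstring(xml_text)
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in root}


def assess_inventory(responses: dict) -> list:
    """responses: {address: DeviceInfo XML}. Returns one row per device with
    the grouping it matched (None if not listed) plus the firmware string, so
    an operator can compare it against the advisory's fixed versions."""
    rows = []
    for address, xml_text in responses.items():
        info = parse_device_info(xml_text)
        model = info.get("model", "")
        rows.append({
            "address": address,
            "model": model,
            "firmware": info.get("firmwareVersion", ""),
            "grouping": matching_grouping(model),
        })
    return rows


def _device_info(name: str, model: str, firmware: str) -> str:
    """Build a constructed DeviceInfo body in the ISAPI XML shape."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<DeviceInfo version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">'
        f"<deviceName>{name}</deviceName><model>{model}</model>"
        f"<firmwareVersion>{firmware}</firmwareVersion></DeviceInfo>"
    )


# Constructed sample inventory (TEST-NET addresses, made-up firmware strings).
SAMPLE_RESPONSES = {
    "192.0.2.11": _device_info("Front Door", "DS-2CV2041G2-IDW", "V5.5.0 build 210101"),
    "192.0.2.12": _device_info("Lobby", "HWI-B140H", "V5.5.800 build 210101"),
    "192.0.2.13": _device_info("Car Park", "DS-2CD2043G2-I", "V5.5.800 build 210101"),
}

if __name__ == "__main__":
    for row in assess_inventory(SAMPLE_RESPONSES):
        status = f"in grouping {row['grouping']}" if row["grouping"] else "not in listed groupings"
        print(f"{row['address']} {row['model']} ({row['firmware']}): {status}")
```

A model that matches no grouping is not cleared by this check alone; the advisory, not the wildcard list, is the authority, and OEM-rebranded units report their OEM model string.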
Firmware to Fix Available
For models that Hikvision has confirmed to be impacted, new firmware to fix the vulnerability is available.
OEMs Impacted
Because Hikvision has OEMed so widely (see the Hikvision OEM Directory), this will impact dozens or perhaps hundreds of brands around the world.
Worse, Hikvision OEM partners often try to keep hidden their relationship with Hikvision, so many OEMs will not acknowledge this and many buyers will never realize.
100+ Million Devices
We estimate 100+ million devices globally are impacted by this vulnerability making it, by far, the biggest vulnerability to ever hit video surveillance. The combination of its critical nature (9.8 / "zero-click unauthenticated remote code execution") and Hikvision's massive market size make this risk unprecedented.
For background, back in 2016, Hikvision said they manufactured "more than 55M cameras" and the annual output has grown substantially since. Hikvision has therefore shipped a few hundred million cameras and tens of millions of recorders during the time frame the vulnerability covers.
2017 Hikvision Backdoor Comparison
This is the worst Hikvision vulnerability since Hikvision's backdoor was discovered in 2017 where Hikvision included a magic (ostensibly secret) string that allowed anyone with that string to perform admin operations, without having the device's admin credentials.
Dahua 2021 Comparison
Just a few weeks ago, Dahua disclosed its own new critical vulnerabilities. However, Hikvision's vulnerability is worse: the new Dahua ones 'just' allow admin access, while Hikvision's gives complete root access.
Hikvision CSO "Debunks"
Just three days before Hikvision admitted this critical vulnerability, Hikvision's EMEA CSO posted a blog post about why vulnerabilities are not the same as backdoors:
Port Forwarding Still Recommended
Hikvision's cybersecurity "Best Practices" continues to recommend using port forwarding which puts those devices at the highest risk of being hacked.
This "best practice" was written after Hikvision's 2017 backdoor was discovered and widely exploited and is still the head "best practice" on Hikvision's site today.
In it, while Hikvision warns about the risks of port forwarding, it tells users that if they want 'quick and steady' remote access to their Hikvision devices (and most do), they "may have to choose" port forwarding:
If P2P or VPN solutions fail to meet the needs of users, who want to have a quick and steady access to the specified port service of the device through the Internet, users may have to choose the traditional 'port forwarding' scheme.
IPVM has long warned about Hikvision's tactics here, e.g., Hikvision Hardening Guide Recommends Port Forwarding and P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding.
Don't Expose, Says Watchful_IP
Watchful_IP, contrary to Hikvision and in line with actual cybersecurity professionals, recommends not to port forward, saying:
I’d recommend you do not expose any IoT device to the Internet no matter who it is made by
Unfortunately, so many Hikvision users do so because Hikvision continues to recommend doing it for "quick and steady access" to their devices.
FCC Risk
This will hurt Hikvision and its 90+ partners' petitions to the US government that claim Hikvision is not a security threat. Beyond the threat of being a PRC-government-controlled entity, this new massive vulnerability will raise fresh concerns about Hikvision's (lack of) security.
GDPR Risk
Hikvision's EMEA CSO, in last week's blog post, argued that end-users, not manufacturers, are responsible under GDPR:
the end-users who buy these cameras are responsible for the data/video footage they generate. They are, in other words, the data custodians who process the data and are in control of the video footage, which is required to be kept private by law (under the GDPR). Secret access to video footage on these devices is impossible without the consent of the end-user.
The final line is simply factually false because, as Hikvision's newest vulnerability reveals, secret access to Hikvision devices is quite possible, either by intent or failure of Hikvision's R&D, compounded by Hikvision's continued recommended use of port forwarding.
Failure for Hikvision
This critical vulnerability, discovered by an independent researcher, is a failure for Hikvision. The massive company that reports nearly $10 billion USD annual revenue and alleges 20,000 R&D engineers has faced incredible scrutiny for years over its cybersecurity and either chose to allow, or could not find, this vulnerability that a single researcher found.
Given that Hikvision buried this disclosure over a weekend, Hikvision likely hopes the public will ignore this. How this impacts the company's global scrutiny remains to be seen.
Firmware is available for Hikvision's own models, as Hikvision has known about this for, at least, 89 days. We have not seen any notices yet from Hikvision's vast array of OEM partners.
All devices will have a vulnerability at some point
No, rarely do devices have 9.8 / "zero click unauthenticated remote code execution". The severity of this is very rare.
Combine Hikvision's PR strategy to bury the disclosure, an extremely rare vulnerability, a massive impacted base and a minimal approach to getting users to protect themselves against this.
I'm no Hikvision fan - and yes they are probably the worst in the industry and maybe even in any industry.
However, we are kidding ourselves if we think that there is some manufacturer that has perfect code with no security vulnerabilities. I just don't want us to think that if Hikvision goes away then all of our cybersecurity concerns are fixed.
if we think that there is some manufacturer that has perfect code with no security vulnerabilities
No one is thinking that. You need to acknowledge the difference in seriousness of vulnerabilities, that's for example, why there is a scoring system. If this was a 4.0 or 5.0, etc., this would not even be a story. It's a 9.8. It's very dangerous and quite statistically rare.
It's like you smoked pot when you were 18 and Bob beat up an old lady yesterday. It would be weird and unfair to say "Well, you are both criminals." This is what you are doing here.
I'm not trying to do that - I guess I need to work on my wording. In my defense I did say
they are probably the worst in the industry and maybe even in any industry.
and I would say this particular situation is worse than beating up an old lady - probably more like Bernie Madoff taking lots of old people's retirement and crippling thousands of peoples' futures.
I agree that there are differences in severity and frequencies. Hikvision seems to be the worst in both.
they are probably the worst in the industry and maybe even in any industry.
still not as bad as Philips Hue… they published new signed firmware with a copy of the private key used to sign the firmware included in the download!
the certificate was ‘baked in’ so all those devices are still completely vulnerable!
what’s worse is that they use UPnP by default so all that are still working are still public facing!
at least the Hikvision cameras, that are installed via the NVR PoE ports are not directly accessible (unless virtual host has been enabled!)
at least the Hikvision cameras, that are installed via the NVR PoE ports are not directly accessible (unless virtual host has been enabled
My understanding is that the virtual host option is not available in the latest versions?
"It's like you smoked pot when you were 18 and Bob beat up an old lady yesterday. It would be weird and unfair to say "Well, you are both criminals." This is what you are doing here."
It isn't weird, it's true.
it's how quickly and easily they can be patched that matters
Good point.
How long do you think it would take to patch a few million exposed devices?
While S Korea and Taiwan are NATO countries, that doesn't preclude any other manufacturer from crafting back doors or having vulnerabilities in their code and product. Are any other manufacturers really that more secure? Cybersecurity, software and firmware are a train wreck. It's costing us way too much time and money to try and keep networks secure, systems operating yet still be usable and serviceable. There has to be a better way.
Are any other manufacturers really that more secure?
Yes, Avigilon, Axis, Hanwha, etc. all have way better cybersecurity track records.
Yes John, but some of those are **still** shipping with default credentials! Administrator with a blank password! Root…
these really do need to be called out (this is not necessarily the post stream to do that)
Hanwha ships with no default credential. Complex password creation is required on bootup.
So does Hikvision and Dahua…
read between the lines for the others…
Are any other manufacturers really that more secure?
Yes.
At this point I would struggle to think of any product that has been demonstrated to be continuously LESS secure than Hikvision in terms of what would typically be classified as "professional" equipment sold by dealers. XM might be the closest contender, but I think they lean a little more towards the consumer side, or at a minimum through an ODM channel where the final firmware is compiled by the brand selling it, and therefore that brand has more control over the final release and its security.
Not sure if that is in response to Hikvision holding the title for most insecure, or that Dahua should be runner-up instead of XM.
While S Korea and Taiwan are NATO countries
Not that it matter for the point you are making, but no, they are not: NATO - Member countries
South Korea is a NATO partner country, but due to the political realities Taiwan is not: NATO - Partners
Are they both friendly countries which many democratic countries have a political and military corporation with? Absolutely.
While S Korea and Taiwan are NATO countries
To be clear, you're implying South Korea and Taiwan are part of the North Atlantic Treaty Organization?
No, we cleared this up earlier. I used NATO rather than friendly to the United States and I believe there is another term that is more correct.
Would be interesting to find out how many people took advantage of the Hikvision Source Code Transparency Center to audit the source code. From the vulnerability details posted, this sounds like something that would be a decent chunk of code to implement, as it is not a buffer overflow exploit, or something that utilizes unintended consequences of standard code. If there is a mechanism to get a root shell, that is going to require code that should not be that hard to spot if you have actual source code transparency.
So, did nobody utilize the SCTC, was the code related to this exploit not in code that was audited, or did those persons reviewing the source code not do a thorough review? Knowing these answers (which we likely never will) would really provide a lot of interesting context.
Hikvision has never disclosed / discussed usage of their 'transparency center', though, at the time, they made it clear that they would have to physically be in Hikvision's office to look, which limits time and number of people who would even try:
Hikvision has never disclosed / discussed usage of their 'transparency center'
Yes, general information about it has been conspicuously absent from their marketing since its announcement. I would be very surprised if it has ever been used, or even internally maintained in a state of readiness.
Huawei’s UK source code and firmware examination facility has been heavily used
Hackvision - say no more.
…Hikvision describes it as the result of "send[ing] a specially crafted message".
"hoochiemama"
Some of the better aged quotes from the FCC commentary:
HikVision has protected our clients over the past 5 plus years with zero cyber attacks.
And though they have had a couple breaches in the past, they updated their procedures and have not been any significant ones within the last 3-4 years…
They actually are more secure and require more password and security measures to enable them than their US branded counterparts.
There has never been one instance that I can recall over the last 15 years I’ve been in this industry, in regards to a security or privacy issue with a Hikvision product.
In a Casino video is very sensitive and Hikvision has all the protocols to make sure we have no security breach. Most surveillance systems are subject to a data breach no matter what you could do to prevent access to the video data, but the robust security structure in the Hikvision products limits the chance of any data breach.
In all these years, we have never had any report of security breach and all IT, cyber-security, and PCI Compliance tests and audits have passed.
All camera systems are secured by a closed network, in order to get inside the network and intruder would need 1) The IP Address 2) The port Number 3) The user ID and 4) The password…
or just
5) specially crafted message…
It's really hard to take those folks seriously. I just don't get how they're (apparently) blind to their bias.
Great work by IPVM to let us know so fast. I just updated a bunch of DS-7616NI-I2s, no problem. However, we have some older DS-7616NI-E2s that are not upgradeable so waiting to see what comes out of HIK.
"However, we have some older DS-7616NI-E2s that are not upgradeable so waiting to see what comes out of HIK."
Replace them with something else...
This is a good start, or should I say HIKcup?
By default HIK DVRs and Cameras use port 8000 for server port and 80 for web port. Does anyone know which port exposes the vulnerability?
If it's port 80 that's easy to turn off, the HIK client and mobile app run on port 8000.
If it's port 80 then a lot of people are in a lot of trouble...
If it's just the web server port HIK users can just disable port forwarding rules on port 80 and call it a day.
If a vulnerability is found on the server port (8000) then HIK is in some serious trouble.
Disabling port 80 remote access doesn't eliminate the issue. If someone inside the network, such as a PC, etc., is infected, it can then leverage the Hik exploit. It is foolish to think that just changing a firewall rule solves this. If the cameras are on the main network, it must be fixed.
If you're already inside the network then you don't need to use your local access to find a local HIK camera and use the vulnerability to get inside the network. You're already inside the network!
You're already inside the network!
A compromised device could be used as a jump box or as a way to achieve persistence. Putting all defense on the outside of the network and going "oh well" if something penetrates is not a good strategy.
“Disabling port 80 remote access doesn't eliminate the issue.”
True but it reduces the likelihood and ease of attack significantly.
much in the same way that locking our cars when on the drive reduces the likelihood of them being stolen compared to leaving the keys in them!
It would require a more determined attacker with different skills than an easy win for a script kiddie - remove the low hanging fruit ;)
If it isn't good practice to put IP cameras on a production network then why even have network cameras?
If it isn't good practice to put IP cameras on a production network then why even have network cameras?
signed - Todd Rockoff
Todd Rockoff was the head of the HDCCTV Alliance back in the day... and his entire focus - as the head of such an analog technology group - was to tell everyone how IP cameras suck.
your comment sounded like something he would say so I made that joke.
here is a link from 2013
"Do people really put any IP camera on a production network?"
Yes. Which network would you like to see the network cameras on? Perhaps, the lab network, security network (hmm sounds reasonable), honeypot to no where network?
"Disabling port 80 remote access doesn't eliminate the issue. If someone inside the network, such as a PC, etc., is infected, it can then leverage the Hik exploit. It is foolish to think that just changing a firewall rule solves this. If the cameras are on the main network, it must be fixed."
Just spitballing; make better camera choices..
IPVM has submitted its comment to the FCC. We are sharing it here because (1) it's related and (2) this report is getting a lot of traffic today so we want people to be aware of it and if they have responses, questions, objections, etc., please share:
poor Chuck D... : (
Davis has been quiet on this so far, he is posting on LinkedIn today but not about Hikvision:
Meanwhile Hikvision USA has posted nothing on LinkedIn today while Hikvision UK and Ireland have posted 5 items on Linkedin, none of them related to this critical vulnerability:
Likewise, Hikvision Europe has multiple LinkedIn posts today, none on the vulnerability but ironically posting about attending a 'cyberprevention' expo:
This will hurt Hikvision and its 80+ partners' petitions the US government
Updated to "90+" as that post will shortly be updated to include 95+ pro-Hikvision comments.
This is bad for all users… period! No one can deny that !
Is it as bad as the Cisco 13 hard-coded credentials that had been in the code for up to 10 years before Cisco ‘found’ them in a code review! During that time we know that affected switches were installed in critical infrastructure and a good proportion of Fortune 500 companies.
now I know that John will be trying to suggest I’m a proponent…. I’m a cyber researcher so I’m calling out Hikvision that this is bad.
What’s unclear is how exploitable this actually is in practice. I’ve already fired up my Kali Linux box and dropped it on a segregated network to have a play ;)
Watch this space!
honeypots already deployed to see if it is being actively exploited in the wild!
John will be trying to suggest I’m a proponent…. I’m a cyber researcher so I’m calling out Hikvision that this is bad.
Question - what have you been hearing from Hikvision about this? We are not seeing much public efforts from them to get the word out on this to make sure users upgrade. Are they actively going to dealers directly with this?
There are certainly details and advisories circulating in non-US markets. You know that I cannot send this to you yet (to do so would be breaching a no-contact-with-media standard clause in my contract as the email has been received through the company’s email account and is traceable), but maybe another partner can?
would be breaching a no-contact-with-media standard clause in my contract
Is this actually a thing? I am asking seriously as this is the first I have heard of such a clause.
Yes very common…
I think you reference it as the reason for us being able to post undisclosed…
I'm happy to contribute where I can, but still need to earn my beans to feed the wife…
I think you reference it as the reason for us being able to post undisclosed…
No, to clarify, I have never heard it being put into a contract. Typically, it is an informal or separate rule but not generally written into a contract. It certainly might be put into contracts but that's the first I've heard of it like that. Thanks!
I’ll email you an excerpt…
it’s a common way to gag employees so that the media can be managed via the marketing/or PR team!
I think Hikvision UK might also have added it after you called out the late Phil Wring for supporting his employer
Hi John, company policies have the same force as contract for regular employees and contract employees. Doesn't need your cursive signature in blue ink to be legally binding. HR Dept's job is to distribute these policies and ensure employees consent and know that consent is a requirement for continued employment. Violation of company policy is always potentially punishable by not just termination but also legal recourse. It is very common for any large company to have a PR Dept and for policy to specify that only PR Dept is allowed to contact the media or even to publicly comment on the company. This is why "Undisclosed" posts on IPVM are necessary for folks at large companies to have free discussion here without looking over their shoulder or hiring counsel.
This varies widely by state.
Violation of company policy is always potentially punishable
Well is it always, or always potentially? I always potentially may get in a wreck every time I drive a car or I always potentially will win the lottery with every ticket I purchase.
"This varies widely by state.
Violation of company policy is always potentially punishable
Well is it always, or always potentially? I always potentially may get in a wreck every time I drive a car or I always potentially will win the lottery with every ticket I purchase"
Masterful wordsmithing. I may have used "always potentially" before and if not will incorporate it into a future argument or two.
UK partners were emailed on Sat 18th September.
I believe that there are some firmware patches but I’m not sure which models are covered.
does anyone have a complete affected-devices list?
Assume all models until proven not. I got root access on my own device, while researching on totally different firmware and version.
There is a list being circulated of models and fw versions affected.
I’m trying to obtain it in the public domain if anyone has a link?
This is Hikvision's notice with models listed: Security Notification - Command Injection Vulnerability in Some Hikvision products | Security Advisory | Hikvision
Is there another list than that?
Btw, how is your honeypot detecting the exploit? The researcher says the Hikvision device does not log anything with this vulnerability.
There is another list with all the model numbers rather that part code groups.
The honeypots are configured to log all inbound and outbound transactions (port mirroring on the switch)
there is increased activity received (TCP connects and drops) but absolutely nothing I can see that is malicious (at this stage)
It feels like it’s a discovery phase, ready to deploy when the weaponised exploit code is completed!
@bashis is there anything you can add to help me identify a signature?
U9, definitely - if I can know it's for legit usage, contact me on email: mcw at noemail.eu (and not with gmail or similar junk)
@U9, Or even better, relay via IPVM/John, then I have no questions to ask as I trust IPVM.
UI9, nothing heard - nothing shared, guess you have started to see interesting things in your honeypots, no?
Hi Bashis
sorry been busy with some big jobs.
there is absolutely nothing interesting going on, just random connections trying to connect and explore ports.
my supposition is that the bad-actors are still building a list ready to exploit autonomously later…
Seeing some activity on port 65527 IIRC. Unlikely to be linked IMO - any thoughts
Hi UI9,
After spending some more time on this, I don't think this would be any major issue IMO.
There are a few limitations, such as limited characters for the command injection, the need to reach a writable place, nothing found that could be used to upload to the device nor for a reverse shell - even if you could launch ssh access, you need to punch a hole in the firewall to reach the sshd listener.
Got access to my friends' places w/ VPN (yup, we use such things) to reach NVR and IPCs, and got only command injection to one IPC, but no ssh access as the NVR "only" used virtual hosts to IPCs.
Cool and interesting bug, fun to play with, but I really don't think some major attack will happen with this. (Maybe U3 wants to prove me wrong? ;)
Think you guys can sleep pretty well.
Are your honeypots looking at all ports that may be exploited?
80/443 generally but I see many installations that use 8001-800x.
Yes honeypots look just like Hik cameras fully exposed to the internet (because they are) but with tech as a middleware to examine the traffic.
some have old firmware and some released this last week, one has the old default password. The rest are the longest random character strings that can be accepted, thus we will know if the camera has been compromised by something other than a brute force attack.
Changing ports is not layering or improving security, it’s obscuring the port, nothing else. It’s easy enough to scan the whole port set these days so changing ports is pointless.
Low number of scans - highest is just over 100.
a dozen or so login attempts using weak and default passwords
so far nothing trying to exploit anything new
I’m confident that the cameras have been found and are being portscanned but nothing that looks interesting yet!
whilst I’m relieved that this exploit does not seem to be actively targeted in the wild, it’s only a matter of time!
On the other honeypot, lots of scans looking for MikroTik routers…
Honeypots have been discovered by between 4 and 12 scans, but no attempt to exploit this vulnerability at this point. This is the best news we could have as this means it’s less likely that the vulnerability is not widely being exploited YET!
I suspect we have less than a week’s grace…
interestingly, and off topic, I made one of my canaries look like a MS exchange server and that has had over 1000 scans and attempts to compromise in the same time period!
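Since the camera itself keeps no record of this vulnerability being used, the mirrored traffic described in this thread is the only evidence a defender has. The following is an added example (not code from any commenter, IPVM or Hikvision) that triages Zeek-style conn records from a mirror port: it separates connect-and-drop probes from connections that actually delivered a payload to a camera honeypot's web (80/443) or client/app (8000) port, and ranks sources so the few payload-carrying ones can be pulled for packet inspection. The honeypot addresses, scanner threshold and log lines are constructed.

```python
"""Off-device triage of mirrored traffic to Hikvision camera honeypots.

Added example, not from the thread, IPVM or Hikvision. The device logs
nothing for this vulnerability, so detection has to run on traffic captured
off-device (port mirroring). Input is Zeek-style conn.log lines with an
assumed, constructed field order: ts, src, dst, dport, conn_state,
orig_bytes, resp_bytes.
"""
from collections import defaultdict

HONEYPOTS = {"203.0.113.10", "203.0.113.11"}   # constructed TEST-NET-3 camera addresses
WEB_PORTS = {80, 443}                           # the http(s) port the researcher names
SDK_PORTS = {8000}                              # Hikvision client/mobile-app port from the thread
SCAN_THRESHOLD = 5                              # constructed cut-off for calling a source a scanner

# Zeek conn_state values meaning no application data was exchanged.
NO_DATA_STATES = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR", "OTH"}


def parse_conn_line(line: str):
    """Parse one tab-separated record; None for blank or '#' header lines."""
    if not line.strip() or line.startswith("#"):
        return None
    ts, src, dst, dport, state, ob, rb = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "state": state, "orig_bytes": int(ob), "resp_bytes": int(rb)}


def classify(rec: dict) -> str:
    """Label a connection: ignore (not a honeypot), probe, web_payload,
    sdk_payload or other. A probe is any connection that carried no bytes."""
    if rec["dst"] not in HONEYPOTS:
        return "ignore"
    if rec["state"] in NO_DATA_STATES or rec["orig_bytes"] == 0:
        return "probe"
    if rec["dport"] in WEB_PORTS:
        return "web_payload"
    if rec["dport"] in SDK_PORTS:
        return "sdk_payload"
    return "other"


def triage(lines):
    """Aggregate per source address. Returns {src: counts + ports + verdict}.
    verdict: inspect-payload (data reached a camera port, pull the packets),
    scanner (>= SCAN_THRESHOLD empty probes), or background."""
    per_src = defaultdict(lambda: {"probe": 0, "web_payload": 0,
                                   "sdk_payload": 0, "other": 0, "ports": set()})
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label == "ignore":
            continue
        entry = per_src[rec["src"]]
        entry[label] += 1
        entry["ports"].add(rec["dport"])

    report = {}
    for src, e in per_src.items():
        if e["web_payload"] or e["sdk_payload"]:
            verdict = "inspect-payload"
        elif e["probe"] >= SCAN_THRESHOLD:
            verdict = "scanner"
        else:
            verdict = "background"
        report[src] = {**e, "ports": sorted(e["ports"]), "verdict": verdict}
    return report


# Constructed sample capture: one port scanner, one client that sent data to
# port 80, one stray SYN, and one connection to a non-honeypot host.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tconn_state\torig_bytes\tresp_bytes
1632000001.1\t198.51.100.7\t203.0.113.10\t80\tS0\t0\t0
1632000002.2\t198.51.100.7\t203.0.113.10\t443\tS0\t0\t0
1632000003.3\t198.51.100.7\t203.0.113.10\t8000\tREJ\t0\t0
1632000004.4\t198.51.100.7\t203.0.113.11\t80\tS0\t0\t0
1632000005.5\t198.51.100.7\t203.0.113.11\t22\tS0\t0\t0
1632000006.6\t198.51.100.7\t203.0.113.11\t8000\tS0\t0\t0
1632000010.0\t198.51.100.9\t203.0.113.10\t80\tSF\t412\t1580
1632000011.0\t198.51.100.9\t203.0.113.10\t80\tSF\t388\t1580
1632000020.0\t198.51.100.20\t203.0.113.11\t443\tS0\t0\t0
1632000030.0\t198.51.100.30\t192.0.2.5\t80\tSF\t300\t900
"""

if __name__ == "__main__":
    for src, row in sorted(triage(SAMPLE_CONN_LOG.splitlines()).items()):
        print(f"{src:15} {row['verdict']:16} probes={row['probe']} "
              f"web={row['web_payload']} sdk={row['sdk_payload']} ports={row['ports']}")
```

Payload-carrying sessions still need the captured packets (or an HTTP-aware log such as Zeek's http.log) to tell a legitimate login from anything else; this pass only shrinks the haystack.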
An ex-Hikvision employee posted:
Why does anyone think this is a good comeback? Hikvision had no choice. Were they not going to release a fix after 89 days? Providing a fix when caught is the bare minimum.
If you look at Google’s project zero, you’ll realise that a great many companies don’t hit the disclosure deadline…
in an ideal world, we’d like to jump on vulnerabilities as soon as we receive them. In reality, we all have work to do and never enough time!
Microsoft had its last Patch Tuesday, then released an emergency out-of-cycle patch a day later for an Exchange Server zero-day exploit that was older than 90 days from responsible disclosure.
the estimate is that it affected over a billion email accounts, making them vulnerable to harvesting!
this Hik vulnerability is almost as bad as it gets (I take nothing away from that) but there are much bigger things happening in the enterprise cyber arena (for context)
this Hik vulnerability is almost as bad as it gets (I take nothing away from that) but there are much bigger things happening in the enterprise cyber arena (for context)
Granted, but this report is in the context of the physical security world. While a mere blip on the whole of the IT world and I would not expect it to be necessarily on the front page of Wired or Computer World, I would expect it to be front page of IPVM.
I agree, it will make some of the media outlets at some point.
I listened to a podcast first broadcast last week that was still going on about the Mirai Botnet (that affected Dahua) so once it’s gets in the press, it’s likely to hang around for a while!
While I'm not 100% clear on how easy it is to deploy this exploit, my leading concern would be the people at most risk, who have used what small funds they have to purchase a CCTV system they have been told is safe and that may protect them or aid future evidence to protect them from domestic violence.
If a stalker who might have reasonable funds could use this, it could be devastating.
If the risk is this high could a push notification through the app not be sent out to recommend upgrades?
If the risk is this high could a push notification through the app not be sent out to recommend upgrades?
That is one way to handle this. However, this would then give Hikvision (or whomever is the supplier) control of one's devices, which is also a security risk. At that point, you need to decide how much you trust the supplier (whether it is Hikvision, Verkada, etc.).
"At that point, you need to decide how much you trust the supplier (whether it is Hikvision, Verkada, etc.)."
Don't trust them at all.
Not true about giving control of a device to a third party by sending a push notification.
Hikvision, as the developer of the app, could make a pop-up appear on everyone's devices. Probably not for a subset of apps connected to affected devices, but certainly for all app users the next time they load the app or log in.
Potentially they could minor-update the app to make it do that as well.
This would be a responsible thing to do...
Just wondering what will happen with 3-5 year old models - no firmware upgrades I guess?
Much of the affected model list is actually newer models, like the G0/G2 series models from the past couple years, but there are definitely some older models affected. We've sent Hikvision some questions and will ask them this, as well, thanks.
Can you somehow juxtapose this article with this one: 90+ Hikvision Partners Ask US FCC Not To Ban Hikvision
Mainly the comments about Hikvision having amazing cybersecurity.
So some simple cyber security advice for our fellow installers out there.
Install cameras and other security equipment on separate, physically segregated networks so if something like this happens, then there is no access to the devices so the network remains secure!
Or Hikvision's recent advocacy for zero-trust networks, e.g. Zero Trust Security And Video Surveillance
That isn't a substitute for using a brand of IoT device with a long track record of vulnerabilities and a lack of integrity regarding them.
My first-hand experience says many small end-users don't understand and/or cannot afford a segregated network. Many of your fellow installers that install the monthly promotion brand at ADI and legacy Tri-Ed (Hikau and OEMs) don't give two poops about cyber.
Never said it was a magic bullet. The simple fact is that even the least secure product, when deployed securely, cannot be compromised if deployed correctly.
Any internet-facing product is potentially vulnerable to an exploit once discovered... If it ain't connected, it cannot be exploited!
"My first-hand experience says many small end-users don't understand and/or cannot afford a segregated network. Many of your fellow installers that install the monthly promotion brand at ADI and legacy Tri-Ed (Hikau and OEMs) don't give two poops about cyber."
Oh, I don't know about all that. Many customers will accept separate wiring, to separate switches, and a separate router if the security aspects are properly conveyed.
You shouldn't have to install on a physically separated network. If I have to segregate devices on a network it shouldn't be on any network.
"You shouldn't have to install on a physically separated network. If I have to segregate devices on a network it shouldn't be on any network. "
For this reason and a number of others, not necessarily all for security, you should, or at least logically.
You would think it was common sense. Sad that people are still exposing any devices directly to the net. Plug your Windows or Mac computer into a public IP and see what happens.
From a new Hikvision dealer FCC submission:
There is no risk to the Nation's Security via HIK - End users need to be held accountable for not changing passwords or not utilizing up-to-date anti-virus software.
It is fascinating to see how little these Hikvision partners know about cybersecurity that they think changing passwords will rectify such critical vulnerabilities.
Kind of like how Ford car owners should be held accountable for not installing 5-point seat harnesses in case the factory 3-point seat belts in all their cars happen to fail. And everyone knows if anything happens to Ford, there are no other car companies in the world that could fill the product void left behind by Ford, and it would severely cripple the entire vehicle industry market.
"It is fascinating to see how little these Hikvision partners know about cybersecurity that they think changing passwords will rectify such critical vulnerabilities."
It isn't only hik partners. This is a generational problem. And a cultural problem.
It'S uP tO tHe CoNsOoMeR
UPDATE:
Update Bashis Has Found And Reproduced On His Own
Bashis has found the vulnerability on his own and reproduced it. Bashis is the cybersecurity researcher who discovered numerous Dahua and other video surveillance manufacturer vulnerabilities. The fact that he was able to figure it out so quickly indicates that other experts, including governments or hackers, will likely be able to do so as well. Bashis is not releasing the details.
Hi Bashis,
Could you provide a bit of context to your screen cap? I'm not heavily technical so I'm not sure what I'm supposed to be seeing in the script that's so problematic.
Thx
Sure,
Hardware: r2 is Hik. Please see here
I just used my old crappy Hik cam I have here for playing, please let me know if you want to see anything else that would confirm. (I'm usually into Dahua, never Hik, but I always wanted a true shell on this one too, and not only 'psh')
but I always wanted a true shell on this one too
ash is to bashis, dust to dust.
hello old 'friend'
Howdy! Couple of questions:
1) what you think of Ghidra?
2) have you collected any bounties yet?
1) Useful, but prefer IDA Pro
2) Zero, not claimed any - Yes, been offered "rewards", but declined
What about you?
It is showing that he has full root shell access, something that "shouldn't" be possible for a good cyber secured IoT device. He is also able to show the CPU info, again disclosing more info about the hardware.
Update: Hikvision USA has sent a 'Special Bulletin' to dealers:
The content/claims are similar to the original HQ announcement.
Question: Does this also affect their other products, like IP intercoms, access control, and alarm panels?
Good question. They might be, if they can be accessed with http/https. One of the reasons I usually release a working exploit/scanner for most vulnerabilities I find is only to allow your own testing and, hopefully, remediation.
However, I would not be surprised if they are, as most of these devices (as usual, I can only speak about Dahua), some of which are/were affected, share the same base of SDK/code between devices.
Nevertheless, I think I would recommend assuming it does affect all devices until proven not.
The last generation or two have been conditioned to not take their security or privacy seriously. This is nothing, in the larger picture of things to come.
Several years ago I got an invitation from a famous antivirus software developer to participate in a hackathon as a security system vendor. "Attackers" had the task of "burning" an electrical power station by accessing its management software through vulnerabilities in security devices (IP cameras). I can't say the winners' time accurately, but it took about a couple of hours to do that. The winners simulated a scenario, adjusting the electrical power station so that in a real situation it would be completely burned. Access was "granted" through vulnerable/backdoored IP cameras.
Access was "granted" through vulnerable/backdoored IP cameras.
Was the backdoor known before the hackathon?
Cool stuff, although there is extremely little you could do via an IPC/NVR/XVR/DVR etc. without externally loaded tools, unless the device has full-blown busybox, which will give you some stuff. Or with a compiled (not so easy) full-blown busybox & tools with an NFS mount to some external host.
Update: the CVE has been filled:
ROFL, I think some Hik or its supporter showed up now to just 'Disagree' with everything ;)
Update: more new articles about the vulnerability:
Security Sales: ‘Highest Level of Critical Vulnerability’ Found in Certain Hikvision Products
Related, SSI's web/senior editor learned this week about the CVSS:
Also, Forbes Contributors article: Widely-Used Hikvision Security Cameras Vulnerable To Remote Hijacking
Got notified today via Anixter of the Hikvision vulnerability and links to updates. I apologize if I missed it above, but do we know if this vulnerability impacts OEM product in the field as well or only Hikvision branded? Interlogix advised they are not aware of a vulnerability in their cameras at this time.
Our company stopped OEM cooperation with Hikvision more than 2 years ago, but per our request, within two weeks we received the necessary FW updates.
Update: the US government's Cybersecurity & Infrastructure Security Agency (CISA) has issued its own alert on the vulnerability:
UPDATE: Hikvision has published an FAQ about this vulnerability.
Hikvision's FAQ denied this is a "Chinese government back door", stating "Hikvision does not have government backdoors in our products":
IPVM has requested Hikvision clarify if it does not have any backdoors in its products, so Hikvision can be on the record declaring no backdoors of any kind - not simply limited to "government" ones.
The FAQ also claimed that IPVM ("an industry blog") included "misleading information" about Hikvision's port forwarding recommendation, claiming Hikvision only advises this when "absolutely necessary":
However, this is false - IPVM's reporting is based on the same Best Practices page that Hikvision links to in the FAQ, which states users who want "quick and steady access" "may have to choose" port forwarding:
Since most users (naturally) want "quick and steady access", this still amounts to a recommendation.
However, this is false - IPVM's reporting is based on the same Best Practices page that Hikvision links to in the FAQ, which states users who want "quick and steady access" "may have to choose" port forwarding:
Went to the link. Here is what is actually stated chuck....
It is well known that the Internet is flooded with constant cyber-attacks. Once connected to the Internet, devices will face all kinds of cyber security problems. Therefore, it is generally recommended that devices not be directly connected to the Internet, unless there are special access purposes.
If P2P or VPN solutions fail to meet the needs of users, who want to have a quick and steady access to the specified port service of the device through the Internet, users may have to choose the traditional "port forwarding" scheme. While this provides easy access to devices, special consideration should be given to cybersecurity controls because these devices will be visible from the internet. If one decides to use this method, it is highly recommended that additional host-based security controls are used to better secure the device.
Just make it up as you go. You can't even call it paraphrasing...just poor blog attempt at controlling the language. You may fit in well at cn(blog)n or Ms(blog)nbc(ya).
Just make it up as you go. You can't even call it paraphrasing..
Which part did I "make up"? Hikvision states some users "may have to choose" port forwarding if they want "quick and steady access" (and don't use P2P/VPN) - what part is incorrect? It doesn't matter how many caveats and warnings Hikvision has; Hikvision is free to state 'no port forwarding, period' but chooses not to.
Hikvision saying users may have to choose port forwarding if they "want to have a quick and steady access" is like an Olympic coach saying athletes may have to choose steroids if they want to be "strong and fast". Any other warnings are contradicted by this directive. If Hikvision is truly opposed to port forwarding (as they should) they should just remove that claim. Given they continue to include it, it speaks volumes for their approach.
Just make it up as you go. You can't even call it paraphrasing...just poor blog attempt at controlling the language. You may fit in well at cn(blog)n or Ms(blog)nbc(ya).
You’re kidding, right?
You're not really gonna attack Rollet because you're up late and looking for a hair to split?!?
And then not even have the confidence to argue facts, but rather go right for the ad homs?
With Mr. Charles “Never miss an update” Rollet?
Have you no decency, sir?
This report has been updated with a video summarizing Hikvision vulnerabilities:
You can verify your cams now, PoC here
I've got to ask... why do you use triple-quoted string literals ("""302 when requesting http on https enabled device""") everywhere instead of actual comments (# 302 when requesting http on https enabled device)? I'm not judging, just a little curious.
Well, you could also ask why I use four spaces instead of one tab ;)
Anyhow, for your question: since I left "vi" & "Joe", and then later "Sublime", for "PyCharm" in coding, I've learned new things, and since I'm trying to move forward, I left '# Comments' for """Comments""" to get fewer warnings in "PyCharm".
Fortinet is now reporting that there is a botnet spreading through CVE-2021-36260.
Mirai-based Botnet - Moobot Targets Hikvision Vulnerability | FortiGuard Labs
Moobot botnet spreading via Hikvision camera vulnerability - Bleeping Computer
Remember that moment in Waterworld when Kevin Costner drops the flare into the oil tank and the old bloke says "thank God"?
Thank God it's not just me seeing this!
Two sites that we have been called out to have had ongoing DoS attacks that are not identical, but very close to what was reported in the Fortinet report. The common denominator: open ports to an unpatched Hik NVR.
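The two situations the thread keeps coming back to, an NVR port-forwarded to the internet (the commenter above) versus cameras kept off any reachable network (the segregation advice earlier in the thread), are visible in a gateway's own firewall log before any camera log is consulted, which matters because the researcher says the exploit leaves nothing in the camera's logging. The script below is an added example written for this discussion, not code from IPVM, Hikvision or any commenter. It assumes the gateway logs with the Linux netfilter LOG target (SRC=/DST=/PROTO=/DPT= fields), that accepted and dropped packets carry different --log-prefix strings ending in ACCEPT or DROP, and that you know which addresses are cameras and NVRs; the inventory, trusted networks and log lines are all constructed for the example.

```python
"""Spot cameras/NVRs reachable from the internet using the gateway's firewall log.

Added example for this discussion; not Hikvision's, IPVM's or any commenter's code.
Assumptions: netfilter LOG format, --log-prefix ending in ACCEPT / DROP, a known
camera inventory. All addresses and log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory of camera / NVR addresses on the site (assumption).
CAMERA_HOSTS = {"192.168.20.10", "192.168.20.11", "192.168.20.250"}
# The http(s) ports the researcher names as all an attacker needs. Add whatever
# other services your own devices expose (RTSP, vendor SDK ports) when you use this.
WEB_PORTS = {80, 443}
# Networks whose clients are expected to reach the cameras: site LAN and the VPN pool.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.8.0.0/24")]

PREFIX_RE = re.compile(r"(\S+): IN=")  # the --log-prefix text sits right before IN=


def parse_netfilter_line(line):
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields.
    Bare flags (SYN, ACK, DF, ...) map to True; the log prefix is stored as PREFIX.
    Returns None for lines that are not firewall records."""
    if " IN=" not in line or "SRC=" not in line:
        return None
    fields = {}
    for tok in line[line.index(" IN="):].split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    m = PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1) if m else ""
    return fields


def is_trusted_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify(lines):
    """Collect new TCP connection attempts from untrusted sources to camera web ports.
    Returns {camera: {"accepted": {src, ...}, "dropped": {src, ...}}}."""
    report = defaultdict(lambda: {"accepted": set(), "dropped": set()})
    for line in lines:
        f = parse_netfilter_line(line)
        if not f or f.get("PROTO") != "TCP" or "SYN" not in f or "ACK" in f:
            continue  # only the first packet of a new connection counts
        dst, src = f.get("DST"), f.get("SRC")
        if dst not in CAMERA_HOSTS or int(f.get("DPT", 0)) not in WEB_PORTS:
            continue
        if is_trusted_source(src):
            continue  # LAN / VPN viewers are supposed to get there
        bucket = "accepted" if f["PREFIX"].upper().endswith("ACCEPT") else "dropped"
        report[dst][bucket].add(src)
    return dict(report)


def exposed_devices(report):
    """Devices that accepted a connection from outside: the port-forwarded NVR case."""
    return sorted(d for d, b in report.items() if b["accepted"])


def probed_only_devices(report):
    """Devices that were scanned but shielded by the firewall."""
    return sorted(d for d, b in report.items() if b["dropped"] and not b["accepted"])


def scan_targets(report, min_sources=3):
    """Devices hit by at least min_sources distinct outside addresses: mass scanning
    rather than a single remote viewer."""
    return sorted(d for d, b in report.items()
                  if len(b["accepted"] | b["dropped"]) >= min_sources)


# Constructed sample: three outside addresses reach the port-forwarded NVR (.250), the
# same scanner is dropped at the two cameras, plus LAN, non-SYN and non-camera noise.
SAMPLE_LOG = """\
Oct  3 10:01:02 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.20.250 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  3 10:01:05 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.20.250 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=50221 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  3 10:01:09 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.20.250 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1003 DF PROTO=TCP SPT=33120 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct  3 10:02:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.20.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1004 DF PROTO=TCP SPT=41300 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  3 10:02:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.20.11 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1005 DF PROTO=TCP SPT=41301 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  3 10:03:00 gw kernel: FW-ACCEPT: IN=eth1 OUT=eth2 SRC=192.168.1.20 DST=192.168.20.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1006 DF PROTO=TCP SPT=52000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  3 10:03:30 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.20.250 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1007 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Oct  3 10:04:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1008 DF PROTO=TCP SPT=41302 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    rep = classify(SAMPLE_LOG.splitlines())
    print("exposed (answered the internet):", exposed_devices(rep))
    print("probed only (firewall held):     ", probed_only_devices(rep))
    print("scan targets (3+ sources):       ", scan_targets(rep))
```

Run it against `journalctl -k` or `/var/log/kern.log` instead of SAMPLE_LOG. Anything in the "exposed" list is a device the internet can reach on the http(s) port, which is the precondition the researcher describes; that is the device to patch first, and the port forward to remove in favour of the VPN/P2P route Hikvision's own best-practices page prefers. Devices that only show up as "probed" confirm the segregation is doing its job, and a growing distinct-source count on them is the early sign of the mass scanning Fortinet reported.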
Thanks for the post Andrew.
You should listen to this "Hikvision Cybersecurity Awareness Training 2022" from today!:
A year later and still approximately 80,000 cameras haven't been patched.
Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug