Hikvision Has "Highest Level of Critical Vulnerability," Impacting 100+ Million Devices

By John Honovich, Published Sep 20, 2021, 08:04am EDT

Hikvision has admitted a vulnerability scored 9.8 that is "the highest level of critical vulnerability—a zero-click unauthenticated remote code execution" per the researcher, Watchful_IP, who discovered it. IPVM estimates it impacts 100+ million devices.

While Watchful_IP assessed this is "definitely NOT" a "Chinese Government-mandated backdoor," PRC government-created and -controlled Hikvision poses great risk to users around the world as its government backing has driven it to become the most widely used video surveillance manufacturer globally.

Cybersecurity concerns are a long-standing issue for Hikvision: for example, it was banned by the US federal government in the 2019 NDAA, and the US government is planning to ban FCC authorizations for Hikvision, so this admission comes at a critical time for the company.

How It Works

The researcher describes it as simple to exploit:

Only access to the http(s) server port (typically 80/443) is needed. No username or password is needed, nor do any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.

Neither Hikvision nor the researcher is releasing a full Proof of Concept, but Hikvision describes it as the result of "send[ing] a specially crafted message".

A CVE has been reserved (CVE-2021-36260), but no information has been published yet. [Update 9/22/2021: the CVE has been filled]

PRC Government Has Vulnerability Information For Weeks

The PRC government has had this vulnerability information since September 1, as all PRC companies are mandated by PRC law to report vulnerabilities to the government (CORRECTION: this post initially said the government had the info for "months"; however, the PRC law went into effect September 1, 2021):

The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days

Watchful_IP says that Hikvision confirmed reproducing the vulnerability on June 23, 2021, so even assuming the PRC government did not have this for years, the PRC government has had it for weeks at least.

This is a powerful way for adversaries, including the PRC government, to access networks around the world that would be undetectable by the Hikvision device's own logging.

Update: Bashis Has Found And Reproduced On His Own

Bashis has found the vulnerability on his own and reproduced it. Bashis is the cybersecurity researcher who discovered numerous Dahua and other video surveillance manufacturer vulnerabilities. The fact that he was able to figure it out so quickly indicates that other experts, including governments and black hat hackers, will likely be able to do so as well. Bashis is not releasing the details.

Root Access to Attack Internal Devices or DDoS

This vulnerability provides total control of the underlying 'computer' in these devices with unrestricted root shell access, per Watchful_IP:

This permits an attacker to gain full control of device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.

This means, as the researcher called out, that the vulnerability can be used to "access and attack" internal networks as well as launch denial of service attacks across the Internet.

Vast Array of Models Impacted


The vulnerability affects a vast array of Hikvision devices, hundreds of models, primarily cameras, with Hikvision listing 80+ groupings. The total number of models, though, is far greater. For example, three of the groupings, the broadly used DS-2CVxxx1, DS-2CVxxx5 and DS-2CVxxx6 (screencap attached), cover hundreds of models alone. Additionally, Hiwatch generally is impacted (e.g., HWI-xxxx), as are many, many others. Review the list of impacted models.

Firmware to Fix Available

For models that Hikvision has confirmed to be impacted, new firmware to fix the vulnerability is available.

OEMs Impacted


Because Hikvision has OEMed so widely (see the Hikvision OEM Directory), this will impact dozens or perhaps hundreds of brands around the world.

Worse, Hikvision OEM partners often try to hide their relationship with Hikvision, so many OEMs will not acknowledge this and many buyers will never realize.

100+ Million Devices

We estimate 100+ million devices globally are impacted by this vulnerability making it, by far, the biggest vulnerability to ever hit video surveillance. The combination of its critical nature (9.8 / "zero-click unauthenticated remote code execution") and Hikvision's massive market size make this risk unprecedented.

For background, back in 2016, Hikvision said they manufactured "more than 55M cameras" and the annual output has grown substantially since. Hikvision has therefore shipped a few hundred million cameras and tens of millions of recorders during the time frame the vulnerability covers.

2017 Hikvision Backdoor Comparison

This is the worst Hikvision vulnerability since Hikvision's backdoor was discovered in 2017, in which Hikvision included a magic (ostensibly secret) string that allowed anyone with that string to perform admin operations without having the device's admin credentials.

Dahua 2021 Comparison

Just a few weeks ago, Dahua disclosed its own new critical vulnerabilities. However, Hikvision's vulnerability is worse, as the new Dahua ones 'just' allow for admin access whereas Hikvision's gives complete root access.

Hikvision CSO "Debunks"

Just three days before Hikvision admitted this critical vulnerability, Hikvision's EMEA CSO posted a blog post about why vulnerabilities are not the same as backdoors.

Port Forwarding Still Recommended

Hikvision's cybersecurity "Best Practices" continues to recommend using port forwarding, which puts those devices at the highest risk of being hacked.

This "best practice" was written after Hikvision's 2017 backdoor was discovered and widely exploited and is still the head "best practice" on Hikvision's site today.

In it, while Hikvision warns about the risks of port forwarding, it tells users that if they want 'quick and steady' remote access to their Hikvision devices (and most do), they "may have to choose" port forwarding:

If P2P or VPN solutions fail to meet the needs of users, who want to have a quick and steady access to the specified port service of the device through the Internet, users may have to choose the traditional 'port forwarding' scheme.

IPVM has long warned about Hikvision's tactics here, e.g., Hikvision Hardening Guide Recommends Port Forwarding and P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding.

Don't Expose, Says Watchful_IP

Watchful_IP, contrary to Hikvision and in line with actual cybersecurity professionals, recommends not to port forward, saying:

I’d recommend you do not expose any IoT device to the Internet no matter who it is made by

Unfortunately, so many Hikvision users do so because Hikvision continues to recommend doing it for "quick and steady access" to their devices.
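As an added example (not IPVM's, Hikvision's or the researcher's code), the script below ties together two points above: Hikvision's advisory lists affected devices as wildcard groupings such as DS-2CVxxx1 that each cover hundreds of models, and a device whose http(s) port is forwarded from the Internet is the one reachable zero-click. It ranks a device inventory for patching and exposure removal. The four groupings are the ones named in the article (the full list is in Hikvision's notice); the inventory, device names and model strings are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hikvision's advisory lists affected devices as groupings in which each
# lowercase "x" stands for one model-number character, so a single grouping
# such as DS-2CVxxx1 covers hundreds of models. These four groupings are the
# ones named in the article; the full list is in Hikvision's security notice.
AFFECTED_GROUPINGS = ["DS-2CVxxx1", "DS-2CVxxx5", "DS-2CVxxx6", "HWI-xxxx"]

# Per the researcher, only the http(s) server port (typically 80/443) is needed.
VULNERABLE_SERVICE_PORTS = {80, 443}


def grouping_to_regex(grouping):
    """Compile a grouping like 'DS-2CVxxx1' into an anchored prefix regex.

    Every lowercase 'x' matches one alphanumeric character; everything else is
    matched literally. Only the prefix is anchored, so suffixes such as
    'G0-I' after the grouping are allowed.
    """
    parts = [r"[A-Za-z0-9]" if ch == "x" else re.escape(ch) for ch in grouping]
    return re.compile("^" + "".join(parts), re.IGNORECASE)


def matching_grouping(model, groupings=AFFECTED_GROUPINGS):
    """Return the first grouping that covers this model number, else None."""
    for grouping in groupings:
        if grouping_to_regex(grouping).match(model):
            return grouping
    return None


@dataclass
class Device:
    name: str
    model: str
    forwarded_ports: set = field(default_factory=set)  # WAN ports forwarded to it
    on_shared_lan: bool = True  # shares the production network with other hosts


def classify(dev):
    """Return (priority, reason); higher priority means act sooner."""
    grouping = matching_grouping(dev.model)
    exposed = sorted(VULNERABLE_SERVICE_PORTS & set(dev.forwarded_ports))
    if grouping is None:
        if exposed:
            return 2, (f"not in the sample groupings but http(s) port(s) {exposed} "
                       "forwarded; verify against the full advisory before clearing")
        return 1, "not in the sample groupings; verify against the full advisory"
    if exposed:
        return 4, (f"{grouping}: http(s) port(s) {exposed} forwarded from the "
                   "Internet, so reachable zero-click; remove the forward and patch first")
    if dev.on_shared_lan:
        return 3, (f"{grouping}: not Internet-exposed, but any compromised host on "
                   "the shared LAN can reach it; patch and segment")
    return 2, f"{grouping}: isolated; patch in the next maintenance window"


def triage(devices):
    """Rank an inventory, highest priority first (ties broken by device name)."""
    rows = []
    for dev in devices:
        priority, reason = classify(dev)
        rows.append({"device": dev.name, "model": dev.model,
                     "priority": priority, "reason": reason})
    rows.sort(key=lambda r: (-r["priority"], r["device"]))
    return rows


def sample_inventory():
    """Constructed sample inventory; names and model strings are illustrative."""
    return [
        Device("lobby-cam", "DS-2CV2041G0-I", forwarded_ports={80, 8000}),
        Device("yard-cam", "HWI-B140H", on_shared_lan=True),
        Device("dock-cam", "DS-2CV2Q21FD-IW", on_shared_lan=False),
        Device("nvr-1", "DS-7616NI-I2", forwarded_ports={443}),
    ]


if __name__ == "__main__":
    for row in triage(sample_inventory()):
        print(f"P{row['priority']} {row['device']:<10} {row['model']:<16} {row['reason']}")
```

Devices not covered by the sample groupings are deliberately not cleared: as one commenter put it, assume all models are affected until proven otherwise against the full advisory.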

FCC Risk

This will hurt Hikvision and its 90+ partners' petitions to the US government that claim Hikvision is not a security threat. Beyond the threat of being a PRC-government-controlled entity, this new massive vulnerability will raise fresh concerns about Hikvision's (lack of) security.

GDPR Risk

Hikvision's EMEA CSO, in last week's blog post, argued that end-users, not manufacturers, are responsible under GDPR:

the end-users who buy these cameras are responsible for the data/video footage they generate. They are, in other words, the data custodians who process the data and are in control of the video footage, which is required to be kept private by law (under the GDPR). Secret access to video footage on these devices is impossible without the consent of the end-user.

The final line is simply factually false because, as Hikvision's newest vulnerability reveals, secret access to Hikvision devices is quite possible, either by intent or failure of Hikvision's R&D, compounded by Hikvision's continued recommended use of port forwarding.

Failure for Hikvision

This critical vulnerability, discovered by an independent researcher, is a failure for Hikvision. The massive company that reports nearly $10 billion USD annual revenue and alleges 20,000 R&D engineers has faced incredible scrutiny for years over its cybersecurity and either chose to allow or could not find this vulnerability that a single researcher found.

Given that Hikvision buried this disclosure over a weekend, Hikvision likely hopes the public will ignore this. How this impacts the company's global scrutiny remains to be seen.

Comments (147)

Do they have any estimates on if/when they will have a patch for this? To me that's the bigger issue. All devices will have a vulnerability at some point - it's how quickly and easily they can be patched that matters (in my opinion)

Agree: 3
Disagree: 4
Informative
Unhelpful
Funny

Firmware is available for Hikvision's own models, as Hikvision has known about this for, at least, 89 days. We have not seen any notices yet from Hikvision's vast array of OEM partners.

Agree: 1
Disagree
Informative: 4
Unhelpful: 1
Funny: 1

All devices will have a vulnerability at some point

No, rarely do devices have 9.8 / "zero click unauthenticated remote code execution". The severity of this is very rare.

Combine Hikvision's PR strategy to bury the disclosure, an extremely rare vulnerability, a massive impacted base and a minimal approach to getting users to protect themselves against this.

Agree: 6
Disagree: 1
Informative: 3
Unhelpful: 1
Funny: 1

I'm no Hikvision fan - and yes they are probably the worst in the industry and maybe even in any industry.

However, we are kidding ourselves if we think that there is some manufacturer that has perfect code with no security vulnerabilities. I just don't want us to think that if Hikvision goes away then all of our cybersecurity concerns are fixed.

Agree: 6
Disagree
Informative
Unhelpful: 1
Funny

if we think that there is some manufacturer that has perfect code with no security vulnerabilities

No one is thinking that. You need to acknowledge the difference in seriousness of vulnerabilities, that's for example, why there is a scoring system. If this was a 4.0 or 5.0, etc., this would not even be a story. It's a 9.8. It's very dangerous and quite statistically rare.

It's like you smoked pot when you were 18 and Bob beat up an old lady yesterday. It would be weird and unfair to say "Well, you are both criminals." This is what you are doing here.

Agree: 5
Disagree: 1
Informative: 2
Unhelpful: 2
Funny: 2

I'm not trying to do that - I guess I need to work on my wording. In my defense I did say

they are probably the worst in the industry and maybe even in any industry.

and I would say this particular situation is worse than beating up an old lady - probably more like Bernie Madoff taking lots of old people's retirement and crippling thousands of peoples' futures.

I agree that there are differences in severity and frequencies. Hikvision seems to be the worst in both.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 1

they are probably the worst in the industry and maybe even in any industry.

still not as bad as Philips Hue… they published new signed firmware with a copy of the private key used to sign the firmware included in the download!

the certificate was ‘baked in’ so all those devices are still completely vulnerable!

what’s worse is that they use UPNP by default so all that are still working are still public facing!

at least the Hikvision cameras, that are installed via the NVR PoE ports are not directly accessible (unless virtual host has been enabled!)

Agree
Disagree
Informative
Unhelpful
Funny

at least the Hikvision cameras, that are installed via the NVR PoE ports are not directly accessible (unless virtual host has been enabled

My understanding is that the virtual host option is not available in the latest versions?

Agree
Disagree
Informative
Unhelpful
Funny

"It's like you smoked pot when you were 18 and Bob beat up an old lady yesterday. It would be weird and unfair to say "Well, you are both criminals." This is what you are doing here."

It isn't weird, it's true.

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

it's how quickly and easily they can be patched that matters

Good point.

How long do you think it would take to patch a few million exposed devices?


Agree: 4
Disagree
Informative: 2
Unhelpful
Funny

A long-ass time. It’s a big problem!

Agree: 3
Disagree
Informative
Unhelpful
Funny: 1

Most of the patches are already released for EMEA region

Agree
Disagree
Informative
Unhelpful
Funny

While S Korea and Taiwan are NATO countries, that doesn't preclude any other manufacturer from crafting back doors or having vulnerabilities in their code and product. Are any other manufacturers really that more secure? Cybersecurity, software and firmware are a train wreck. It's costing us way too much time and money to try and keep networks secure, systems operating yet still be usable and serviceable. There has to be a better way.

Agree
Disagree: 1
Informative
Unhelpful
Funny

Are any other manufacturers really that more secure?

Yes, Avigilon, Axis, Hanwha, etc. all have way better cybersecurity track records.

Agree: 11
Disagree: 2
Informative: 5
Unhelpful: 2
Funny: 1

Yes John, but some of those are **still** shipping with default credentials! Administrator with a blank password! Root…

these really do need to be called out (this is not necessarily the post stream to do that)

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

Hanwha ships with no default credential. Complex password creation is required on bootup.

Agree
Disagree
Informative
Unhelpful
Funny

So does Hikvision and Dahua…

read between the lines for the others…

Agree: 2
Disagree
Informative
Unhelpful
Funny

Are any other manufacturers really that more secure?

Yes.

At this point I would struggle to think of any product that has been demonstrated to be continuously LESS secure than Hikvision in terms of what would typically be classified as "professional" equipment sold by dealers. XM might be the closest contender, but I think they lean a little more towards the consumer side, or at a minimum through an ODM channel where the final firmware is compiled by the brand selling it, and therefore that brand has more control over the final release and its security.

Agree: 6
Disagree: 1
Informative: 1
Unhelpful: 1
Funny

Dahua vs Hikvision:

Agree
Disagree: 2
Informative
Unhelpful: 3
Funny: 1

Not sure if that is in response to Hikvision holding the title for most insecure, or that Dahua should be runner-up instead of XM.

Agree: 3
Disagree: 1
Informative
Unhelpful
Funny

While S Korea and Taiwan are NATO countries

Not that it matters for the point you are making, but no, they are not: NATO - Member countries

South Korea is a NATO partner country, but due to the political realities Taiwan is not: NATO - Partners

Are they both friendly countries which many democratic countries have political and military cooperation with? Absolutely.

Agree: 3
Disagree: 1
Informative: 1
Unhelpful: 1
Funny

While S Korea and Taiwan are NATO countries

To be clear, you're implying South Korea and Taiwan are part of the North Atlantic Treaty Organization?

Sure about that?

Agree: 1
Disagree
Informative
Unhelpful
Funny

No, we cleared this up earlier. I used NATO rather than friendly to the United States and I believe there is another term that is more correct.

Agree
Disagree
Informative
Unhelpful
Funny

Would be interesting to find out how many people took advantage of the Hikvision Source Code Transparency Center to audit the source code. From the vulnerability details posted, this sounds like something that would be a decent chunk of code to implement, as it is not a buffer overflow exploit, or something that utilizes unintended consequences of standard code. If there is a mechanism to get a root shell, that is going to require code that should not be that hard to spot if you have actual source code transparency.

So, did nobody utilize the SCTC, was the code related to this exploit not in code that was audited, or did those persons reviewing the source code not do a thorough review? Knowing these answers (which we likely never will) would really provide a lot of interesting context.

Agree: 3
Disagree: 1
Informative: 2
Unhelpful: 1
Funny: 1

Hikvision has never disclosed / discussed usage of their 'transparency center', though, at the time, they made it clear that they would have to physically be in Hikvision's office to look, which limits time and number of people who would even try:

The reviewer will have to be physically present in the Hikvision facility in California and the time frame for access depends on the specific circumstances and requirements of the agency.

Agree
Disagree: 1
Informative: 2
Unhelpful: 2
Funny: 2

Hikvision has never disclosed / discussed usage of their 'transparency center'

Yes, general information about it has been conspicuously absent from their marketing since its announcement. I would be very surprised if it has ever been used, or even internally maintained in a state of readiness.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Huawei’s UK source code and firmware examination facility has been heavily used

Agree
Disagree
Informative
Unhelpful
Funny

For source code review, or as a storage area?

Agree
Disagree
Informative
Unhelpful
Funny: 6

Hackvision - say no more.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 6

Some of the better aged quotes from the FCC commentary:

HikVision has protected our clients over the past 5 plus years with zero cyber attacks.

And though they have had a couple breaches in the past, they updated their procedures and have not been any significant ones within the last 3-4 years…

They actually are more secure and require more password and security measures to enable them than their US branded counterparts.

There has never been one instance that I can recall over the last 15 years I’ve been in this industry, in regards to a security or privacy issue with a Hikvision product.

In a Casino video is very sensitive and Hikvision has all the protocols to make sure we have no security breach. Most surveillance systems are subject to a data breach no matter what you could do to prevent access to the video data, but the robust security structure in the Hikvision products limits the chance of any data breach.

In all these years, we have never had any report of security breach and all IT, cyber-security, and PCI Compliance tests and audits have passed.

All camera systems are secured by a closed network; in order to get inside the network an intruder would need 1) The IP Address 2) The port Number 3) The user ID and 4) The password…

or just

5) specially crafted message…

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny: 10

It's really hard to take those folks seriously. I just don't get how they're (apparently) blind to their bias.

Agree
Disagree
Informative
Unhelpful
Funny

Great work by IPVM to let us know so fast. I just updated a bunch of DS-7616NI-I2s, no problem. However, we have some older DS-7616NI-E2s that are not upgradeable so waiting to see what comes out of HIK.

Agree: 2
Disagree
Informative: 3
Unhelpful
Funny

"However, we have some older DS-7616NI-E2s that are not upgradeable so waiting to see what comes out of HIK."

Replace them with something else...

Agree
Disagree
Informative
Unhelpful
Funny

This is a good start, or should I say HIKcup?


Agree
Disagree
Informative
Unhelpful
Funny: 5

By default HIK DVRs and Cameras use port 8000 for server port and 80 for web port. Does anyone know which port exposes the vulnerability?

If it's port 80 that's easy to turn off, the HIK client and mobile app run on port 8000.

If it's port 80 then a lot of people are in a lot of trouble..

Agree
Disagree
Informative
Unhelpful
Funny

Scott, Watchful_IP says:

Only access to the http(s) server port (typically 80/443) is needed

Agree
Disagree: 1
Informative: 2
Unhelpful: 1
Funny: 1

If it's just the web server port HIK users can just disable port forwarding rules on port 80 and call it a day.

If a vulnerability is found on the server port (8000) then HIK is in some serious trouble.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Disabling port 80 remote access doesn't eliminate the issue. If someone inside the network, such as a PC, etc., is infected it can then leverage the Hik exploit. It is foolish to think that just changing a firewall rule solves this. If the cameras are on the main network, it must be fixed.

Agree: 4
Disagree
Informative: 1
Unhelpful
Funny

If you're already inside the network then you don't need to use your local access to find a local HIK camera and use the vulnerability to get inside the network. You're already inside the network!

Agree: 4
Disagree
Informative
Unhelpful
Funny

“The calls are coming from INSIDE the house!”

Agree
Disagree
Informative
Unhelpful
Funny: 3

You're already inside the network!

A compromised device could be used as a jump box or as a way to achieve persistence. Putting all defense on the outside of the network and going "oh well" if something penetrates is not a good strategy.

Agree: 1
Disagree
Informative
Unhelpful
Funny

“Disabling port 80 remote access doesn't eliminate the issue.”

True but it reduces the likelihood and ease of attack significantly.

much in the same way we lock our cars when on the drive reduces the likelihood of them being stolen when compared to leaving the keys in them!

It would require a more determined attacker with different skills than an easy win for a script kiddie - remove the low hanging fruit ;)

Agree
Disagree
Informative
Unhelpful
Funny

Do people really put any IP camera on a production network?

Agree
Disagree
Informative
Unhelpful
Funny

If it isn't good practice to put IP cameras on a production network then why even have network cameras?

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

If it isn't good practice to put IP cameras on a production network then why even have network cameras?

signed - Todd Rockoff

Agree
Disagree
Informative
Unhelpful
Funny: 3

Yeah, why put a network device on a network...crazy talk....

Agree
Disagree
Informative
Unhelpful
Funny

Todd Rockoff was the head of the HDCCTV Alliance back in the day... and his entire focus - as the head of such an analog technology group - was to tell everyone how IP cameras suck.

your comment sounded like something he would say so I made that joke.

here is a link from 2013

Agree
Disagree
Informative
Unhelpful
Funny: 1

Yes, including IT people I see in forums.

Agree
Disagree
Informative
Unhelpful
Funny

"Do people really put any IP camera on a production network?"

Yes. Which network would you like to see the network cameras on? Perhaps, the lab network, security network (hmm sounds reasonable), honeypot to no where network?

Agree
Disagree
Informative
Unhelpful
Funny

"Disabling port 80 remote access doesn't eliminate the issue. If someone inside the network, such as a PC, etc., is infected it can then leverage the Hik exploit. It is foolish to think that just changing a firewall rule solves this. If the cameras are on the main network, it must be fixed."

Just spitballing; make better camera choices..

Agree
Disagree
Informative
Unhelpful
Funny

IPVM has submitted its comment to the FCC. We are sharing it here because (1) it's related and (2) this report is getting a lot of traffic today, so we want people to be aware of it, and if they have responses, questions, objections, etc., please share.

Agree: 5
Disagree: 1
Informative: 4
Unhelpful: 2
Funny: 1

poor Chuck D... : (


Agree: 1
Disagree
Informative
Unhelpful
Funny: 6

Davis has been quiet on this so far; he is posting on LinkedIn today but not about Hikvision.

Meanwhile Hikvision USA has posted nothing on LinkedIn today, while Hikvision UK and Ireland have posted 5 items on LinkedIn, none of them related to this critical vulnerability.

Likewise, Hikvision Europe has made multiple LinkedIn posts today, none on the vulnerability, but ironically posting about attending a 'cyberprevention' expo.

Agree
Disagree: 1
Informative: 2
Unhelpful: 1
Funny: 2

Is it just ports 80/443 or can the same hack be applied to the other ports that are used for their mobile applications?

Agree
Disagree
Informative
Unhelpful
Funny

This will hurt Hikvision and its 80+ partners' petitions the US government

Updated to "90+" as that post will shortly be updated to include 95+ pro-Hikvision comments.

Agree
Disagree
Informative: 1
Unhelpful
Funny

This is bad for all users… period! No one can deny that !

Is it as bad as the Cisco 13 hard coded credentials that had been in the code for up to 10 years before Cisco ‘found’ them in a code review! During that time we know that affected switches were installed in critical infrastructure and a good proportion of Fortune 500 companies.

now I know that John will be trying to suggest I’m a proponent…. I’m a cyber researcher so I’m calling out Hikvision that this is bad.

What’s unclear is how exploitable this actually is in practice. I’ve already fired up my kali Linux box and dropped it on a segregated network to have a play ;)

Watch this space!

honeypots already deployed to see if it is being actively exploited in the wild!

Agree
Disagree
Informative: 1
Unhelpful
Funny: 1

John will be trying to suggest I’m a proponent…. I’m a cyber researcher so I’m calling out Hikvision that this is bad.

Question - what have you been hearing from Hikvision about this? We are not seeing much public efforts from them to get the word out on this to make sure users upgrade. Are they actively going to dealers directly with this?

Agree
Disagree
Informative
Unhelpful
Funny

There are certainly details and advisories circulating in non-US markets. You know that I cannot send this to you yet (to do so would be breaching a no-contact-with-media standard clause in my contract as the email has been received through the company’s email account and is traceable), but maybe another partner can?

Agree
Disagree
Informative: 1
Unhelpful
Funny

would be breaching a no-contact-with-media standard clause in my contract

Is this actually a thing? I am asking seriously as this is the first I have heard of such a clause.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Yes very common…

I think you reference it as the reason for us being able to post undisclosed…

I'm happy to contribute where I can, but still need to earn my beans to feed the wife…

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

I think you reference it as the reason for us being able to post undisclosed…

No, to clarify, I have never heard it being put into a contract. Typically, it is an informal or separate rule but not generally written into a contract. It certainly might be put into contracts but that's the first I've heard of it like that. Thanks!

Agree
Disagree
Informative: 1
Unhelpful
Funny: 1

I’ll email you an excerpt…

it’s a common way to gag employees so that the media can be managed via the marketing/or PR team!

I think Hikvision UK might also have added it after you called out the late Phil Wring for supporting his employer

Agree
Disagree
Informative: 1
Unhelpful
Funny

Hi John, company policies have the same force as contract for regular employees and contract employees. Doesn't need your cursive signature in blue ink to be legally binding. HR Dept's job is to distribute these policies and ensure employees consent and know that consent is a requirement for continued employment. Violation of company policy is always potentially punishable by not just termination but also legal recourse. It is very common for any large company to have a PR Dept and for policy to specify that only PR Dept is allowed to contact the media or even to publicly comment on the company. This is why "Undisclosed" posts on IPVM are necessary for folks at large companies to have free discussion here without looking over their shoulder or hiring counsel.

Agree
Disagree: 1
Informative: 1
Unhelpful: 1
Funny: 1

This varies widely by state.

Violation of company policy is always potentially punishable

Well is it always, or always potentially? I always potentially may get in a wreck every time I drive a car or I always potentially will win the lottery with every ticket I purchase.

Agree
Disagree: 1
Informative: 1
Unhelpful: 1
Funny: 1

"This varies widely by state.

Violation of company policy is always potentially punishable

Well is it always, or always potentially? I always potentially may get in a wreck every time I drive a car or I always potentially will win the lottery with every ticket I purchase"

Masterful wordsmithing. I may have used "always potentially" before and if not will incorporate it into a future argument or two.

Agree
Disagree
Informative
Unhelpful
Funny: 1

UK partners were emailed on Sat 18th September.

I believe that there are some firmware patches but I’m not sure which models are covered.

does anyone have a complete affected-devices list?

Agree
Disagree
Informative
Unhelpful
Funny

Assume all models until proven not. I got root access on my own device, while researching on totally different firmware and version.

Agree
Disagree
Informative: 1
Unhelpful
Funny

There is a list being circulated of models and fw versions affected.

I’m trying to obtain it in the public domain if anyone has a link?

Agree
Disagree
Informative
Unhelpful
Funny

This is Hikvision's notice with models listed: Security Notification - Command Injection Vulnerability in Some Hikvision products | Security Advisory | Hikvision

Is there another list than that?

Btw, how is your honeypot detecting the exploit? The researcher says the Hikvision device does not log anything with this vulnerability.

Agree
Disagree: 1
Informative
Unhelpful: 1
Funny: 1

There is another list with all the model numbers rather than part code groups.

The honeypots are configured to log all inbound and outbound transactions (port mirroring on the switch)

there is increased activity received (TCP connects and drops) but absolutely nothing I can see that is malicious (at this stage)

It feels like it’s a discovery phase, ready to deploy when the weaponised exploit code is completed!

@bashis is there anything you can add to help me identify a signature?

U9, definitely - if I can know it's for legit usage, contact me on email: mcw at noemail.eu (and not with gmail or similar junk)

@U9, Or even better, relay via IPVM/John, then I have no questions to ask as I trust IPVM.

UI9, nothing heard - nothing shared, guess you have started to see interesting things in your honeypots, no?

Hi Bashis

Sorry, been busy with some big jobs.

There is absolutely nothing interesting going on, just random connections trying to connect and explore ports.

My supposition is that the bad actors are still building a list ready to exploit autonomously later…

Seeing some activity on port 65527 IIRC. Unlikely to be linked IMO - any thoughts?

Hi UI9,

After spending some more time on this, I don't think this would be any major issue IMO.

There are a few limitations, such as limited characters for the command injection, the need to reach a writable place, and nothing found that could be used to upload to the device nor for a reverse shell - even if you could launch ssh access, you need to punch a hole in the firewall to reach the sshd listener.

Got access to my friend's places w/ VPN (yup, we use such things) to reach the NVR and IPCs, and got only command injection to one IPC, but no ssh access as the NVR "only" used virtual hosts to the IPCs.

Cool and interesting bug, fun to play with, but I really don't think some major attack will happen with this. (Maybe U3 wants to prove me wrong? ;)

Think you guys can sleep pretty well.

Are your honeypots looking at all ports that may be exploited?

80/443 generally, but I see many installations that use 8001-800x.

Yes, honeypots look just like Hik cameras fully exposed to the internet (because they are), but with tech as middleware to examine the traffic.

Some have old firmware and some the firmware released this last week; one has the old default password. The rest have the longest random character strings that can be accepted; this way we will know if the camera has been compromised by something other than a brute force attack.

Changing ports is not layering or improving security, it’s obscuring the port, nothing else. It’s easy enough to scan the whole port set these days so changing ports is pointless.

Evening #9

Anything rattling around in the honeypot?

Low number of scans - highest is just over 100.

A dozen or so login attempts using weak and default passwords.

So far nothing trying to exploit anything new.

I’m confident that the cameras have been found and are being portscanned, but nothing that looks interesting yet!

Whilst I’m relieved that this exploit does not seem to be actively targeted in the wild, it’s only a matter of time!

On the other honeypot, lots of scans looking for MikroTik routers…

Honeypots have been discovered by between 4 and 12 scans, but no attempt to exploit this vulnerability at this point. This is the best news we could have as this means it’s less likely that the vulnerability is not widely being exploited YET!

I suspect we have less than a week’s grace…

Interestingly, and off topic, I made one of my canaries look like an MS Exchange server and that has had over 1000 scans and attempts to compromise in the same time period!
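
The honeypot reports above (scan counts per source, weak/default login attempts, and the absence of anything exploiting the new bug) are the kind of triage a mirror-port capture supports. The following is an added example written for this thread, not code from any poster or from Hikvision: it reduces constructed access-log style lines from a camera-lookalike honeypot to those three figures, and surfaces accepted writes that carried no credentials for a human to look at, since the bug needs no credentials and the camera itself logs nothing. The log format, the field names, the placeholder paths and the weak-credential list are all assumptions.

```python
"""Triage of a camera-lookalike honeypot's mirrored HTTP traffic (added
example for this thread, not any poster's code). Assumed log format, one
request per line: timestamp, source IP, method, path, status, auth (or -)."""
from collections import Counter

# Constructed sample; the paths and addresses are placeholders, not real
# camera endpoints or real scanners.
SAMPLE_LOG = """\
2021-09-24T10:01:02Z 203.0.113.5 GET / 200 -
2021-09-24T10:01:03Z 203.0.113.5 GET /login 200 -
2021-09-24T10:02:10Z 198.51.100.7 GET / 200 -
2021-09-24T10:02:11Z 198.51.100.7 POST /login 401 admin:12345
2021-09-24T10:02:12Z 198.51.100.7 POST /login 401 admin:admin
2021-09-24T10:05:00Z 192.0.2.9 POST /login 401 -
2021-09-24T10:05:01Z 192.0.2.9 PUT /api/config 200 -
"""

# The thread speaks of "weak and default passwords" without naming them,
# so this list is an assumption; replace it with the honeypots' own values.
WEAK_CREDENTIALS = {"admin:12345", "admin:admin", "admin:password", "root:root"}
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, src, method, path, status, auth = parts
    return {"ts": ts, "src": src, "method": method, "path": path,
            "status": int(status), "auth": None if auth == "-" else auth}


def summarize(log_text):
    """Return requests per source, weak-credential attempts and accepted
    write requests that carried no credentials at all."""
    scans, weak_logins, unauth_writes = Counter(), [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        scans[rec["src"]] += 1
        if rec["auth"] in WEAK_CREDENTIALS:
            weak_logins.append((rec["src"], rec["auth"]))
        # The vulnerability discussed needs no username or password and
        # leaves nothing in the camera's own logs, so the mirror capture is
        # the only evidence. An accepted write with no credentials is a
        # triage heuristic for manual review, not a signature for the bug.
        if (rec["method"] in WRITE_METHODS and rec["auth"] is None
                and 200 <= rec["status"] < 300):
            unauth_writes.append((rec["src"], rec["method"], rec["path"]))
    return {"scans": scans, "weak_logins": weak_logins,
            "unauth_writes": unauth_writes}


def report(summary):
    """Human-readable status lines in the style of the thread's updates."""
    lines = [f"sources seen: {len(summary['scans'])}"]
    if summary["scans"]:
        src, n = summary["scans"].most_common(1)[0]
        lines.append(f"busiest source: {src} ({n} requests)")
    lines.append(f"weak/default login attempts: {len(summary['weak_logins'])}")
    for src, method, path in summary["unauth_writes"]:
        lines.append(f"REVIEW unauthenticated {method} {path} from {src}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```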

An ex-Hikvision employee posted:

IPVM Image

Why does anyone think this is a good comeback? Hikvision had no choice. Were they not going to release a fix after 89 days? Providing a fix when caught is the bare minimum.

If you look at Google’s project zero, you’ll realise that a great many companies don’t hit the disclosure deadline…

In an ideal world, we’d like to jump on vulnerabilities as soon as we receive them. In reality, we all have work to do and never enough time!

Microsoft had its last Patch Tuesday, then released an emergency out-of-cycle patch a day later for an Exchange Server zero-day exploit that was older than 90 days from responsible disclosure.

The estimate is that it affected over a billion email accounts, making them vulnerable to harvesting!

This Hik vulnerability is almost as bad as it gets (I take nothing away from that), but there are much bigger things happening in the enterprise cyber arena (for context).

This Hik vulnerability is almost as bad as it gets (I take nothing away from that), but there are much bigger things happening in the enterprise cyber arena (for context).

Granted, but this report is in the context of the physical security world. While a mere blip on the whole of the IT world and I would not expect it to be necessarily on the front page of Wired or Computer World, I would expect it to be front page of IPVM.

I agree, it will make some of the media outlets at some point.

I listened to a podcast first broadcast last week that was still going on about the Mirai botnet (that affected Dahua), so once it gets in the press, it’s likely to hang around for a while!

Why does anyone think this is a good comeback?

Just making lemonade.

While I'm not 100% clear on how easy it is to deploy this exploit, my leading concern would be the people at most risk who have used what small funds they have to purchase a CCTV system they have been told is safe and may protect them, or aid future evidence to protect them, from domestic violence.

If a stalker who might have reasonable funds could use this, it could be devastating.

If the risk is this high could a push notification through the app not be sent out to recommend upgrades?

If the risk is this high could a push notification through the app not be sent out to recommend upgrades?

That is one way to handle this. However, this would then give Hikvision (or whoever is the supplier) control of one's devices, which is also a security risk. At that point, you need to decide how much you trust the supplier (whether it is Hikvision, Verkada, etc.).

"At that point, you need to decide how much you trust the supplier (whether it is Hikvision, Verkada, etc.)."

Don't trust them at all.

Not true about giving control of a device to a third party by sending a push notification.

Hikvision, as the developer of the app, could make a pop-up appear on everyone’s devices. Probably not to a subset of apps connected to affected devices, but certainly they could to all app users the next time they load the app or log in.

Potentially they could minor-update the app to make it do that as well.

This would be a responsible thing to do…

Just wondering what will happen with 3-5 year old models - no firmware upgrades I guess?

Much of the affected model list is actually newer models, like the G0/G2 series models from the past couple years, but there are definitely some older models affected. We've sent Hikvision some questions and will ask them this, as well, thanks.

Can you somehow juxtapose this article with this one: 90+ Hikvision Partners Ask US FCC Not To Ban Hikvision

Mainly the comments about Hikvision having amazing cybersecurity.

So some simple cyber security advice for our fellow installers out there.

Install cameras and other security equipment on separate, physically segregated networks so if something like this happens, then there is no access to the devices so the network remains secure!

Or Hikvision's recent advocacy for zero-trust networks, e.g. Zero Trust Security And Video Surveillance

That isn't a substitute for using a brand of IoT device with a long track record of vulnerabilities and a lack of integrity regarding them.

My first-hand experience says many small end-users don't understand and/or cannot afford a segregated network. Many of your fellow installers that install the monthly promotion brand at ADI and legacy Tri-Ed (Hikua and OEMs) don't give two poops about cyber.

Never said it was a magic bullet. Simple fact is, the least secure product, when deployed securely, cannot be compromised if deployed correctly.

Any internet-facing product is potentially vulnerable to an exploit once discovered…. If it ain’t connected it cannot be exploited!

"My first-hand experience says many small end-users don't understand and/or cannot afford a segregated network. Many of your fellow installers that install the monthly promotion brand at ADI and legacy Tri-Ed (Hikua and OEMs) don't give two poops about cyber."

Oh, I don't know about all that. Many customers will accept separate wiring, to separate switches, and a separate router if the security aspects are properly conveyed.

You shouldn't have to install on a physically separated network. If I have to segregate devices on a network it shouldn't be on any network.

"You shouldn't have to install on a physically separated network. If I have to segregate devices on a network it shouldn't be on any network. "

For this reason and a number of others, not necessarily all for security, you should, or at least logically.

You would think it was common sense. Sad that people are still exposing any devices directly to the net. Plug your Windows or Mac computer into a public IP and see what happens.

From a new Hikvision dealer FCC submission:

There is no risk to the Nations Security via HIK- End users need to be held accountable for not changing passwords or not utilizing up to date anti virus software.

It is fascinating to see how little these Hikvision partners know about cybersecurity that they think changing passwords will rectify such critical vulnerabilities.

Kind of like how Ford car owners should be held accountable for not installing 5 point seat harnesses in case the factory 3 point seat belts in all their cars happens to fail. And everyone knows if anything happens to Ford, there are no other car companies in the world that could fill the product void left behind by Ford and it would severely cripple the entire vehicle industry market.

"It is fascinating to see how little these Hikvision partners know about cybersecurity that they think changing passwords will rectify such critical vulnerabilities."

It isn't only hik partners. This is a generational problem. And a cultural problem.

It'S uP tO tHe CoNsOoMeR

UPDATE:

Update Bashis Has Found And Reproduced On His Own

Bashis has found the vulnerability on his own and reproduced it. Bashis is the cybersecurity researcher who discovered numerous Dahua and other video surveillance manufacturer vulnerabilities. The fact that he was able to figure it out so quickly indicates that other experts, including governments or hackers, will likely be able to do so as well. Bashis is not releasing the details.

IPVM Image

Hi Bashis,

Could you provide a bit of context to your screen cap? I'm not heavily technical so I'm not sure what I'm supposed to be seeing in the script that's so problematic.

Thx

Sure,

Hardware: r2 is Hik. Please see here

I just used my old crappy Hik cam I have here for playing, please let me know if you want to see anything else that would confirm. (I'm usually into Dahua, never Hik, but I always wanted a true shell on this one too, and not only 'psh')

…but I always wanted a true shell on this one too…

#bash is not available?

Nope, before only 'psh', now 'ash' as well.

but I always wanted a true shell on this one too

ash is to bashis, dust to dust.

Oh, U1 disguised as U3, hello old 'friend' ,-)

hello old 'friend'

Howdy! Couple of questions:

1) What do you think of Ghidra?

2) Have you collected any bounties yet?

1) Useful, but prefer IDA Pro

2) Zero, not claimed any - Yes, been offered "rewards", but declined

What about you?

U3, mate,

Still waiting for your answer on my return questions...

You just killed Rhodes

It is showing that he has full root shell access, something that "shouldn't" be possible for a good cyber secured IoT device. He is also able to show the CPU info, again disclosing more info about the hardware.

Update: Hikvision USA has sent a 'Special Bulletin' to dealers:

IPVM Image

The content/claims are similar to the original HQ announcement.

Question: Does this also affect their other products, like IP intercoms, access control & alarm panels?

I don’t think it does. I’m still searching for a full list.

Extremely sure you will not find that. :-/

Good question, they might be if they can be accessed with http/https. That is one of the reasons I usually release a working exploit/scanner for most vulnerabilities I find, only to allow your own testing and hopefully remediation.

However, I would not be surprised if they are, as most of these devices (as usual I can only speak about Dahua) share the same base of SDK/code between devices, and some of them are/were affected.

Nevertheless, I think I would recommend assuming it does affect all devices until proven not.

The last generation or two have been conditioned to not take their security or privacy seriously. This is nothing, in the larger picture of things to come.

Several years ago I got an invitation from a famous antivirus SW developer to participate in a hackathon as a security system vendor. "Attackers" had the task of "burning" an electrical power station by accessing its management software through vulnerabilities in security devices (IP cameras). Can't say accurately the winners' time, but it took about a couple of hours to do that. The winners simulated the scenario - adjusting the electrical power station so that in a real situation it would be completely burned. Access was "granted" through vulnerable/backdoored IP cameras.

Access was "granted" through vulnerable/backdoored ip-cameras.

Was the backdoor known before the hackathon?

Cool stuff, although there is extremely little you could do via an IPC/NVR/XVR/DVR...etc. w/o externally loaded tools, unless the device has full-blown busybox, which will give you some stuff. Or with compiled (not so easy) full-blown busybox & tools with an NFS mount to some external host.

ROFL, think some Hik or its supporters showed up now to just 'Disagree' with everything ;)

IPVM Image

Got notified today via Anixter of the Hikvision vulnerability and links to updates. I apologize if I missed it above, but do we know if this vulnerability impacts OEM product in the field as well or only Hikvision branded? Interlogix advised they are not aware of a vulnerability in their cameras at this time.

Our company stopped OEM cooperation with Hikvision more than 2 years ago, but per our request, within two weeks we received the necessary FW updates.

Update: the US government's Cybersecurity & Infrastructure Security Agency (CISA) has issued its own alert on the vulnerability:

IPVM Image

UPDATE: Hikvision has published an FAQ about this vulnerability.

Hikvision's FAQ denied this is a "Chinese government back door", stating "Hikvision does not have government backdoors in our products":

IPVM Image

IPVM has requested Hikvision clarify if it does not have any backdoors in its products, so Hikvision can be on the record declaring no backdoors of any kind - not simply limited to "government" ones.

The FAQ also claimed that IPVM ("an industry blog") included "misleading information" about Hikvision's port forwarding recommendation, claiming Hikvision only advises this when "absolutely necessary":

IPVM Image

However, this is false - IPVM's reporting is based on the same Best Practices page that Hikvision links to in the FAQ, which states users who want "quick and steady access" "may have to choose" port forwarding:

IPVM Image

Since most users (naturally) want "quick and steady access", this still amounts to a recommendation.

However, this is false - IPVM's reporting is based on the same Best Practices page that Hikvision links to in the FAQ, which states users who want "quick and steady access" "may have to choose" port forwarding:

Went to the link. Here is what is actually stated chuck....

About “Port Forwarding”

It is well known that the Internet is flooded with constant cyber-attacks. Once connected to the Internet, devices will face all kinds of cyber security problems. Therefore, it is generally recommended that devices not be directly connected to the Internet, unless there are special access purposes.

If P2P or VPN solutions fail to meet the needs of users, who want to have a quick and steady access to the specified port service of the device through the Internet, users may have to choose the traditional "port forwarding" scheme. While this provides easy access to devices, special consideration should be given to cybersecurity controls because these devices will be visible from the internet. If one decides to use this method, it is highly recommended that additional host-based security controls are used to better secure the device.

Just make it up as you go. You can't even call it paraphrasing...just poor blog attempt at controlling the language. You may fit in well at cn(blog)n or Ms(blog)nbc(ya).

Just make it up as you go. You can't even call it paraphrasing..

Which part did I "make up"? Hikvision states some users "may have to choose" port forwarding if they want "quick and steady access" (and don't use P2P/VPN) - what part is incorrect? It doesn't matter how many caveats and warnings Hikvision has; Hikvision is free to state 'no port forwarding, period' but chooses not to.

Hikvision saying users may have to choose port forwarding if they "want to have a quick and steady access" is like an Olympic coach saying athletes may have to choose steroids if they want to be "strong and fast". Any other warnings are contradicted by this directive. If Hikvision is truly opposed to port forwarding (as they should) they should just remove that claim. Given they continue to include it, it speaks volumes for their approach.

Just make it up as you go. You can't even call it paraphrasing...just poor blog attempt at controlling the language. You may fit in well at cn(blog)n or Ms(blog)nbc(ya).

You’re kidding, right?

You're not really gonna attack Rollet because you’re up late and looking for a hair to split?!?

And then not even have the confidence to argue facts, but rather go right for the ad homs?

With Mr. Charles “Never miss an update” Rollet?

Have you no decency, sir?

This report has been updated with a video summarizing Hikvision vulnerabilities:

You can verify your cams now, PoC here

“Defiantly not vulnerable”

That’s the way I prefer my devices ;)

Cool, but I prefer not mine like that ;)

I've got to ask.... why do you use triple quoted string literals ("""302 when requesting http on https enabled device""") everywhere instead of actual comments (# 302 when requesting http on https enabled device)? I'm not judging, just a little curious.

Well, you could also ask why I use four spaces instead of one tab ;)

Anyhow, for your question: since I left "vi" & "Joe" and then later "Sublime" for "PyCharm" in coding, I've learned new things, and since I am trying to move forward, I left '# Comments' for """Comments""" to get fewer warnings in "PyCharm".