Hikvision Cloud Security Vulnerability Uncovered

By: Brian Karas, Published on Dec 05, 2016

A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely take over the server and gain access to sensitive customer data. This is a newer issue, different from Hikvision's security issues in 2015 and earlier, and it has not been disclosed by Hikvision.

Iraklis Mathiopoulos [link no longer available], the researcher who uncovered this, reported the issue to Hikvision, and provided additional perspective to IPVM regarding this issue and Hikvision's handling of it.

Full details of the vulnerability, our analysis of Hikvision's server weakness, and what this means for the security of users with Hikvision cameras on their network are covered in this report.


Comments (30)

I swear I didn't vote very! Lol

I swear I didn't vote very!

So you're saying it was definitely Marty then, eh? ;)

With 151 votes so far, the majority is 'Not very', currently at 79% of the tally.

Whoever did vote 'Very' is in a small minority with just 7% of the total.

FTR, I voted moderately. I don't trust anyone more than moderately tho

What is the hikonline.com server used for? I know it's used for DDNS for the cameras, but is it used for anything else?

For standard Hikvision-branded commercial cameras and recorders (the stuff most integrators here would be dealing with) hik-online.com looks to be primarily a DDNS service.

The researcher said his consumer-oriented OEM camera required the cloud server in order to even view live video, similar to how the Ex-Viz systems work, making it much more involved in the user<=>device connection.

POLL: Should Iraklis Mathiopoulos be compensated for his time and efforts by Hikvision? Agree/Disagree.

But he was compensated:

25/9/16: Received my bounty by post. A 69$ cloud camera.

:)

$69? ADI must not have been running a special that week.

He was compensated, in the form of a free camera that would have cost him $69.

The real question is, is Hikvision's response and payment comparable to other bug bounty programs, and does it provide incentive for other white-hat hackers to spend time testing their systems for them?

I will add my opinion that I think the camera he received is almost worse than no payment. It is like Hikvision saying "we have taken the time to value your contribution, and we feel it is worth very little". Hikvision's cost on that $69 camera is surely even less than the retail value.

Another white-hat researcher reading this might say "It's not worth spending time evaluating Hikvision products/platforms because the company will not compensate me appropriately." This leaves those vulnerabilities open to black-hat attackers, who would NOT disclose them to Hikvision, and instead use them for their own financial gain in other ways, which would likely be a much worse scenario for Hikvision's customers.

Hackerone is a platform that helps coordinate and reward vulnerability discovery. According to them:

We recommend a minimum of $100. The average is around $500 and the current record is $30,000

Related, his reaction to Hikvision's cube camera was not positive:

"I will add my opinion that I think the camera he received is almost worse than no payment. It is like Hikvision saying "we have taken the time to value your contribution, and we feel it is worth very little". Hikvision's cost on that $69 camera is surely even less than the retail value."

You are being too nice...this is like leaving a penny as a tip for a waiter in a fine restaurant.

Only assholes do that kind of stuff.

Hikvision's cost on that $69 camera is surely even less than the retail value.

Not after you back out the subsidy ;)

Just a quick update on this, which I haven't put on my blog.

About 2 weeks ago I received an invoice from TNT. I have to pay them something in the region of 40 GBP for import taxes and admin fees. So yes, I actually lost money on this :-)

Iraklis, we paypal'ed you to cover the import taxes and admin fees. No reason you should have to pay to fix a vendor's problems.

Very nice gesture John. Appreciate it.

I have to pay them something in the region of 40 GBP for import taxes...

Ironically, many U.S. integrators would love a $50 import fee on every Hik camera brought in ;)

I think Hikvision's (flawed) perspective is that a researcher publicly disclosing vulnerabilities hurts their reputation more than it helps them improve their security. Therefore they won't promote it.

I think it's the lack of a clear security strategy. They had the opportunity to offer me something in return for an NDA. I'm not taking a hit at Hikvision; unfortunately it's a very common symptom that can be observed in many organisations.

Any speculation on what the cost to HIK would have been if the vulnerability had led to a high profile security breach?

If I was rating how companies respond to vulnerabilities their response would be as bad as it gets. They are actively discouraging anyone from taking a closer look - and this doesn't sound like it was a complex hack.

It doesn't surprise me that there are security flaws in security products - it does surprise me that companies don't realize that how they respond to a vulnerability is often MORE important than the vulnerability.

Any speculation on what the cost to HIK would have been if the vulnerability had led to a high profile security breach?

Hard to say, but between time spent internally dealing with the issue, potential lost business, etc., it would likely be a pallet-load worth of $69 cameras at a minimum.

...it would likely be a pallet-load worth of $69 cameras at a minimum.

Double pallet now thru Dec 31.

Any speculation on what the cost to HIK would have been if the vulnerability had led to a high profile security breach?

I would not speculate on the specific cost as it would minimally need to know how many accounts were stored there, what information about those accounts was there, etc.

But there is certainly a real cost in terms of reputation with this. Hikvision has spent a lot of money marketing their cybersecurity in response to the last round of issues. Time helps. It is a lot easier to say, "Yes we had problems but those were (approaching) 2 years ago." Now they need to go back out, defend this and answer more questions about their cybersecurity.

a $69 cloud camera...?? Either it is a slap in the face to offer such a low cost consumer camera, or a LOL that it is a cloud camera going to a network security researcher, or they are trying to silence/teach him a lesson. Once the camera phones home, they can try to PWN his network, as they already control the camera that is now inside his network...

Assuming he 1) actually uses it 2) places it at home and 3) isn't inside a giant honeypot....

One Hikvision cloud camera going on e-bay now.

Do you think Rapid7's limited response is because what they did was not check the cloud service, but only, perhaps, Hikvision professional IPCs?

Or does it seem Rapid7 is responsible, seeing as this issue was found and should have been detected by what should have been highly qualified engineers?

I guess no government likes to be found with egg on their face, or in this case with the pants on the floor.

Chinese companies don't like to pay anything for software, so finding something wrong all be it a serious issue, has even less value than a street vendor selling rat on a stick with suspicious sauce.

Or does it seem Rapid7 is responsible, seeing as this issue was found and should have been detected by what should have been highly qualified engineers?

It is an interesting question. It would certainly help if Hikvision made it clear what Rapid7 has tested, what they found and how frequently they test (do they test each new firmware release, etc., is it cameras only, etc.).

Albeit?

https://www.merriam-webster.com/dictionary/albeit

Eh, I hate to say it, but I can't imagine Dahua being much better about the situation unless someone twists their arm.

I think though...maybe I should ask them to create clear incentives and maintain a clear line of communication for vulnerability disclosures...

However, that would also assume they would be open about their existing vulnerabilities that they are working to address.

Life would just be so much better if more companies were clear and open about their software development roadmap. I can imagine if any surveillance manufacturer had their crap together like LibreOffice they'd be on top of our collective lists here in a heartbeat.

Or, implement something similar to the GDPR

Few things in life make C level execs more focused than potential multi-million EUR/USD fines.

Iraklis,

Thank you very much for your work on this and for your disclosure. It sounds like you gave Hikvision a fair amount of time to respond, and the fact that they did not says a lot. Although we do not utilize Hikvision, this should be a wake-up call for all other camera and IoT device manufacturers that there are many white-hat hackers carrying out their own projects. Surely there are other camera manufacturers out there with this and other vulnerabilities, but when notified of a breach, we expect them to react swiftly.

I surely don't envy the work and due diligence necessary on the manufacturing side, but maybe we pay a few bucks more per camera to ensure we are dealing with viable manufacturers that protect us and themselves.

