Hikvision Cybersecurity Vulnerabilities Reported By Lithuania Government

By Ethan Ace, Published Feb 15, 2021, 08:26am EST

Nearly 100 vulnerabilities were found in Hikvision firmware by a new report from Lithuania's government. Hikvision refused to provide any response, despite being given 2 weeks' time to respond.


Inside this report:

  • A summary of the vulnerabilities
  • The vulnerabilities explained
  • Comment from Lithuania's Ministry of Defence
  • Continued cybersecurity issues
  • Comparison to Axis firmware vulnerabilities


Nearly 100 Vulnerabilities

The report was released by Lithuania's National Cyber Security Centre, part of the Ministry of National Defence. Camera firmware was decompiled and software versions checked for known CVEs.

The report summarizes the findings of this process, identifying nearly 100 vulnerabilities in software packages used in Hikvision DS-2CD2183G0-IU firmware (V5.6.2 build 190701):

Eleven software packages containing 95 security vulnerabilities were found installed in the Hikvision DS-2CD2183G0-IU camera. Thirty two vulnerabilities had a threat score greater than 6.5 (out of 10).

Additionally, they found that the newer firmware contained more vulnerabilities than the older versions they tested in an earlier report (95 vs. 63).

Critical Vulnerabilities

The package with the most vulnerabilities and the most critical was an older version of OpenSSL (1.0.1j), which contains 45 vulnerabilities, three of which have the highest possible score, 10/10. Others, including BusyBox, libssh2, and libxls also have severe vulnerabilities, scored at 8+.

The NCSC report mentions the potential ramifications of these vulnerabilities:

The identified vulnerabilities could allow hackers to execute cyber-attacks, remotely intercept camera information and execute malicious code. In addition, the camera was found to be susceptible to Denial of Service (DoS) attacks.

Out Of Date Software Versions

Notably, all of these packages are severely out of date, with many dating to 2012 or earlier, including OpenSSL and BusyBox, the packages with the most severe vulnerabilities. Newer versions of these packages, which contain few or no known vulnerabilities, are available, but Hikvision has not implemented them.

Vulnerabilities Not Exploited During Testing

The NCSC did not exploit any of these vulnerabilities during testing. There is no proof of concept of how these vulnerabilities may be exploited. Instead, NCSC pointed out that the aim of the study was to assess what vulnerabilities existed and how severely they were rated by the common vulnerability scoring system. It is unlikely that any of these vulnerabilities would be exploited by inexperienced users, due to their complexity, but they could be starting points for more complex attacks.

Report Limitations

Though the NCSC report performed detailed analysis of firmware for the cameras tested, firmware may vary on other product lines and in other regions. The NCSC performed their analysis only on firmware from the European region.

Also, note that newer versions of firmware are now available (latest version was 5.6.3 build 190923 at the time of writing). Vulnerabilities may vary in this and any newer versions as they are released.

Dahua Firmware Analysis Not Included

Dahua is mentioned in this new report and an earlier May 2020 report, but the NCSC did not perform detailed vulnerability analysis as they did with Hikvision. Instead, Dahua testing focused on "phone home" traffic, open ports, and web service versions. They did not find any specific "direct cyber security vulnerabilities" in these tests, but found that the camera opened connections and periodically sent packets to servers in 5 different countries, including China.

Axis Contrast: No Known Vulnerabilities

In addition to Hikvision, NCSC also checked Axis firmware for vulnerabilities in current software. They found that while factory firmware (7.3.0 in their tests) had 53 known vulnerabilities, dating back to 2016, the latest version of firmware at the time of their research had no known vulnerabilities (9.3.0).

No Response From Hikvision

Hikvision acknowledged receipt of our request for comment on the study and vulnerabilities but did not respond with any statement.

Update: A day after IPVM published, Hikvision responded:

Hikvision takes cybersecurity very seriously and is always open to cybersecurity research on our products. Hikvision is aware of the NKSC report and is currently internally investigating the findings of the report. The report addresses third-party software vulnerabilities. However, NKSC only conducted static analysis and the report does not describe if any of these vulnerabilities are exploitable for this Hikvision product.

Update: Hikvision Statement (March 3, 2021)

Hikvision has replied to IPVM with this statement, copied in full:

Statement on the Suspected Security Issue in Two Hikvision Cameras Reported by the Lithuanian National Cyber Security Centre (NKSC)

In January 2021, the Lithuanian Cyber Security Centre (NKSC) released a camera security assessment report disclosing its findings of the cyber security assessment they performed on home video surveillance cameras supplied by various manufacturers to the local market. Through the software component analysis tool (SCA), two Hikvision cameras DS-2CD4C26FWD-AP and DS-2CD2183G0-IU were examined by the study with the conclusion that the software used in the equipment was relatively old and potentially had vulnerabilities.

Hikvision conducted a thorough investigation regarding the report’s findings and would like to provide the following analysis and conclusions:

  1. The known component vulnerability analysis method used in the report is based on the name and version number of open source software to evaluate known vulnerabilities, which can lead to false positives on embedded devices;
  2. The code related to the vulnerabilities of some open source components mentioned in the report is not compiled into the firmware, or the code related to the vulnerabilities in some open source components mentioned is included in the firmware, but in this case, the corresponding functional modules are not used;
  3. After some vulnerabilities are discovered in open source software, source code patches will first be released to fix the vulnerabilities. However, in order to fix the vulnerabilities as soon as possible, device vendors often incorporate the source code of the patched vulnerabilities to solve the problem, but the open source software version number used in the product firmware is still the previous number of the old version.

For the above reasons, Hikvision has conducted strict security verification on the open source components vulnerabilities listed in the report. Through patches and other methods to circumvent the potential risks, Hikvision ensures that these vulnerabilities will not affect the security of the device.

Hikvision takes product security very seriously. We purchase a large number of third-party and open source software around the world and apply them to our products. During the process of use and management, we have established the strict management specifications and implementation procedures that are in accordance with industry best practices, to ensure that all imported third-party software meets our security requirements and can be effectively and securely managed.

For the specific measures of Hikvision on third-party and open source software security management, please refer to the fifth part of the Hikvision Cybersecurity White Paper (https://www.hikvision.com/en/support/cybersecurity/cybersecurity-white-paper/hikvision-cybersecurity-white-paper2019/).
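The version-matching method used in the NCSC report and the three caveats raised in Hikvision's statement can be laid side by side in code. The following is an added example, not code from NCSC, Hikvision or IPVM; the firmware bytes, advisory ids, module names, scores and build evidence are constructed placeholders, and only the OpenSSL 1.0.1j version comes from the article.

```python
import re
from dataclasses import dataclass

# Constructed sample bytes standing in for an unpacked firmware image.
# Only OpenSSL 1.0.1j is a version named in the article; the rest is invented.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x00\x00OpenSSL 1.0.1j 15 Oct 2014\x00"
    b"\x00BusyBox v1.19.4 (2019-07-01 10:00:00 CST)\x00\xff"
    b"SSH-2.0-libssh2_1.4.2\x00"
)

# Banner patterns used to fingerprint components by name and version.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)"),
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+\.\d+)"),
    "libssh2": re.compile(rb"libssh2_(\d+\.\d+\.\d+)"),
}

@dataclass(frozen=True)
class Advisory:
    ident: str      # placeholder id, not a real CVE number
    component: str
    fixed_in: str   # first upstream release containing the fix
    score: float    # CVSS-style base score
    module: str     # hypothetical upstream module holding the flawed code

# Constructed advisory table; ids, versions, scores and modules are placeholders.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "openssl", "1.0.1k", 10.0, "dtls"),
    Advisory("EXAMPLE-0002", "openssl", "1.0.1m", 7.5, "x509"),
    Advisory("EXAMPLE-0003", "openssl", "1.0.1h", 6.8, "tls"),
    Advisory("EXAMPLE-0004", "busybox", "1.22.0", 8.1, "udhcpc"),
    Advisory("EXAMPLE-0005", "libssh2", "1.4.3", 8.8, "kex"),
]

def version_key(v):
    """'1.0.1j' -> (1, 0, 1, 'j') so OpenSSL letter releases sort correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def fingerprint(image):
    """Return {component: version} from banner strings found in the image."""
    found = {}
    for name, pattern in BANNERS.items():
        m = pattern.search(image)
        if m:
            found[name] = m.group(1).decode()
    return found

def version_matches(components, advisories=ADVISORIES):
    """Step 1, name-and-version matching: flag advisories fixed in a later release."""
    return [a for a in advisories
            if a.component in components
            and version_key(components[a.component]) < version_key(a.fixed_in)]

def triage(matches, compiled_out=frozenset(), backported=frozenset()):
    """Step 2: apply build evidence; a match without evidence still needs testing."""
    result = {}
    for a in matches:
        if (a.component, a.module) in compiled_out:
            result[a.ident] = "not_affected: module not compiled in"
        elif a.ident in backported:
            result[a.ident] = "fixed: patch backported, version string unchanged"
        else:
            result[a.ident] = "under_investigation: version match only"
    return result

if __name__ == "__main__":
    hits = version_matches(fingerprint(SAMPLE_IMAGE))
    print(len(hits), "version matches")
    # Hypothetical build evidence a vendor would have to supply and substantiate.
    evidence = dict(compiled_out={("openssl", "dtls")}, backported={"EXAMPLE-0004"})
    for ident, status in triage(hits, **evidence).items():
        print(ident, status)
```

With no build evidence supplied, every version match stays in the "under_investigation" state, which is the position a reader of a version-only report is in.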

Bad For Hikvision

Given Hikvision's very poor track record, including critical vulnerabilities, cloud vulnerabilities, and backdoors, this report is likely to raise concerns about Hikvision's cybersecurity. Further, while many past Hikvision vulnerabilities were disclosed by private individuals, this report's publication by a government agency is likely to carry even more weight.


Comments (40)


No offense to Lithuania, but Lithuania? Do other governments do this type of testing?

Agree: 2
Disagree: 1
Informative
Unhelpful: 3
Funny

Do other governments release the results? Good on Lithuania or any government that wants to investigate such things and better inform the public.

Agree: 17
Disagree
Informative
Unhelpful
Funny

Absolutely good on Lithuania for releasing the results. That wasn't what I was getting at. Why just Lithuania? If other governments are doing testing like this (I certainly hope they are) why not release the results? What is the downside to calling it out? Especially if they are already known exploits or issues?

Agree: 6
Disagree
Informative
Unhelpful
Funny

cloak and dagger...

we know your vulnerabilities... but we aren't telling you that we know...and we aren't telling people what we are doing to find these...

just accept we know everything...

Agree: 4
Disagree
Informative
Unhelpful
Funny: 1

My only guess would be they didn’t do this type of testing before buying. Any sane government wouldn’t buy Chinese cameras with 100 vulnerabilities if they knew about it.

Also a lot of governments don’t even allow Chinese brands in the tendering process so…

Maybe they just Googled them first and thought “Hell no!”

Agree
Disagree
Informative
Unhelpful
Funny

While reading the report and noting the CVEs, it's just nothing new in vulnerability way, so to speak, just lack of interest from vendors for updating to latest libraries / code in their blobs. (And therefore no need of NDA, it's old public)

The Lithuanians could do exactly same list with Dahua, and even with most vendors in this industry actually.

The vendors (Hik, Dahua, etc..) problem, I guess, are they just compile all things into one big blob, and won't be so easy task to update to latest versions w/o breaking things.

For Dahua specific, noted recently some nice SQLite injections, guess I'll report them shortly as nothing 'interesting' could be done.

Any 'sane' people would simply not buy this stuff (I'm not sane ,).

Agree
Disagree
Informative: 2
Unhelpful
Funny

It does make me chuckle when we get tenders that say ‘No Chinese made cameras’. Occasionally (more often these days) we get ‘No cameras, hardware or software from USA manufacturers’

For the first time received one with both banned!

Also see ‘No Cisco’ presumably this is due to the numerous reported hard coded back doors and vulnerabilities they found in their code review!

Agree
Disagree
Informative: 2
Unhelpful
Funny

IMO, very few who has not origin China, still lots of vendors outside of .cn who OEM them (including Cisco).

To my best knowledge (please correct me if I am wrong, may be others too), the only vendor I know is Axis, who do not OEM foreign (.cn/.tw/etc.) IPC's.

Which is very clear for me while 'dissecting' the firmwares, since there is huge differences and in practical not comparable, as most Chinese vendors compile all into one big blob, while Axis do not (actually more comparable to mini Linux environment)

No, I am not paid nor employee of Axis, who trying to promote their products, but I cannot deny that I am actually a bit impressed about the structure in Axis firmware, and also the security measures they have implemented since my full disclosure of the format string back in 2016.

My 0.02$

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

the only vendor I know is Axis, who do not OEM foreign (.cn/.tw/etc.) IPC's.

Also, Avigilon, see Motorola Solutions Opens US Factory For Avigilon, Pelco, IV And More

You may not see as many Avigilon cameras in the wild since they are generally not sold on the Internet. If you ever want access to one, just let us know :)

Agree
Disagree
Informative
Unhelpful
Funny

Interesting, thx :)

Agree
Disagree
Informative
Unhelpful
Funny

Have a question for you

Is it possible to completely wipe out HIK NVR OS

and install Linux

just curious

Thanks

Agree
Disagree
Informative
Unhelpful
Funny

I explored this idea a bit. Might have gone further if the FCC rule hadn't been written. If the rule passes it won't matter what OS the device is running it still won't have an FCC license to be powered on. Might make an interesting experiment but I don't see a payout in extending the service life of my Interlogix TVN71s or TVN21s.

Agree
Disagree
Informative
Unhelpful
Funny

"IMO, very few who has not origin China, still lots of vendors outside of .cn who OEM them (including Cisco)." - going to start my own OEM branding, maybe name it "if you don't care, we don't care series"

Agree
Disagree
Informative
Unhelpful
Funny

There are sane governments?

Agree
Disagree
Informative
Unhelpful
Funny

It may be Lithuania because the country is small, and lately it seems like Hikvision is intent on creating an EU hub here, which may have drawn more attention. Just see other IPVM articles: IPVM Search Engine

Also, many of Lithuania's state institutions are well known for using Chinese hardware and Russian software, while the country is positioning itself as a fintech, hitech and startup hub. So there may have been some pressure to get the backyard in order before expecting serious FDI. Being Lithuanian, I'm happy to learn investigations are happening and published, as eventually the market will see the benefits.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Norwegians did the same investigations somewhat a year ago but did not disclose any results. At least I was aware of their findings but the actual result is under NDA.

Agree
Disagree
Informative: 7
Unhelpful
Funny

Please share, since you seem not to be on NDA =)

Agree
Disagree
Informative
Unhelpful
Funny

Why do I post it undisclosed with no extra details then?

But you can figure out the 2+2 math from the official statement from Frank Bakke-Jensen (Norwegian Minister of Defense): Forsvarsmateriell, Forsvaret ved Forsvarets logistikkorganisasjon (FLO) and Forsvarsbygg (these are Norwegian MOD organizations) have reviewed their systems, and have stated that they have not registered products from Hikvision. No agreements have been established with Hikvision.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Well, this isn't particularly advanced testing (no offense to Lithuania). If they did what I think they did, it probably took longer to write the report than to discover the list of CVEs. There are free tools like OpenVAS that anybody could use to come up with the same results. Wouldn't be surprising if some enterprise IT departments were doing the same checks daily.

The vulnerabilities that the NSA would be interested in are the ones that aren't already listed in a CVE database somewhere.

Agree: 2
Disagree
Informative: 2
Unhelpful
Funny

And thus the NDA for the NSA

Agree
Disagree
Informative
Unhelpful
Funny

Why test products with a checked past or from Nation States that are known to be nefarious on occasion is the bigger question.

Price and performance don't equal supply chain security, there is way more to it than a crisp image and good margins.

Do you stand behind what you put your name on?

Agree
Disagree
Informative
Unhelpful
Funny

If someone is concerned about security, either find the means to properly test or don't purchase the products. We get what we get....

Agree
Disagree
Informative
Unhelpful
Funny

They all "should"; may be considered irresponsible not to.

Agree
Disagree
Informative
Unhelpful
Funny

this is not directly related, but the Lithuanian government views Russia and China as its two biggest threats, citing “the malicious use of Chinese cyber capabilities in Lithuanian cyberspace" in particular.

Agree
Disagree
Informative
Unhelpful
Funny

I think we do too...

Agree
Disagree
Informative
Unhelpful
Funny

All should no matter what , and keep up on the cyber threat , that is at every turn

when you let your guard down is when you fail

always at watch and always alert to foil the attempts of espionage

more than ever

Agree: 1
Disagree
Informative
Unhelpful
Funny

when you let your guard down is when you fail

No kidding. The IoT world is a raging storm of vulnerabilities. You can stick the cameras on a VLAN with a firewall, but what about all the rest? For example, printers are fully functioning computers, but almost nobody keeps their firmware updated, and printers have wide access on the network (because people need to print).... So now printers are one of the trendy ways for hackers to get in. When you let your guard down...

Agree: 4
Disagree
Informative: 1
Unhelpful
Funny

HP has been doing a lot with securing their printers, firmware, and talking about cyber. Watch their videos here or on YouTube called The Wolf. Very funny and bring attention to the issue.

Real world exploits have been done with drones to capture print jobs using rogue access points so they have a point...

HP reinvents security with global campaign starring Christian Slater

Agree
Disagree
Informative: 3
Unhelpful
Funny

Axis fw9.3 is mid 2019 so these results appear to be miles out of date

Would be interesting to know what scanning tools are being used also to discover these and compare.

also to note that when performing scans on axis devices, some vulnerability modules do show such as a few Apache vulns . This however doesn’t represent true as elements of the modules aren’t even utilised on the axis devices so aren’t ‘true’ vulnerabilities

Agree
Disagree
Informative: 1
Unhelpful
Funny

IPVM may have folks with those skillsets on hand; I would be all for some of my subscription money going towards that. $199 per person (minimum) at 15,000+ members (~$3 million annually). Maybe they already do some of that type of testing?

Agree: 2
Disagree
Informative
Unhelpful
Funny

Crickets........

Agree
Disagree
Informative
Unhelpful
Funny

Update: Hikvision responds:

Hikvision takes cybersecurity very seriously and is always open to cybersecurity research on our products. Hikvision is aware of the NKSC report and is currently internally investigating the findings of the report. The report addresses third-party software vulnerabilities. However, NKSC only conducted static analysis and the report does not describe if any of these vulnerabilities are exploitable for this Hikvision product.

Agree: 1
Disagree
Informative
Unhelpful
Funny

"We take cybersecurity very seriously" always makes me shudder... It usually means the exact opposite.

NKSC only conducted static analysis and the report does not describe if any of these vulnerabilities are exploitable

This is a valid point. I would have preferred it if actual exploitation had been attempted. The thing with vulnerability scanners (which I assume is what NCSC used) is that you get a huge number of false positives. You really need to know how libraries are being used.

This kind of goes to answer what Ross was asking. Vulnerability scanning isn't super hard. You check the version of all the libraries, plug that into a CVE database, get a list of matches, and you're done. But that doesn't mean they are all exploitable. Without knowing if they're exploitable, the report isn't particularly useful.

Let me excerpt from Conor Mancone on Security Stack Exchange:

You should never send a vulnerability report from a scanner to a company. 90% of the time those are useless by themselves, and are likely to be ignored by any competent security team. The reason is because scanners can have any number of false positives, so a positive from a vulnerability scanner does not actually mean there is a vulnerability. However, it is common for new bug bounty testers to simply send vulnerability reports from scanners off to companies without any understanding of what the report says, if it is correct, or if it is even applicable. As a result security teams will often just ignore a report that came straight out of a scanner. Most bug bounty programs specifically state this.

Mike Ounsworth also has an interesting comment on that post:

I'm one of the security team members who receives random reports like this. I agree that 90% of the time it's a false positive sent by an amateur sec researcher who has no idea what the finding means. That said, 10% of the time, it's a tool we don't run and it's useful. Also, 100% of the time it tells us about the PR impact of people scanning our site. We do sometimes make "unnecessary" code changes purely for PR reasons so that our customers get less alarmed when they run a scan.

Are the CVEs relevant to Hikvision? Maybe. But they need to be tested to be sure.

Now, you can talk about why Hikvision got dinged on 100 CVEs while Axis didn't have any matches. It is probably better to keep libraries updated. Does that mean that Axis will always be more secure? It's a good sign, but that in itself does not make it more secure. It's just a metric, like the warnings I get from my password manager. I know what and how the passwords are used, so I'm not bothered that computer 1 and computer 2 have the same password because it's actually referring to the same domain account. That's a false positive. But at the same time, it shows that I'm not keeping my password manager well organized. Likewise, since Axis is paying attention to that detail and Hikvision isn't, I can say that Axis is probably more diligent with regards to cyber security.

Agree
Disagree
Informative: 2
Unhelpful
Funny

Dahua is no better than Hik, the regularly noted Dahua "phone home" is most likely their P2P cloud, used for "keep alive" (should be turned off).

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny

note to Lithuania, agency acronyms should not be translated regardless of how one spells cyber.

NCSC vs. NKSC

Agree
Disagree
Informative
Unhelpful
Funny: 1

Thank you, I hadn't seen information on these vulnerabilities elsewhere. This motivated me to set up my router to block all external access to similar devices on my network that are intended only for internal use.

Thanks again!

Agree
Disagree
Informative
Unhelpful
Funny

The Danish defense checks Chinese cameras, but the result is kept secret.

P.S. The source is in Norwegian and under a paywall. The header explains what's inside anyways.

Dansk forsvar sjekker kinesiske kameraer, men resultatet blir holdt hemmelig - Digi.no

Agree
Disagree
Informative
Unhelpful
Funny
