Hikvision Cybersecurity Vulnerabilities Reported By Lithuania Government

Nearly 100 vulnerabilities were found in Hikvision firmware by a new report from Lithuania's government. Hikvision refused to provide any response, despite being given 2 weeks time to respond.

Inside this report:

• A summary of the vulnerabilities
• The vulnerabilities explained
• Comment from Lithuania's Ministry of Defence
• Continued cybersecurity issues
• Comparison to Axis firmware vulnerabilities

Nearly 100 Vulnerabilities

The report was released by Lithuania's National Cyber Security Centre, part of the Ministry of National Defence. Camera firmware was decompiled and software versions checked for known CVEs.

The report summarizes their findings from this process, finding nearly 100 vulnerabilities in software packages used in Hikvision DS-2CD2183G0-IU firmware (V5.6.2 build 190701):

Eleven software packages containing 95 security vulnerabilities were found installed in the Hikvision DS-2CD2183G0-IU camera. Thirty two vulnerabilities had a threat score greater than 6.5 (out of 10).

Additionally, they found that newer firmware contained more vulnerabilities than older versions (95 vs. 63) which they previously tested in an earlier report.

Critical Vulnerabilities

The package with the most vulnerabilities and the most critical was an older version of OpenSSL (1.0.1j), which contains 45 vulnerabilities, three of which have the highest possible score, 10/10. Others, including BusyBox, libssh2, and libxls also have severe vulnerabilities, scored at 8+.

The NCSC report mentions the potential ramifications of these vulnerabilities:

The identified vulnerabilities could allow hackers to execute cyber-attacks, remotely intercept camera information and execute malicious code. In addition, the camera was found to be susceptible to Denial of Service (DoS) attacks.

Out Of Date Software Versions

Notably, all of these packages are severely out of date, with many dating to 2012 or earlier, including Open SSL and BusyBox, the packages with the most severe vulnerabilities. Newer versions of these packages which contain few or no known vulnerabilities are available, but Hikvision has not implemented them.

Vulnerabilities Not Exploited During Testing

The NCSC did not exploit any of these vulnerabilities during testing. There is no proof of concept of how these vulnerabilities may be exploited. Instead, NCSC pointed out that the aim of the study was to assess what vulnerabilities existed and how severely they were rated by the common vulnerability scoring system. It is unlikely that any of these vulnerabilities would be exploited by inexperienced users, due to their complexity, but they could be starting points for more complex attacks.

Report Limitations

Though the NCSC report performed detailed analysis of firmware for the cameras tested, firmware may vary on other product lines and in other regions. The NCSC performed their analysis only on firmware from the European region.

Also, note that newer versions of firmware are now available (latest version was 5.6.3 build 190923 at the time of writing). Vulnerabilities may vary in this and any newer versions as they are released.

Dahua Firmware Analysis Not Included

Dahua is mentioned in this new report and an earlier May 2020 report, but the NCSC did not perform detailed vulnerability analysis as they did with Hikvision. Instead, Dahua testing focused on "phone home" traffic, open ports, and web service versions. They did not find any specific "direct cyber security vulnerabilities" in these tests, but found that the camera opened up connects and periodically sent packets to servers in 5 different countries, including China.

Axis Contrast: No Known Vulnerabilities

In addition to Hikvision, NCSC also checked Axis firmware for vulnerabilities in current software. They found that while factory firmware (7.3.0 in their tests) had 53 known vulnerabilities, dating back to 2016, the latest version of firmware at the time of their research had no known vulnerabilities (9.3.0).

No Response From Hikvision

Hikvision acknowledged receipt of our request for comment on the study and vulnerabilities but did not respond with any statement.

Update, a day after IPVM published Hikvision responded:

Hikvision takes cybersecurity very seriously and is always open to cybersecurity research on our products. Hikvision is aware of the NKSC report and is currently internally investigating the findings of the report. The report addresses third-party software vulnerabilities. However, NKSC only conducted static analysis and the report does not describe if any of these vulnerabilities are exploitable for this Hikvision product.

Update: Hikvision Statement (March 3, 2021)

Hikvision has replied to IPVM with this statement, copied in full:

Statement on the Suspected Security Issue in Two Hikvision Cameras Reported by the Lithuanian National Cyber Security Centre (NKSC)

In January 2021, the Lithuanian Cyber Security Centre (NKSC) released a camera security assessment report disclosing its findings of the cyber security assessment they performed on home video surveillance cameras supplied by various manufacturers to the local market. Through the software component analysis tool (SCA), two Hikvision cameras DS-2CD4C26FWD-AP and DS-2CD2183G0-IU were examined by the study with the conclusion that the software used in the equipment was relatively old and potentially had vulnerabilities.

Hikvision conducted a thorough investigation regarding the report’s findings and would like to provide the following analysis and conclusions:

1. The known component vulnerability analysis method used in the report is based on the name and version number of open source software to evaluate known vulnerabilities, which can lead to false positives on embedded devices;
2. The code related to the vulnerabilities of some open source components mentioned in the report is not compiled into the firmware, or the code related to the vulnerabilities in some open source components mentioned is included in the firmware, but in this case, the corresponding functional modules are not used;
3. After some vulnerabilities are discovered in open source software, source code patches will first be released to fix the vulnerabilities. However, in order to fix the vulnerabilities as soon as possible, device vendors often incorporate the source code of the patched vulnerabilities to solve the problem, but the open source software version number used in the product firmware is still the previous number of the old version.

For the above reasons, Hikvision has conducted strict security verification on the open source components vulnerabilities listed in the report. Through patches and other methods to circumvent the potential risks, Hikvision ensures that these vulnerabilities will not affect the security of the device.

Hikvision takes product security very seriously. We purchase a large number of third-party and open source software around the world and apply them to our products. During the process of use and management, we have established the strict management specifications and implementation procedures that are in accordance with industry best practices, to ensure that all imported third-party software meets our security requirements and can be effectively and securely managed.

For the specific measures of Hikvision on third-party and open source software security management, please refer to the fifth part of the Hikvision Cybersecurity White Paper (https://www.hikvision.com/en/support/cybersecurity/cybersecurity-white-paper/hikvision-cybersecurity-white-paper2019/).

Bad For Hikvision

Given Hikvision's very poor track record, including critical vulnerabilities, cloud vulnerabilities, and backdoors, this report is likely to raise concerns about Hikvision's cybersecurity. Further, while many past Hikvision vulnerabilities were disclosed by private individuals, this report's publication by a government agency is likely to carry even more weight.