Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits

Author: Brian Karas, Published on Nov 16, 2016

This list compiles reported exploits for security products, and is updated regularly.

We have summarized exploits by date and by manufacturer, providing a brief description of the exploit along with affected product(s) and firmware version(s), when known.

Historical List Of Exploits

This list contains a summary of known exploits in reverse chronological order. Additional details are provided in a section for each manufacturer below. An asterisk (*) next to a manufacturer's name indicates products that were OEM'd under multiple brand names beyond the original manufacturer listed.

  • December 2016 - Sony - Attackers can remotely enable telnet on cameras.
  • December 2016 - Hikvision(3) - hik-online.com servers susceptible to XXE exploit.
  • November 2016 - Milesight - Cameras have a number of vulnerabilities that allow remote exploit.
  • November 2016 - Siemens - Remote privilege escalation possible via exploiting web interface.
  • October 2016 - NUUO(2) - Insecure default credentials.
  • October 2016 - Dahua*(2), XiongMai - Mirai botnet.
  • August 2016 - NUUO(1) - Remote root exploit and remote command injection vulnerability.
  • July 2016 - Axis - Remote root exploit.
  • July 2016 - Pelco - Digital Sentry hard coded username/password backdoor.
  • March 2016 - TVT* - Remote code execution.
  • March 2016 - HID - Command injection vulnerability allows attacker full control of device.
  • August 2015 - Dedicated Micros - Devices have no default password, allowing full access.
  • June 2015 - Avigilon - ACC - Allows attackers to read arbitrary files.
  • October 2014 - Bosch - 630/650/670 Recorders - Multiple exploits allow attacker to get root console and also retrieve config data.
  • September 2014 - Hikvision(2) - 7200 series NVRs - Buffer overflow to gain root access.
  • November 2013 - Dahua*(1) - DVRs/NVRs - Execute admin commands without authentication.
  • November 2013 - Vivotek - RTSP stream authentication can be bypassed.
  • August 2013 - Hikvision(1) - IP Cameras - Remote root exploit.

Exploits For Specific Companies

Avigilon

ACC versions prior to 4.12.0.53 and prior to 5.4.2.21 allowed for arbitrary files to be retrieved through specially crafted URLs, giving anyone with remote access to the server the ability to access files at will, without authentication, making this a critical vulnerability. Additional details are in the CVE Report for this vulnerability. 

Axis

Products with firmware from versions 5.20.x to 6.2.x had a vulnerability that allowed for an attacker to gain access to a root console on the device, allowing them full control of the device. Attackers did not need to know usernames/passwords, or other information about the product in order to exploit it, making this an extremely severe vulnerability. Axis issued a press release on this exploit, and IPVM covered the Axis exploit as well.

Bosch

DVR 630/650/670 units with firmware version 2.12, and possibly older versions, are vulnerable to exploits where attackers can send specially-crafted URLs to the device to enable telnet access, which provides a root console that does not require authentication. No special software is required to carry out this attack. Vulnerability details and proof of concept examples are listed in ExploitDB under ID 34956.

Dahua

(2) Dahua camera and NVR firmware prior to January 2015 shipped with telnet enabled, which, coupled with well-known admin credentials, allowed attackers to gain access to a root shell and exploit the device. The most popular exploit was the Mirai botnet, which took down internet sites and service providers in October 2016. Products OEM'd from Dahua, which include multiple brands such as FLIR and Honeywell, were also affected.

(1) Recorders with firmware 2.608 could be exploited to accept certain admin commands without authentication, allowing an attacker to retrieve configuration information from the device to change user passwords. ExploitDB contains additional details under ID 29673.

Dedicated Micros

Dedicated Micros DVRs, including at least DV-IP Express, SD Advanced, SD, EcoSense, and DS2, ship with no default credentials, and insecure protocols enabled. This can allow attackers to take over the device and/or to sniff network traffic during setup.  Additional details in VU 276148.

HID

VertX and EDGE systems with firmware prior to March 2016 are susceptible to a command injection exploit, where an attacker can cause the controllers to lock or unlock doors without authentication, as well as perform a number of other functions on the controller. This vulnerability was detailed on Trend Micro's blog; technical details can be found in this GitHub repository.

Hikvision

(3) A security researcher found hik-online.com servers vulnerable to an XML External Entity (XXE) exploit. This vulnerability allowed the researcher to retrieve arbitrary files from the server, exposing users to the risk of having data on the public IP/port of their registered devices exposed. Further coverage available in our Hikvision cloud server vulnerability report.

Both of the exploits listed below are believed to be fixed in current firmware, though an exact firmware version that addresses these issues is not known.

(2) NVRs with firmware 2.2.10, and possibly other versions, contain a vulnerability that allows for a buffer overflow attack, enabling attackers to gain control of the device. This vulnerability was examined and described by research firm Rapid7.

(1) Hikvision IP cameras with firmware v4.1.0 b130111, and possibly other versions, can be attacked to gain access to the admin account, bypass authentication entirely using hard-coded credentials, or execute arbitrary code through a buffer overflow attack. Core Security issued a report detailing these exploits.

Milesight

Milesight camera firmware prior to ~November 2016 may contain a number of vulnerabilities including hard-coded credentials and the ability to execute admin commands via unauthenticated CGI calls, making the cameras highly vulnerable to attacks.

Nuuo

(2) Nuuo NT-4040 Titan firmware version NT-4040_01.07.0000.0015_1120 contains default credentials of admin:admin and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device. Further information can be found in the CERT Vulnerability Listing for this issue.

(1) Multiple devices, including the NVRmini, NVRmini2, Crystal, Titan and NVRSolo with firmware prior to 3.0.8, have multiple vulnerabilities that allow for remote code execution, remote root exploit, remote file deletion, and other attacks. Exploits are listed on ExploitDB under multiple IDs, including: 40200, 40209, 40210, 40211, 40212, 40213, 40214, 40215. Each of these represents a critical vulnerability that is easy for an attacker to execute against the device.

Pelco

Digital Sentry products running firmware prior to 7.13.84 contained a hard-coded admin account that could be used by a remote attacker to take full control of the device. IPVM covered this vulnerability when it was made public, and CERT also contains additional details.

Sony

Attackers can remotely enable telnet on Gen 5 and Gen 6 cameras with firmware prior to 1.86.00 and 2.7.2 respectively, enabling them to potentially log in as root. Additional details in our coverage of this exploit.

Siemens

Specially crafted URLs allow an attacker to gain admin-level privileges on affected cameras. A list of affected cameras and the recommended firmware versions to resolve this issue is provided by Siemens.

TVT

Specially crafted URLs can be used to cause the recorders manufactured by TVT to execute arbitrary commands. At least 79 distinct brands OEM'd these units, including well-known brands like ADI and Q-See. Rotem Kerner documented the exploit on his site, and also provided IPVM with additional details on how he crafted the exploit.

Vivotek

Firmware 0105a, 0105b, and possibly other versions, are susceptible to having RTSP authentication bypassed, allowing video streams to be viewed without authentication. Firmware after 0301c should not be affected. Additional information from Core Security: Vivotek RTSP auth bypass.

XiongMai

Xiongmai firmware prior to January 2015 shipped with telnet enabled, which, coupled with well-known admin credentials, allowed attackers to gain access to a root shell and exploit the device. The most popular exploit was the Mirai botnet, which targeted Dahua and Xiongmai devices, and took down internet sites and service providers in October 2016. Due to Xiongmai being primarily an OEM component supplier, many affected products were sold under alternate brands.

Comments (18)

If you know any exploits not listed here, please comment and I will update the report.

This is a great list!

This is a very useful list.

There is a Vulnerability regarding Dedicated Micros DVR, Note VU#276148.

Well so far, firmware updates seem to be the standard thing to stay on top to combat the bulk of these vulnerabilities. This is irregardless of any manufacturer... Unfortunately, some companies are better about disseminating those updates than others.

Dahua, I sell your ****, but I know your ****. Get your **** together so I can sell more and tech less dammit!

Honestly though, my Dahua rep's been pretty good at getting us firmware, but having to work with her timezone to get support tends to be inconvenient. Having a regularly updated FTP directory of firmware (that isn't PAL focused) would be lovely. I'm about ready to start hosting it myself... I think though I want to do it differently from ftp.asm.cz and 52.29.179.27

Robert, Dahua factory FTP has both PAL and NTSC firmwares, and is updated daily. Are you working with the factory directly?

Yeah, but asking them for every single one when you aren't the primary tech support guy and just a sales engineer isn't very productive. My primary project manager is about as paranoid about firmware as it gets. Also...the great firewall of China has been nothing short of a pain in the ass for them to get support out to us as easily as they want.

Even the DahuaWiki, maintained by DahuaUSA itself doesn't get to access the firmware direct from the FTP.

What's the URL?

the biggest exploit is the careless user/installer who does not change default login credentials.

go to shodan hq

search for any manufacturers device

enter with default login

do as you want

Agreed, but manufacturers don't need to help. :)

Not surveillance but close:

HID VertX door controller exploit:

https://github.com/coldfusion39/VertXploit

Access control product exploits will be included as well, thanks for the link.

Vivotek RTSP authentication bypass

Bosch DVR 600 series root shell access exploit

This is excellent - add my vote to expanding this to include other security products.

This has the potential to be a good resource for anyone (like me) wanting to promote network security services for security systems.

Would you consider adding some indication on what the manufacturer's response history is like when confronted with a vulnerability? If I'm recommending a product I'm not concerned with the fact that there was a historic problem, I'm concerned about how the manufacturer responded to the problem (and would likely respond to a future vulnerability).

Thanks for taking this initiative!

John -

The response history suggestion is a good one, I will try to add that in when we have enough data to do so.

Siemens branded IP cameras? I would guess that's probably an OEM...?
