Patch now! Insecure Hikvision security cameras can be taken over remotely

Patch now! Insecure Hikvision security cameras can be taken over remotely

In a detailed post on Github, security researcher Watchful_IP describes how he found that the majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even with the latest firmware.

Hikvision

Hangzhou Hikvision Digital Technology Co., Ltd. engages in the development, production, and sale of security products. Its business activities include the provision of services for hard disk recorders, video codes, video servers, surveillance cameras, monitoring of ball machine, road mounts and other products, as well as security services. The company was founded on November 30, 2001 and is headquartered in Hangzhou, China.

According to global market data provider IHS Markit, Hikvision has 38% of the global market share, and it has been the market leader since 2011. Hikvision is also known for its research on technologies such as visual recognition, cloud computing, and their adoption in security scenarios.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability found by Watchfull_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.

The critical bug has received 9.8 out of 10 on the CVSS scale of severity, clearly demonstrated by the fact it enables the attacker to gain even more access than the owner of the device has, since the owner will be restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.

According to the researcher, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner. The attack will not be detectable by any logging on the camera itself. A threat actor can exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

Affected products

Users can find a list of affected products in the security notification from Hikvision. Among them are IP Cameras and  PTZ Cameras. PTZ is short for Pan/Tilt/Zoom and the name is used for cameras that can be remotely controlled and pointed. These cameras can, and are often used in surveillance mode where they cover an area by moving between preset points and the footage is often recorded, so it can be reviewed at a later time.

Users of other brands should also be advised that there are a huge number of OEM resellers offering Hikvision cameras under their own model numbers.

Responsible disclosure

The researcher has not disclosed any specifics about the attack to protect potential victims. In his post he describes how he worked with Hikvision since the discovery made on Sunday June 20, 2021. He was extremely pleased that they took him seriously and involved him in taking care of the problem.

On August 17, Watchfull_IP received the patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.5.800 build 210628) firmware from HSRC for testing.

“Decrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.

Was further pleased to note this problem was fixed in the way I recommended.”

We are glad that researchers like this check the security of the products we use and do responsible disclosure when they find problems, so manufacturers can resolve matters before some cybercriminal can start using our security equipment against us.

Mitigation

A word of caution is needed here, since not all the software portals have been provided with the latest firmware that is patched against this attack. To be sure to get a patched version it is recommended by Hikvision to download the latest firmware for your device from the global firmware portal. The researcher however notes that at the time of writing updated firmware seems to be properly deployed on the Hikvision China region firmware portal for Chinese region devices, but only partially on the global site. If you are in doubt there is a list of the vulnerable firmware versions in the researchers post.

In general it is a good idea not make your cameras accessible from the internet and if you do, put them behind a VPN.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.