Hikvision patches camera flaw that could allow hackers to execute code

News by Rene Millman

Hikvision, a world leader in the production of CCTV surveillance cameras, has been pulled up short by US-CERT, which is warning that several of its camera models are vulnerable to two authentication-related bugs.

Hikvision has been forced to issue patches to its video surveillance cameras after it was discovered that a bug in its code could enable a hacker to remotely access affected devices and gain admin rights.

The issues led the United States Computer Emergency Readiness Team (US-CERT) to disclose the vulnerabilities in an advisory. Seven camera models were affected by two bugs: an improper authentication flaw and a password stored in the device configuration file. The bugs were assigned CVSS scores of 10 and 8.8 respectively.

US-CERT stated that the successful exploitation of these vulnerabilities could lead to a malicious attacker escalating his or her privileges or assuming the identity of an authenticated user and obtaining sensitive data. Hikvision is widely thought to be the world leader in CCTV security cameras and video surveillance accessories.

In November 2014, researchers from Rapid7 Labs identified three serious buffer overflow vulnerabilities in Hikvision digital video recorders (DVRs), and in April of that same year, a researcher with the SANS Technology Institute found bitcoin mining malware on Hikvision DVRs.

Another major manufacturer, Dahua, was accused in March of leaving backdoors in its CCTV cameras and DVRs. It subsequently pushed out a patch to 11 of its products.

US-CERT said that while Hikvision has released updates to mitigate the improper authentication vulnerability in cameras sold through authorised distributors, it has not mitigated the "password in configuration file" vulnerability.

The security agency warned that Hikvision was aware of so-called “grey market” cameras which are sold via unauthorised channels.

“These cameras often use unauthorised firmware created by sources outside of Hikvision. In the case of these ‘grey market’ devices, updating the firmware may result in converting the camera's interface back to its original state. Users of ‘grey market’ cameras who cannot update due to this unauthorised firmware will still be susceptible to these vulnerabilities,” said US-CERT in a statement.

According to a posting by a security researcher using the handle “Montecrypto”, the bug was discovered in March and “makes it possible to gain full admin access to the device”. At the time, the researcher gave the company two weeks to “come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed”.

They added that “it would be wise to disconnect your cameras from the Internet”. The researcher backed off from publishing details after being contacted by Hikvision.

In March, the manufacturer sent out a notice of a 'privilege escalating vulnerability' and released firmware upgrades for more than 200 Hikvision IP cameras.

Paul Williams, CIO at Cloudview, told SC Media UK that vulnerable devices can be repurposed to the hacker's needs, be this to steal information, stop recording as and when the attacker chooses, feed false footage as real video, or to use as part of a wider botnet, such as Hajime.

“Patching would not be advised in any case. Since the hacker can implement any code (or add any code they choose) on this system they can often make sure their access and control persists across firmware revisions. The best advice would be to reset to factory mode, then install new firmware. Changing passwords on an unpatched system will do little good, but everyone should make sure that their devices do not still use default passwords,” he said.

Matt Walmsley, EMEA director at Vectra Networks, told SC that the most effective and low-cost solution to securing IoT devices would be for manufacturers to better educate their customers.

“Smart devices need some form of secure credentials; enabling the purchaser to configure the device for their network environment and ensure the latest firmware images are installed,” he said.

“Owners can be negligent in not changing the default accounts shipped with these devices, so vendors must adopt practices which force their customers to change the default shipping password before they're allowed to proceed further with configuration. It would also be useful if they integrated some basic password integrity checking to prevent common or reused passwords.”
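As an added illustration (not code from Hikvision, Vectra or this article), the following hypothetical Python snippet implements the two vendor practices Walmsley describes: the device's local UI refuses every request except the password-change one until the factory default has been replaced, and a new password is rejected if it is the default, too short, on a common-password list, or a reuse of an earlier one. The default credential, the common-password list, the request paths and the hashing parameters are all constructed for this demo and do not describe any real device.

```python
"""Hypothetical first-boot credential gate for an IoT camera's web UI.
Added example; none of the values below come from a real product."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed factory default: the credential the gate exists to retire.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "12345"

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {
    "12345", "123456", "password", "admin", "qwerty",
    "administrator123", "securitycamera1",
}

MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000  # chosen for the demo; tune to the device's CPU


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceAuth:
    """Admin credential plus the 'setup complete' flag that gates the UI."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    setup_complete: bool = False            # False until the default is replaced
    old_hashes: list = field(default_factory=list)  # history for reuse checks

    def __post_init__(self):
        # Device ships with the default credential and setup_complete == False.
        self.pw_hash = _hash(DEFAULT_PASSWORD, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def check_policy(self, new_password: str):
        """Return a rejection reason string, or None if the password is acceptable."""
        if new_password == DEFAULT_PASSWORD:
            return "default password"
        if len(new_password) < MIN_LENGTH:
            return "too short"
        if new_password.lower() in COMMON_PASSWORDS:
            return "common password"
        candidate = _hash(new_password, self.salt)
        if any(hmac.compare_digest(candidate, h)
               for h in self.old_hashes + [self.pw_hash]):
            return "reused password"
        return None

    def set_password(self, current: str, new: str):
        """Change the admin password; returns a reason on failure, None on success."""
        if not self.verify(current):
            return "bad current password"
        reason = self.check_policy(new)
        if reason:
            return reason
        self.old_hashes.append(self.pw_hash)
        self.pw_hash = _hash(new, self.salt)
        self.setup_complete = True           # the gate opens only here
        return None

    def handle(self, path: str, user: str, password: str) -> int:
        """Simulated request dispatch returning an HTTP-style status code.
        Until setup is complete, only the password-change endpoint is reachable."""
        if user != DEFAULT_USER or not self.verify(password):
            return 401
        if not self.setup_complete and path != "/setup/password":
            return 403
        return 200


if __name__ == "__main__":
    dev = DeviceAuth()
    print(dev.handle("/config/network", "admin", "12345"))        # 403: still on default
    print(dev.set_password("12345", "Correct-Horse-Battery-9"))   # None: accepted
    print(dev.handle("/config/network", "admin", "Correct-Horse-Battery-9"))  # 200
```

The order of checks in `check_policy` matters: the cheap string checks run before the PBKDF2 comparison so an attacker cannot use the reuse check as a free oracle for past hashes, and `hmac.compare_digest` is used for every hash comparison to avoid timing leaks.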
