If you own a Hikvision security camera, you may have noticed a sudden change in the live feed display, where the normal footage was replaced with the word HACKED. This has not happened to all Hikvision security cameras, only some of them, but if you own one of the affected cameras then it is obvious that there is a backdoor in the device.
In May, the Department of Homeland Security’s ICS-CERT issued a warning about remotely exploitable vulnerabilities in Hikvision security cameras; exploiting them required only a low level of skill. In its advisory, the department clearly stated that if these vulnerabilities are exploited successfully, a malicious attacker would gain high-level privileges and/or impersonate an authentic user and access or even steal sensitive, confidential data.
Now malicious attackers are trying to exploit this vulnerability; the first example is the word HACKED replacing the live feed on some models of Hikvision security cameras.
On Sep 12, a security researcher using the alias Monte Crypto posted details of an access control bypass in Hikvision IP cameras to the Full Disclosure mailing list and warned users that a majority of these cameras contain a backdoor that allows unauthenticated impersonation of a configured user account.
“The vulnerability poses a severe risk [and] is trivial to exploit,” and still there are “hundreds of thousands of vulnerable devices” that are active on the internet, wrote Monte Crypto.
His post on Full Disclosure claims that there is a superuser admin account in all devices manufactured by Hikvision. Through this account, the post explains, it is possible to retrieve users and roles, download the camera configuration and get a camera snapshot without authentication. Monte Crypto also noted that the vulnerability is not new and has been present in Hikvision products since 2014.
A Reddit user, ‘wolfblitzer69’, posted a sample image in which HACKED replaced the live feed of a Hikvision security camera. Further research revealed that it isn’t only Hikvision-branded cameras that are affected by the backdoor; various “white labeled camera products” manufactured by well-known brands also contain backdoors.
So what are the consequences of this mishap?
Monte Crypto explained that there are various negative repercussions of having a security camera with a backdoor installed. For example, an attacker would obtain full administrative access and could use the vulnerability to retrieve plain-text passwords for “all configured users.”
Changing a weak password will not resolve the issue either. However, Monte Crypto states that if you upgrade the camera or immediately disconnect it from the internet or any “untrusted network”, you might be able to save the day. You can also implement network access control rules that let only trusted IP addresses establish connections to the vulnerable devices. It is worth noting that Hikvision IP cameras are equipped with UPnP, which is enabled by default and can expose them to the internet automatically.
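The network access control and UPnP checks described above, as an added example (not from Monte Crypto's post or from Hikvision): it audits a router's UPnP port mappings and a firewall log against an allowlist of trusted networks, and emits matching iptables rules. The camera addresses, trusted networks, mapping table and log format are all constructed assumptions, and the rules assume the firewall forwards traffic to the cameras.

```python
import ipaddress

# Assumed site values (constructed for this example).
CAMERAS = {"192.168.10.21", "192.168.10.22"}
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.10.0/28", "10.8.0.0/24")]

# Constructed router UPnP port-mapping table: (external port, internal host, internal port).
UPNP_MAPPINGS = [
    (8000, "192.168.10.21", 8000),
    (51413, "192.168.10.50", 51413),
    (8080, "192.168.10.22", 80),
]

# Constructed firewall log lines in an assumed "<src> -> <dst>:<port>" format.
CONN_LOG = """\
192.168.10.5 -> 192.168.10.21:80
203.0.113.77 -> 192.168.10.21:80
10.8.0.14 -> 192.168.10.22:554
198.51.100.9 -> 192.168.10.22:80
192.168.10.5 -> 192.168.10.50:22
"""

def is_trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED)

def exposed_by_upnp(mappings, cameras):
    """UPnP mappings that forward an external port to a camera."""
    return [m for m in mappings if m[1] in cameras]

def untrusted_connections(log, cameras):
    """Log entries where a source outside the allowlist reached a camera."""
    hits = []
    for line in log.splitlines():
        src, _, dst = line.partition(" -> ")
        host, _, port = dst.rpartition(":")
        if host in cameras and not is_trusted(src):
            hits.append((src, host, int(port)))
    return hits

def allowlist_rules(cameras):
    """Per camera: accept each trusted network, then drop everything else."""
    rules = []
    for cam in sorted(cameras):
        rules += [f"iptables -A FORWARD -s {net} -d {cam} -j ACCEPT" for net in TRUSTED]
        rules.append(f"iptables -A FORWARD -d {cam} -j DROP")
    return rules

if __name__ == "__main__":
    print(exposed_by_upnp(UPNP_MAPPINGS, CAMERAS), untrusted_connections(CONN_LOG, CAMERAS), *allowlist_rules(CAMERAS), sep="\n")
```

Any mapping reported by exposed_by_upnp should be removed on the router and UPnP disabled on the camera; any hit from untrusted_connections means the allowlist is not yet being enforced.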
Hikvision has already released firmware updates for numerous models of its security cameras in which the backdoor is removed, so you must install the update if it is available for your device. However, do remember that some Hikvision cameras are sold online as “English, not upgradable” or “Multilanguage” but are in reality modified Chinese language cameras, so you cannot upload English firmware to them. If you attempt to do so, a boot loop will occur, which can only be recovered from by installing the original Chinese language firmware over TFTP.
IPVM has released a demo video of the Hikvision backdoor exploit.