A security researcher has found a show-stopping vulnerability in Hikvision surveillance cameras. Unpatched units are susceptible to remote hijacking, and the attacker doesn’t need a username or password to break in. All that’s needed is network access to one of two standard web ports on the camera.
The attack goes through the camera’s web interface, over either HTTP (port 80) or HTTPS (port 443), so any unpatched camera reachable on one of those ports from the Internet is exposed. Once a camera has been compromised, the attacker can use it as a foothold to explore the rest of the victim’s network. Past attacks on connected cameras have also sought to enlist the devices into botnets capable of launching massive DDoS (distributed denial of service) attacks or spam campaigns.
This vulnerability is about as serious as they come: it is rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, in the “critical” band.
Watchfull_IP, the white hat hacker who discovered the flaw, reported that it is present in Hikvision models manufactured as far back as 2016. Hikvision’s security notification lists dozens of impacted models. It’s not surprising that the list would be so long, given that Hikvision holds approximately 40% of the global surveillance camera market.
The full list of vulnerable cameras could actually be much longer, however.
Malwarebytes notes that several other vendors sell rebranded Hikvision cameras (OEM units) under their own names, and those units carry the same firmware and the same flaw. It could take quite some time before all of these other devices are identified, so owners of cameras from other brands should check with their vendor rather than assume they are unaffected.
After discovering this vulnerability in late June, Watchfull_IP reported it immediately to Hikvision. The company recognized the severity of the flaw and worked with Watchfull_IP to confirm that the fix in its updated firmware release actually closed the hole.
Watchfull_IP was sent the new firmware less than 60 days from the original report and was “pleased to note this problem was fixed in the way [he] recommended.”
How To Secure Your Devices
Hikvision has rolled out firmware updates for affected devices on its global portal; owners of rebranded units will need to get the corresponding update from their own vendor. Installing the patch is necessary but not sufficient: even on updated firmware, the cameras’ web ports (80 and 443) should not be reachable from the Internet at all, since the next flaw in the web interface may not be announced before it is exploited. Block inbound access to those ports at the network edge, and if remote access to camera feeds is required, provide it only through a VPN so that the cameras themselves are never exposed.
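The following nftables ruleset is an added example of that edge policy; it is not from the article, from Hikvision, or from Watchfull_IP. It assumes a Linux router where the cameras sit on their own VLAN interface "cam0" (10.20.0.0/24), the LAN is "lan0" (10.10.0.0/24), the Internet uplink is "wan0", and remote viewers arrive over a WireGuard interface "wg0"; all of those names and address ranges are assumptions for the example. It also assumes RTSP (port 554) is used for streams alongside the web ports, which the article does not mention. Beyond the article’s advice to block inbound 80/443, it also stops the cameras from initiating connections to the Internet or to the LAN, which addresses the botnet and pivoting scenarios described above.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article or from Hikvision): a router-side
# forwarding policy that keeps IP cameras off the Internet in both directions.
# Assumed interfaces and ranges:
#   cam0  10.20.0.0/24  camera VLAN
#   lan0  10.10.0.0/24  trusted LAN
#   wg0   10.30.0.0/24  WireGuard clients (remote viewing)
#   wan0                Internet uplink

table inet camera_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Let replies to already-permitted connections through
        ct state established,related accept

        # Nothing from the Internet reaches the camera VLAN, on any port.
        # Patching does not change this rule: an unauthenticated web
        # interface should never be reachable from outside.
        iifname "wan0" oifname "cam0" drop

        # Viewing and administration only from the LAN or over the VPN.
        # 80/443 are the web interface; 554 (RTSP) is assumed for streams.
        iifname { "lan0", "wg0" } oifname "cam0" tcp dport { 80, 443, 554 } accept

        # Cameras never open connections to the Internet themselves
        # (no cloud relay, and no outbound C2 if one is compromised).
        iifname "cam0" oifname "wan0" drop

        # ... and cannot use the camera VLAN as a foothold into the LAN.
        iifname "cam0" oifname "lan0" drop

        # Ordinary LAN and VPN traffic to the Internet is unaffected
        iifname { "lan0", "wg0" } oifname "wan0" accept
    }
}
```

Load it with `nft -f camera_guard.nft` and confirm with `nft list table inet camera_guard`. Then verify from an outside vantage point (a phone on mobile data, or a VPS) that the address your cameras used to answer on no longer responds on ports 80 or 443; the rule that matters is the one dropping wan0 to cam0, and the check should be repeated after any router firmware update or port-forward change, since a single forgotten port forward re-exposes the camera regardless of what the firewall says elsewhere.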