Hikvision surveillance devices have vulnerabilities that open the door to hacking, security researchers have warned.
Digital Video Recorders (AKA Network Video Recorders), such as those from the likes of Hikvision, are used to record surveillance footage of office buildings and surrounding areas.
However, the range of vulnerabilities in Hikvision’s kit creates a means to remotely delete recorded footage, an attack that defeats the purpose of Hikvision security cameras. Compromised DVR systems might be used as a waypoint to hack into the local networks containing the pwned DVRs. Compromised DVRs might then be used to attack point of sale devices, workstations and servers, or other targets.
Hacked DVRs might be abused as a part of a botnet, a potential abuse that cybercrooks have already latched onto. For example, insecure Hikvision DVRs were abused in a (mostly ineffective) scam to mine Bitcoins back in April.
Security researchers at Rapid7 discovered that 150,000 Hikvision DVR devices could be accessed remotely. Rapid7 warns that DVRs exposed to the internet are routinely targeted for exploitation. “This is especially troubling given that a similar vulnerability (CVE-2013-4977) was reported last year, and the product still appears unpatched out of the box today,” researchers at the firm behind the Metasploit penetration testing tool conclude.
A blog post by Rapid7 (extract below) explains the vulnerabilities at play in greater depth.
[Hikvision] DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision’s RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details for those vulnerabilities. In addition, a remote code execution through a Metasploit exploit module has been published.
No authentication (login) is required to exploit this vulnerability. The Metasploit module demonstrates how unpatched security bugs would enable hackers to gain control of a vulnerable device while sitting behind their keyboard, potentially thousands of miles away.
Rapid7 attempted to contact Hikvision several times since September but the company provided no response, prompting a decision to go public.
The security researchers are calling on Hikvision to provide fixes and workarounds that address the latest round of vulnerabilities in its equipment.
Until a patch is administered, users of Hikvision gear are urged to contact their vendor. Manufacturers that white-label Hikvision components and software are urged to do the same.
El Reg dropped a note to the China-based manufacturer’s security response email address, requesting a comment on Rapid7’s advisory. We’ll update this story as and when we hear back.
A Russian website offering feeds from insecure CCTV cameras and net-connected home security cameras made the news on Thursday following a warning from data privacy watchdogs at the ICO. That security weakness stemmed from failure to change default passwords whereas Rapid7’s warning relates to DVR vulnerabilities. Just changing the password wouldn’t work in this case, according to Rapid7.
“The Hikvision DVRs we researched can be hacked regardless of the password being changed because of the three vulnerabilities we found inside them – this makes them even more vulnerable than the CCTV cameras because the DVRs can still be exploited by attackers even if the user changes the default password,” explained Mark Schloesser, a security researcher at Rapid7. “In this case the only solution is for Hikvision to administer a patch.”