Critical Flaw May Affect Millions of Hikvision Devices
Video Security Tech Firm Releases Firmware Update to Fix Vulnerability
A security researcher who goes by the alias Watchful_IP has discovered a command injection vulnerability that affects millions of Hikvision's internet of things - or IoT - devices.
Hikvision manufactures video-based IoT devices - including surveillance cameras, disk recorders, video encoders and video servers - that are used across industries and sectors, including critical infrastructure.
The flaw was first reported to the video security solutions provider by the security researcher on June 21, 2021. In a public advisory, the company now says that it has fixed the flaw and also rolled out a firmware update for end users of all affected devices, based on the security researcher's suggestions.
When Information Security Media Group asked Watchful_IP why it took nearly 90 days to fix and release the firmware update, he said, "There is a huge range of firmware to check, patch and test. Ninety days is actually very quick, given the large range of products that needed to undergo this process when it’s done thoroughly with proper testing."
In order to protect customers, Hikvision fixed firmware on public firmware portals before publicly announcing this problem, Watchful_IP says. Responsible disclosure is a complicated process that needs to be handled carefully so that you don’t expose companies or end users to bad actors before fixes are ready, he notes. As soon as you announce a vulnerability publicly, he says, "The bad guys look for it to use to harm people."
Hikvision says the flaw could potentially affect nearly 80 products, including models from as early as 2016. While the company did not specify the number of devices affected, video surveillance resource IPVM says, "We estimate 100+ million devices globally are impacted."
The vulnerability, which is being tracked as CVE-2021-36260, has a CVSS rating of 9.8, which is critical. The flaw abuses the web servers of "some" Hikvision products, according to the CVE description. Due to insufficient input validation, it allows threat actors to launch a command injection attack by sending specially crafted malicious commands, the description says.
The researcher and the company did not disclose technical details of the vulnerability or release the proof of concept publicly, citing concerns of exploitation in the wild, according to Watchful_IP's blog.
The researcher says the vulnerability permits an attacker to gain full control of a device with an unrestricted root shell. This, the researcher says, "is far more access than even the owner of the device has, as they are restricted to a limited 'protected shell' (psh), which filters input to a predefined set of limited, mostly informational commands."
All an attacker needs is access to the HTTP server port 80 or HTTPS server port 443. No username or password is needed, nor are any actions needed from the device owner, and the attack will not be detectable by any logging on the device itself, the researcher says.
In addition to a complete compromise of the device, successful exploitation also enables threat actors to access internal networks and penetrate deeply as well as laterally, the researcher adds.
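The vulnerability class the CVE description names, command injection through insufficient input validation, is easier to reason about with a concrete pattern. The following is an added, generic illustration and not Hikvision's code: the page does not disclose the real trigger for CVE-2021-36260, so the `/diag` endpoint, the `host` parameter and the log lines are all constructed for this example. It places the defective shell-interpolation pattern next to a hardened version (allowlist validation, fixed argument vector, no shell), and adds a proxy-side detection check, which matters here because the researcher states the device itself logs nothing.

```python
"""Command injection via insufficient input validation, shown generically.

Added example, not Hikvision's code.  The handler, the 'host' parameter,
the '/diag' path and the request lines below are constructed for
illustration; the actual CVE-2021-36260 trigger is not public.
"""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Allowlist for a hostname or dotted IPv4 literal: letters, digits, '.' and
# '-', no leading '-' (so it cannot be read as an option), bounded length.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# Characters that let a shell split one command into several or substitute.
_SHELL_META = frozenset(";|&`$<>\n\r(){}")


def vulnerable_command(host: str) -> str:
    """Defective pattern: the untrusted parameter is pasted into a string that
    will be handed to a shell.  Anything after a ';' or '|' in `host` becomes
    a second command running with the web server's privileges."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> bool:
    """Allowlist check: True only for a plausible hostname or IPv4 literal."""
    return _HOST_RE.fullmatch(host) is not None


def hardened_argv(host: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then build a
    fixed argument vector.  Run with shell=False, no shell ever parses the
    value, so metacharacters cannot split it into extra commands."""
    if not validate_host(host):
        raise ValueError("host parameter rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """Run the diagnostic safely; returns the process exit status."""
    proc = subprocess.run(hardened_argv(host), shell=False,
                          capture_output=True, timeout=10)
    return proc.returncode


def suspicious_params(request_line: str) -> dict:
    """Detection aid for a reverse proxy or IDS in front of the device: since
    the device logs nothing, inspect query parameters upstream and return the
    {param: value} pairs that carry shell metacharacters."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return {}
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: v for k, vals in qs.items() for v in vals
            if any(c in _SHELL_META for c in v)}


# Constructed sample request lines (generic path, not the real endpoint).
SAMPLE_REQUESTS = [
    "GET /diag?host=192.0.2.10 HTTP/1.1",
    "GET /diag?host=192.0.2.10%3Bid HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", suspicious_params(line) or "clean")
```

The allowlist is the important half: rejecting unexpected characters up front is what prevents the second command from ever existing, while `shell=False` removes the shell that would have interpreted them. The detection function is only a compensating control and will flag legitimate but unusual values; tune the metacharacter set to the parameters your deployment actually sees.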
According to Hikvision's security advisory, an attacker must be on the same network as the at-risk device to exploit the vulnerability. The threat actor can exploit the vulnerability and attack a device only if they can get to the login screen of a vulnerable device, the report says.
Thus, the easiest way to evaluate system risk level, according to the company, is to check whether the device's webpage is directly accessible from the internet without any extra network variation. "If yes, the system should be considered at high risk," the advisory says.
Apart from updating the device firmware, Hikvision recommends that users:
- Minimize port numbers exposed to the internet;
- Avoid common port numbers and reconfigure them to customized ports;
- Enable IP filtering.
The researcher adds: "I'd recommend you do not expose any IoT device to the internet - no matter who it is made by or in which country the device is made, including the U.S., Europe, etc. Use a VPN for access if needed. Block outbound traffic too, if at all possible. I also like to give these devices the wrong gateway, or router, IP."
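The advisory's risk test ("is the device's webpage directly reachable from the internet?") and the mitigations above (reduce exposed ports, IP filtering, VPN-only access, blocked outbound traffic) can be expressed as a small policy check. The following is an added example, not Hikvision's tooling: the device address, the VPN subnet and the two rule sets are constructed, and the first-match, default-deny evaluator is a simplification of a real firewall. It contrasts a port-forwarded setup with a hardened one and rates each the way the advisory does.

```python
"""Exposure assessment for a device web interface, modelled on the
advisory's rule: reachable from the internet on 80/443 means high risk.

Added example; all addresses, subnets and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset              # empty set means any destination port


def rule(action, src, dst, *ports):
    return Rule(action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), frozenset(ports))


def permitted(rules, src, dst, dport):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (not r.dports or dport in r.dports):
            return r.action == "allow"
    return False


# Constructed topology.  198.51.100.7 is a documentation address standing in
# for "somewhere on the internet"; 10.8.0.0/24 is the assumed VPN client pool.
INTERNET_SAMPLE = "198.51.100.7"
VPN_CLIENT = "10.8.0.5"
CAMERA = "192.168.50.20"
CAMERA_LAN = "192.168.50.0/24"
WEB_PORTS = (80, 443)

# Port-forward style deployment: the whole internet may reach the web UI,
# and the camera may talk out to anything.
WEAK_RULES = [
    rule("allow", "0.0.0.0/0", CAMERA, *WEB_PORTS),
    rule("allow", CAMERA_LAN, "0.0.0.0/0"),
]

# Hardened: only VPN clients reach the UI, HTTPS only; everything else to
# the web ports is denied; the camera VLAN gets no outbound path at all
# (the same intent as the researcher's "wrong gateway" trick, enforced
# on the filter rather than on the device).
HARDENED_RULES = [
    rule("allow", "10.8.0.0/24", CAMERA, 443),
    rule("deny", "0.0.0.0/0", CAMERA, *WEB_PORTS),
    rule("deny", CAMERA_LAN, "0.0.0.0/0"),
]


def assess(rules, device_ip=CAMERA):
    """Apply the advisory's test plus the researcher's outbound advice."""
    web_from_internet = any(permitted(rules, INTERNET_SAMPLE, device_ip, p)
                            for p in WEB_PORTS)
    web_from_vpn = any(permitted(rules, VPN_CLIENT, device_ip, p)
                       for p in WEB_PORTS)
    outbound = permitted(rules, device_ip, INTERNET_SAMPLE, 443)
    if web_from_internet:
        risk = "high"          # the advisory's "directly accessible" case
    elif web_from_vpn:
        risk = "reduced"       # management only through the VPN
    else:
        risk = "isolated"      # no web path at all from either vantage
    return {"web_from_internet": web_from_internet,
            "web_from_vpn": web_from_vpn,
            "outbound_to_internet": outbound,
            "risk": risk}


if __name__ == "__main__":
    print("weak:    ", assess(WEAK_RULES))
    print("hardened:", assess(HARDENED_RULES))
```

A single sample source address stands in for the internet, which is enough for a first-match model with a 0.0.0.0/0 rule; against a real rule base, walk every rule whose source covers a public range. Note that "reduced" is not "safe": the unauthenticated flaw is still reachable by anyone who can reach the VPN, so the firmware update remains the fix and the filtering is exposure reduction.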
Flaw Being Used for Espionage?
In 2018, then-President Donald Trump's administration banned governmental agencies from doing business with Hikvision, among other companies, under the 2019 Defense Authorization Act. The reasons cited for the ban included national security risk, privacy and espionage concerns.
In the U.K. now, British politician David Alton, in response to Hikvision's disclosure, tweeted that the "Home Office Ministers will meet the Biometrics and Surveillance Camera Commissioner to discuss the issues raised in his correspondence with Hikvision."
"Home Office Ministers will meet the Biometrics and Surveillance Camera Commissioner shortly to discuss the issues raised in his correspondence with Hikvision – which makes the Uyghur surveillance equipment in Xinjiang and banned in the US but not the U.K." - Lord (David) Alton (@DavidAltonHL), September 21, 2021
U.K. Lords Minister Susan Williams, in response to Alton's tweet, says: "We are aware of a number of Chinese technology companies linked to violations taking place in Xinjiang, and are monitoring the situation closely."
When ISMG asked Watchful_IP why he believed that this was a genuine bug and not a deliberate entry point into Hikvision's devices for state-sponsored espionage campaigns, he said: "I have worked in IT with an emphasis on security for almost 30 years. With such experience, it becomes obvious if something is deliberately placed and obfuscated on an embedded device. The manner in which a deliberately implanted and malicious 'backdoor' would be implemented and utilized is totally different to this genuine software vulnerability."
He further clarified: "I cannot provide specific details aside [of saying] it was absolutely clear to me ... this was a genuine software bug and not a deliberate backdoor. If I found something I considered to be a backdoor placed by any vendor based in any country, I would publicly disclose it irrespective of the vendor’s wishes."