Patch now! Insecure Hikvision security cameras can be taken over remotely
In a detailed post on GitHub, security researcher Watchful_IP describes how he found that the majority of Hikvision's recent camera product ranges are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even with the latest firmware.
Hangzhou Hikvision Digital Technology Co., Ltd. engages in the development, production, and sale of security products. Its business activities include the provision of services for hard disk recorders, video codes, video servers, surveillance cameras, monitoring of ball machine, road mounts and other products, as well as security services. The company was founded on November 30, 2001 and is headquartered in Hangzhou, China.
According to global market data provider IHS Markit, Hikvision has 38% of the global market share, and it has been the market leader since 2011. Hikvision is also known for its research on technologies such as visual recognition, cloud computing, and their adoption in security scenarios.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability found by Watchful_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.
The critical bug has received 9.8 out of 10 on the CVSS scale of severity. That score is clearly demonstrated by the fact that it enables the attacker to gain even more access than the owner of the device has, since the owner is restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.
According to the researcher, the vulnerability has existed at least since 2016. All an attacker needs is access to the HTTP(S) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner. The attack will not be detectable by any logging on the camera itself. A threat actor can exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.
Users can find a list of affected products in the security notification from Hikvision. Among them are IP Cameras and PTZ Cameras. PTZ is short for Pan/Tilt/Zoom, and the name is used for cameras that can be remotely controlled and pointed. These cameras can be, and often are, used in surveillance mode, where they cover an area by moving between preset points. The footage is often recorded so it can be reviewed at a later time.
Users of other brands should also be advised that there are a huge number of OEM resellers offering Hikvision cameras under their own model numbers.
The researcher has not disclosed any specifics about the attack to protect potential victims. In his post he describes how he has worked with Hikvision since the discovery, made on Sunday June 20, 2021. He was extremely pleased that they took him seriously and involved him in taking care of the problem.
On August 17, Watchful_IP received the patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.5.800 build 210628) firmware from HSRC for testing.
“Decrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.
Was further pleased to note this problem was fixed in the way I recommended.”
We are glad that researchers like this check the security of the products we use and do responsible disclosure when they find problems, so manufacturers can resolve matters before some cybercriminal can start using our security equipment against us.
A word of caution is needed here, since not all the software portals have been provided with the latest firmware that is patched against this attack. To be sure of getting a patched version, Hikvision recommends downloading the latest firmware for your device from the global firmware portal. The researcher notes, however, that at the time of writing updated firmware seems to be properly deployed on the Hikvision China region firmware portal for Chinese region devices, but only partially on the global site. If you are in doubt, there is a list of the vulnerable firmware versions in the researcher's post.
In general it is a good idea not to make your cameras accessible from the internet and, if you do, to put them behind a VPN.
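An added example (not code from the article, Hikvision or the researcher): a firmware triage pass over a camera inventory that uses only the two patched builds named above and defers every other platform to Hikvision's security notification. The inventory rows, the status labels and the reading of the build field as a YYMMDD date are assumptions.

```python
import re

# Patched builds named in the article; no other platform is guessed at.
PATCHED = {
    "IPC_G3": ((5, 5, 800), 210628),
    "IPC_H5": ((5, 5, 800), 210628),
}
# Matches firmware strings shaped like "V5.5.800 build 210628".
FW_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{6})$", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, patch), build), or None if malformed."""
    m = FW_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build


def triage(platform, firmware):
    """Classify a device as 'patched', 'update' or 'check-advisory'."""
    key = platform.strip().upper().replace(" ", "_")
    parsed = parse_firmware(firmware)
    if key not in PATCHED or parsed is None:
        return "check-advisory"  # unlisted platform or unreadable version
    version, build = parsed
    fixed_version, fixed_build = PATCHED[key]
    # Assumption: the build field is a YYMMDD date, so an older number
    # means the image predates the patched build.
    if build < fixed_build:
        return "update"
    if version >= fixed_version:
        return "patched"
    return "check-advisory"  # newer build on a lower version branch


# Constructed inventory rows: (host, platform, firmware string).
INVENTORY = [
    ("cam-lobby", "IPC_G3", "V5.5.800 build 210628"),
    ("cam-dock", "IPC H5", "V5.5.52 build 190108"),
    ("cam-gate", "IPC_G3", "V5.6.3 build 190923"),
    ("cam-roof", "PTZ_X", "V5.5.800 build 210628"),
    ("cam-yard", "IPC_G3", "5.5.0"),
]


def report(rows=INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(platform, fw) for host, platform, fw in rows}
```

A higher version number with an older build is still flagged for update, because only the build date shows whether the image predates the fix.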
ABOUT THE AUTHOR

Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.