Hikvision, a Chinese manufacturer of video surveillance equipment, recently patched a backdoor in a slew of its cameras that could have made it possible for a remote attacker to gain full admin access to affected devices.

The backdoor stems from two bugs: an improper authentication bug and a password in configuration file vulnerability. Both bugs could have allowed an attacker to escalate privileges and access sensitive information.

The United States Computer Emergency Readiness Team (US-CERT) disclosed the vulnerabilities in an advisory on Friday, assigning the highest possible CVSS rating, 10.0, to the improper authentication vulnerability. The password in configuration file issue, meanwhile, received a high-severity rating of 8.8.

The warning reiterates a bulletin the company, which is partially owned by the Chinese government, sent customers in March. In the notice, Hikvision warned that request code could be used to access certain IP cameras directly. From there, it could be possible for an attacker to escalate user privileges, and “acquire or tamper with device information.” The company provided firmware updates for seven lines of cameras at the time, the same updates US-CERT pointed out on Friday:

  • DS-2CD2xx2F-I Series
    • Updated firmware: V5.4.5 build 170123 and later
  • DS-2CD2xx0F-I Series
    • Updated firmware: V5.4.5 build 170123 and later
  • DS-2CD2xx2FWD Series
    • Updated firmware: V5.4.5 build 170124 and later
  • DS-2CD4x2xFWD Series
    • Updated firmware: V5.4.5 build 170228 and later
  • DS-2CD4xx5 Series
    • Updated firmware: V5.4.5 build 170302 and later
  • DS-2DFx Series
    • Updated firmware: V5.4.9 build 170123 and later
  • DS-2CD63xx Series
    • Updated firmware: V5.4.5 build 170206 and later

An independent researcher who goes by the handle “Montecrypto” first disclosed the backdoor in a post to the forum IPCamTalk in early March saying it “makes it possible to gain full admin access to the device.” At the time, he gave the company two weeks to “come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed.”

Montecrypto confirmed the privilege escalation aspect of the vulnerability the same day the company warned of the issue, acknowledging an attacker could remotely escalate their privileges “from anonymous web surfer to admin.”

The researcher promised to disclose details of his findings on March 20, two weeks after his initial disclosure, but reversed that decision after making contact with the company.

“Per agreement with Hikvision I am delaying the disclosure,” Montecrypto wrote, “Hikvision promised to responsibly disclose and resolve the vulnerability. They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.”

According to IPVM, a video surveillance publication that has been tracking the vulnerabilities, the backdoor is believed to affect millions of cameras, “given Hikvision’s own regular declarations of shipping tens of millions of cameras.”

According to the company, until customers apply the respective firmware patch, the following cameras are still vulnerable:

  • DS-2CD2xx2F-I Series
    • 2.0 build 140721 to V5.4.0 build 160530
  • DS-2CD2xx0F-I Series
    • 2.0 build 140721 to V5.4.0 build 160401
  • DS-2CD2xx2FWD Series
    • 3.1 build 150410 to V5.4.4 build 161125
  • DS-2CD4x2xFWD Series
    • 2.0 build 140721 to V5.4.0 build 160414
  • DS-2CD4xx5 Series
    • 2.0 build 140721 to V5.4.0 build 160421
  • DS-2DFx Series
    • 2.0 build 140805 to V5.4.5 build 160928
  • DS-2CD63xx Series
    • 0.9 build 140305 to V5.3.5 build 160106
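For an operator who has to work out which devices in an estate still need the March update, the two lists above are the only machine-usable data in the article. The Python below is an added example, not code from Threatpost, Hikvision or US-CERT: it parses the firmware strings as printed in the lists and checks an inventory of model/firmware pairs against them. The series and version table is copied from the article; the rest is assumption made for illustration and should be confirmed against the vendor's current advisory. In particular it assumes that each lowercase x in a series name stands for one alphanumeric character, that a model belongs to a series when the series name is a prefix of the model number, and that firmware strings have the form `V<major>.<minor>.<patch> build <yymmdd>`. Builds that fall after the end of a vulnerable range but before the first fixed build appear in neither list, so they are reported as `unlisted` rather than assumed safe, and a model that matches more than one series pattern gets the worst-case verdict.

```python
"""Check a camera inventory against the Hikvision firmware ranges listed above.

Added example (not Hikvision's, US-CERT's or Threatpost's code). The series and
version table is copied from the article's two lists; everything else is an
assumption made for illustration.
"""
import re
from typing import List, Tuple

# Copied from the article: inclusive vulnerable range and first fixed build per series.
FIRMWARE_TABLE = {
    "DS-2CD2xx2F-I": {"vulnerable": ("2.0 build 140721", "V5.4.0 build 160530"), "fixed": "V5.4.5 build 170123"},
    "DS-2CD2xx0F-I": {"vulnerable": ("2.0 build 140721", "V5.4.0 build 160401"), "fixed": "V5.4.5 build 170123"},
    "DS-2CD2xx2FWD": {"vulnerable": ("3.1 build 150410", "V5.4.4 build 161125"), "fixed": "V5.4.5 build 170124"},
    "DS-2CD4x2xFWD": {"vulnerable": ("2.0 build 140721", "V5.4.0 build 160414"), "fixed": "V5.4.5 build 170228"},
    "DS-2CD4xx5":    {"vulnerable": ("2.0 build 140721", "V5.4.0 build 160421"), "fixed": "V5.4.5 build 170302"},
    "DS-2DFx":       {"vulnerable": ("2.0 build 140805", "V5.4.5 build 160928"), "fixed": "V5.4.9 build 170123"},
    "DS-2CD63xx":    {"vulnerable": ("0.9 build 140305", "V5.3.5 build 160106"), "fixed": "V5.4.5 build 170206"},
}

# Assumed firmware string format: optional "V", dotted numeric version, "build", 6-digit date.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\.(\d+))?\s+build\s+(\d{6})$", re.IGNORECASE)

Version = Tuple[int, int, int, int]

# Lower number = worse; used when a model matches several series patterns.
SEVERITY = {"vulnerable": 0, "unlisted": 1, "patched": 2}


def parse_version(text: str) -> Version:
    """Turn 'V5.4.0 build 160530' into a comparable (major, minor, patch, build) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build))


def series_matches(series: str, model: str) -> bool:
    """Assumption: each lowercase 'x' in a series name is one alphanumeric character,
    and a model belongs to the series when the series pattern is a prefix of the model."""
    pattern = "".join("[0-9A-Z]" if ch == "x" else re.escape(ch) for ch in series)
    return re.match(pattern, model.strip().upper()) is not None


def assess(model: str, firmware: str) -> str:
    """Classify one device as 'vulnerable', 'patched', 'unlisted' (a build the article
    places in neither range, so it needs vendor confirmation) or 'unknown-model'."""
    version = parse_version(firmware)
    verdicts: List[str] = []
    for series, info in FIRMWARE_TABLE.items():
        if not series_matches(series, model):
            continue
        low, high = (parse_version(v) for v in info["vulnerable"])
        if version >= parse_version(info["fixed"]):
            verdicts.append("patched")
        elif low <= version <= high:
            verdicts.append("vulnerable")
        else:
            verdicts.append("unlisted")
    if not verdicts:
        return "unknown-model"
    return min(verdicts, key=SEVERITY.__getitem__)


def flag_inventory(inventory):
    """Return (host, model, firmware, status) for every device that is not known to be patched."""
    results = [(host, model, fw, assess(model, fw)) for host, model, fw in inventory]
    return [r for r in results if r[3] != "patched"]


# Constructed sample inventory; hostnames and firmware values are made up for this example.
SAMPLE_INVENTORY = [
    ("cam-lobby-01", "DS-2CD2132F-I", "V5.3.0 build 150513"),
    ("cam-lobby-02", "DS-2CD2132F-I", "V5.4.5 build 170123"),
    ("cam-dock-01", "DS-2CD2142FWD-I", "V5.4.5 build 170101"),
    ("cam-yard-ptz", "DS-2DF8223I-AEL", "V5.4.0 build 160112"),
    ("nvr-main", "DS-7608NI-E2", "V3.4.0 build 160101"),
]

if __name__ == "__main__":
    for host, model, fw, status in flag_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {model:18} {fw:22} {status}")
```

Run as a script it prints the four devices that are not known-patched; imported, `assess` can be called from whatever asset system holds the model and firmware strings. The `unlisted` verdict is the one to watch: the article's ranges leave a gap between the last vulnerable build and the first fixed build, and treating that gap as safe would be a guess.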

Hikvision, via US-CERT, warned customers Friday that trying to update some “grey market” cameras – devices sold through unauthorized channels, thus with unauthorized firmware – could result in complications.

“Updating the firmware may result in converting the camera’s interface back to its original state. Users of ‘grey market’ cameras who cannot update due to this unauthorized firmware will still be susceptible to these vulnerabilities.”

While Hikvision has fixed the improper authentication vulnerability, it has yet to fix the password in configuration file vulnerability, US-CERT points out.

Hikvision, when reached Monday, rejected both the researcher’s and IPVM’s claim that the vulnerabilities amounted to a backdoor.

“First of all, we need to clarify this vulnerability is a code error instead of backdoor. Hikvision guarantees hereby that it never has, does or would intentionally contribute to the placement of ‘backdoors’ in its products,” a member of Hikvision’s Security Response Center told Threatpost late Monday.

Hikvision also directed Threatpost to a letter it sent customers and partners last Thursday notifying them of the March firmware update, 5.4.5. The company also addressed the issue with the configuration file, acknowledging it will enhance its private key decryption storage method in an upcoming release.

“The configuration file is encrypted and is therefore not readable, and protects users’ credentials. Also, the configuration file can only be exported by the admin account. Hikvision appreciates ICS-CERT’s comment, and will enhance the private key decryption storage method in the upcoming firmware release.”

Several years ago, Hikvision, in an effort to better secure its products, contracted the security firm Rapid7 to carry out a penetration test and vulnerability assessment of its IP cameras, embedded recorders, and software tools. That partnership was spurred after Rapid7 identified a series of vulnerabilities, buffer overflows that allowed the remote execution of arbitrary code, in Hikvision DVRs in 2014. It’s unclear how long the vulnerabilities identified in March have existed in Hikvision cameras relative to that audit.

The Hikvision advisory comes a day after US-CERT warned of a similar set of vulnerabilities in IP cameras and digital video recorders manufactured by another Chinese company, Dahua. That company told customers and partners in early March that the vulnerabilities were caused by what it called “a small piece of code.” Bashis, an independent researcher, found the issues, a backdoor that allowed remote unauthorized admin access via the web, and disclosed them via the Full Disclosure mailing list on March 6.

A spokesman from Dahua confirmed the information in US-CERT’s advisory early Monday and said that customers can download updated firmware from the “Device Upgrade Kit” section of the company’s website to mitigate the vulnerabilities.

This article was updated on May 9 to include statements from Hikvision, including a link to the company’s May 4 letter to customers.

Categories: IoT, Vulnerabilities

Comments (4)

  1. Brian

    Doesn’t say much for Hikvision when they say grey market cameras will still be vulnerable – What do they mean? Grey doesn’t mean they are counterfeit copies. Grey are products made by Hikvision destined for one geographical region but imported into another by an unofficial distributor, a technique designed to rip off the consumer by maintaining higher prices in certain regions. A particularly nasty and morally unacceptable practice adopted from the music and film industry!

    They need to step up and fix those as well, as they have profited from them.
  2. Robert Yates

    Great article Chris. Many IP camera and digital video recorder manufacturers out there have no interest in their consumers’ safety or privacy. Just a big interest in profits. It’s nice to see the leader of the pack, Hikvision, taking the time to work with the US government, other third parties (like Cisco), to alert consumers and to also work quickly to find fixes for vulnerabilities.
  3. RoboGeek

    First of all, a privilege-escalation vulnerability is not a ‘backdoor’. Despite Montecrypto’s mischaracterization of the issue (and he admitted he got it wrong in his forum posts!), Threatpost reiterates the same mistake in the story title…even ignoring the comments from the manufacturer to set the record straight “…this vulnerability is a code error instead of backdoor.”

    And the ‘password in the config file’ is not a default password…Hikvision does not have default passwords…it’s the encrypted admin password set by the user [and the device enforces password complexity].

    And finally, these cameras are not typically connected directly to the Internet, so the characterization of the vulnerability being remotely exploitable is misleading. IP cameras are typically connected to a private VLAN connected to an NVR. This is like considering a printer vuln to be remotely exploitable…but most folks do not expose the web interface of their printer to the Internet.

    Exploiting this ‘backdoor’ requires valid admin credentials, local network access, and the ability to potentially decrypt a password (which requires local network and/or physical access). Bottom line is that the facts reported here are both incorrect and misleading and the true risk/threat is not stated clearly.
  4. RoboGeek

    It’s a bit more complicated than that. The hardware for many Hikvision products is manufactured by third parties; however, only ‘official’ Hikvision products have the legitimate Hikvision-supplied firmware.

    These same third-party manufactured devices are relabeled as Hikvision by some importers (note that Annke, Amcrest, LTS, and even some Swann cams are the same hardware, made by the same third party).

    The issue is that the firmware on these devices is reverse-engineered CDM (China Domestic Market) firmware. If you try to replace it with valid firmware it will brick the device. It’s not Hikvision’s job to fix the hacked reverse-engineered firmware of those who are counterfeiting their cameras… 🙂
