Backdoor found in Hikvision cameras

[fenderman]

I agree with you, but the consumer faces very little in consequences. The camera keeps working, except now its used in the Mirai botnet to attack others. The headlines won't blame the consumer, instead the headlines will blame Hikvision for not providing security updates. This is exactly what happened to Microsoft and that is why they provide security updates for pirated Windows 7.

Hikvision decided long ago that they dont care...this was a business calculation...

 

[zero-degrees]

Many consumers purchased these items without knowing that Hikvision would be bricking their devices if they tried to patch security issues..

Rubbish! The majority of consumers that end up with HIK hardware are not pure novices. The majority of novices end up at Best Buy buying the sale of the week box set. If you are smart enough to end up with HIK/Dahua you have a little more understanding of whats going on and most likely know exactly what you are doing when you buy a grey market camera. Also the MAJORITY of all gray market cameras clearly state NO FIRMWARE UPGRADE UNLESS WE PROVIDE UPGRADE. Amazon, Ebay, AE, these sellers rarely hide this fact because they DON'T want problems post sale, so the buyer knows what he's doing.

Snowflake nation - want the best deal, then want to cry when they do something wrong and brick a device. If your willing to save a few $$$ on gray market hardware you need to understand the risk AND accept said risks should any arise. You put $100 on red when the wheel hits black you can't cry you didn't know better...

 

[mat200]

Rubbish! The majority of consumers that end up with HIK hardware are not pure novices. The majority of novices end up at Best Buy buying the sale of the week box set. If you are smart enough to end up with HIK/Dahua you have a little more understanding of whats going on and most likely know exactly what you are doing when you buy a grey market camera. Also the MAJORITY of all gray market cameras clearly state NO FIRMWARE UPGRADE UNLESS WE PROVIDE UPGRADE. Amazon, Ebay, AE, these sellers rarely hide this fact because they DON'T want problems post sale, so the buyer knows what he's doing.

Snowflake nation - want the best deal, then want to cry when they do something wrong and brick a device. If your willing to save a few $$$ on gray market hardware you need to understand the risk AND accept said risks should any arise. You put $100 on red when the wheel hits black you can't cry you didn't know better...

So we should accept the policies of the manufacturers which purposefully create dangerous problems for the rest of the world using the internet by denying the updates to their products and also the source code which they leveraged from open source projects?

IoT security will always be in the dumpster unless those who make the products are forced to be more responsible.

1) All products supported should be able to be updated. It should not matter which country you are in.
2) If the product is no longer supported, make the source code available to those who will do better at updating it.
( hint - the spies already have the source code - and know how to break in. )

 

[fenderman]

So we should accept the policies of the manufacturers which purposefully create dangerous problems for the rest of the world using the internet by denying the updates to their products and also the source code which they leveraged from open source projects?

IoT security will always be in the dumpster unless those who make the products are forced to be more responsible.

1) All products supported should be able to be updated. It should not matter which country you are in.
2) If the product is no longer supported, make the source code available to those who will do better at updating it.
( hint - the spies already have the source code - and know how to break in. )

No you can go spend 5-10x more and hope for the best... or be smart and implement your own protection which you need to do anyway regardless of whose product you use....you are not going to control what hikvision does, they dont care about you or your opinion. See its really simply, they know you will keep buying their product because all you care about is the bottom line cost.

 

[nayr]

So we should accept the policies of the manufacturers which purposefully create dangerous problems for the rest of the world using the internet by denying the updates to their products and also the source code which they leveraged from open source projects?

you bought the products and put them on the internet; your the one creating dangerous problems for the rest of the world; not hikvision.. be responsible for your own actions before you go preaching to others to do the same.

 

[john-ipvm]

See its really simply, they know you will keep buying their product because all you care about is the bottom line cost.

I partially disagree. On the one hand, I agree that Hikvision likely is confident that purchasers who buy primarily based on cost will continue to purchase them.

However, Hikvision is very concerned about their reputation (or lack thereof) when it comes to cybersecurity. Because Hikvision is owned by the Chinese government, and because the high-end of the market is concerned about cybersecurity and the Chinese government ownership, every time they have a cybersecurity incident it is a crisis for them. This is I know given our coverage of them and connections with industry execs.

My point here is that if these grey market / unauthorized devices start getting mass hacked, this will become a PR crisis for Hikvision and the high-end buyers will point to that as another reason not to choose Hikvision. And Hikvision wants the high-end - the scale of those projects and the premiums that those buyers are willing to pay, e.g. Hikvision Launches American Enterprise Expansion.

For now, though, I do not see Hikvision being motivated to take much action here because there is no proof and they can send the one email to dealers and hope this goes away.

 

[fenderman]

I partially disagree. On the one hand, I agree that Hikvision likely is confident that purchasers who buy primarily based on cost will continue to purchase them.

However, Hikvision is very concerned about their reputation (or lack thereof) when it comes to cybersecurity. Because Hikvision is owned by the Chinese government, and because the high-end of the market is concerned about cybersecurity and the Chinese government ownership, every time they have a cybersecurity incident it is a crisis for them. This is I know given our coverage of them and connections with industry execs.

My point here is that if these grey market / unauthorized devices start getting mass hacked, this will become a PR crisis for Hikvision and the high-end buyers will point to that as another reason not to choose Hikvision. And Hikvision wants the high-end - the scale of those projects and the premiums that those buyers are willing to pay, e.g. Hikvision Launches American Enterprise Expansion.

For now, though, I do not see Hikvision being motivated to take much action here because there is no proof and they can send the one email to dealers and hope this goes away.

John, this has been going on for years and they have only made it more difficult to alter camera regions to properly update firmware. If they were serious about security they would never create a scenario where the end user could not update the firmware. It doesn't take a security or industry expert to conclude that they simply dont care. If they did, they would provide regular firmware updates to all products...forcing a strong password which took years to implement is about all they have done...its sad...

 

[nayr]

you can create secure trusted platform distribution systems that require signed software to load up, while preventing grey markets and all but the most determined state-sponsored actors.. Apple and Cisco and many others do this quite well w/Hardware; but you cant keep being the cheap shit with little talent behind the products.. this kind of security goes all the way through the distribution channels and of course drives up costs when you have teams of PHD's on staff.

nobody in the video surveillance industry has caught on; heads still stuck in analogue days and only seem to have a very basic understanding of digital security.

Hikvision's attempts at controlling its distribution channels and securing its products is laughable; but so is this entire industry.. IP Security Cameras is an oxymoron.

 

[dt-cam]

There is good information in here. Thank you for sharing.

 

[montecrypto]

Update on the promised March 20 full disclosure date:

Per agreement with Hikvision I am delaying the disclosure. Hikvision promised to responsibly disclose and resolve the vulnerability. They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.

 

[zero-degrees]

Wonder if HIK compensates for a zero-day disclosure. Obviously is in their benefit, however they are financed by the Chinese government, so there is that ....

 

[alastairstevenson]

Wonder if HIK compensates for a zero-day disclosure.

To protect information security for users and enterprise, please do not publish or spread the flaw. HSRC will reward the reporter according to the Hikvision Security Flaw Assessment.

Apparently they do.

 

[john-ipvm]

Apparently they do.

Last fall, a researcher found a critical security vulnerability in Hik-Online. They sent him a cube camera as a reward. I would assume / hope they have become more generous since.

 

[alastairstevenson]

hope they have become more generous since.

Their business has got a lot to lose if trust in their products falls due to these problems and the way they are responded to.

 

[fenderman]

Last fall, a researcher found a critical security vulnerability in Hik-Online. They sent him a cube camera as a reward. I would assume / hope they have become more generous since.

How many cube cams can you buy for 25-200k
Apple announces long-awaited bug bounty program

 

[montecrypto]

Last fall, a researcher found a critical security vulnerability in Hik-Online.

That is what people do out of boredom - look for issues in hikvision websites... here's one: If you want to find out an email address of an ipcamtalk user, type their username into hikvision's password reset form. For example, itunedvr uses @yandex.ru account and one particular Scottish user likes hotmail (yuck!). Although his username is different from what he uses here.

 

[iTuneDVR]

Montecrypto!
All is open and not hidden!

So what's the problem?
Your hands were shaking?
Trying to reset the password does not mean it is reset

 

[Kroegtijgertje]

That is what people do out of boredom - look for issues in hikvision websites... here's one: If you want to find out an email address of an ipcamtalk user, type their username into hikvision's password reset form. For example, itunedvr uses @yandex.ru account and one particular Scottish user likes hotmail (yuck!). Although his username is different from what he uses here.

So you tried to reset my password?
Congratulations for not succeeding

 

[alastairstevenson]

If you want to find out an email address of an ipcamtalk user, type their username into hikvision's password reset form.

Oh dear! That's pretty poor.
That explains the email I puzzled about that I had last week from Hikvision saying "We have received a request to reset your password for your account on ...", and the other one last night.
I'd thought it was maybe Hikvision trying to do some digging after I'd had a PM on here from their Ipcamtalk contact.
The implementation is poor - it seems to just take a wild stab at a username match and send an email to the first partial match it finds.
I hope the spammers don't get their hands on it.

I think I might steal @montecrypto 's discovery and submit it to the "About Hikvision Security Response Center (HSRC)" Hikvision UK & Ireland and see if they will send me one of those new low-light IPCs that may rival the Dahua Starlight varifocal turret.
I already have a cube camera Lol!

@john-ipvm - presumably this is Hikvision's disclosure and response to the vulnerability @montecrypto discovered : Hikvision UK & Ireland

 

[john-ipvm]

presumably this is Hikvision's disclosure and response to the vulnerability @montecrypto discovered : Hikvision UK & Ireland

Yes, and it is very limited. There is no press release. There is no mention of it on any Hikvision social media accounts. There is no reference to it on any trade magazines. When Hikvision wants to get the word out about something, they can easily do it. So far, they have clearly kept it quiet.

That said, as long as Hikvision discloses details to ICS-CERT or @montecrypto publishes details in the next month, that will get the word out.