Backdoor found in Hikvision cameras

autospy said:
I agree with you, but the consumer faces very little in consequences. The camera keeps working, except now its used in the Mirai botnet to attack others. The headlines won't blame the consumer, instead the headlines will blame Hikvision for not providing security updates. This is exactly what happened to Microsoft and that is why they provide security updates for pirated Windows 7.
Click to expand...
Hikvision decided long ago that they dont care...this was a business calculation...
 
  • Like
Reactions: zero-degrees and nayr
autospy said:
Many consumers purchased these items without knowing that Hikvision would be bricking their devices if they tried to patch security issues..
Click to expand...

Rubbish! The majority of consumers that end up with HIK hardware are not pure novices. The majority of novices end up at Best Buy buying the sale of the week box set. If you are smart enough to end up with HIK/Dahua you have a little more understanding of whats going on and most likely know exactly what you are doing when you buy a grey market camera. Also the MAJORITY of all gray market cameras clearly state NO FIRMWARE UPGRADE UNLESS WE PROVIDE UPGRADE. Amazon, Ebay, AE, these sellers rarely hide this fact because they DON'T want problems post sale, so the buyer knows what he's doing.

Snowflake nation - want the best deal, then want to cry when they do something wrong and brick a device. If your willing to save a few $$$ on gray market hardware you need to understand the risk AND accept said risks should any arise. You put $100 on red when the wheel hits black you can't cry you didn't know better...
 
  • Like
Reactions: bigredfish
zero-degrees said:
Rubbish! The majority of consumers that end up with HIK hardware are not pure novices. The majority of novices end up at Best Buy buying the sale of the week box set. If you are smart enough to end up with HIK/Dahua you have a little more understanding of whats going on and most likely know exactly what you are doing when you buy a grey market camera. Also the MAJORITY of all gray market cameras clearly state NO FIRMWARE UPGRADE UNLESS WE PROVIDE UPGRADE. Amazon, Ebay, AE, these sellers rarely hide this fact because they DON'T want problems post sale, so the buyer knows what he's doing.

Snowflake nation - want the best deal, then want to cry when they do something wrong and brick a device. If your willing to save a few $$$ on gray market hardware you need to understand the risk AND accept said risks should any arise. You put $100 on red when the wheel hits black you can't cry you didn't know better...
Click to expand...

So we should accept the policies of the manufacturers which purposefully create dangerous problems for the rest of the world using the internet by denying the updates to their products and also the source code which they leveraged from open source projects?

IoT security will always be in the dumpster unless those who make the products are forced to be more responsible.

1) All products supported should be able to be updated. It should not matter which country you are in.
2) If the product is no longer supported, make the source code available to those who will do better at updating it.
( hint - the spies already have the source code - and know how to break in. )
 
mat200 said:
So we should accept the policies of the manufacturers which purposefully create dangerous problems for the rest of the world using the internet by denying the updates to their products and also the source code which they leveraged from open source projects?

IoT security will always be in the dumpster unless those who make the products are forced to be more responsible.

1) All products supported should be able to be updated. It should not matter which country you are in.
2) If the product is no longer supported, make the source code available to those who will do better at updating it.
( hint - the spies already have the source code - and know how to break in. )
Click to expand...
No you can go spend 5-10x more and hope for the best... or be smart and implement your own protection which you need to do anyway regardless of whose product you use....you are not going to control what hikvision does, they dont care about you or your opinion. See its really simply, they know you will keep buying their product because all you care about is the bottom line cost.
 
  • Like
Reactions: nayr
mat200 said:
So we should accept the policies of the manufacturers which purposefully create dangerous problems for the rest of the world using the internet by denying the updates to their products and also the source code which they leveraged from open source projects?
Click to expand...

you bought the products and put them on the internet; your the one creating dangerous problems for the rest of the world; not hikvision.. be responsible for your own actions before you go preaching to others to do the same.
 
fenderman said:
See its really simply, they know you will keep buying their product because all you care about is the bottom line cost.
Click to expand...

I partially disagree. On the one hand, I agree that Hikvision likely is confident that purchasers who buy primarily based on cost will continue to purchase them.

However, Hikvision is very concerned about their reputation (or lack thereof) when it comes to cybersecurity. Because Hikvision is owned by the Chinese government, and because the high-end of the market is concerned about cybersecurity and the Chinese government ownership, every time they have a cybersecurity incident it is a crisis for them. This is I know given our coverage of them and connections with industry execs.

My point here is that if these grey market / unauthorized devices start getting mass hacked, this will become a PR crisis for Hikvision and the high-end buyers will point to that as another reason not to choose Hikvision. And Hikvision wants the high-end - the scale of those projects and the premiums that those buyers are willing to pay, e.g. Hikvision Launches American Enterprise Expansion.

For now, though, I do not see Hikvision being motivated to take much action here because there is no proof and they can send the one email to dealers and hope this goes away.
 
john-ipvm said:
I partially disagree. On the one hand, I agree that Hikvision likely is confident that purchasers who buy primarily based on cost will continue to purchase them.

However, Hikvision is very concerned about their reputation (or lack thereof) when it comes to cybersecurity. Because Hikvision is owned by the Chinese government, and because the high-end of the market is concerned about cybersecurity and the Chinese government ownership, every time they have a cybersecurity incident it is a crisis for them. This is I know given our coverage of them and connections with industry execs.

My point here is that if these grey market / unauthorized devices start getting mass hacked, this will become a PR crisis for Hikvision and the high-end buyers will point to that as another reason not to choose Hikvision. And Hikvision wants the high-end - the scale of those projects and the premiums that those buyers are willing to pay, e.g. Hikvision Launches American Enterprise Expansion.

For now, though, I do not see Hikvision being motivated to take much action here because there is no proof and they can send the one email to dealers and hope this goes away.
Click to expand...
John, this has been going on for years and they have only made it more difficult to alter camera regions to properly update firmware. If they were serious about security they would never create a scenario where the end user could not update the firmware. It doesn't take a security or industry expert to conclude that they simply dont care. If they did, they would provide regular firmware updates to all products...forcing a strong password which took years to implement is about all they have done...its sad...
 
  • Like
Reactions: nayr
you can create secure trusted platform distribution systems that require signed software to load up, while preventing grey markets and all but the most determined state-sponsored actors.. Apple and Cisco and many others do this quite well w/Hardware; but you cant keep being the cheap shit with little talent behind the products.. this kind of security goes all the way through the distribution channels and of course drives up costs when you have teams of PHD's on staff.

nobody in the video surveillance industry has caught on; heads still stuck in analogue days and only seem to have a very basic understanding of digital security.

Hikvision's attempts at controlling its distribution channels and securing its products is laughable; but so is this entire industry.. IP Security Cameras is an oxymoron.
 
  • Like
Reactions: catseyenu and CCTV Platform
Update on the promised March 20 full disclosure date:

Per agreement with Hikvision I am delaying the disclosure. Hikvision promised to responsibly disclose and resolve the vulnerability. They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.
 
  • Like
Reactions: Bink, OldBobcat, triumph202 and 4 others
Wonder if HIK compensates for a zero-day disclosure. Obviously is in their benefit, however they are financed by the Chinese government, so there is that ....
 
  • Like
Reactions: Bink, CCTV Platform, nayr and 2 others
Montecrypto!
All is open and not hidden!

So what's the problem?
Your hands were shaking?
Trying to reset the password does not mean it is reset;)
 
Last edited:
montecrypto said:
That is what people do out of boredom - look for issues in hikvision websites... here's one: If you want to find out an email address of an ipcamtalk user, type their username into hikvision's password reset form. For example, itunedvr uses @yandex.ru account and one particular Scottish user likes hotmail (yuck!). Although his username is different from what he uses here.
Click to expand...
So you tried to reset my password?
Congratulations for not succeeding :p
 
montecrypto said:
If you want to find out an email address of an ipcamtalk user, type their username into hikvision's password reset form.
Click to expand...
Oh dear! That's pretty poor.
That explains the email I puzzled about that I had last week from Hikvision saying "We have received a request to reset your password for your account on ...", and the other one last night.
I'd thought it was maybe Hikvision trying to do some digging after I'd had a PM on here from their Ipcamtalk contact.
The implementation is poor - it seems to just take a wild stab at a username match and send an email to the first partial match it finds.
I hope the spammers don't get their hands on it.

I think I might steal @montecrypto 's discovery and submit it to the "About Hikvision Security Response Center (HSRC)" Hikvision UK & Ireland and see if they will send me one of those new low-light IPCs that may rival the Dahua Starlight varifocal turret.
I already have a cube camera Lol!

@john-ipvm - presumably this is Hikvision's disclosure and response to the vulnerability @montecrypto discovered : Hikvision UK & Ireland
 
alastairstevenson said:
presumably this is Hikvision's disclosure and response to the vulnerability @montecrypto discovered : Hikvision UK & Ireland
Click to expand...
Yes, and it is very limited. There is no press release. There is no mention of it on any Hikvision social media accounts. There is no reference to it on any trade magazines. When Hikvision wants to get the word out about something, they can easily do it. So far, they have clearly kept it quiet.

That said, as long as Hikvision discloses details to ICS-CERT or @montecrypto publishes details in the next month, that will get the word out.
 
You must log in or register to reply here.
Top Bottom