Got this emal re: Hikvision cams being hacked

[james99]

Got this from IPVM:


After a massive number of Hikvision cameras were hacked, Hikvision has added new, and questionable legal language, declaring that Hikvision will take no responsibility for hacked Hikvision cameras.
No Responsibility
The language is inserted in a legal disclaimer section included in Hikvision documentation such as user manuals and quick start guides in the box:

HIKVISION SHALL NOT TAKE ANY RESPONSIBILITES FOR ABNORMAL OPERATION, PRIVACY LEAKAGE OR OTHER DAMAGES RESULTING FROM CYBER ATTACK, HACKER ATTACK, VIRUS INSPECTION, OR OTHER INTERNET SECURITY RISKS
​

This language is not found in documentation prior to the hacks (such as the 5.2 user manual), but is now commonplace in the 5.3 and later documentation, that was released after the numerous hacking issues.
Extremely Uncommon
While product warranties have general liability limitations, it is quite uncommon for camera manufacturers to have explicit language excluding cyber security. Of course, this is even more significant given Hikvision's poor cyber security track record and Hikvision's industry worse cyber security rating from integrators.
Hikvision Chinese Government Ownership
Making this even more complicated, Hikvision is a Chinese state owned enterprise, run by the Chinese government / China communist party. Undoubtedly, the Chinese government is one of the best cyber hacking entities globally.
It is, minimally, ironic, that an organization so strong at cyber hacking would seek to use the International legal system to protect itself from the consequences of their own products being hacked.
End User Risk
If you are an integrator supplying Hikvision or an end user with Hikvision products deployed, we urge you to consult with your attorney to understand the legal risk and ask Hikvision to remove this clause.
Not only is it uncommon but the process of how Hikvision has simply added it to product documentation is questionable (e.g., Are Hikvision products bought before 2015 covered by this? Is inserting a disclaimer in a manual legally binding?).
Buyer Truly Beware
As it is, if Hikvision makes another colossal mistake (e.g., copying malicious code from a bulletin board like they did in 2015) or if they allow Chinese government backdoors in their cameras, Hikvision buyers take all the risk.
And while Hikvision's super low prices are attractive, one needs to seriously factor in these risks.

 

[Jack B Nimble]

Got this from IPVM:


After a massive number of Hikvision cameras were hacked, Hikvision has added new, and questionable legal language, declaring that Hikvision will take no responsibility for hacked Hikvision cameras.
No Responsibility
The language is inserted in a legal disclaimer section included in Hikvision documentation such as user manuals and quick start guides in the box:

HIKVISION SHALL NOT TAKE ANY RESPONSIBILITES FOR ABNORMAL OPERATION, PRIVACY LEAKAGE OR OTHER DAMAGES RESULTING FROM CYBER ATTACK, HACKER ATTACK, VIRUS INSPECTION, OR OTHER INTERNET SECURITY RISKS
​

This language is not found in documentation prior to the hacks (such as the 5.2 user manual), but is now commonplace in the 5.3 and later documentation, that was released after the numerous hacking issues.
Extremely Uncommon
While product warranties have general liability limitations, it is quite uncommon for camera manufacturers to have explicit language excluding cyber security. Of course, this is even more significant given Hikvision's poor cyber security track record and Hikvision's industry worse cyber security rating from integrators.
Hikvision Chinese Government Ownership
Making this even more complicated, Hikvision is a Chinese state owned enterprise, run by the Chinese government / China communist party. Undoubtedly, the Chinese government is one of the best cyber hacking entities globally.
It is, minimally, ironic, that an organization so strong at cyber hacking would seek to use the International legal system to protect itself from the consequences of their own products being hacked.
End User Risk
If you are an integrator supplying Hikvision or an end user with Hikvision products deployed, we urge you to consult with your attorney to understand the legal risk and ask Hikvision to remove this clause.
Not only is it uncommon but the process of how Hikvision has simply added it to product documentation is questionable (e.g., Are Hikvision products bought before 2015 covered by this? Is inserting a disclaimer in a manual legally binding?).
Buyer Truly Beware
As it is, if Hikvision makes another colossal mistake (e.g., copying malicious code from a bulletin board like they did in 2015) or if they allow Chinese government backdoors in their cameras, Hikvision buyers take all the risk.
And while Hikvision's super low prices are attractive, one needs to seriously factor in these risks.

Fake , scare tactics from a competitor. Today don't believe what you read, hear or now even see its the way today is!

 

[fenderman]

Fake , scare tactics from a competitor. Today don't believe what you read, hear or now even see its the way today is!

ipvm is not a competitor.

 

[Jack B Nimble]

Ok I will correct myself scare tactics from a website with less members than a small town (which is just what they claim) and who knows who writes the articles it could all be a 12 year old in his basement. I can have a website call it IP-INTEL say I have 1 million members and write some BS about chinese camera's looking at you in your underwear if you buy a Huisun PTZ !

 

[fenderman]

Ok I will correct myself scare tactics from a website with less members than a small town (which is just what they claim) and who knows who writes the articles it could all be a 12 year old in his basement. I can have a website call it IP-INTEL say I have 1 million members and write some BS about chinese camera's looking at you in your underwear if you buy a Huisun PTZ !

IPVM is a respected industry website. The membership is relatively low because its expensive. He does extensive camera testing. You may disagree with what he says but he certainly has more experience than you who we can all agree has very basic knowledge of ip cameras and networking (if that).
In this post as in many others you completely miss the point when it comes to unsecured cameras. Not only is the camera vulnerable but the entire network if its not segmented. All your personal info is vulnerable. I know I know, you have no personal info saved on your pc/network. You dont care if someone has access to your indoor cameras-we are all still waiting for a link so we can setup a live view.

 

[nayr]

Everything he said was true, and its true of all these Chinese cameras... you cant trust them, the only way to secure them is externally..

this is why Ive been trying to get everyone to use VPN, disable uPNP, and firewall all external network access both too/from an isolated/segregated network.. anything less, is inadequate security.

Its nice to see one Professional Shop is acutely aware of the situation and taking appropriate action, most so called 'Security Pro's' would just rather open a bunch of ports and let the cameras run wild on the internet.

 

[alastairstevenson]

Fake , scare tactics from a competitor. Today don't believe what you read, hear or now even see its the way today is!

Nonsense! Competitor? Do a bit more checking before making wild statements.
It's a true, but old, story.
It was the main driver behind Hikvision's firmware changes to remove the original default passwords and move to the 'device activation' method.
The tendency of end-users - even the Municipal Authorities in question - to not change passwords from the default values was an underlying cause.
A big compliment to call it a hack - not even a script-kiddie activity.

 

[h_2_o]

Everything he said was true, and its true of all these Chinese cameras... you cant trust them, the only way to secure them is externally..

this is why Ive been trying to get everyone to use VPN, disable uPNP, and firewall all external network access both too/from an isolated/segregated network.. anything less, is inadequate security.

Its nice to see one Professional Shop is acutely aware of the situation and taking appropriate action, most so called 'Security Pro's' would just rather open a bunch of ports and let the cameras run wild on the internet.

this times about 1000. however one thing that just does not sit well with me is why does someone who does not secure their camera system blame the manufacturer when someone breaks into it? to me that is about as logical as someone leaving their home unlocked with doors and windows open and then blaming whoever built the house when someone breaks in and steals everything.

edit: nayr that comment is not directed at you just people complaining about cameras not being secure.

 

[Kawboy12R]

A camera with even a unique password is like a pane of glass or a locked door in your home. Don't bet against the lock manufacturer or even a kid with an attitude if they want to get into your "secure" home. If it has access to the internet then it is a weak link that somebody can most likely figure a way through. I'd trust an Axis way before a Hik or some noname Chinese brand though. This doesn't include the possibly valid paranoia of Chinese government backdoors in IP cameras, Hik or otherwise. Hell, even the seemingly near-standard "feature" of unlimited unsecured snapshots from cheap Chinese cameras will be a nightmare for any country in wartime. "Loose lips sink ships" is nothing compared to what could be gained from easy access to a few hundred thousand unsecured cameras in an enemy country.

 

[nayr]

@h_2_o the fallacy is these are called 'Security Cameras'

combined with the fact that the masses have been taught to accept theatre is valid security; easy to blame others when the thin veil is lifted and the security is shown to be a fraud..

your door locks are easy to pick, but buglers dont even bother learning the skill.. because a swift kick will break down most all entry doors, and if not a big rock will let you reach through and unlock it... when key bumping became common knowledge, they blamed the manufacturers for the lack of security.. so they put up minimal efforts to stop it and now they are 'bump proof'.. (my ass, just more theatre)

 

[whoslooking]

This is why security systems should not live on your LAN or Even an VLAN.
All the high level systems I have designed and Installed are true CCTV (Closed Circuit) In design IP Systems are OCTV (Open Circuit).

The Systems have there own ISP Fibre Connections if it truly needed, there own router and Switch.
If your talking security think about making your system secure, The term secured by design is a big part of what I do.

1st detect (high quality locks, Intruder detection system) (Not a Cheap nasty by ADT)
2nd Record (NVR, PC, With RAID)
3rd Capture (High Quality Recording to Share with Enforcement (Police)).

CCTV on it's own is not enough these days.

 

[john-ipvm]

I am the founder of IPVM. Thanks for raising this discussion.

A few thoughts:

The point of the article was not that "its true of all these Chinese cameras" or that even Chinese cameras are 'bad'. The issue here is that Hikvision has changed its legal disclaimer, which is a big deal for many large end users.

As for "It was the main driver behind Hikvision's firmware changes", I think the firmware changes were good and reduced risks. That is not what is being criticized or questioned there. The issue, again, is adding the legal disclaimer, which shifts risks to the dealer and end user.

Btw, as for "The membership is relatively low", we have 10,000 paying members, which for a niche like video surveillance is pretty good.

Finally, use Hikvision, don't use Hikvision but I do think if you do use Hikvision and you are deploying it for larger customers that care about cybersecurity, it has to be brought up and vetted prior to deployment.

 

[tbennett1012]

Hello, I work for an engineering fire specializing in Division 28 design (Electronic Safety and Security) for large clients. My boss asked me to shake down a low cost Hikvision camera. Yes, the new activation routine was enabled so this is a post-patch camera. I analyzed the IP traffic in and out of the camera and discovered that the camera was attempting to reach an IP that ultimately resolved to somewhere in Nigeria.

Think about that for a second. A camera was repeatedly trying to reach an IP in Nigeria. Well, that's not scary at all. The only reason it could not was that the camera was isolated from the internet for testing. I don't care who uses what but we would never specify a Hikvision camera because we have solid evidence of shenanigans.

 

[tbennett1012]

I am a systems designer with a firm specializing in electronic safety and security work. We often specify camera systems for large health care and public sector entities. My boss asked my, within the last two weeks, to test a Hikvision camera to see what it was doing when connected to an isolated segment of our network with no access to the internet.

The camera, connected only to a switch and my computer (through said switch) tried to contact a remote IP address we did not recognize. It ended up resolving to somewhere in Nigeria which is not scary in the least. To make matters more interesting the camera was attempting to reach port 1900 at the target IP. This IP address does not respond to pings or to attempts to connect via http (port 80). It was completely dark and not registered with any DNS.

I would avoid these since the camera we tested was new and had the recently added strong password/activation requirements but was still screaming frantically at the Nigerian IP address. You know, just like any good malware would do.

 

[alastairstevenson]

Camera model?
Purchased from what source?
Did the firmware version in the web GUI match that on the label?
If not - it's likely that the seller has installed customised firmware to make the camera masquerade as English to circumvent Hikvision's region-blocking tactics.
What is the camera serial number - specifically what is the group of 4 letters in the body?

*edit* Out of curiosity - what was the IP address?

 

[tbennett1012]

Hikvision Model DS-2CD2132F-IWS Serial: 514594534. It was provided by Hikvision as a demo, we get a lot of that. To the best of my knowledge the firmware and software were the correct versions because the CD with the software came in the unopened box with the camera.

The IP Address was 213.255.255.250:1900.

Happy hunting.

 

[hiky]

Hello, I work for an engineering fire specializing in Division 28 design (Electronic Safety and Security) for large clients. My boss asked me to shake down a low cost Hikvision camera. Yes, the new activation routine was enabled so this is a post-patch camera. I analyzed the IP traffic in and out of the camera and discovered that the camera was attempting to reach an IP that ultimately resolved to somewhere in Nigeria.

Think about that for a second. A camera was repeatedly trying to reach an IP in Nigeria. Well, that's not scary at all. The only reason it could not was that the camera was isolated from the internet for testing. I don't care who uses what but we would never specify a Hikvision camera because we have solid evidence of shenanigans.

If you have proof please share so that it can be discussed further

 

[tbennett1012]

That may take a couple of days since I've moved on to other tasks but I can drop the Capsa trafic analysis once I plug in the camera again. I didn't save it because we were only testing to satisfy our own curiosity.

 

[alastairstevenson]

Intriguing - a legit source. And one of the new style, not useful, serial numbers.
As you say - a 'dark' destination, heads out through LINX then goes quiet.

alastair@PC-I5 ~ $ sudo nmap -sS 213.255.255.250
[sudo] password for alastair: 

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-21 21:41 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.72 seconds
alastair@PC-I5 ~ $ traceroute 213.255.255.250
traceroute to 213.255.255.250 (213.255.255.250), 64 hops max
  1   192.168.1.1  0.346ms  0.236ms  0.243ms 
  2   *  *  * 
  3   *  *  * 
  4   213.121.98.136  17.352ms  17.468ms  21.374ms 
  5   87.237.20.140  22.366ms  *  18.295ms 
  6   195.66.225.119  19.118ms  19.080ms  18.875ms

It might be worth asking these people what they expect the address to support.
*edit*
The IP address is part of their Nigerian operation.
SkyVision Nigeria Represantative, Nigeria Based Satellite Service Center, Shiron Product Service Center, VSAT internet Providers, VOIP, Intranet & Extranet, LAN & WAN, Telecommunications Company in Nigeria, Management Network Services. - See more at: http://www.businesslist.com.ng

organisation: ORG-SGN1-RIPE
org-name: SkyVision Global Networks Ltd
org-type: LIR
address: Kinetic Business Centre
Theobald Street
address: WD6 4PJ
address: Borehamwood
address: UNITED KINGDOM
phone: +442083871750
fax-no: +442083874004
abuse-c: AR17903-RIPE
admin-c: SVNC-RIPE
admin-c: SVAC-RIPE
mnt-ref: SV-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
abuse-mailbox:

created: 2004-04-17T12:21:36Z
last-modified: 2015-09-25T12:31:17Z
source: RIPE # Filtered

role: SkyVision Network Coordination Center
org: ORG-SGN1-RIPE
address: SkyVision Global Networks
address: Kinetic Business Centre
address: Theobald Street
address: Borehamwood
address: Hertfordshire WD6 4PJ
address: United Kingdom
phone: +44 20 8387 1750
fax-no: +44 20 8387 4004
admin-c: SVAC-RIPE
tech-c: SVTC-RIPE
nic-hdl: SVNC-RIPE
mnt-by: SV-MNT
created: 2001-12-20T14:06:43Z
last-modified: 2008-10-10T14:10:44Z
source: RIPE # Filtered

 

[hiky]

what would be useful now is for a random selection of cams to be tested