The tech flaw that lets hackers control surveillance cameras

[alastairstevenson]

This isn't a new Hikvision vulnerability - it's an IPVM-led story.

The tech flaw that lets hackers control surveillance cameras

Security flaws in two surveillance camera brands used around the world have been identified by Panorama.

www.bbc.co.uk

But it highlights yet again how these devices can present a risk to the networks they reside on - as is so often highlighted here in IPCamtalk.

"Panorama worked with US-based IPVM, one of the world's leading authorities on surveillance technology, to test whether it was possible to hack a Hikvision camera. IPVM supplied the one that was installed in a BBC studio.
Panorama could not run the camera on a BBC network for security reasons - so it was put on a test network where there is no firewall and little protection.
The camera Panorama tested contains a vulnerability discovered in 2017. IPVM's director Conor Healy describes this as "a back door that Hikvision built into its own products."

 

[CaptainCrunch]

"Panorama could not run the camera on a BBC network for security reasons - so it was put on a test network where there is no firewall and little protection."

Little protection? Is that like an unsecured wireless network?

 

[alastairstevenson]

Sounds like either port forwarding was explicitly configured, or UPnP was not disabled on the cameras or the router.
Much the same end result.

 

[samueljh1]

The flaws in this article are not as severe as the new results found in my recent paper ([Paper] Spying on the Spy: Security Analysis of Hidden Cameras). I have been working (along with my university) to raise these concerns to news agencies as they are currently unaware of how bad these attacks can be. The new attacks can be done without port forwarding, and with the cameras sitting behind the firewall. On top of eavesdropping on video and audio data, it is also possible to remotely perform code execution, making it possible to hack other devices in the camera's network. Imagine an attacker controlling critical systems within a governmental agency, simply because a flawed camera was installed on their network. All that we can do now is raise awareness and ensure these devices are disconnected from our networks.

 

[tigerwillow1]

If there's no port forwarding or UPnP, and no cameras on wifi, how does a hacker find out that there are cameras on a network?

 

[looktall]

If there's no port forwarding or UPnP, and no cameras on wifi, how does a hacker find out that there are cameras on a network?

They don't target a network because it has cameras.
They target a network (usually hundreds of them at a time) and if they get entry then they can go from there.
Imagine you're in a storage facility.
You have no idea what's in any of the storage units but you're after the ones that have safes inside them.
How do you know which units to target?
Easy, you target them all, all at the same time.
If you gain entry to any units you can then see if there is a safe.
No safe?
Move on.
Find a safe?
Note down which unit it is so you can come back later and try to break into the safe.

 

[tigerwillow1]

They don't target a network because it has cameras.
They target a network (usually hundreds of them at a time) and if they get entry then they can go from there.

I need to refine the question. If a hacker is going to hack a camera, he first needs to find a network that has cameras. For most of us on the forum, that's our home network. How does the hacker know that a network he has randomly targeted has any cameras that he can try hacking into?

 

[looktall]

I need to refine the question. If a hacker is going to hack a camera, he first needs to find a network that has cameras. For most of us on the forum, that's our home network. How does the hacker know that a network he has randomly targeted has any cameras that he can try hacking into?

Think of it in a different way.
Think of it like vulnerabilities in a SQL server.
The hacker doesn't know where the SQL servers are but he knows where the networks are so he tries them all until he finds a SQL server that is vulnerable.
He's not sitting there doing this manually.
It would be scripted to scan networks until it finds what it's looking for.

Very few data breaches are targeted.
Most of them are discovered by scanning for known vulnerabilities.

 

[tigerwillow1]

The hacker doesn't know where the SQL servers are but he knows where the networks are so he tries them all until he finds a SQL server that is vulnerable.

I'm asking how he finds a camera, vulnerable or not, when there are no ports open, no UPnP, and no wifi.

 

[looktall]

I'm asking how he finds a camera, vulnerable or not, when there are no ports open, no UPnP, and no wifi.

If your network is locked down tight then it's unlikely that a camera is going to be accessible unless other means are used to breach the network.
Eg. Malware, other vulnerable devices on the network, etc.

 

[dryfly]

If your network is locked down tight then it's unlikely that a camera is going to be accessible unless other means are used to breach the network.
Eg. Malware, other vulnerable devices on the network, etc.

What are some ways to lock down tight a network? Obviously a good firewall first. What would be an example of other common vulnerable devices?

Even with my VPN for accessing cameras, I'm starting to wonder if I should have anything that I can access remotely.