Flaw in Security Cameras Could Affect Millions of IoT Devices
Table of Contents
- By Dawna M. Roberts
- Published: Oct 12, 2021
- Last Updated: Mar 18, 2022
Threat researcher Watchful_IP has discovered a significant flaw on millions of Hikvision video IoT devices that could allow bad actors to inject malicious software and commit acts of fraud.
What is Going On?
Tech company Hikvision makes video IoT devices such as cameras, disk recorders, video codes, and video servers used in various industries, including infrastructure.
After being informed of the vulnerability, the company announced publicly that it had fixed the issue and rolled out a firmware update for users of its equipment. Data Breach Today explains ‘The flaw, Hikvision says, could potentially affect nearly 80 products, including models from as early as 2016. While the company did not specify the number of devices affected, video surveillance resource IPVM says, “We estimate 100+ million devices globally are impacted.”
What is the Danger?
The flaw has been named CVE-2021-36260 and it carries a “critical” CVSS rating. The vulnerability allows bad actors to launch command injection attacks to execute malicious tasks. The reason it works is due to insufficient input validation.
Watchful_IP’s blog mentioned that neither the company nor he exposed any technical details of the flaw or a proof of concept due to the concern of exploitation in the wild. The researcher also mentioned that using this flaw, hackers could take complete control of the device, which “is far more access than even the owner of the device has, as they are restricted to a limited ‘protected shell’ (psh), which filters the input to a predefined set of limited, mostly informational commands.”
The only thing someone needs to execute this type of attack is access to the HTTP server port 80 or HTTPS server port 443. They would not need to enter any username or password. The cyber attack would go unnoticed on the network and be undetectable to owners. From the device, threat actors could then access the entire network and commit further acts of fraud.
However, some good news is that the attacker must be on the same network as the IoT device to exploit the vulnerability. They must be able to access the device’s login screen to execute any commands.
Data Breach Today adds,
“Thus, the easiest way to evaluate system risk level, according to the company, is to check whether the device’s webpage is directly accessible from the internet without any extra network variation. “If yes, the system should be considered at high risk,” the advisory says.”
What Can Users Do to Stay Safe?
Hikvision recommends that all customers update the firmware immediately. Beyond that, they also suggest that customers:
- “Minimize port numbers exposed to the internet.
- Avoid common port numbers and reconfigure them to customized ports.
- Enable IP filtering.”
Watchful_IP also added:
“I’d recommend you do not expose any IoT device to the internet, no matter who it is made by - or in which country the device is made (including U.S, Europe, etc.). Use a VPN for access if needed. Block outbound traffic too if at all possible - I also like to give these devices the wrong gateway (router) IP.”
Privacy Concerns Surround Hikvision
In 2018, President Donald Trump forbid government agencies from using Hikvision equipment, citing concerns surrounding privacy, espionage, and security.
Data Breach Today added,
“In the U.K. now, British politician David Alton, in response to Hikvision’s disclosure, tweeted that the “Home Office Ministers will meet the Biometrics and Surveillance Camera Commissioner to discuss the issues raised in his correspondence with Hikvision.”
Although there is a lot of suspicion around Chinese tech companies like Hikvision as an entry point into corporate networks, Watchful_IP explains, “You wouldn’t do it like this. And not all firmware types are affected.” The researcher said that if that were the case, all versions of the firmware would have contained that flaw.