Staff Writer
Hikvision has identified a critical vulnerability in certain internet protocol cameras produced by the video surveillance company, leaving multiple models of Hikvision cameras vulnerable to a remote takeover.
In an advisory issued on September 19, Hikvision confirms the vulnerability, tagged CVE-2021-36260, is a command injection vulnerability in the web server of multiple Hikvision cameras.
“Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands,” the advisory reads.
The vulnerability is rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).
Headquartered in Hangzhou, China, Hikvision manufactures and supplies video surveillance equipment. Hikvision is majority-owned by the Chinese Government via majority shareholder China Electronics Technology HIK Group.
Despite the US Government blacklisting Hikvision in 2019, it is estimated Hikvision has a 40% global surveillance camera market share. In addition to Hikvision-branded cameras, other businesses buy Hikvision cameras and rebrand them.
Hikvision’s vulnerability advisory lists scores of vulnerable models. But because of the rebranding practice, many more rebranded camera models are also potentially at risk. Video surveillance research company IPVM says 100 million-plus cameras worldwide are at risk.
An Australian Cyber Security Centre (ACSC) alert issued on Wednesday says the vulnerability could allow a cyber actor to take full control of the cameras, saying:
“The cyber actor could then access device functionality or target other devices on the same network in order to steal information or install malware.”
A security researcher called Watchful_IP identified the vulnerability in June and notified Hikvision. A patch was issued simultaneously with this week’s security advisory. Watchful_IP notes this is a critical vulnerability, calling it “a zero click unauthenticated remote code execution vulnerability affecting a large number of cameras.”
“This permits an attacker to gain full control of a device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to limited ‘protected shell’ (psh) which filters input to a predefined set of limited, mostly informational commands.”
Watchful_IP notes that, in addition to complete compromise of the camera, internal networks can then be accessed and attacked.
“Only access to the http(s) server port (typically 80/443) is needed. No username or password is needed, nor do any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself,” Watchful_IP adds.
Hikvision cameras and rebranded Hikvision cameras are used at sensitive and critical infrastructure sites worldwide.
The security researcher stresses the vulnerability is not a Chinese Government-mandated backdoor cyberattack. However, IPVM calls the vulnerability a “powerful way” for bad actors, including governments, to access surveillance networks that would be undetectable by the Hikvision device’s own logging.
Hikvision has updated firmware available on its official website that protects against the CVE-2021-36260 vulnerability.
The ACSC advises that, as part of cyber security best practice, Australian owners should, if possible, prevent such devices from being accessed from anywhere on the internet.