A significant security vulnerability has been identified in over 80,000 Hikvision surveillance cameras worldwide. These cameras, produced by Hangzhou Hikvision Digital Technology, a Chinese state-owned enterprise, are used in more than 100 countries. Despite the U.S. Federal Communications Commission (FCC) labeling Hikvision a security risk in 2019, their products remain widespread.
In the Fall of 2021, a critical command injection flaw in these cameras, designated as CVE-2021-36260, was disclosed. The National Institute of Standards and Technology (NIST) rated this vulnerability 9.8 out of 10, indicating its severity. Nearly a year later, a large number of these devices remain unpatched, leaving thousands of organizations vulnerable.
Recent research has uncovered efforts by hackers, particularly on Russian dark web forums, to exploit this vulnerability. There’s evidence of collaboration in exploiting Hikvision cameras and selling leaked credentials. The potential damage from these breaches is not fully known, but there is speculation that Chinese and Russian threat groups could exploit these vulnerabilities for motives including geopolitical gains.
The issue highlights a broader problem with Internet of Things (IoT) devices. David Maynor, a senior director at Cybrary, points out that Hikvision cameras have systemic vulnerabilities, including default credentials that are easy to exploit. These devices also lack the logging and forensic capabilities needed to confirm whether an attacker has actually been removed after an intrusion. Hikvision has not shown significant improvement in its security development cycle.
This security challenge is not unique to Hikvision but is endemic in the IoT industry. Paul Bischoff from Comparitech explains that securing IoT devices is not as straightforward as securing apps on a phone. Updates for these devices are not automatic and require manual installation, a step many users fail to take. Additionally, IoT devices often do not alert users about their insecure or outdated status, unlike smartphones that prompt for updates.
Cybercriminals locate susceptible devices with internet-wide search engines such as Shodan or Censys before exploiting these vulnerabilities. The situation is worsened by the fact that Hikvision cameras often ship with default passwords, which many users never change. The combination of weak security measures, lack of user awareness, and insufficient oversight raises concerns about the future security of these cameras.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional