![]() ![]() Hikvision started publishing firmware updates for affected devices. Hikvision issued a memo about the vulnerability to partners. Hikvision confirmed vulnerability and promised firmware update. Hikvision notified of the backdoor, technical details provided. Chinese domestic market cameras contain the backdoor as well. There are no attempts to hide the backdoor code which would certainly be expected in case of a deliberately planted backdoor. It is plausible, that a developer forgot to remove a piece of test code and it went unnoticed for years. Hikvision indicated that it was a piece of debug code inadvertently left by one of developers. The vulnerability start ed to quietly disappear from hew firmware released in Jan/Feb of 2017, after Hikvision leadership made public comments that no such backdoor exists and after similar backdoors were reported in other manufacturers' products. It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years. Once you understand the code flow, the backdoor code really stands out. Only one of the four (HikCGI) has an additional piece of code with a very simple logic of "if this exists, then skip all authentication". All four contain very similar authentication and authorization code. There are four handlers in a typical Hikvision camera firmware that process API requests: ISAPI, PSIA, HikCGI, and Genetec. Other Hikvision products have similarly weak encryption mechanisms. While the files are encrypted, the encryption is easily reversible, because Hikvision chose to use a static encryption key, which is derived from the password "abcdefg". Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or render hundreds of thousands of connected devices permanently unusable with just one simple http call.Īnd worst of all, one can download camera configuration:Ĭonfiguration backup files, unfortunately, contain usernames and plain-text passwords for all configured users. ![]() ![]() Obtain a camera snapshot without authentication:Īll other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Retrieve a list of all users and their roles: Virtually all Hikvision products come with a superuser account named "admin", which can be easily impersonated. The HikCGI protocol handler checks for the presence of a parameter named "auth" in the query string and if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the idntity of the specified user. Hikvision camera API includes support for proprietary HikCGI protocol, which exposes URI endpoints through the camera's web interface. If you do not understand what this paragraph says or not entirely sure that your camera is an export English-language model, do not attempt to upgrade it. Attempting to upload English firmware into such cameras could result in a boot loop that can only be recovered from by flashing original Chinese-language firmware over TFTP. If an update is available for your devlice, you should install it as soon as possible.īe aware that many Hikvision cameras sold online as "Multilanguage" or "English, not upgradeable" are in fact modified Chinese-language (domestic market) cameras. Hikvision released firmware updates for many camera models where backdoor code is removed. Keep in mind that many Hikvision IP cameras come with UPNP enabled by default and can expose themselves to the Internet automatically. Because the vulnerability is trivial to exploit, it is recommended that you immediately upgrade or disconnect all Hikvision products from the Internet or untrusted networks, or at least implement network access control rules that only allow trusted IP addresses to initiate connections to vulnerable devices. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users. ![]() Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. The vulnerability has been present in Hikvision products since at least 2014. Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. Change Mirror Download Access control bypass in Hikvision IP Cameras ![]()
0 Comments
Leave a Reply. |