Back in September, Hikvision discovered a vulnerability in its cameras and provided an update to fix it. An investigation has now shown that at least 80,000 cameras have yet to be upgraded, providing entry points for attacks.
Command injection vulnerability in the web interface
The vulnerability discovered is a command injection flaw in the camera's web interface. Attackers can use it to execute arbitrary commands on the device and thereby gain access to camera recordings. At least two exploits for the vulnerability are publicly available on the Internet.
Hikvision reacted quickly after the vulnerability became known and published a list of affected models. The company also explained the nature of the vulnerability and eventually released a firmware update that closes it.
However, Cyfirma has now found that many users have not yet applied the firmware update. The security firm examined a sample of 285,000 devices that can be reached online; 80,000 of them are still vulnerable. If the sample is representative, this means that about 28 percent of Hikvision cameras can still be compromised with little effort.
The 80,000 affected cameras are deployed in more than 2,300 facilities in different countries. Most of the cameras are located in China, followed by the United States, Vietnam, the United Kingdom, Ukraine, Thailand, South Africa, France and the Netherlands.
Cyfirma warns of attacks
In connection with the investigation, Cyfirma specifically warned about attacks originating from China and Russia. In this context, the company also noted that access to several leaked cameras is being offered for sale on Russian forums. Cyfirma further warned that access to cameras could also be used to pursue geopolitical goals.
Administrators are strongly advised to update their cameras to the latest firmware. In addition, it is recommended to move IoT devices such as cameras to a separate network, or to isolate them behind a firewall, so that a successful attack on one device does not endanger the rest of the network.
The case shows once again that CCTV deployed to increase security can sometimes achieve the exact opposite. Besides a lack of maintenance and security weaknesses, the companies behind the cameras are themselves a risk in some cases; for example, it recently became known that Amazon cameras were transmitting data to the police without consent.
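One way to implement the isolation recommended above is to put the cameras on their own VLAN and let only the recorder and an administration host reach them, while the cameras themselves cannot initiate connections to the office LAN or the Internet. The nftables ruleset below is an added example and is not part of the original article or of any Hikvision or Cyfirma material; the interface names (vlan30, eth0, eth1) and the addresses (192.0.2.0/24 for the camera VLAN, 10.0.0.10 for the recorder, 10.0.0.20 for the admin host) are constructed placeholders that must be replaced with the values of the actual network.

```nftables
#!/usr/sbin/nft -f
# Added example: segment IP cameras on their own VLAN behind a Linux firewall.
# All interface names and addresses below are assumptions for illustration.
flush ruleset

define CAM_IF  = "vlan30"        # assumed: VLAN interface carrying the cameras
define LAN_IF  = "eth0"          # assumed: office LAN
define WAN_IF  = "eth1"          # assumed: uplink to the Internet
define CAM_NET = 192.0.2.0/24    # constructed: camera subnet (documentation range)
define NVR     = 10.0.0.10       # constructed: video recorder on the office LAN
define ADMIN   = 10.0.0.20       # constructed: admin workstation on the office LAN

table inet cam_isolation {
    chain forward {
        # Default deny: a camera that is compromised through its web interface
        # cannot pivot into the office LAN or call out to the Internet.
        type filter hook forward priority 0; policy drop;

        # Stateful handling: replies to flows permitted below are allowed.
        ct state established,related accept
        ct state invalid drop

        # The recorder may pull video over RTSP from any camera.
        iifname $LAN_IF oifname $CAM_IF ip saddr $NVR ip daddr $CAM_NET tcp dport 554 accept

        # Only the admin host may reach the camera web interface (for firmware updates).
        iifname $LAN_IF oifname $CAM_IF ip saddr $ADMIN ip daddr $CAM_NET tcp dport { 80, 443 } accept

        # Cameras may sync time with an external NTP server, nothing else outbound.
        iifname $CAM_IF oifname $WAN_IF ip saddr $CAM_NET udp dport 123 accept

        # Any other connection a camera initiates is logged and dropped.
        # These log lines are the detection signal: a camera trying to reach the
        # LAN or the Internet on its own is a strong indicator of compromise.
        iifname $CAM_IF ip saddr $CAM_NET log prefix "cam-egress-drop: " drop

        # Nothing from the Internet reaches a camera directly; remote viewing
        # should go through a VPN or the recorder instead of exposing the camera.
        iifname $WAN_IF oifname $CAM_IF log prefix "cam-ingress-drop: " drop
    }
}
```

Load the ruleset with `nft -f /etc/nftables.conf` and watch the kernel log for the two prefixes: a burst of "cam-egress-drop" entries for a single camera is the kind of event that should trigger a firmware check of that device. The ruleset deliberately leaves the camera web interface reachable only from the admin host, since that interface is where the command injection described in the article lives.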