Rapid7 Labs discovered three vulnerabilities in Hikvision DVRs that an attacker could remotely exploit to take complete control of the device. After Hikvision failed for months to respond to the disclosure, Rapid7 published a Metasploit exploit module. "No authentication is required to exploit this vulnerability and the Metasploit module successfully demonstrates gaining full control of the remote device."
Hikvision DVRs were among the many unsecured security cameras and devices with default passwords, allowing anyone to view the surveillance footage. “Apart from the fact that these devices come with a default administrative account ‘admin’ with password ‘12345’, it also contains several quickly found vulnerabilities that ultimately lead to full remote compromise,” explained Rapid7 Labs security researcher Mark Schloesser. Rapid7 found about 150,000 remotely accessible devices across the public IPv4 address space.
The three flaws, CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880, leave the devices open to denial of service, remote code execution, and remote deletion of surveillance footage. “We did not put together exhaustive statistics on this, but the networks these devices appear in are mostly allocated to dial-up [and] broadband ISPs,” Schloesser told SCMagazine. “The most affected countries are India (21K), China (20K) and Korea (15K), with the U.S. following in fourth place (12K).”
Hikvision, described as a “leader in cutting-edge video surveillance solutions,” recently issued a press release about “custom-tailored innovative Video Management System (VMS) software” that was credited with protecting New York. The release described Hikvision customizing its iVMS-5000 software so the client could “remotely link the NYPD” to private security personnel. But unless that security personnel changes the password from the default (PDF), anyone with an Internet connection could watch the surveillance feed from “8,000 Hikvision cameras in approximately 30 housing complexes spanning all five boroughs of New York City and extending to Omni properties in Boston as well.”
Ironically, Jeffrey He, president of Hikvision USA, claimed that Hikvision's “focus is not merely security products, but total security solutions for the broad variety of vertical markets we serve.” Yet no one from Hikvision replied to Rapid7’s attempts to contact the vendor about vulnerabilities that would let an attacker take full control of the devices remotely.
According to the disclosure timeline, the vendor was first contacted about the flaws on September 15. In October the flaws were reported to the CERT Coordination Center (CERT/CC), and CVE identifiers were then assigned. Rapid7 published the vulnerabilities on November 19.
SANS Institute researcher Johannes Ullrich previously discovered that many Hikvision DVRs were being exploited by "The Moon" worm; the infected devices were part of a botnet and were being used for bitcoin mining and for scanning for Synology disk stations. Ullrich said, “The main exploit vector was the default root password of ‘12345’ which never got changed.”
At the time of the SANS discovery, Hikvision promised to “protect the users’ interests” before the Hikvision Security Response Center condemned “the hacking action which damages the user’s interests taking flaw test as its excuse, including but not limited to the stealing of the user privacy and virtual property, hacking the business system, and maliciously spread the security flaws.” Ummm, no hacking is needed to steal user privacy if the vendor allows the weak default password to remain in use. Yet Hikvision said it “pays great importance on its own security, and has taken the user security as its responsibility since the day it is found.”
Although Rapid7 exploited a Hikvision DS-7204-HVI-SV DVR running firmware V2.2.10 build 131009, Schloesser said “other devices in the same model range are affected too.” And given that Core Security had found multiple other vulnerabilities in Hikvision IP cameras, Rapid7 said “it is likely that all products offering identical features are affected by these issues.”
“In order to mitigate these exposures, until a patch is released,” Rapid7 advised, “Hikvision DVR devices and similar products should not be exposed to the internet without the usual additional protective measures, such as an authenticated proxy, VPN-only access, et cetera.”
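Two things an owner of one of these DVRs would want to verify, given the default ‘admin’/‘12345’ credential above and Rapid7’s advice that the device must not be reachable from the internet: whether the unit's management ports answer from an outside vantage point at all, and, if the web interface does, whether it still accepts the factory default login. The script below is an added example written for this page, not Rapid7’s Metasploit module or any Hikvision code. It assumes the device listens on TCP 80 (web UI), 554 (RTSP) and 8000 (Hikvision SDK), that the web UI answers HTTP Basic or Digest authentication, and that `/` is a page that demands a login; all three are assumptions to adjust for your firmware. Run it from outside your network against the DVR's public address, on a device you own.

```python
"""Exposure and default-credential check for a Hikvision DVR you own.

Added example for this article, not vendor or Rapid7 code.
Assumed (adjust to your unit): listening ports, auth scheme, login path.
"""
import socket
import sys
import urllib.error
import urllib.request

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "12345"   # factory default cited by Rapid7 and SANS
# Assumed typical listening ports; verify against your own device.
DVR_PORTS = {80: "HTTP web UI", 554: "RTSP", 8000: "Hikvision SDK"}
HTTP_PORT = 80
CHECK_PATH = "/"             # assumed: any page that requires a login


def port_open(host, port, timeout=3.0, connect=socket.create_connection):
    """True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out (socket.timeout is an OSError)
        return False


def classify_status(status):
    """Verdict for the HTTP status of an authenticated request:
    True  = default credential accepted
    False = rejected (401/403)
    None  = inconclusive (redirect, 404, server error, ...)"""
    if 200 <= status < 300:
        return True
    if status in (401, 403):
        return False
    return None


def default_credential_accepted(url, timeout=5.0):
    """Try admin:12345 against url, answering either Basic or Digest challenges."""
    pm = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pm.add_password(None, url, DEFAULT_USER, DEFAULT_PASSWORD)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(pm),
        urllib.request.HTTPDigestAuthHandler(pm),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:     # subclass of URLError, so catch it first
        return classify_status(err.code)
    except (urllib.error.URLError, OSError):  # DNS failure, refused, timeout
        return None


def assess(host, ports=DVR_PORTS, reachable=port_open, cred_check=None):
    """Return a list of findings for host. The check callables are
    injectable so the logic can be exercised without a real device."""
    if cred_check is None:
        cred_check = lambda h, p: default_credential_accepted(f"http://{h}:{p}{CHECK_PATH}")
    findings = []
    exposed = [p for p in ports if reachable(host, p)]
    if not exposed:
        return ["OK: no management ports reachable from this vantage point"]
    for p in exposed:
        findings.append(f"EXPOSED: {ports[p]} on tcp/{p} reachable from this vantage point")
    if HTTP_PORT in exposed:
        verdict = cred_check(host, HTTP_PORT)
        if verdict is True:
            findings.append(f"DEFAULT CREDENTIAL: {DEFAULT_USER}:{DEFAULT_PASSWORD} accepted on tcp/{HTTP_PORT}")
        elif verdict is False:
            findings.append("default credential rejected (still firewall the device)")
        else:
            findings.append("default credential check inconclusive; inspect the web UI manually")
    return findings


if __name__ == "__main__":
    for line in assess(sys.argv[1]):
        print(line)
```

An "EXPOSED" line for any port is already a failing result under Rapid7's guidance, whatever the credential check says: a patched credential does nothing for the unauthenticated code-execution path. Firmware that only offers a form-based login rather than Basic or Digest will return a 200 for the login page itself; in that case treat the credential verdict as inconclusive and confirm by hand.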
After Rapid7’s disclosure of more ways to exploit Hikvision, Ullrich said:
At this point, device manufacturers just "don't get it". The vulnerabilities found in devices like the Hikvision DVRs are reminiscent of 90s operating system and server vulnerabilities. Note that many devices are sold under various brand names and Hikvision may not be the only vulnerable brand.
Put another way on the Internet Storm Center StormCast, “Hikvision: Broken and Dangerous DVRs don't keep you safe.”