Back in September, Hikvision discovered a security vulnerability in its cameras and provided an update to fix it. A recent investigation shows that at least 80,000 cameras have yet to be updated, leaving them as entry points for attacks.
Command injection vulnerability in web interface
The vulnerability found is a command injection vulnerability in the camera’s web interface. Attackers can use this to execute arbitrary commands – and thus gain access to the cameras’ recordings. At least two exploits for the vulnerability are publicly available on the Internet.
Hikvision reacted quickly once the vulnerability became known and published a list of affected models. The company also explained the nature of the vulnerability and eventually provided a firmware update that closes it.
However, Cyfirma has now found that numerous users have not installed the firmware update so far. The security company examined a sample of 285,000 devices that are reachable from the Internet; 80,000 of them still had the vulnerability. If the sample is representative, about 28 percent of Hikvision cameras remain easily exploitable.
The 80,000 affected cameras are spread across more than 2,300 facilities in different countries. Most of the cameras are located in China, followed by the U.S., Vietnam, UK, Ukraine, Thailand, South Africa, France and the Netherlands.
Cyfirma warns of attacks
In connection with the investigation, Cyfirma warned in particular of attacks originating from China and Russia. The company also pointed out that numerous sets of leaked access credentials for the cameras were being offered for sale on Russian forums. Access to the cameras, Cyfirma further warned, could also be used to pursue geopolitical goals.
Operators are strongly advised to update their cameras to the latest firmware. They are also advised to place IoT devices such as these cameras on a separate network, or to isolate them behind a firewall, so that a successful attack on one device does not compromise the rest of the network.
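As an added illustration of the isolation advice above (this is an example ruleset, not from the article, Cyfirma or Hikvision), the following nftables configuration puts the cameras on their own VLAN and allows only a single recorder host to reach them, while blocking the cameras from initiating any connection to the office LAN or the Internet. The interface names, address ranges and recorder address are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article): isolating a camera VLAN with nftables.
# Assumed layout: cameras on interface "vlan20" in 10.20.0.0/24,
# office LAN on "lan0" in 10.10.0.0/24, uplink on "wan0",
# and a video recorder at 10.10.0.5 that legitimately talks to the cameras.

flush ruleset

table inet camera_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed below.
        ct state established,related accept

        # Normal office traffic to the Internet is unaffected.
        iifname "lan0" oifname "wan0" accept

        # Only the recorder may open connections to the camera VLAN.
        iifname "lan0" oifname "vlan20" ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 accept

        # Cameras must never initiate traffic towards the LAN or the Internet;
        # log such attempts, since a compromised camera will try exactly that.
        iifname "vlan20" oifname { "lan0", "wan0" } log prefix "camera-egress-blocked: " drop
    }
}
```

Load the file with `nft -f <file>` and confirm the result with `nft list ruleset`. Because the forward chain's default policy is drop, anything not explicitly listed (including the cameras' web interface reached from ordinary workstations) is blocked; add narrowly scoped exceptions such as an internal NTP server only where a device actually requires them, and watch the kernel log for the `camera-egress-blocked:` prefix as a cheap indicator that a camera is behaving unexpectedly.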
The case shows once again that surveillance cameras deployed with the aim of increasing security can sometimes achieve the exact opposite. In addition to a lack of maintenance and security vulnerabilities, the companies behind the cameras also pose a risk in some cases; for example, it recently became known that Amazon’s cameras were passing on data to the police without consent.