Security cameras show 'HACKED' instead of live feed video

Details about an access control bypass in Hikvision IP cameras were posted on Full Disclosure; now some owners are seeing HACKED on camera displays instead of live feed imagery.


HACKED — That is what is shown on all camera displays instead of live feed video for some Hikvision security camera owners. If it happened to you, then say hello to the backdoor in your security camera.

It’s not just happening to Hikvision-branded IP cameras either, as the backdoor is in “many white-labeled camera products sold under a variety of brand names.”

Apparently, enough time has passed for attackers to get into the game. On Sept. 12, security researcher “Monte Crypto” posted the access control bypass in Hikvision IP cameras on the Full Disclosure mailing list.

“Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account,” Monte Crypto warned. “The vulnerability poses a severe risk [and] is trivial to exploit.”

A photo example of “HACKED” replacing the cameras’ live video feed was posted by Reddit user wolfblitzer69. Yet a little searching proves he is far from the only one.

The first thing a person trying to help would likely suggest is to change the default or weak password, but that won’t fix the problem this time. Monte Crypto explained, “In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.”

Back in May, the Department of Homeland Security’s ICS-CERT issued an advisory about remotely exploitable vulnerabilities in Hikvision cameras; these were not flaws that required an uber hacker, as it took a “low skill level to exploit.”

Five months ago, ICS-CERT warned, “Successful exploitation of these vulnerabilities could lead to a malicious attacker escalating his or her privileges or assuming the identity of an authenticated user and obtaining sensitive data.”

Nevertheless, when Monte Crypto released the full disclosure he/she said, “Hundreds of thousands of vulnerable devices are still exposed to the internet at the time of publishing.”

Hacked cam? Consider unplugging that puppy from the internet. Monte Crypto recommended that you:

Immediately upgrade or disconnect all Hikvision products from the internet or untrusted networks, or at least implement network access control rules that only allow trusted IP addresses to initiate connections to vulnerable devices. Keep in mind that many Hikvision IP cameras come with UPNP enabled by default and can expose themselves to the internet automatically. Hikvision released firmware updates for many camera models where backdoor code is removed. If an update is available for your device, you should install it as soon as possible.
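
One way to check for the exposure described in the recommendation above, as an added example that is not from the article or from Monte Crypto's disclosure: it audits a router's UPnP port-mapping list for forwards that reach a camera from any source or from a source outside an allow-list. The sample lines, camera addresses and trusted network are constructed, and the line layout assumes the listing printed by miniupnpc's `upnpc -l`.

```python
import ipaddress
import re

# Constructed sample, assumed to follow the `upnpc -l` layout:
# index, protocol, extPort->intIP:intPort, 'description', 'remoteHost', lease
SAMPLE_MAPPINGS = """\
 0 TCP  8000->192.168.1.64:8000  'camera sdk' '' 0
 1 TCP   554->192.168.1.64:554   'camera rtsp' '203.0.113.10' 0
 2 TCP    80->192.168.1.65:80    'camera web' '198.51.100.7' 0
 3 UDP 51413->192.168.1.20:51413 'desktop app' '' 0
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<ip>[\d.]+):(?P<port>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'"
)

def audit_mappings(text, camera_ips, trusted_nets):
    """Return (ext_port, camera_ip, reason) for every mapping that lets a
    source outside the trusted allow-list reach a camera."""
    cameras = {ipaddress.ip_address(ip) for ip in camera_ips}
    trusted = [ipaddress.ip_network(net) for net in trusted_nets]
    findings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # header or unrelated line
        target = ipaddress.ip_address(m["ip"])
        if target not in cameras:
            continue  # forward does not point at a camera
        remote = m["remote"]
        if remote in ("", "*"):
            reason = "any source allowed"
        else:
            try:
                src = ipaddress.ip_address(remote)
            except ValueError:
                src = None  # hostname or malformed value: treat as untrusted
            if src is not None and any(src in net for net in trusted):
                continue  # restricted to an allow-listed source
            reason = f"untrusted source {remote}"
        findings.append((int(m["ext"]), str(target), reason))
    return findings

if __name__ == "__main__":
    cams = ["192.168.1.64", "192.168.1.65"]  # constructed camera addresses
    for finding in audit_mappings(SAMPLE_MAPPINGS, cams, ["203.0.113.0/24"]):
        print(finding)
```

Any finding means the camera is reachable from outside the allow-list; the mapping should be removed and UPnP disabled on the camera or the router.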

Firmware may brick some cameras: Brick fix

Regarding the firmware update, Monte Crypto warned:

Be aware that many Hikvision cameras sold online as “Multilanguage” or “English, not upgradeable” are in fact modified Chinese-language (domestic market) cameras. Attempting to upload English firmware into such cameras could result in a boot loop that can only be recovered from by flashing original Chinese-language firmware over TFTP. If you do not understand what this paragraph says or [are] not entirely sure that your camera is an export English-language model, do not attempt to upgrade it.

While the full disclosure is new, the vulnerabilities in Hikvision cameras are not. Monte Crypto notified Hikvision in March. Six days later, Hikvision published a vulnerability notice and started putting out new firmware updates.

Put another way: After some individuals tried to update the firmware and found out they could not, IP Cam Talk user alastairstevenson explained that Hikvision “implemented a ‘downgrade block’ to stop users fixing their cameras by installing older, working firmware. You can, however, fix this, after quite a lot of reading, by using the 'brick-fix tool' from here: Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.”

Hikvision vulnerability details

The full disclosure vulnerability notice includes details about a superuser admin account in all Hikvision products, an example of how to retrieve users and roles, how to obtain a camera snapshot without authentication, as well as how to download the camera configuration.

IPVM published a Hikvision backdoor exploit demo video.

Monte Crypto pointed out that “the vulnerability has been present in Hikvision products since at least 2014.” It is up to you to decide if it was a “planted backdoor or accidental bug.”
