Hikvision patched a critical flaw that allowed attackers to access and manipulate cameras and DVRs, as well as hijack accounts.

For a long time, just hearing “Hikvision” would make me shudder; mostly that was because people using the security cameras failed to change the default credentials of admin and 12345, meaning they were unknowingly live streaming to anyone who knew where to look. Although Hikvision introduced the Hik-Connect cloud service in January 2017, that didn’t do away with all the security problems. In May 2017, ICS-CERT issued an advisory for remotely exploitable vulnerabilities in Hikvision cameras that required only a “low skill level to exploit.” Later that same year, after details about exploiting Hikvision IP cameras were posted on Full Disclosure, some owners saw “HACKED” on camera displays instead of the live video feed they had expected.

Well, here we are again with a critical bug related to Hikvision being posted on the Full Disclosure mailing list. Vangelis Stykas published the full writeup, titled “I spy with my little eye… #hakvision,” on Medium. This time the authentication flaw was centered on Hikvision’s hik-connect.com. If exploited, it would allow attackers to access, manipulate and hijack other users’ devices.

It all started after Stykas saw a tweet on a really slow Friday. When he started playing around with his Hikvision DVR, it required a firmware update, which introduced the Hik-Connect cloud service to “help you access your camera without port forwarding on your router.” After hunting for a bug, Stykas and fellow tinkerer George Lavdanis ultimately discovered there was no validation on cookie values. Since they didn’t find an easy way to obtain other users’ IDs from hik-vision.com, they turned to Ezviz.

So what is Ezviz?
According to the about page, it “is the consumer and residential-focused subsidiary of Hikvision, the world’s largest manufacturer of video surveillance solutions. Ezviz builds upon Hikvision’s expertise and knowledge to bring robust, commercial-quality video products to consumers and the smart-home market.”

They discovered that one of the features on Ezviz allowed them to “mark a user as a friend with no interaction needed by the other user just by knowing the email or phone that the other user used upon registration.” After “friending” someone without their knowledge or acceptance, they could get the user ID they were after. Stykas wrote, “So now we can login as any user as long as we have his email, phone number or username (endpoint was also returning data for username although there was no UI for it) and impersonate him.”

How the Hikvision bug can be exploited

Poking around to learn what could be done with Hik-Connect and Ezviz, they determined the bug could be exploited to:

See devices of the users, live video and playback from the device.
Change the user’s email, phone number and password to effectively lock them out of their device.
Take over the user’s account after resetting their password. After that, even if the user tried factory resetting their device, it would not be “unbound” from the attacker’s account without contacting Hikvision.
Stykas added, “If we change the password we can use the devices menu on the Hik-connect android app and manage the device (update firmware and brick it or do whatever we want) without any password given.”

A stealthier option for an attacker is to add a share on their own account, so the victim would be clueless that someone else was also watching what happened on their devices.

In the end, they weren’t really sure how many cameras had been registered; there are over 1 million Hik-Connect installs on Google Play, and who knows how many from Apple’s App Store. Stykas tweeted:

“Because I keep getting this question WE HAVE NO IDEA how many cameras are registered. We can only tell that both android apps have over a million installs. Also we have no way of knowing if this was hijacking of intended (admin or backdoor) behavior or a bug…” — Vangelis tix Stykas (@evstykas) April 24, 2018

Hikvision releases a fix

If you are looking for a bit of a bright side, it would be found in Hikvision’s response.

“Companies with proper security disclosure procedures that answer at Friday night in less than an hour. It seems that we are getting there folks…” — Vangelis tix Stykas (@evstykas) April 20, 2018

The vulnerability report was sent on Saturday, and Hikvision released a fix on Tuesday, April 24.

Stykas listed the following under postmortem:

If you are a developer never EVER trust anything from the users. Filter, check and sanitize external input.
If you are an end user, try to keep your devices updated and limit your IoT devices via network segmentation. This vulnerability is a nice example of how a service that was developed to help towards extra security (no port forwarding and no IoT exposed on internet) backfired spectacularly.
We don’t know of any way to protect against this kind of attack other than use only products from well-known vendors (which may also have issues of course but would have better monitoring and will respond -and not ignore everything like trackmageddon vendors-) or not use those devices at all.
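The root cause reported above (a user ID read straight from a cookie with no validation) and the postmortem advice never to trust user-supplied input can be illustrated with the following added Python example. It is not code from the article, from Stykas, or from Hikvision, and it makes no claim about how Hik-Connect is actually implemented. It shows a constructed device-listing handler that trusts a client-supplied userId cookie, beside a hardened version that issues and verifies an HMAC-signed session cookie so a caller cannot simply substitute another account's ID. SECRET_KEY, the USERS table and every function name are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a real service loads this from a secret store
# and never regenerates it per process.
SECRET_KEY = secrets.token_bytes(32)

# Constructed sample account table: user id -> account record
USERS = {
    "1001": {"email": "alice@example.invalid", "devices": ["dvr-alice"]},
    "1002": {"email": "bob@example.invalid", "devices": ["cam-bob"]},
}


def vulnerable_devices_for(cookies):
    """The weak pattern: the server treats a client-controlled userId cookie
    as proof of identity, so any caller can name any account."""
    user_id = cookies.get("userId")
    user = USERS.get(user_id)
    return user["devices"] if user else None


def issue_session(user_id):
    """Hardened: after a real login, issue a cookie bound to the user id by an
    HMAC over (user_id, random nonce). Only the server holds SECRET_KEY, so a
    client cannot mint a valid cookie for a different id."""
    nonce = secrets.token_hex(16)
    msg = f"{user_id}:{nonce}".encode()
    tag = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{nonce}:{tag}"


def verify_session(cookie_value):
    """Return the authenticated user id, or None if the cookie is malformed,
    tampered with, or names an unknown account."""
    try:
        user_id, nonce, tag = cookie_value.split(":")
    except ValueError:
        return None  # wrong shape: treat as unauthenticated, never "guess"
    msg = f"{user_id}:{nonce}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # constant-time comparison so timing does not leak partial matches
    if not hmac.compare_digest(expected, tag):
        return None
    return user_id if user_id in USERS else None


def hardened_devices_for(cookies):
    """Same endpoint, but identity comes only from a verified session cookie."""
    user_id = verify_session(cookies.get("session", ""))
    if user_id is None:
        return None
    return USERS[user_id]["devices"]


if __name__ == "__main__":
    # Weak version: whoever sets userId=1002 sees Bob's devices.
    print("weak  :", vulnerable_devices_for({"userId": "1002"}))
    # Hardened version: a cookie issued for Alice works, a copy with the id
    # changed to Bob's does not.
    alice = issue_session("1001")
    print("alice :", hardened_devices_for({"session": alice}))
    forged = "1002" + alice[4:]
    print("forged:", hardened_devices_for({"session": forged}))
```

The hardened handler still has a single point of failure, the secret key, so the design note that matters operationally is that the key lives in a secret store, is rotated, and that rejected sessions (the None branches) are logged and rate-limited so that a wave of forged or malformed cookies shows up in monitoring rather than silently failing.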