Tens of thousands of internet-connected IP cameras from China-based Hikvision remain unpatched and exploitable despite the release of a fix for a critical security flaw almost a year ago.
Cyfirma researchers recently published a report [PDF] claiming they found more than 80,000 of the cameras online in more than 100 countries, with ports open and no protection against CVE-2021-36260, a command injection vulnerability that can be exploited by anyone with HTTP access to TCP ports 80 or 443 of an affected camera.
The Hikvision bug was rated as serious with a CVSS score of 9.8 out of 10, and was deemed serious enough by the US Cybersecurity and Infrastructure Security Agency (CISA) to be added to its list of “must patch” vulnerabilities earlier this year, with the agency noting that the vulnerability is already being exploited.
So we have thousands of publicly-facing devices – home cameras no less – that can easily be exploited to gain control over them, and that have been exploited, presumably to squeeze them into botnets, launch attacks on other networks, spy on owners, and so on.
In a report last December, researchers from Fortinet said that the Hikvision vulnerability was attacked by “numerous payloads”, including variants of the Mirai botnet.
Cyfirma said it also discovered several instances of criminals collaborating online to exploit the Hikvision vulnerability. “We have reason to believe that Chinese threat groups like MISSION2025/APT41, APT10 and their subsidiaries, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices,” Cyfirma said.
Given how easy the flaw is to exploit, how long it has been publicly known, and how widely it has been discussed, it is safe to assume that unpatched Hikvision cameras are already compromised.
Patches for affected Hikvision devices, of which there are more than 70 models, are available on the manufacturer’s website, where Hikvision urges its distributors to “work with your customers to ensure proper cyber hygiene and install the updated firmware.”
In terms of where most of the affected devices are located, Cyfirma said most were found in China, followed by the US, Vietnam, the UK and Ukraine.
“Open vulnerabilities and ports in such devices will only increase the impact on affected organizations and the economic and governmental performance of their countries. It is of paramount importance to patch the vulnerable software of Hikvision camera products to the latest version,” said Cyfirma.
This isn’t Hikvision’s first exposure to bad publicity in recent years. In 2019, the US put the company on a denial-of-trade list for allegedly helping the Chinese government repress Uyghur Muslims in the country by supplying surveillance cameras.
Since then, America has also considered a broader ban on Hikvision by restricting US investments in the company and freezing its US-held assets.
Similar discussions are taking place in the UK, where in July several lawmakers backed a campaign to prohibit the sale or use of Hikvision or Dahua cameras for the same human rights-based reasons as the US. ®
https://www.theregister.com/2022/08/24/hikvision_camera_patch/ 80,000 Hikvision Cameras Still Vulnerable to Critical Error • The Register