Posted on October 2, 2017 at 9:57 AM
A backdoor in Hikvision security cameras was recently exploited which led to compromised devices displaying the term HACKED.
Owners of Hikvision security cameras recently noticed an alarming change in the display of the camera. There was a sudden change in the live feed display where the usual footage was replaced with the word HACKED.
While some camera models managed to escape this latest attack, affected owners could experience some damage due to the recently discovered backdoor in the device.
In May earlier this year, the Department of Homeland Security’s ICS-CERT published a warning to all Hikvision owners. The warning addressed the presence of vulnerabilities that could be exploited remotely. The vulnerabilities that the ICS-CERT found did not require a high level of skill on the part of the hacker, and when hacked, it would give the attacker high-level privileges. Exploiting these vulnerabilities could also enable the hacker to impersonate the authentic user and allow them to steal sensitive information.
It appears that since this warning, hackers have managed to gain access to certain models of the Hikvision cameras. Hacked models display the word HACKED where the live footage would usually be.
The backdoor used to hack Hikvision devices was noticed by several people before, including a security researcher with the alias of Monte Crypto. In September, Monte Crypto posted access control bypass in IP cameras from Hikvision on a Full Disclosure mailing list.
Monte Crypto then warned users that most Hikvision devices have a backdoor that can easily allow a malicious attack to impersonate the authentic user to gain access to the device.
According to a post by Monte Crypto, the vulnerability poses a severe risk to users and is easy to exploit. Currently, thousands of cameras are at risk.
In Monte Crypto’s post on Full Disclosure, he explained the vulnerability. In all Hikvision devices, there is a superuser admin account. The superuser account gives information regarding issues such as how to retrieve users and roles, how to download camera configuration, as well as how to get certain camera snapshots without needing authentication.
According to Monte Crypto, these vulnerabilities have been present since 2014.
Several Hikvision users took to social media and online platforms to raise questions about their hacked devices. A Reddit user “wolfblitzer69” posted an image of where the live footage was replaced with the display word HACKED.
Research has discovered that this hack extends beyond Hikvision cameras. This backdoor was also present in several “white labeled camera products”.
There are bound to be several negative repercussions of this attack, especially considering that the attack tampered with security instruments. According to Monte Crypto, a hacker can easily gain full administrative access by exploiting the vulnerability, as well as being able to retrieve plain-text passwords for configured users. Hacked users may have some difficulty in rectifying the damage. According to Monte Crypto, it will take much more than merely changing weak passwords.
Affected users have been advised to disconnect the device from the internet or untrusted networks. Users can also implement more network access control precautions, such as only allowing the trusted IP address to make connections to vulnerable devices.
All Hikvision IP cameras are equipped with the UPnP function, meaning that devices automatically get connected to the internet. Hikvision has addressed the backdoor problem by releasing firmware updates for several of their camera models. This update will effectively remove all backdoors.