
Hikvision Has "Highest Level of Critical Vulnerability," Impacting 100+ Million Devices

2024-06-03 13:33 | Source: compiled from the web | Views: 265

Hikvision has admitted a CVSS 9.8 vulnerability that is "the highest level of critical vulnerability—a zero-click unauthenticated remote code execution," per the researcher, Watchful_IP, who discovered it. IPVM estimates it impacts 100+ million devices.

While Watchful_IP assessed this is "definitely NOT" a "Chinese Government-mandated backdoor," Hikvision, created and controlled by the PRC government, poses great risk to users around the world, as its government backing has driven it to become the most widely used video surveillance manufacturer globally.

Cybersecurity concerns are a long-standing issue for Hikvision: for example, it was banned from US federal procurement by the 2019 NDAA, and the US government is planning to ban FCC authorizations for Hikvision, so this admission comes at a critical time for the company.

How It Works

The researcher describes it as simple to exploit:

Only access to the http(s) server port (typically 80/443) is needed. No username or password is needed, nor do any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.

Neither Hikvision nor the researcher is releasing a full Proof of Concept, but Hikvision describes it as the result of "send[ing] a specially crafted message".

A CVE has been reserved (CVE-2021-36260), but no details have been published yet. [Update 9/22/2021: the CVE entry has been filled in]


PRC Government Has Had Vulnerability Information For Weeks

The PRC government has had this vulnerability information because, since September 1, all PRC companies are mandated by PRC law to report vulnerabilities to the government (CORRECTION: this post initially said the government had the information for "months"; however, the PRC law went into effect September 1, 2021):

The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days

Watchful_IP says that Hikvision confirmed reproducing the vulnerability on June 23, 2021, so even assuming the PRC government did not have this for years, the PRC government has had it for weeks at least.

This is a powerful way for adversaries, including the PRC government, to access networks around the world that would be undetectable by the Hikvision device's own logging.

Update: Bashis Has Found And Reproduced It On His Own

Bashis has found the vulnerability on his own and reproduced it. Bashis is the cybersecurity researcher who discovered numerous Dahua and other video surveillance manufacturer vulnerabilities. The fact that he was able to figure it out so quickly indicates that other experts, including governments and black hat hackers, will likely be able to do so as well. Bashis is not releasing the details.

Root Access to Attack Internal Devices or DDoS

This vulnerability provides total control of the underlying 'computer' in these devices with unrestricted root shell access, per Watchful_IP:

This permits an attacker to gain full control of the device with an unrestricted root shell, which is far more access than even the owner of the device has, as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.

This means, as the researcher called out, that the vulnerability can be used to "access and attack" internal networks as well as launch denial of service attacks across the Internet.

Vast Array of Models Impacted


The vulnerability affects a vast array of Hikvision devices, hundreds of models, primarily cameras, with Hikvision listing 80+ groupings. The total number of models, though, is far greater. For example, three of the groupings are the broadly used DS-2CVxxx1, DS-2CVxxx5 and DS-2CVxxx6 series (screencap attached), which alone cover hundreds of models. Additionally, Hiwatch generally is impacted (e.g., HWI-xxxx), as are many, many others. Review the list of impacted models.

Firmware to Fix Available

For models that Hikvision has confirmed to be impacted, new firmware to fix the vulnerability is available.

OEMs Impacted


Because Hikvision has OEMed so widely (see the Hikvision OEM Directory), this will impact dozens or perhaps hundreds of brands around the world.

Worse, Hikvision OEM partners often try to hide their relationship with Hikvision, so many OEMs will not acknowledge this and many buyers will never realize they are affected.

100+ Million Devices

We estimate 100+ million devices globally are impacted by this vulnerability, making it, by far, the biggest vulnerability to ever hit video surveillance. The combination of its critical nature (9.8 / "zero-click unauthenticated remote code execution") and Hikvision's massive market size makes this risk unprecedented.

For background, back in 2016, Hikvision said they manufactured "more than 55M cameras" and the annual output has grown substantially since. Hikvision has therefore shipped a few hundred million cameras and tens of millions of recorders during the time frame the vulnerability covers.

2017 Hikvision Backdoor Comparison

This is the worst Hikvision vulnerability since Hikvision's backdoor was discovered in 2017, in which Hikvision included a magic (ostensibly secret) string that allowed anyone with that string to perform admin operations without having the device's admin credentials.

Dahua 2021 Comparison

Just a few weeks ago, Dahua disclosed its own new critical vulnerabilities. However, Hikvision's vulnerability is worse, as the new Dahua ones 'just' allow admin access, while Hikvision's gives complete root access.

Hikvision CSO "Debunks"

Just three days before Hikvision admitted this critical vulnerability, Hikvision's EMEA CSO posted a blog post about why vulnerabilities are not the same as backdoors.

Port Forwarding Still Recommended

Hikvision's cybersecurity "Best Practices" document continues to recommend using port forwarding, which puts those devices at the highest risk of being hacked.

This "best practice" was written after Hikvision's 2017 backdoor was discovered and widely exploited and is still the head "best practice" on Hikvision's site today.

In it, while Hikvision warns about the risks of port forwarding, they tell users that if they want 'quick and steady' remote access to their Hikvision devices (and most do), they "may have to choose" port forwarding:

If P2P or VPN solutions fail to meet the needs of users, who want to have a quick and steady access to the specified port service of the device through the Internet, users may have to choose the traditional 'port forwarding' scheme.

IPVM has long warned about Hikvision's tactics here, e.g., Hikvision Hardening Guide Recommends Port Forwarding and P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding.

Don't Expose, Says Watchful_IP

Watchful_IP, contrary to Hikvision and in line with actual cybersecurity professionals, recommends not to port forward, saying:

I’d recommend you do not expose any IoT device to the Internet no matter who it is made by

Unfortunately, so many Hikvision users do so because Hikvision continues to recommend doing it for "quick and steady access" to their devices.
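Two points above combine into a practical defensive consequence: the researcher states that exploitation needs only the http(s) port and leaves no trace in the camera's own logs, and Hikvision's guidance steers users toward exposing that port via port forwarding. The device therefore cannot be the place where exposure is detected; the perimeter firewall's accept logs can be. The following Python script is an added example, not code from IPVM, Hikvision or the researcher. It assumes a constructed key=value firewall log format, a constructed camera inventory and a constructed definition of "internal" (the RFC 1918 ranges), and reports every camera that accepted a connection on port 80 or 443 from an address outside those ranges, i.e. the exposure the article warns about.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed policy (assumption, not from the article): these ranges are "inside" the site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory of camera/recorder addresses at a hypothetical site.
CAMERA_HOSTS = {"192.168.1.50", "192.168.1.51", "10.0.5.20"}

# The exposure surface named in the article: the device's http(s) server ports.
WATCHED_PORTS = {80, 443}

# Constructed log format (not any real vendor's): timestamp, host, then key=value fields.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dpt=(?P<dpt>\d+)\s+action=(?P<action>\S+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2021-09-19T02:11:04Z fw src=192.168.1.10 dst=192.168.1.50 proto=tcp dpt=80 action=ACCEPT
2021-09-19T02:11:09Z fw src=198.51.100.23 dst=192.168.1.50 proto=tcp dpt=80 action=ACCEPT
2021-09-19T02:11:15Z fw src=203.0.113.7 dst=10.0.5.20 proto=tcp dpt=443 action=ACCEPT
2021-09-19T02:11:20Z fw src=203.0.113.7 dst=192.168.1.51 proto=tcp dpt=80 action=DROP
2021-09-19T02:11:31Z fw src=198.51.100.23 dst=192.168.1.200 proto=tcp dpt=22 action=ACCEPT
"""


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    match = LOG_RE.search(line)
    if not match:
        return None
    fields = match.groupdict()
    fields["dpt"] = int(fields["dpt"])
    return fields


def exposed_camera_hits(log_text):
    """List (camera, external source, port) for every accepted inbound connection
    to an inventoried camera on a watched port from outside the internal ranges.
    Dropped connections and non-camera destinations are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dst"] not in CAMERA_HOSTS or rec["dpt"] not in WATCHED_PORTS:
            continue
        if is_internal(rec["src"]):
            continue
        hits.append((rec["dst"], rec["src"], rec["dpt"]))
    return hits


def summarize(hits):
    """Group the external sources seen per exposed camera, sorted for stable output."""
    by_camera = defaultdict(set)
    for camera, src, _port in hits:
        by_camera[camera].add(src)
    return {camera: sorted(srcs) for camera, srcs in by_camera.items()}


if __name__ == "__main__":
    exposed = summarize(exposed_camera_hits(SAMPLE_LOG))
    for camera, sources in exposed.items():
        print(f"{camera} reachable from outside on http(s) from: {', '.join(sources)}")
```

Any camera the script names is one for which the device's own logs would show nothing even under the attack described, so the remedy is on the network side: remove the port forward and reach the device through a VPN or another access path, as the researcher recommends.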

FCC Risk

This will hurt Hikvision's and its 90+ partners' petitions to the US government claiming that Hikvision is not a security threat. Beyond the threat of being a PRC-government-controlled entity, this new massive vulnerability will raise fresh concerns about Hikvision's (lack of) security.

GDPR Risk

Hikvision's EMEA CSO, in last week's blog post, argued that end-users, not manufacturers, are responsible under GDPR:

the end-users who buy these cameras are responsible for the data/video footage they generate. They are, in other words, the data custodians who process the data and are in control of the video footage, which is required to be kept private by law (under the GDPR). Secret access to video footage on these devices is impossible without the consent of the end-user.

The final line is simply factually false because, as Hikvision's newest vulnerability reveals, secret access to Hikvision devices is quite possible, either by intent or failure of Hikvision's R&D, compounded by Hikvision's continued recommended use of port forwarding.

Failure for Hikvision

This critical vulnerability, discovered by an independent researcher, is a failure for Hikvision. The massive company, which reports nearly $10 billion USD annual revenue and claims 20,000 R&D engineers, has faced incredible scrutiny for years over its cybersecurity and either chose to allow or could not find this vulnerability that a single researcher found.

Given that Hikvision buried this disclosure over a weekend, Hikvision likely hopes the public will ignore this. How this impacts the company's global scrutiny remains to be seen.
