Hikvision: Chinese Surveillance Camera Vulnerability Exposes Zero-Click Network Compromise

By Anthony Eich on September 30, 2021

Executive Summary

A critical vulnerability has been found in the firmware of surveillance devices manufactured by Hikvision, a China-based technology company. The vulnerability can be exploited remotely and, through a root shell, allows access to the device as well as the network that the device is connected to. Once Hikvision was notified of the discovery in June 2021, the company took steps to inform the public of the problem and released an updated version of the firmware that fixes it. Because Hikvision is the largest manufacturer of surveillance cameras and devices, its products represent a significant segment of such devices deployed worldwide. Any facility that uses these devices faces a high threat to its network security. If the exploit is executed, an attacker can use the cameras, microphones, and other compromised devices to turn the surveillance around on the end users. The breached networks and the devices connected to them are also likely targets. Because these devices originate from China and the company has ties to the Chinese military, the implications of global espionage are quickly becoming a concern for any government or organization that uses these products.

Background

On September 22nd, 2021, China-based Hikvision published a finding on its website notifying the public that a critical vulnerability in the firmware installed on its surveillance devices allows for zero-click, unauthenticated remote code execution (RCE) that can give an attacker an unrestricted root shell [2]. Classified as CVE-2021-36260 by MITRE Corporation, it has been given an initial base score of 9.8 in the Common Vulnerability Scoring System (CVSS) [1]. By exploiting this vulnerability, an attacker can take full control of a device, gaining more control than the end user, and even access the internal network. An attacker only needs access to HTTP(S) port 80 or 443, at least one of which is typically open on most networks. From there, the intruder has free rein to execute any malicious code they choose. The bug was discovered by security researcher Watchful IP and reported immediately to Hikvision with recommendations for a patch. Unpatched devices are susceptible to remote exploitation with no authentication required. No action is needed from the end user, hence the designation as a zero-click vulnerability. Once access is gained, the attacker can render the device inoperable, access the user data with read and write privileges, attack the internal network, and even mount a physical attack on the site [6].

Impact

The firmware affected by this vulnerability has been installed on devices as far back as 2016, potentially affecting well over 70 Hikvision device models and upwards of 300 million devices installed globally as part of government and private surveillance infrastructures [4]. Many of these devices are used to monitor sensitive sites, and this vulnerability can allow for major breaches of data of all classifications in numerous industries. When Hikvision was informed of the bug, the company took action to remediate it, posting a firmware patch on its website. However, the patch must be manually downloaded and installed on devices in order to mitigate the vulnerability, and at the time of this writing it is only accessible on some servers. This leaves a gap between the availability of the patch and the probability of rapid deployment of the mitigation. Therefore, while this vulnerability is now known, it would take a concerted effort by end users to not only research to find that the vulnerability exists, but then further effort would be needed

Significance

Founded in 2001, Hikvision (Hangzhou Hikvision Digital Technology Co., Ltd.) is the largest manufacturer of video surveillance equipment in the world. The company is Chinese state-owned and provides products to both military and civilian organizations [7]. Hikvision advertises that it has over 2,400 partners in 155 countries and regions, and claims to produce over 150,000 surveillance devices daily and more than 55 million devices annually [3]. These devices have been installed en masse throughout major cities and locales, not only in China but around the world. This deployment has been used to create a surveillance state in major Chinese cities such as Shanghai, Hangzhou, and Urumqi, and raises the question of whether the exploit has been used by the People’s Liberation Army (PLA) to surreptitiously do the same outside of China. These devices have integrated technologies such as facial recognition and license plate scanners, all network connected, with data being fed into decentralized databases. In May of 2021 the manufacturer was the focus of an Italian news exposé, which claimed that the devices, when installed, communicate with PLA-held command and control servers [5]. The United States government has enacted several bans against Hikvision, including one prohibiting US companies from owning stock in companies linked to the PLA, and another prohibiting the installation of surveillance products from companies based in the People’s Republic of China [7]. With this newest development in the continuous cyber conflict between China and its prime target, the United States, it is likely that more sanctions against Hikvision and similar companies will be enacted in the near future.

References

[1] CVE. (2021, 7 8). CVE-2021-36260. Retrieved 9 30, 2021, from CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260

[2] Hikvision. (2021, 9 19). Security Notification – Command Injection Vulnerability in Some Hikvision products. Retrieved 9 30, 2021, from Hikvision: https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/

[3] McHale, A. (2017, 9 11). Number Of Video Cameras Sold + Hikvision Manufactured Number. Retrieved 9 30, 2021, from IPVM: https://ipvm.com/forums/video-surveillance/topics/looking-for-information-on-number-of-video-cameras-sold

[4] Paganini, P. (2021, 9 22). Hikvision cameras could be remotely hacked due to critical flaw. Retrieved 9 30, 2021, from Security Affairs: https://securityaffairs.co/wordpress/122474/hacking/hikvision-cve-2021-36260-flaw.html

[5] Rollet, C. (2021, 5 17). Italian State News Investigates Hikvision. Retrieved 9 30, 2021, from IPVM: https://ipvm.com/reports/hik-italy

[6] Watchful_IP. (2021, 6 20). Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260). Retrieved from Watchful_IP: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html#is-this-a-chinese-government-mandated-backdoor

[7] Wikipedia. (2021). Hikvision. Retrieved 9 30, 2021, from Wikipedia: https://en.wikipedia.org/wiki/Hikvision