Peeking Through the Keyhole: How Cybercriminals Exploit Unpatched Chinese Surveillance Cameras

A substantial number of cameras have not applied a crucial security patch that’s been available for nearly a year, leaving countless institutions vulnerable.

Recent studies show that a command injection defect, which has been present for nearly a year, has left more than 80,000 Hikvision security cameras worldwide exposed to potential risks.

Hikvision, formally known as Hangzhou Hikvision Digital Technology, is a company owned by the Chinese government that specializes in the production of video surveillance gear. They have a broad customer base that extends to over 100 different countries, even including the United States. This is despite the fact that in 2019, the FCC classified Hikvision as a potential threat to the national security of the U.S.

Last autumn, a command injection vulnerability in Hikvision cameras came to light, tracked as CVE-2021-36260. The National Institute of Standards and Technology (NIST) rated the vulnerability “critical”, scoring it a whopping 9.8 out of 10.

Despite the seriousness of the flaw, and almost a year after it was discovered, more than 80,000 devices still have not been fixed. During this period, the researchers have found several cases of hackers looking to collaborate on exploiting Hikvision cameras through the command injection vulnerability. This is particularly the case in Russian black market online forums, where stolen login details are available for purchase.

The extent of the harm inflicted remains uncertain. The report's authors could only hypothesize that “Chinese danger collectives such as MISSION2025/APT41, APT10 and their associates, along with unidentified Russian danger actor groups could possibly take advantage of weaknesses in these gadgets to achieve their objectives (these could incorporate particular geo-political objectives).”

The Peril in IoT Gadgets

It’s tempting to label those who neglect to update their software as lax, especially when we hear stories about it. However, the situation is often more complex than it appears.

David Maynor, Senior Director of Threat Intelligence at Cybrary, said that the cameras produced by Hikvision have been susceptible to threats for a considerable period due to several factors. He pointed out that the products are riddled with easy-to-manipulate systemic weaknesses or, even worse, employ default login details. There isn’t a reliable method to conduct investigations or confirm that a breach has been effectively addressed. Additionally, there hasn’t been any noticeable shift in Hikvision’s approach indicating a heightened emphasis on security in their product development process.

Many of the issues are pervasive across the sector and not unique to Hikvision. As Paul Bischoff, a privacy enthusiast from Comparitech, pointed out in an email, securing IoT devices such as cameras can be much more challenging than securing a mobile app. Unlike mobile apps, updates aren’t automated; they must be manually downloaded and installed by users, and there’s a high chance that many users may not get the notification. Moreover, IoT devices often don’t provide any signs that they’re unsecured or outdated. While your phone will notify you and probably auto-install updates when you restart it, IoT devices lack this level of user-friendliness.

Unbeknownst to users, cyber crooks can use search engines such as Shodan or Censys to hunt for their susceptible devices. Bischoff mentioned that the issue can be amplified by complacency, considering that Hikvision cameras are shipped with a limited set of pre-set passwords, and a large number of users neglect to change these original passwords.

The future of these myriad cameras remains uncertain due to lackluster security measures and inadequate monitoring and control.
