Hikvision DVRs sporting bugs that allow device hijacking

A while back, SANS ISC CTO Johannes Ullrich discovered that cybercrooks were targeting Hikvision Digital Video Recorders (DVRs) in order to infect them with bitcoin-mining malware. They were successful because the DVRs come with a default administrative account “admin” with password “12345,” and these are often left unchanged by users.

Digital Video Recorders are usually used to record surveillance footage inside and outside office buildings and private houses and, unfortunately, default accounts and passwords are not their only weak spot.

Mark Schloesser, a researcher with Rapid7 Labs, has discovered three buffer overflow bugs (CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880) affecting Hikvision-DS-7204-HVI-SV digital video recorder device with firmware V2.2.10 build 131009, and likely other devices in the same model range.

These bugs can be exploited remotely and without the need for authentication to gain full control of the device, as they proved by writing a Metasploit module taking advantage of the last one.

“Prior to this research, CVE-2013-4977 was discovered by Anibal Sacco and Federico Muttis from Core Exploit Writers Team, affecting multiple Hikvision devices,” Schloesser noted, adding that the aforementioned device Rapid 7 Labs researchers tested is still vulnerable to the other researchers’ attack.

The compromised DVRs can be roped into a botnet, or be used as a proxy for the attacker to gain access into the DVR’s local network and compromise it further. The researchers point out that at least 150,000 of these devices can currently be found on the Internet and can be accessed remotely.

The researcher notified Hikvision of these issues in September, but have yet to receive a response.

“In order to mitigate these exposures, until a patch is released, Hikvision DVR devices and similar products should not be exposed to internet without the usual additional protective measures, such as an authenticated proxy, VPN-only access, et cetera,” they advised, adding that it would be a good idea for users to also contact Hickvision and urge them to fix these problems.

Share this
You are reading

Hikvision DVRs sporting bugs that allow device hijacking