New research shows that over 80,000 Hikvision cameras are vulnerable to a critical command injection flaw that's easily exploitable via specially crafted messages sent to the vulnerable web server. The flaw was assigned CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021, but researchers say tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.
Hikvision is one of the world’s largest providers of video surveillance products.
Paul Bischoff, privacy advocate with Comparitech:
“IoT devices like cameras aren't always as easy or straightforward to secure as an app on your phone. Updates are not automatic; users need to manually download and install them, and many users might never get the message. Furthermore, IoT devices might not give users any indication that they're unsecured or out of date. Whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences. Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan. From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency, or launch further attacks through the camera's network. In this case, the problem is exacerbated by the fact that Hikvision cameras come with one of a few predetermined passwords out of the box, and many users don't change these default passwords.”
Chris Hauk, consumer privacy champion at Pixel Privacy:
“Exploits like those being used to take over Hikvision cameras rely on users not setting strong passwords or using the default passwords out of the box. Users should always update their cameras and other IoT devices with the latest firmware, set a secure password, and in corporate cases, keep their IoT devices isolated from their main network.”