Ironically, this is literally the next generation of the tool, following the previous version using Hikvision's cracked security codes.

ģ00,000+ Estimated Hikvision Devices Publicly Vulnerable

This password tool can just as easily be used to maliciously change passwords and take over others' cameras.

Examining the source code of this tool shows the "auth=YWRtaW46MTEK" string being used to change user passwords.

Hikvision Password Reset Helper allows a user to enter an IP address for a camera, retrieve a list of users, and selectively reset the password for any user.

It is nearly impossible for a piece of code that obvious to go unnoticed by development or QA teams, yet it has been present for 3+ years.

A tool to reset user passwords (including the admin user) was released within days of the exploit announcement.

It was a piece of debug code inadvertently left by one of developers

The researcher, Monte Crypto, who has called this a backdoor consistently, says Hikvision told him that:

Post your examples and experiences in the comments.

Get unauthorized device info:

For more examples of Hikvision CGI commands, see the HikCGI Integration Guide, HikCGI Image Display.

Get an unauthorized snapshot from the camera:

However, using the backdoor string, that will not matter as you can simply bypass authentication, for example:

IPVM has put a vulnerable Hikvision camera online for members to experiment with.

This vulnerability is significantly more critical than other recent cyber security announcements in the security industry (e.g., Dahua Suffers Second Major Vulnerability, ONVIF / gSOAP Vulnerability, Axis Camera Vulnerabilities From Google Researcher Analyzed), due to the ease of exploit, the number of impacted devices, and the fact that many impacted devices (e.g., 'grey market') cannot be upgraded to patched firmware.
Hikvision released a firmware fix in March 2017, though IPVM stats show 60%+ of Hikvision cameras are still vulnerable (detailed below).

DHS' ranking of this vulnerability as a 10/10 is even more understandable now that the simplicity of compromising these devices has been proven.

Render hundreds of thousands of connected devices permanently unusable with just one simple http call.

And worst of all, one can download camera configuration:

Any accessible Hikvision camera with affected firmware is vulnerable to complete takeover or bricking.

Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or

Obtain a camera snapshot without authentication:

All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware.

All that was needed was appending this string to Hikvision camera commands:

As the researcher explained in his disclosure:

Retrieve a list of all users and their roles:

Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was.

Inside this post, we examine how the exploit works, how it is being used, what percentage of devices are vulnerable, and Hikvision's failure to respond to the exploit's release.

We also show the password reset tool being used to take over a camera:

We produced the following video, showing just how simple it is to use this exploit to retrieve an image snapshot and system information from a camera.

Plus, IPVM has set up a vulnerable Hikvision IP camera so members can test and better understand the exploit.