For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security and in particular leading security cameras (as part of project Vizavis). In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.
As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several leading vendors. These vulnerabilities were disclosed to the vendors, in accordance with responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded and enough time is given to patch the devices.
One of the vendors for which we found vulnerable devices was Hikvision, when our team discovered a vulnerability in Hikvision security cameras. Exploiting the discovered vulnerability, an adversary who successfully obtains the address of the camera, can gain access to the camera if residing on the same network or if the camera has direct interface with the internet. VDOO has responsibly disclosed this vulnerability and engaged with Hikvision’s security team to quickly solve the matter.
To the best of our knowledge, this vulnerability was not exploited in the field, and therefore, did not lead to any concrete security threat or privacy violation to Hikvision customers. The Hikvision team acted promptly to submit a CVE (CVE-2018-6414) and create patch for this vulnerability and started a campaign to proactively push the update to the relevant devices.
VDOO is committed to share, in an open and professional manner, the technical details of vulnerabilities discovered by our teams for the benefit of the users, the community of developers, security researchers and connected-devices manufacturers. Due to the risk such publications might impose on connected-device users, we will always provide the common 90 days for fixes before making the technical details publicly available.
Technical details on the Hikvision vulnerability will be published when the 90 days are exhausted, allowing enough time for patching.
We strongly recommend for Hikvision customers who did not update their camera’s firmware to do so immediately as described here.