For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.
As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, in accordance with responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.
One of the vendors for which we found vulnerable devices was Hikvision. Our team discovered a vulnerability in Hikvision security cameras. Exploiting the discovered vulnerability, an adversary who successfully obtains the IP address of the camera can remotely execute code with root privileges on the camera (via LAN or internet). VDOO has responsibly disclosed this vulnerability (CVE-2018-6414) and engaged with Hikvision’s security team to solve the matter.