Vulnerable by Design: 80,000 Chinese Surveillance Cameras Remain Unpatched
The Alarming Discovery
Over 80,000 Hikvision surveillance cameras worldwide are still vulnerable to an 11-month-old critical command injection flaw, leaving thousands of organizations exposed. The finding highlights the ongoing threat posed by IoT devices and the lack of security in many connected systems.
Hikvision, a Chinese state-owned manufacturer of video surveillance equipment, makes cameras for customers in over 100 countries, including the United States. However, in 2019, the FCC labeled Hikvision “an unacceptable risk to U.S. national security” due to concerns about its products’ potential use in espionage and cyber attacks.
The Severity of the Flaw
The vulnerability, identified as CVE-2021-36260, was first revealed last fall and has been rated critical by NIST with a score of 9.8 out of 10. Despite the severity of this flaw, it appears that many organizations have failed to patch their devices, leaving them open to exploitation.
Researchers have discovered multiple instances of hackers in Russian dark web forums, where leaked credentials are being sold, seeking to collaborate on exploiting Hikvision cameras using this vulnerability. While the extent of the damage is still unclear, it’s likely that Chinese threat groups and unknown Russian actors could use these vulnerable devices for nefarious purposes, including geopolitical espionage.
Systemic Issues Contributing to the Problem
According to David Maynor, senior director of threat intelligence at Cybrary, Hikvision cameras have been vulnerable due to systemic issues, such as default credentials and easy-to-exploit vulnerabilities. Furthermore, the lack of automated security updates and poor user engagement have contributed to this problem.
“This is not just a Hikvision issue,” says Maynor. “The IoT industry faces significant challenges in securing devices like cameras, which are often not as straightforward to secure as mobile apps.”
The Complexity of Securing IoT Devices
Paul Bischoff, a privacy advocate with Comparitech, notes that IoT devices require manual updates and monitoring, unlike mobile apps, which often update automatically. This lack of visibility and oversight makes it difficult for users to detect vulnerabilities or ensure their devices are up to date.
The situation is further complicated by the fact that many Hikvision cameras come with predetermined passwords, which users may not change. Cybercriminals can use search engines like Shodan or Censys to scan for vulnerable devices, making it easier for them to target these cameras.
The Need for Collective Action
While the situation remains uncertain, it’s clear that the security of IoT devices like surveillance cameras requires a concerted effort from manufacturers, organizations, and individuals. Until that effort materializes, the risk of exploitation will continue to pose a significant threat to our digital lives.
Key Takeaways
- Over 80,000 Hikvision surveillance cameras worldwide are vulnerable to an 11-month-old critical command injection flaw.
- The vulnerability has been rated critical by NIST with a score of 9.8 out of 10.
- Chinese and Russian threat groups may exploit these vulnerable devices for geopolitical purposes.
- The IoT industry faces significant challenges in securing devices like cameras due to systemic issues, lack of automated security updates, and poor user engagement.
Recommendations
- Organizations must prioritize patching their Hikvision surveillance cameras immediately to prevent exploitation.
- Manufacturers should improve the security of their products by implementing better default credentials, automatic security updates, and robust user engagement strategies.
- Users must take responsibility for monitoring their devices and updating them regularly to prevent vulnerabilities.