By 
UPDATE: 2023-11-29 — Today, Hikvision has issued a patch, available on its Hikvision website or firmware download center, to fix a vulnerability (CVE-2023-28811) in Hikvision NVRs/DVRs.
Even for people that work in technology, it is understandably easy to shrug at the occasional news about hacks, exploits, and vulnerabilities. However, those that have purchased Hikvision products for their business or home may want to consider doing otherwise. As per a recent revelation made by IPVM earlier in December of 2022, many Hikvision security cameras under the brand Ezviz feature a massive vulnerability where breaches by malicious parties are relatively easy. Particularly troubling due to the potential harm it might cause, this should be a cause for worry for those that may be affected. Fortunately for you, we’ve put together everything you need to know on the subject so you can take action if needed, read on in this A1 Security Cameras article to learn more!
The problem and the Hikvision cameras compromised
Upfront, the problems initially discovered in a Bitdefender article mainly concern Hikvision Ezviz cameras that can be used wirelessly or through a cloud system. While not naming Hikvision in the original post, four technical problems that may similarly affect other original and EOL CCTV hardware were identified. These vulnerabilities can be found in the following systems:
- Direct object reference
- Initialization processes
- Password storage
- Stack-based buffering
Upon further investigation, the problem was found in other Hikvision products like HWC-C220-D and DS-2CD2141G1-IDW1D. What all four vulnerabilities lead to is potential access for malicious parties to affected security camera systems. If the CCTV apparatus is connected to other systems within a business or home, the problem could snowball into the massive problem of a broader compromise.
According to Bitdefender, affected Ezviz models included CS-CV248, CS-C6N-A0-1C2WFR, CS-DB1C-A0-1E2W2FR, CS-C6N-B0-1G2WF, and CS-C3W-A0-3H4WFRL with each having firmware version V5.3.0. When questioned by IPVM, Hikvision stated that the current hardware and security cameras offered are not affected. However, there is no fix at the time of writing that will provide a patch for the Hikvision vulnerability.
Past Hikvision vulnerabilities
Despite being the most popular CCTV manufacturer worldwide and fourth in the United States (according to IPICA), Hikvision is no stranger to having problems with its own cameras and EOL products. With another critical vulnerability discovered in 2021 and banned in 2019 by the United States government, the brand has certainly started off the 2020 decade stumbling beside its competitors.
The 2021 Hikvision vulnerability proved so bad that Malwarebytes authored an article on the subject. Existing since 2016 and later being patched in 2021, the problem only required malicious parties to know the HTTP server port and then allowed them to bypass username and password authentication. When gaining entry, anyone could have total control over the Hikvision camera. While it was eventually patched before 2022, the problem heightened suspicions that the vulnerability was not necessarily a bug but a feature designed for the Chinese Communist Party.
While seemingly unrelated to those unfamiliar with the CCTV industry, companies like Hikvision and Dahua are indeed connected to the Chinese government in more ways than one. In fact, both regularly partnering with the PRC’s military to develop more advanced weaponry and technology. Not necessarily proof of malicious intent, but worth noting.
Hikvision compared to other top CCTV brands
For reference, the recent Hikvision vulnerability isn’t necessarily unique to even the top CCTV brands. However, it would be remiss of us at A1 Security Cameras to not at least provide you with a reference for how other CCTV brands handle vulnerabilities and hacks so you can have the best possible information going forward when considering the next steps to take. Here are a few brands to think about in this regard.
In a past article authored by A1 Security Cameras, Axis Communications has proven to handle vulnerabilities and hacking threats promptly. The brand offers multiple resources for cybersecurity and regularly offers patches for anything wrong detected. However, the brand itself is clear that patches should be downloaded as quickly as possible to avoid any problems.
Bosch actually makes very clear any vulnerabilities the brand detects and offers them in a comprehensive list on its site. Moreover, the brand has a dedicated team for reporting such problems with the PSIRT team. In most cases, Bosch produces updates to handle vulnerabilities and problems leading to hacking.
Hanwha Vision (formerly Samsung Hanwha Techwin) keeps several policies and instructions for purchasers of their products. Furthermore, like Bosch and Axis, Hanwha Techwin has a team that reviews incoming reports at every opportunity.
Affected Versions and Fixes by Latest Update
DVR Affected Versions
Product Name | Affected Versions | Fix Download | |
DVR | iDS-EXXHUH DS-EXXHGH iDS-EXXHQH DVR-EXXHUH DVR-EXXHGH DVR-EXXHQH iDS-72XXHQH-M(C) iDS-72XXHUH-M(C) iDS-72XXHQH-M(E) iDS-72XXHUH-M(E) iDS-72XXHTH-M(C) HW-HWD-72XXMH-G4 HW-HWD-62XXMH-G4 HL-DVR-216Q-K2(E) DS-71XXHGH-M(C) DS-72XXHGH-M(C) DS-71XXHGH-K(S) DS-72XXHGH-K(S) HL-DVR-1XXG-K(S) HL-DVR-2XXG-K(S) HL-DVR-1XXG-M(C) HL-DVR-2XXG-M(C) HW-HWD-51XXH(S) HW-HWD-51XXH-G HW-HWD-51XXMH-G iDS-71xxHQH-M(C) iDS-71xxHQH-M(E) iDS-72xxHQH-M/E(C) iDS-72xxHQH-M/E(E) HL-DVR-2XXQ-M(C) HL-DVR-2XXQ-M(E) HW-HWD-61XXMH-G4 HW-HWD-61XXMH-G4(E) iDS-71xxHUH-M(C) iDS-72xxHUH-M/E(C) iDS-71xxHUH-M(E) iDS-72xxHUH-M/E(E) HL-DVR-2XXU-M(C) HL-DVR-2XXU-M(E) HW-HWD-71XXMH-G4 HW-HWD-71XXMH-G4(E) | Build date before 230821(Version before V4.1.60 are not affected) | Version build date after 230821 Hikvision Web site or Firmware Download Center |
NVR | NVR-2xxMH-C(D) NVR-1xxMH-C(D) HW-HWN-42xxMH(D) HW-HWN-41xxMH(D) DS-71xxNI-Q1(C) DS-71xxNI-Q1(D) HL-NVR-1xxMH-D(C) HL-NVR-1xxMH-D(D) HW-HWN-21xxMH(C) HW-HWN-21xxMH(D) DS-76xxNI-Q1(C) DS-76xxNI-Q2(C) DS-76xxNI-K1(C) HW-HWN-41xxMH(C) HW-HWN-42xxMH(C) HL-NVR-1xxMH-C(C) HL-NVR-2xxMH-C(C) DS-77xxNI-I4(B) | Build date before 230821(Version before V4.1.60 are not affected) | Version build date after 230821 Hikvision Web site or Firmware Download Center |
