{"id":5070,"date":"2022-12-31T10:08:36","date_gmt":"2022-12-31T10:08:36","guid":{"rendered":"https:\/\/www.a1securitycameras.com\/blog-x\/?p=5070"},"modified":"2023-12-22T15:36:56","modified_gmt":"2023-12-22T15:36:56","slug":"hikvision-vulnerability","status":"publish","type":"post","link":"https:\/\/www.a1securitycameras.com\/blog\/hikvision-vulnerability\/","title":{"rendered":"Hikvision Vulnerability: Is your System at Risk?"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

UPDATE<\/strong><\/span>:\u00a0 2023-11-29 <\/b>— Today, Hikvision has issued a patch, available on its Hikvision website<\/a> or\u00a0 firmware download center<\/a>, to fix a vulnerability (CVE-2023-28811<\/a>) in Hikvision NVRs\/DVRs.<\/p>

Even for people that work in technology, it is understandably easy to shrug at the occasional news about hacks, exploits, and vulnerabilities. However, those that have purchased\u00a0Hikvision\u00a0<\/a>products for their business or home may want to consider doing otherwise. As per a recent\u00a0revelation made by IPVM<\/a>\u00a0earlier in December of 2022, many\u00a0Hikvision security cameras<\/a>\u00a0under the brand Ezviz feature a massive vulnerability where breaches by malicious parties are relatively easy. Particularly troubling due to the potential harm it might cause, this should be a cause for worry for those that may be affected. Fortunately for you, we\u2019ve put together everything you need to know on the subject so you can take action if needed, read on in this A1 Security Cameras article to learn more!<\/p>

\u00a0<\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The problem and the Hikvision cameras compromised<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Upfront, the problems initially discovered in a\u00a0Bitdefender\u00a0<\/a>article mainly concern Hikvision Ezviz cameras that can be used wirelessly or through a cloud system. While not naming Hikvision in the original post, four technical problems that may similarly affect other original and EOL CCTV hardware were identified. These vulnerabilities can be found in the following systems:<\/p>\n

    \n
  1. Direct object reference<\/li>\n
  2. Initialization processes<\/li>\n
  3. Password storage<\/li>\n
  4. Stack-based buffering<\/li>\n<\/ol>\n

    Upon further investigation, the problem was found in other Hikvision products like HWC-C220-D and DS-2CD2141G1-IDW1D. What all four vulnerabilities lead to is potential access for malicious parties to affected security camera systems. If the CCTV apparatus is connected to other systems within a business or home, the problem could snowball into the massive problem of a broader compromise.\u00a0<\/p>\n

    According to Bitdefender, affected Ezviz models included CS-CV248, CS-C6N-A0-1C2WFR, CS-DB1C-A0-1E2W2FR, CS-C6N-B0-1G2WF, and CS-C3W-A0-3H4WFRL with each having firmware version V5.3.0. When questioned by IPVM, Hikvision stated that the current hardware and security cameras offered are not affected. However, there is no fix at the time of writing that will provide a patch for the Hikvision vulnerability.<\/p>\n

    \n
    \u00a0<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Past Hikvision vulnerabilities<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Despite being the most popular CCTV manufacturer worldwide and fourth in the United States (according to IPICA<\/a>), Hikvision is no stranger to having problems with its own cameras and EOL products. With another\u00a0critical vulnerability<\/a>\u00a0discovered in 2021 and\u00a0banned in 2019<\/a>\u00a0by the United States government, the brand has certainly started off the 2020 decade stumbling beside its competitors.\u00a0<\/p>\n

    The 2021 Hikvision vulnerability proved so bad that\u00a0Malwarebytes authored an article<\/a>\u00a0on the subject. Existing since 2016 and later being patched in 2021, the problem only required malicious parties to know the HTTP server port and then allowed them to bypass username and password authentication. When gaining entry, anyone could have total control over the Hikvision camera. While it was eventually patched before 2022, the problem heightened suspicions that the vulnerability was not necessarily a bug but a feature designed for the Chinese Communist Party.\u00a0<\/p>\n

    While seemingly unrelated to those unfamiliar with the CCTV industry, companies like Hikvision and Dahua are indeed connected to the Chinese government in more ways than one. In fact, both regularly\u00a0partnering with the PRC\u2019s<\/a>\u00a0military to develop more advanced weaponry and technology. Not necessarily proof of malicious intent, but worth noting.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Hikvision compared to other top CCTV brands<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    For reference, the recent Hikvision vulnerability isn\u2019t necessarily unique to even the\u00a0top CCTV brands<\/a>. However, it would be remiss of us at A1 Security Cameras to not at least provide you with a reference for how other CCTV brands handle vulnerabilities and hacks so you can have the best possible information going forward when considering the next steps to take. Here are a few brands to think about in this regard.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Axis\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    In a\u00a0past article<\/span><\/a>\u00a0authored by A1 Security Cameras, Axis Communications has proven to handle vulnerabilities and hacking threats promptly. The brand offers multiple\u00a0resources for cybersecurity<\/span><\/a>\u00a0and regularly offers patches for anything wrong detected. However, the brand itself is clear that patches should be downloaded as quickly as possible to avoid any problems.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"bosch\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Bosch<\/a>\u00a0actually makes very clear any vulnerabilities the brand detects and offers them in a\u00a0comprehensive list<\/span><\/a>\u00a0on its site. Moreover, the brand has a dedicated team for reporting such problems with the\u00a0PSIRT team<\/span><\/a>. In most cases, Bosch produces updates to handle vulnerabilities and problems leading to hacking.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Hanwha\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Hanwha Vision<\/a>\u00a0(formerly\u00a0Samsung Hanwha Techwin) keeps several\u00a0policies and instructions<\/span><\/a>\u00a0for purchasers of their products. Furthermore, like Bosch and\u00a0Axis<\/a>, Hanwha Techwin has a team that reviews incoming reports at every opportunity.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Affected Versions and Fixes by Latest Update<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    DVR Affected Versions<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Product Name<\/b><\/p><\/td>

    		Affected Versions<\/b><\/td>

    Fix Download<\/b><\/p><\/td><\/tr>

    DVR<\/p><\/td>

    iDS-EXXHUH<\/p>

    DS-EXXHGH<\/p>

    iDS-EXXHQH<\/p>

    DVR-EXXHUH<\/p>

    DVR-EXXHGH<\/p>

    DVR-EXXHQH<\/p>

    iDS-72XXHQH-M(C)<\/p>

    iDS-72XXHUH-M(C)<\/p>

    iDS-72XXHQH-M(E)<\/p>

    iDS-72XXHUH-M(E)<\/p>

    iDS-72XXHTH-M(C)<\/p>

    HW-HWD-72XXMH-G4<\/p>

    HW-HWD-62XXMH-G4<\/p>

    HL-DVR-216Q-K2(E\uff09<\/p>

    DS-71XXHGH-M(C)<\/p>

    DS-72XXHGH-M(C)<\/p>

    DS-71XXHGH-K(S)<\/p>

    DS-72XXHGH-K(S)<\/p>

    HL-DVR-1XXG-K(S)<\/p>

    HL-DVR-2XXG-K(S)<\/p>

    HL-DVR-1XXG-M(C)<\/p>

    HL-DVR-2XXG-M(C)<\/p>

    HW-HWD-51XXH(S)<\/p>

    HW-HWD-51XXH-G<\/p>

    HW-HWD-51XXMH-G<\/p>

    iDS-71xxHQH-M(C)<\/p>

    iDS-71xxHQH-M(E)<\/p>

    iDS-72xxHQH-M\/E(C)<\/p>

    iDS-72xxHQH-M\/E(E)<\/p>

    HL-DVR-2XXQ-M(C)<\/p>

    HL-DVR-2XXQ-M(E)<\/p>

    HW-HWD-61XXMH-G4<\/p>

    HW-HWD-61XXMH-G4(E)<\/p>

    iDS-71xxHUH-M(C)<\/p>

    iDS-72xxHUH-M\/E(C)<\/p>

    iDS-71xxHUH-M(E)<\/p>

    iDS-72xxHUH-M\/E(E)<\/p>

    HL-DVR-2XXU-M(C)<\/p>

    HL-DVR-2XXU-M(E)<\/p>

    HW-HWD-71XXMH-G4<\/p>

    HW-HWD-71XXMH-G4(E)<\/p><\/td>

    Build date before 230821(Version\u00a0 before\u00a0 V4.1.60\u00a0 are not affected)\u00a0<\/p><\/td>

    Version build date after 230821 Hikvision Web site<\/a> or Firmware Download Center<\/a><\/p><\/td><\/tr>

    NVR<\/p><\/td>

    NVR-2xxMH-C(D)<\/p>

    NVR-1xxMH-C(D)<\/p>

    HW-HWN-42xxMH(D)<\/p>

    HW-HWN-41xxMH(D)<\/p>

    DS-71xxNI-Q1(C)<\/p>

    DS-71xxNI-Q1(D)<\/p>

    HL-NVR-1xxMH-D(C)<\/p>

    HL-NVR-1xxMH-D(D)<\/p>

    HW-HWN-21xxMH(C)<\/p>

    HW-HWN-21xxMH(D)<\/p>

    DS-76xxNI-Q1(C)<\/p>

    DS-76xxNI-Q2(C)<\/p>

    DS-76xxNI-K1(C)<\/p>

    HW-HWN-41xxMH(C)<\/p>

    HW-HWN-42xxMH(C)<\/p>

    HL-NVR-1xxMH-C(C)<\/p>

    HL-NVR-2xxMH-C(C)<\/p>

    DS-77xxNI-I4(B)<\/p><\/td>

    Build date before 230821(Version\u00a0 before\u00a0 V4.1.60\u00a0 are not affected)\u00a0<\/p><\/td>

    Version build date after 230821 Hikvision Web site<\/a> or Firmware Download Center<\/a><\/p><\/td><\/tr><\/tbody><\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Hikvision Categories<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision Security Cameras<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision IP Security Cameras<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision HD CCTV Security Cameras<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision Security Camera Systems<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision Video Recorders<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision Access Control<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t
    Hikvision Accessories<\/a><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

    UPDATE:\u00a0 2023-11-29 — Today, Hikvision has issued a patch, available on its Hikvision website or\u00a0 firmware download center, to fix a vulnerability (CVE-2023-28811) in Hikvision NVRs\/DVRs. Even for people that work in technology, it is understandably easy to shrug at the occasional news about hacks, exploits, and vulnerabilities. However, those that have purchased\u00a0Hikvision\u00a0products for their […]<\/p>\n","protected":false},"author":2,"featured_media":5079,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[105],"tags":[184,252],"class_list":["post-5070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-brand-updates","tag-hikvision","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/posts\/5070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/comments?post=5070"}],"version-history":[{"count":27,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/posts\/5070\/revisions"}],"predecessor-version":[{"id":14084,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/posts\/5070\/revisions\/14084"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/media\/5079"}],"wp:attachment":[{"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/media?parent=5070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/categories?post=5070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.a1securitycameras.com\/blog\/wp-json\/wp\/v2\/tags?post=5070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}