Hackers Exploiting Hikvision Camera Vulnerability to Access Sensitive Information

A critical vulnerability in Hikvision security cameras, first disclosed in 2017, is being actively exploited by hackers to gain unauthorized access to sensitive information.

SANS researchers observed a recent surge in malicious activity targeting a specific flaw, identified as CVE-2017-7921, which carries a critical severity score of 10.0 on the CVSS scale.

The exploit attempts are characterized by suspicious web requests to specific URLs on vulnerable cameras, such as /System/deviceInfo?auth=YWRtaW46MTEK.

The base64-encoded string in the request, YWRtaW46MTEK, decodes to admin:11. This suggests that attackers are not using a sophisticated backdoor but are instead attempting to brute-force devices with weak, easily guessable passwords.
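As an added example (not from the original article or from SANS), the following Python script scans web-server access logs for requests that carry an auth= parameter like the one above and decodes the credentials being tried, so probes can be counted per source. The log lines are constructed samples in combined log format, and the function names are assumptions of this example.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format, documentation-range addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /System/deviceInfo?auth=YWRtaW46MTEK HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /System/deviceInfo?auth=ZGVtbzpkZW1v HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [01/Jan/2025:10:05:09 +0000] "GET /System/deviceInfo?auth=not_base64! HTTP/1.1" 404 153 "-" "-"
"""

# Source address, then the request target inside the quoted request line.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def decode_auth(value):
    """Return the 'user:password' text inside an auth= value, or None if undecodable."""
    # parse_qs turns '+' into a space; restore it before base64 decoding.
    candidate = value.replace(" ", "+")
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8").strip()  # the observed value ends in a newline
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if ":" in text else None


def find_auth_probes(log_text):
    """Return (source, path, decoded_credentials) for every request carrying auth=."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        source, target = match.groups()
        url = urlsplit(target)
        for value in parse_qs(url.query).get("auth", []):
            hits.append((source, url.path, decode_auth(value)))
    return hits


def probes_per_source(hits):
    """Count auth= requests per source address to surface brute-force behaviour."""
    return Counter(source for source, _, _ in hits)


if __name__ == "__main__":
    for source, path, creds in find_auth_probes(SAMPLE_LOG):
        print(source, path, creds or "<undecodable auth value>")
```

A single source cycling through many decoded passwords against the same path is the brute-force pattern described above; an undecodable value is still worth logging as a probe.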

Hikvision Camera Vulnerability Exploited

The core of the issue lies in a vulnerability in the firmware of numerous Hikvision camera models that allows improper authentication. This flaw allows a remote, unauthenticated attacker to bypass security measures and escalate their privileges, effectively gaining control over the device.

By sending a specially crafted request, an attacker can download the camera’s configuration file, which may contain user credentials, or even change user passwords to lock out legitimate owners.

While Hikvision has released firmware patches to address this vulnerability, hundreds of thousands of devices remain unpatched and exposed on the internet.

The problem is compounded by the fact that many other manufacturers rebrand and sell Hikvision cameras under their own names, making it difficult for users to identify if their devices are affected.

A successful exploit can have severe consequences. Attackers can not only view live and recorded footage but also use the compromised camera as a pivot point to launch further attacks against the internal network.

The downloaded configuration files, though encrypted, use weak encryption with a static key, making it possible for attackers to decrypt them and harvest user credentials.

The current wave of attacks appears to be taking advantage of poor security practices by users. The use of a simple password like “11” may be due to the limited user interface on some Hikvision DVRs, which often feature only a numeric on-screen keyboard, making it cumbersome to enter complex alphanumeric passwords.

While placing credentials in a URL is discouraged due to the risk of them being logged, it is a convenient feature that allows for creating direct login links.

To mitigate the risk, owners of Hikvision cameras are strongly advised to update their devices’ firmware to the latest version. It is also crucial to use strong, unique passwords and to avoid exposing the camera’s management interface directly to the internet.

If remote access is necessary, it should be done through a secure VPN connection.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.