IT and Network Security is a tough arena. Keeping networks, systems and data secure from what can only be called a total onslaught of malware and other malicious attacks, is a difficult task. What makes the task even more difficult is the general indifference of (especially) SMEs to the potential harm that can be caused by attacks and their results – data exfiltration (and subsequent public release), encrypted files from ransomware and destruction of electronic/IT systems.
Considering the almost daily reporting of attacks on governmental, public and private companies, it’s a mystery as to why there is this malaise from many who rely on critical systems and information to run their companies.
It’s also a task made more difficult by 3rd party suppliers who have a. no interest in their clients’ security and b. have no skills in that area.
I’ve been trying to teach surveillance installers (DVRs, cameras, access control, etc.) the importance of securing their systems for many years. The message mostly gets lost when an installer says they need a port forward to their equipment so that it can be exposed and accessed publicly. They simply can’t understand the simple concept that if something is publicly accessible, it will be attacked.
Unfortunately the chickens came home to roost this weekend past with the expose of HikVision’s incredibly poor security, and a resulting CVE 9.8 vulnerability (pretty much as bad as it gets) that allows for a zero-click unauthenticated (read that carefully and understand the implications) remote code execution.
This vulnerability provides total control of the underlying ‘computer’ in these devices with unrestricted root shell access, per Watchful_IP:
This permits an attacker to gain full control of device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.
This means, as the researcher called out, that the vulnerability can be used to “access and attack” internal networks as well as launch denial of service attacks across the Internet.
HikVision (HK) specifically (and their army of 3rd party installers) has been a particular bugbear of mine over the years, especially as they have little regard for their customers’ security. Proof positive, this is their standard response when clients enquire how to access their cameras remotely:
Hikvision’s cybersecurity “Best Practices” continues to recommend using port forwarding which puts those devices at the highest risk of being hacked. This “best practice” was written after Hikvision’s 2017 backdoor was discovered and widely exploited and is still the head “best practice” on Hikvision’s site today.
In it, while Hikvision warns about the risks of port forwarding, they tell users that if they want ‘quick and steady’ remote access to their Hikvision devices (and most do), that they “may have to choose” port forward:
If P2P or VPN solutions fail to meet the needs of users, who want to have a quick and steady access to the specified port service of the device through the Internet, users may have to choose the traditional ‘port forwarding’ scheme.
So while indicating the security issues with port forwarding, they still recommend it as a solution. The irony is of course off the scale.
A very big issue with this vulnerability is that HikVision have a large 3rd party OEM partnership with hundreds of companies rebranding HK products which could (and probably will) lead to many OEM systems not being patched, and remaining vulnerable.
HikVision aren’t the only surveillance company to be hit with vulns recently. Just a few weeks ago, Dahua disclosed its own new critical vulnerabilities. However, Hikvision’s vulnerability is worse as the new Dahua ones ‘just’ allow for admin access while Hikvision’s issue gives complete root access.
One also has to consider what the relationship between HK and PRC (China) is. It’s clear that PRC has known about and had access to this vuln for weeks if not longer through their local vuln reporting systems, potentially allowing them to attack and get access to corporate and other surveillance systems for quite some time. This is a powerful way for adversaries, including the PRC government, to access networks around the world that would be undetectable by the Hikvision device’s own logging.
FYI, 3 days before the vuln admission by HK, HK’s EMEA CSO wrote an interesting blog entry about why vulnerabilities are not the same as backdoors. Pot, kettle …
Let’s be absolutely clear about it – you never expose internal services to the public internet unless:
- you can keep that service up to date with patches and bug fixes
- have a means to protect that service from attacks (eg. IPS, DoS protection, WAF)
- have that system internally segmented away from your other systems
Even considering the above, there are certain systems and services that should not be exposed public, full stop. IoT in general is one of those categories.
Just don’t do it! Spread the news. And if a 3rd party installer asks you to open your firewall for their service, just say no. Use a VPN instead.