Updated DVR systems from Hikvision have vulnerabilities that open the door to hacking, security researchers have warned.
Digital Video Recorders (AKA Network Video Recorders), such as those from the likes of Hikvision, are used to record surveillance footage of office buildings and surrounding areas.
However, the range of vulnerabilities in Hikvision's kit create a means to remotely delete recorded footage, an attack that defeats the purpose Hikvision security cameras. Compromised DVR systems might be used as a waypoint to hack into local networks containing pwned DVR's. Compromised DVRs might thereafter be used to attack point of sale devices, workstations and servers, or other targets.
Hacked DVRs might be abused as a part of a botnet, a potential abuse that cybercrooks have already latched onto. For example, insecure Hikvision DVRs were abused in a (mostly ineffective) scam to mine Bitcoins back in April.
Security researchers at Rapid7 discovered that 150,000 of Hikvision DVRs devices could be accessed remotely. Rapid7 warns that DVRs exposed to the internet are routinely targeted for exploitation. "This is especially troubling given that a similar vulnerability (CVE-2013-4977) was reported last year, and the product still appears unpatched out of the box today," researchers at the firm behind the Metasploit penetration testing tool conclude.
A blog post (extract below) by Rapid7, the firm behind the Metasploit penetration testing tool, explains the vulnerabilities at play in greater depth.
[Hikvision] DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details for those vulnerabilities. In addition, a remote code execution through a Metasploit exploit module has been published.
No authentication (login) is required to exploit this vulnerability. The Metasploit module demonstrates how unpatched security bugs would enable hackers to gain control of a vulnerable device while sitting behind their keyboard, potentially thousands of miles away.
Rapid7 attempted to contact Hikvision several times since September but the company provided no response, prompting a decision to go public.