More than 80,000 CCTV cameras made by Chinese-state-owned company Hikvision have been exposed online after owners failed to install a firmware update released last year, or left default passwords in place when first setting the devices up, a new study has found.

Cameras made by Hikvision are being left with default passwords and unpatched, study finds (Photo: Ignatiev/iStock)
Cameras made by Hikvision are being left with default passwords and unpatched, study finds (Photo by Ignatiev/iStock)

A flaw known as CVE-2021-36260, first spotted last year, is easily exploitable via a crafted message sent to the vulnerable web server linked to the camera. It was addressed by Hikvision via a firmware update in September that was made available to the owners of more than 280,000 installed cameras that had been left vulnerable.

A whitepaper by cybersecurity company CYFIRMA describes 2,300 organisations in 100 countries, covering about 80,000 CCTV cameras still haven’t patched their systems with the Hikvision update, despite known exploits of this flaw being found in the wild.

One of these exploits was published in October and another in February this year showing evidence that it could be used by hackers of all skill levels and widely shared within hacker forums. In December last year, a Mirai-based Botnet used this exploit to spread itself and enlist the systems into a DDoS swarm.

In its whitepaper, CYFIRMA says Russian-language forums are selling network entrance points that rely on exploitable Hikvision cameras for use in botnetting or as lateral movement into other parts of a network.

Cyberwarfare target

Out of 285,000 Hikvision web servers analysed by CYFIRMA about 80,000 were still vulnerable to exploitation with most in China and the US, but others were also found in the UK, Ukraine and France. There were more than 2,000 endpoints left exposed due to a lack of patching.

There are multiple hackers exploiting this unpatched flaw so there isn’t a single specific pattern to the exploitation, but CYFIRMA says there is evidence of state hackers involved. This includes the APT41 and APT10 groups from China as well as Russian hackers that specialise in cyberespionage.

"Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale," CYFIRMA wrote in the whitepaper. "These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment."

CYFIRMA had previously seen groups launching a cyberespionage campaign called "think pocket", which exploited a popular connectivity product. This campaign was targeting industries including telecom, energy, defense, research and government organisations in the US, Japan, UK and Australia. The attacks using the Hikvision exploit mirrors those seen in this previous campaign.

"Given the current geopolitical driven cyberwarfare brewing across the world, we suspect an uptick in cyberattacks from various nation-state threat actors on critical infrastructure, state entities, defence organizations, and many more," the researchers wrote.

"Open vulnerabilities and ports in such devices will only compound the impact on targeted organizations and their countries economic and state prowess. It is paramount to patch the vulnerable software of the Hikvision camera products to the latest version."

Default passwords left in place

The vulnerability wasn't the only problem facing the owners of these cameras. Hackers were also exploiting the fact many had weak passwords or in some cases had even left the default passwords in place and not reset them as recommended during the initial setup.

Jake Moore, global security advisor for cybersecurity vendor ESET, said a combination of weak passwords and a vulnerability issue that could be easily exploited created a damaging “double hit”. He told Tech Monitor: “The latest firmware patch is immediately required for anyone operating these cameras and it goes without saying that strong passwords are vital.”

Hikvision cameras can be found in their millions on government and official buildings around the world, with an estimated one million on buildings in the UK alone. UK sites include government and publicly-owned property. There has been a push against their use in the UK, in part due to Hikvision's implication in aiding Chinese oppression in Xinjiang province in China but also because of the company's close links to the Chinese government.

Recently the Department for Work and Pensions (DWP) removed Hikvision from its buildings and the Department for Health and Social Care cancelled its contract with the company to provide CCTV at its sites. In July, a group of 67 MPs and Lords called for a nationwide ban on both Hikvision and another Chinese company, Dahua surveillance technology.

The UK government has responded to the rising concern about these companies, telling the BBC that it “takes the security of our citizens, systems and establishments very seriously and have a range of measures in place to scrutinise the integrity of our arrangements”.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Oracle faces lawsuit over "global surveillance" of five billion people