
Thousands of cameras remain unpatched against an 11-month-old CVE, leaving many companies unprotected.

Hikvision, short for Hangzhou Hikvision Digital Technology, is a Chinese state-owned video surveillance equipment company. Its customers come from over 100 nations, including the United States, despite the FCC’s categorisation of Hikvision as “an unjustifiable danger to U.S. national security” in 2019.

CVE-2021-36260 was revealed last fall as a command injection flaw in Hikvision cameras. The National Institute of Standards and Technology rated it “critical”, with a score of 9.8 out of 10.

Despite that severity, and almost a year after the flaw was revealed, 80,000 affected devices remain unpatched. Researchers found “many cases of hackers trying to collaborate on attacking Hikvision cameras using the command injection vulnerability”, particularly on Russian dark web forums where stolen accounts were being sold.

According to David Maynor, senior director of threat intelligence at Cybrary, Hikvision cameras have been susceptible for a long time for a range of reasons. “Their product has easily exploitable systemic weaknesses or uses default passwords. There is no foolproof method to undertake forensics or confirm that an intruder has been removed. Furthermore, we have not witnessed any change in Hikvision’s stance to indicate an enhancement in security during their development cycle.”

“IoT devices, like cameras, are not necessarily as simple to safeguard as an app on your phone,” Paul Bischoff, privacy advocate at Comparitech, noted in an email statement.

“Updates are not automated; users must actively download and install them, and many users may never receive the notification.” IoT devices may also not alert consumers if they are unsecured or outdated. Whilst your phone will notify you when an update is ready and will most likely install it automatically the next time you reboot, IoT devices do not.

The root of this concern lies with laziness, as Bischoff noted. Hikvision cameras come with a default password, and the user must change it to something more secure.

With no solution for this vulnerability in sight, will you put your company at risk and leave it open to attackers, or will you take the road less travelled and change your passcode while you still can?
