For HomeFor BusinessFor Partners
Smart Home
1 min read

Privilege Escalation in Hikvision IP Cameras; Not All Can Update

Ionut ILASCU

March 21, 2017

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Privilege Escalation in Hikvision IP Cameras; Not All Can Update

Hikvision, a supplier of video surveillance solutions, released a security bulletin for a privilege escalation vulnerability that affects more than 200 of its IP cameras. An attacker could exploit the glitch and get on the device as a user with elevated rights.

This security warning is different from the one published at the beginning of the month. Previously, the company warned of automated online attacks targeting NVRs and DVRs running on firmware pre-dating March 2015 with default port and login information. The company could do nothing but recommend its customers apply newer firmware and use stronger passwords.

In a letter to its customers and partners, Hikvision says the privilege escalation vulnerability affects seven of its IP camera series running specific firmware versions. The company also states the flaw is exploitable under “fairly uncommon circumstances.” It says that, in most set-ups, the devices do not face the Internet directly and are connected to a NVR (network video recorder) or a video management software solution. However, many people today resort to professional surveillance cams and configure them to be accessible over the web.

Rumors started circulating about a backdoor in Hikvison IP cameras some time before the company took action. IPcamtalk forum user montecrypto on March 5 said he had informed the company about the vulnerability and that they had until March 20 to fix the issue and “explain why the backdoor is there,” or details would be published.

In a later post, montecrypto says Hikvision reacted quickly and that their “privilege escalation” label is technically correct, since the vulnerability allows attackers to “remotely escalate their privileges from anonymous web surfer to admin.” Montecrypto warns that applying new firmware does not fix the problem for all users, such as owners of multi-language cameras, who cannot install an update because the language would change to Chinese.

As of the moment it published the security notice, Hikvision had no knowledge of malicious action related to the vulnerability. To eliminate the cybersecurity risk, the Chinese supplier rolled out firmware updates for all IP camera models affected.

Photo credit: Jack Moreh for Freerangestock.

tags

Smart Home

Author

Right now Top posts

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read
3 in 5 travel-themed spam emails are scams, Bitdefender Antispam Lab warns
Industry News Spam

3 in 5 travel-themed spam emails are scams, Bitdefender Antispam Lab warns

August 10, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers
Industry News

Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers
Graham CLULEY

March 06, 2024

2 min read
Crimemarket Taken Down by German Authorities
Industry News

Crimemarket Taken Down by German Authorities
Silviu STAHIE

March 05, 2024

1 min read
Judge Orders NSO Group to Surrender Pegasus Source Code to Meta
Industry News

Judge Orders NSO Group to Surrender Pegasus Source Code to Meta
Silviu STAHIE

March 04, 2024

1 min read

Bookmarks

loader