Cyber security specialists are warning companies and home users to update the firmware of their security cameras after a “critical” vulnerability was detected in millions of cameras from the world’s largest IP camera manufacturer, Hikvision.

The vulnerability allows a malicious outsider to access and control at least 79 different models of networked Hikvision video cameras, which can potentially be used to jump laterally onto the victim’s network – exposing a company’s entire network to compromise.

Attackers can potentially gain more access privileges than even the legitimate owner has, and because the exploit uses the camera’s standard HTTP ports (80 and 443), unauthorised access will not be detectable by the camera itself.

Attackers only need to be able to access the camera’s built-in web server, often left accessible to the Internet to make it easier for administrators to monitor or control the cameras.

In such situations, secure passwords are meant to restrict access to the online cameras – but the newly-discovered command-injection vulnerability allows attackers to bypass these mechanisms because the camera’s web server doesn’t properly check and validate the information sent to it.
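The flaw class described above, a web handler that passes a request parameter into a shell command without validating it, is illustrated below. This is an added example for explanation, not Hikvision firmware, the researcher’s findings, or the actual vulnerable code path; the parameter name (a UI language setting), the `setlang` command, and the sample request values are all constructed assumptions. It shows the vulnerable string-splicing pattern beside a hardened version that allow-lists the input and avoids the shell entirely, plus a simple log-side check a defender could run over parameter values seen by a proxy in front of the camera.

```python
"""
Added illustration of web-interface command injection (constructed example,
not code from Hikvision or the researcher). The parameter, the command and
the sample values are assumptions made for the demonstration.
"""
from typing import List, Optional

# Constructed sample parameter values, as an embedded web server might
# receive them in a request that sets the camera's UI language. The last
# three carry shell metacharacters typical of command-injection attempts.
SAMPLE_VALUES = ["en", "zh-CN", "en; id", "$(cat /etc/passwd)", "en`reboot`"]

# Characters that change the meaning of a command line when handed to sh -c.
SHELL_METACHARS = ";&|`$<>(){}\\'\"\n"


def vulnerable_command(lang: str) -> str:
    """The flawed pattern: the parameter is spliced straight into a command
    line that firmware would hand to `sh -c`. Returned as a string and never
    executed here; any metacharacters in `lang` become shell syntax."""
    return "setlang " + lang + " > /tmp/lang.conf"


# Hardened path: an explicit allow-list plus a strict shape check.
ALLOWED_LANGS = {"en", "zh-CN", "de", "fr"}


def validate_language(lang: str) -> Optional[str]:
    """Accept only values that are on the allow-list; everything else is
    rejected, so there is no way to smuggle extra characters through."""
    if lang in ALLOWED_LANGS:
        return lang
    return None


def hardened_command(lang: str) -> List[str]:
    """Hardened pattern: reject anything not allow-listed, then build an
    argument vector for execve-style execution with no shell involved.
    (An assumed /usr/bin/setlang binary stands in for the real handler.)"""
    validated = validate_language(lang)
    if validated is None:
        raise ValueError("rejected language parameter: %r" % lang)
    return ["/usr/bin/setlang", validated]


def looks_like_injection(value: str) -> bool:
    """Defender-side check for proxy or WAF logs in front of the camera:
    flag parameter values carrying shell metacharacters."""
    return any(c in value for c in SHELL_METACHARS)


def triage(values: List[str]) -> dict:
    """Run each sample through both code paths and the detector."""
    report = {}
    for v in values:
        try:
            hardened = hardened_command(v)
        except ValueError:
            hardened = None
        report[v] = {
            "vulnerable_cmdline": vulnerable_command(v),
            "hardened_argv": hardened,
            "flagged": looks_like_injection(v),
        }
    return report


if __name__ == "__main__":
    for value, result in triage(SAMPLE_VALUES).items():
        print(repr(value), "->", result)
```

The key design point is that the hardened path never tries to “clean” the input: it compares against a fixed set of acceptable values and then executes without a shell, so metacharacters have nothing to act on. The detector is deliberately coarse; it is meant to surface suspicious requests in logs for review, not to replace the fix.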

The ‘zero-click’ remote code execution (RCE) vulnerability – which means it can be exploited by attackers without the user having to do anything at all – has been deemed serious enough that it has been given a Common Vulnerability Scoring System (CVSS) severity score of 9.8 out of 10.

It was reported to Hikvision in June by a UK-based security researcher called Watchful IP, with Hikvision working to patch and verify a fix that is contained in recently-updated firmware – which users are urged to install as soon as possible.

The vulnerability may also affect equipment from other brands that have licensed Hikvision’s core security-camera platform; the company has urged those brands to contact their own users directly.

Hikvision “has committed to continuing to work with third-party white-hat hackers and security researchers to find, patch, disclose and release updates to products in a timely manner,” the company noted on its blog.

Device risks amplified

The risk posed by insecure IP cameras and other Internet of Things (IoT) devices has expanded at a dizzying pace in recent years, with security firm Kaspersky recently reporting that IoT ‘honeypots’ had recorded more than 1.5 billion attacks in the first half of this year – more than double the 639 million during the last half of 2020, and 15 times the attack volumes recorded during similar exercises in the first half of 2019.

Security firm Zscaler, for its part, reported in July that sampling last December saw 833 IoT malware attacks blocked every hour on its network alone – up 700 per cent compared to the previous year – with IP cameras comprising 1.8 per cent of the targets.

Previous warnings that Hikvision may be a stooge of the Chinese government – supported by ownership analyses but vociferously denied by the company in the latest update – have raised eyebrows after previous investigations found the company’s cameras were still being used in some of the most sensitive parts of the Australian government.

US authorities last year banned government contractors from buying products from Hikvision, Chinese camera rival Dahua, or equipment from telecommunications companies Huawei Technologies, Hytera Communications Corp, or ZTE Corp.

Last month, US authorities moved towards a complete ban on sales of the companies’ products in that country – including a revocation of FCC authorisation that could mandate the removal and replacement of millions of security cameras.

The companies’ fortunes have been closely tracked by the likes of the Australian Strategic Policy Institute (ASPI), which noted that Hikvision had expanded its global presence significantly during the COVID-19 pandemic thanks to improvements in temperature sensing and monitoring of mask mandate compliance.

Hikvision security cameras are intrinsic to China’s state-run surveillance system, and are similarly entrenched in public-surveillance systems and businesses across the world.

The window between the publication of a new vulnerability and its exploitation by cybercriminals is a fraught time for companies, with the inevitable delays in deploying patches creating an opening for malicious nation-state actors and ransomware-toting cybercriminals.

In the wake of a significant Microsoft Exchange vulnerability earlier this year and observed delays as many Australian companies failed to patch their systems quickly, security firm Radware warned that the situation had “evolved into a global hacking spree now impacting hundreds of thousands of organisations worldwide”.