80,000 internet-connected cameras still vulnerable after critical patch offered

Just more IoT conscripts for the botnet armies


Tens of thousands of internet-facing IP cameras made by China-based Hikvision remain unpatched and exploitable despite a fix being issued for a critical security bug nearly a year ago.

Researchers at Cyfirma recently published a report [PDF] claiming they found more than 80,000 cameras in more than 100 countries online, with ports open and no protection against CVE-2021-36260, a command-injection vulnerability exploitable by anyone with HTTP access to TCP ports 80 or 443 of an affected camera.

Awarded a CVSS score of 9.8 of 10 in severity, the Hikvision bug was considered serious enough for the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its list of "must patch" security flaws early this year, adding that the vulnerability is already being exploited.

Thus, we have thousands of publicly exposed devices – home cameras, no less – that are easy to exploit to gain control of, and that have been exploited, presumably to press-gang them into botnets, launch attacks on other networks, snoop on owners, and so on.

In a report last December, researchers at Fortinet said that the Hikvision vulnerability was being targeted by "numerous payloads," including variants of the Mirai botnet.

Cyfirma said it also discovered multiple instances of criminals collaborating online to exploit the Hikvision vulnerability. "We have reasons to believe that Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices," Cyfirma said. 

Given how simple the bug is to exploit, its known past use, and the continued discussion of its merits among criminals, it's safe to assume that unpatched Hikvision cameras are already compromised.

Patches for affected Hikvision devices, of which there are more than 70 models, are available on the maker's website, where Hikvision urges its distributors to "work with your customers to ensure proper cyber hygiene and install the updated firmware." 

In terms of where most affected devices are located, Cyfirma said most of those it found were in China, followed by the US, Vietnam, the UK, and Ukraine.

"Open vulnerabilities and ports in such devices will only compound the impact on targeted organizations and their countries' economic and state prowess. It is paramount to patch the vulnerable software of the Hikvision camera products to the latest version," Cyfirma said. 

This isn't Hikvision's first brush with bad publicity in the past few years. In 2019, the US placed the biz on a trade deny-list over allegations it helped the Chinese government repress Uyghur Muslims in the country by supplying cameras for surveillance. 

Since then, America has also considered a wider ban on Hikvision through restrictions on US investment in the company as well as freezing its assets held in the US. 

Similar discussions are being had in the UK, where several lawmakers backed a campaign in July to ban the sale or use of Hikvision or Dahua cameras for the same human-rights-based reasons as the US. ®
