HACKERS can DELETE SURVEILLANCE DVRS remotely – report

Password bypass

The security researchers are calling on Hikvision to provide fixes and workarounds that address the latest round of vulnerabilities in its equipment.

Until a patch is administered users of Hikvision gear are urged to contact their vendor. Manufacturers that white-label Hikvision components and software are urged to do the same.

El Reg dropped a note to the China-based manufacturer's security response email address, requesting a comment on Rapid7's advisory. We'll update this story as and when we hear back.

A Russian website offering feeds from insecure CCTV cameras and net-connected home security cameras made the news on Thursday following a warning from data privacy watchdogs at the ICO. That security weakness stemmed from failure to change default passwords whereas Rapid7's warning relates to DVR vulnerabilities. Just changing the password wouldn't work in this case, according to Rapid7.

"The Hikvision DVRs we researched can be hacked regardless of the password being changed because of the three vulnerabilities we found inside them - this makes them even more vulnerable than the CCTV cameras because the DVRs can still be exploited by attackers even if the user changes the default password," explained Mark Schloesser, a security researcher at Rapid7. "In this case the only solution is for Hikvision to administer a patch." ®

Update

Asked to respond to Rapid7's research, Hikvision supplied a statement urging customers to change their default passwords.

Hikvision’s products are delivered with the default user name and password credentials in order to give convenience for the end users to facilitate the first-time operation; therefore, it is strongly recommended that users must change them with unique access credentials during the first login and on a frequent basis. For instructions on changing the default admin and password credentials, please refer to the product’s updated user manual or consultant with the local technical support by emails or by phones.

In addition, Hikvision releases its firmware periodically for keeping the products up-to-date. Please be sure you have the latest firmware version for your own product.

Mark Schloesser, the security researcher at Rapid7 who carried out the original research was dissatisfied with this response, arguing it sold users short by failing to resolve the security issues it originally highlighted.

“This doesn’t directly respond to our disclosure - the only relevant part is that HikVision says users should update the firmware," Schloesser explained. "Basically even if you 'advise' users to change the default password and even if you release an update for the firmware, these kinds of products will always have a high percentage of people who don't change the defaults and or install updates."

The current process needed to be revamped, he added.

"We need a change on the manufacturer side to solve the issues. For example the devices can be configured with a secure default password that's printed on the device - or require the user to set it when first installing the device. For the firmware side it should be possible to have the devices auto-update using signed secure updates - this is done for several other device categories and software already.”