Cybercriminals Exploit Chinese Surveillance Cameras for Financial Gain
A multitude of surveillance cameras, numbering in the tens of thousands, have neglected to address a critical security vulnerability that has persisted for 11 months, consequently leaving numerous organizations susceptible to potential breaches.
Recent research findings reveal that a staggering 80,000 Hikvision surveillance cameras worldwide remain vulnerable to an 11-month-old flaw that enables command injection attacks.
Hikvision, an abbreviation for Hangzhou Hikvision Digital Technology, represents a Chinese government-owned enterprise specializing in the production of video surveillance equipment. Despite the Federal Communications Commission (FCC) denoting Hikvision as “an unacceptable risk to U.S. national security” in 2019, their clientele spans across more than 100 countries, including the United States.
In the autumn of the previous year, the discovery of a command injection vulnerability in Hikvision cameras prompted the assignment of the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-36260. This particular exploit received a critical severity rating of 9.8 out of 10 from the National Institute of Standards and Technology (NIST).
Alarming as it may be, even after nearly a year has elapsed since the exposure of this vulnerability, a substantial number of affected devices, exceeding 80,000 in quantity, remain unpatched. Disturbingly, researchers have unearthed multiple instances of hackers seeking to collaborate in exploiting the command injection flaw present in Hikvision cameras. These collaborative efforts have predominantly materialized within Russian dark web forums, where leaked credentials associated with the vulnerable devices have been offered for sale.
The full extent of the damage inflicted thus far remains uncertain. The authors of the report could merely speculate that various threat groups originating from China, such as MISSION2025/APT41, APT10, and their affiliates, alongside unidentified Russian threat actors, possess the potential to exploit the vulnerabilities present in these devices for their own objectives, which may include geopolitical considerations.
The Vulnerabilities Inherent in IoT Devices
When confronted with accounts such as this, it is tempting to attribute the negligence of individuals and organizations who fail to patch their software to mere laziness. However, the reality is often far more complex.
According to David Maynor, the senior director of threat intelligence at Cybrary, Hikvision cameras have remained vulnerable due to a multitude of factors, and this susceptibility has persisted for a considerable period. Maynor asserts that the products manufactured by Hikvision contain systemic vulnerabilities that are easily exploitable, or even worse, rely on default credentials. Furthermore, the absence of effective means to conduct forensic analysis or verify the complete removal of an attacker further compounds the security challenges. Significantly, no discernible indication of an enhanced security posture within Hikvision’s development cycle has been observed.
This problem transcends Hikvision alone, afflicting the entire industry. Paul Bischoff, a privacy advocate affiliated with Comparitech, emphasized the inherent difficulties in securing Internet of Things (IoT) devices such as cameras, noting that they do not possess the same ease of securing as applications on mobile phones. Unlike smartphones, which promptly notify users of available updates and often install them automatically upon reboot, IoT devices necessitate manual downloading and installation of updates, a task that many users overlook. Moreover, IoT devices frequently fail to provide any indications of being unsecured or outdated, further exacerbating the issue.
While unsuspecting users remain oblivious, cybercriminals can exploit vulnerable devices by scanning for them using search engines like Shodan or Censys. The problem is further compounded by users’ negligence, as Bischoff highlighted, due to the fact that Hikvision cameras are shipped with a limited set of predetermined passwords, and a significant number of users neglect to modify these default credentials.
