From Hikvision to Hackvision: Critical vulnerability patched in CCTV cloud service

Chinese vendor issues fix within 24 hours.

Hikvision has patched a critical authentication vulnerability in its CCTV cloud service that could enable attackers to view live camera feeds and launch a full account takeover.

The Chinese video surveillance solutions manufacturer recently introduced a new cloud service – hik-connect.com – that allows users to access their camera streams without port forwarding on their routers.

While the firmware update was developed to help improve user security, independent researchers Vangelis Stykas and George Lavdanis found that it performed no validation on cookie values, resulting in numerous critical security issues.

“Changing the user ID cookie value with another user ID results into you being logged in as that user,” Stykas explained. “It is possible to determine the user ID just by knowing their email, phone number, or username they used when registering.

“After that, you can view the live feed of the camera, manipulate the DVR, change the user’s email, phone number, or password, and effectively lock the user out of the account without leaving them an option to reuse that device – even after a factory reset.”

In addition to the threat of account takeover or unauthorized third parties being able to covertly view live streams, the researchers said attackers could have enumerated Hikvision cloud IDs with existing email, phone, or user lists.

This could, Stykas told The Daily Swig, lead to a “mass compromise or huge data leak”.

“This vulnerability is a nice example of how a service that was developed to help towards extra security – no port forwarding and no IoT exposed on internet – backfired spectacularly,” he said.

Majority-owned by the Chinese government, Hikvision’s IoT surveillance products are sold in more than 100 countries worldwide.

For its part, Stykas praised the vendor for its “excellent response” to the vulnerability.

He said: “They fixed everything and reached out in less than 24 hours, which is pretty impressive.”

A full technical write-up from the researchers can be found here.