Unplug and update your Hikvision security cameras and NVRs now


Over 100 million Hikvision devices, namely the company's security cameras and network video recorders (NVRs), have the “highest level of critical vulnerability”. What that means for you, as an owner of any Hikvision device that might be exposed to the internet, is that you must immediately disconnect it from your network and install a firmware update.

Hikvision security cameras are popular within the community, mainly because of their low price and support for the Real Time Streaming Protocol (RTSP), which allows for easy integration with Home Assistant and NVR applications such as Blue Iris and Frigate. Hikvision owners who are aware of the risks such devices bring with them will have placed them on their own VLAN, blocked from the internet. There will, however, be plenty of users who do not use a privacy- and security-minded setup. It is the latter group that is currently at risk of having its privacy invaded.

What the Hikvision security vulnerability means for you

The security vulnerability putting you at risk is one of the worst I have come across since I started writing on the subject. It is potentially worse than what previously happened to eufy security cameras. Hikvision has released a statement on what it allows attackers to do. Basically, anyone can access your Hikvision security camera and NVR, without a username or password, and the device won’t even log the access.

Only access to the http(s) server port (typically 80/443) is needed. No username or password needed[,] nor any actions need to be initiated by camera owner. It will not be detectable by any logging on the camera itself.

Hikvision spokesperson

The discovery was made and published by the security researcher Watchful_IP, who specializes in ARM-based embedded IoT. Thankfully, Hikvision was fast to react and published a series of firmware updates within a day.

Should you be using Hikvision in the first place?

If you don’t know much about Hikvision, it is high time to educate yourself on what it means to buy their security cameras and NVRs. Hangzhou Hikvision Digital Technology Co., Ltd. is owned by the Chinese government, and the U.S. government has in the past placed the manufacturer and supplier of video surveillance equipment under sanctions. In March of this year, the FCC (Federal Communications Commission) stated that Hikvision equipment and services “pose an unacceptable risk to U.S. national security”.

It has been reported that Hikvision supplies “thousands of cameras that monitor mosques, schools, and concentration camps in Xinjiang”. The European Union has banned any Hikvision products from being used on any of the parliament’s premises, due to the unacceptable risk that the manufacturer is “contributing to serious human rights abuses”. Furthermore, in June 2021, South Korea banned their products for one year, and the Indian Navy has destroyed and replaced their existing Hikvision security cameras.

IPVM.com, which reported on the current security vulnerability, has long been critical of Hikvision. They claim that the Chinese Central Government created and controls the company. They also conclude that Hikvision is all too keen to obscure that fact. The choice of whether you buy their products is yours, but keep these few paragraphs in the back of your mind when you do so.

Liam Alexander Colman, the author and maintainer of Home Assistant Guides.

About Liam Alexander Colman

Liam Alexander Colman has been using Home Assistant for various projects for quite some time. What started off with a Raspberry Pi quickly became three Raspberry Pis and eventually a full-blown server. I now use Unraid as my operating system, and Home Assistant happily runs in a Docker container. My personal setup includes many Zigbee devices as well as integrations with existing products such as my Android TV box. Read on to find out more on how I got started with Home Assistant.
