Over 100 million Hikvision devices, namely their security cameras and network video recorders (NVR), have the “highest level of critical vulnerability”. What that means for you, as an owner of any Hikvision devices that might be exposed to the internet, is that you must immediately disconnect them from your network and install a firmware update.
Don't allow your cameras to access the internet
Hikvision security cameras are popular within the community, mainly because of their low price and support for the Real Time Streaming Protocol (RTSP), which allows easy integration with Home Assistant and NVR applications such as Blue Iris and Frigate. Hikvision owners who are aware of the risks such devices bring with them will have placed them on their own VLAN, blocked from the internet. There will, however, be plenty of users who do not use a privacy- and security-minded setup. It is the latter group that is currently at risk of having their privacy invaded.
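The VLAN setup described above, sketched as an nftables forward chain for a Linux router. This is an added example and not part of the original article; the interface names, subnets and the NVR address are assumptions to adapt to your own network.

```nftables
#!/usr/sbin/nft -f
# Added example: isolate a camera VLAN on a Linux router.
# Every name and address below is an assumption for illustration.

define WAN_IF  = "eth0"            # uplink to the internet (assumed)
define LAN_IF  = "eth1.10"         # trusted LAN VLAN (assumed)
define CAM_IF  = "eth1.30"         # camera VLAN (assumed)
define CAM_NET = 192.168.30.0/24   # camera subnet (assumed)
define NVR_IP  = 192.168.10.20     # Home Assistant / Frigate / Blue Iris host (assumed)

table inet camera_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed by a rule below.
        ct state established,related accept
        ct state invalid drop

        # Only the NVR host may open connections to the cameras:
        # RTSP over TCP for video, HTTP(S) for administration and firmware updates.
        iifname $LAN_IF oifname $CAM_IF ip saddr $NVR_IP ip daddr $CAM_NET tcp dport { 554, 80, 443 } accept

        # Cameras never initiate traffic to the internet or to the LAN.
        # Logging the attempts shows which devices try to reach out.
        iifname $CAM_IF log prefix "cam-vlan-blocked: " drop

        # Nothing arriving from the internet is forwarded to the cameras,
        # even if a port forward is added later by mistake.
        iifname $WAN_IF oifname $CAM_IF drop

        # Ordinary LAN clients keep their internet access.
        iifname $LAN_IF oifname $WAN_IF accept
    }
}
```

With this in place the cameras' web interface is reachable only from the NVR host, so firmware updates have to be uploaded from that machine.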
What the Hikvision security vulnerability means for you
The security vulnerability putting you at risk is one of the worst I have come across since I started writing on the subject. It is potentially worse than what previously happened to eufy security cameras. Hikvision has released a statement on what the vulnerability allows attackers to do. Basically, anyone can access your Hikvision security camera and NVR without a username or password, and the device won't even log the access.
“Only access to the http(s) server port (typically 80/443) is needed. No username or password needed, nor any actions need to be initiated by camera owner. It will not be detectable by any logging on the camera itself.” - Hikvision spokesperson
The security researcher Watchful_IP, who specializes in ARM-based embedded IoT, made and published the discovery. Thankfully, Hikvision was fast to react and published a series of firmware updates within a day.
Should you be using Hikvision in the first place?
If you don't know much about Hikvision, it is high time to educate yourself on what it means to buy their security cameras and NVRs. Hangzhou Hikvision Digital Technology Co., Ltd. is owned by the Chinese government, and the U.S. government has in the past placed the manufacturer and supplier of video surveillance equipment under sanctions. In March of this year, the FCC (Federal Communications Commission) stated that Hikvision equipment and services “pose an unacceptable risk to U.S. national security”.
It has been reported that Hikvision supplies “thousands of cameras that monitor mosques, schools, and concentration camps in Xinjiang”. The European Union has banned any Hikvision products from being used on any of the parliament's premises, due to the unacceptable risk that the manufacturer is “contributing to serious human rights abuses”. Furthermore, in June 2021 South Korea banned their products for one year, and the Indian Navy has destroyed and replaced their existing Hikvision security cameras.
IPVM.com, which reported on the current security vulnerability, has long been critical of Hikvision. They claim that the Chinese Central Government created and controls the company. They also conclude that Hikvision is all too keen to obscure that fact. The choice whether you buy their products is yours, but keep these few paragraphs in the back of your mind when you do so.