In an unprecedented security alert, over 100 million Hikvision devices, encompassing security cameras and Network Video Recorders (NVRs), have been identified as harbouring the “highest level of critical vulnerability.” For owners of Hikvision equipment with internet access, the directive is clear and urgent: disconnect these devices from your network and promptly apply a firmware update to safeguard your privacy.
Internet Access: A Gateway for Intruders
Hikvision's security cameras have gained traction for their affordability and compatibility with Real Time Streaming Protocol (RTSP), facilitating smooth integration with Home Assistant and NVR applications like Blue Iris and Frigate. Many users, understanding the inherent security risks, wisely segregate these devices on a dedicated VLAN, effectively barring internet access. Yet, a significant portion of users, perhaps unaware of these precautions, remain exposed to potential privacy breaches.
Unravelling the Severity of the Hikvision Security Flaw
The discovered security flaw in Hikvision devices is alarmingly severe, eclipsing past vulnerabilities seen in other security camera systems, including eufy. According to Hikvision, this vulnerability allows unauthorized access to your security devices without needing a username or password, bypassing any form of logging that could alert the owner.
“Only access to the http(s) server port (typically 80/443) is needed. No username or password needed, nor any actions need to be initiated by camera owner. It will not be detectable by any logging on the camera itself,” a Hikvision spokesperson explained.
Credit for uncovering this critical flaw goes to Watchful_IP, a security researcher specializing in ARM-based IoT systems. Their discovery prompted Hikvision to swiftly release firmware updates to mitigate the issue.
Reassessing Hikvision's Position in Your Security Setup
The background of Hikvision (officially Hangzhou Hikvision Digital Technology Co., Ltd.), which is owned by the Chinese government, raises significant ethical and security concerns. The company has faced sanctions from the U.S. government and scrutiny over its equipment's use in monitoring activities in Xinjiang.
It has been reported that Hikvision supplies “thousands of cameras that monitor mosques, schools, and concentration camps in Xinjiang”. The European Union has banned any Hikvision products from being used on any of the parliament's premises, due to the unacceptable risk that the manufacturer is “contributing to serious human rights abuses”. Furthermore, in June 2021, South Korea banned their products for one year and the Indian Navy has destroyed and replaced their existing Hikvision security cameras.
IPVM.com, which reported on the current security vulnerability, has long been critical of Hikvision. They claim that the Chinese Central Government created and controls the company. They also conclude that Hikvision is all too keen to obscure that fact. The choice whether you buy their products is yours, but keep these few paragraphs in the back of your mind when you do so.
Conclusion
This urgent call to action for Hikvision device owners underscores the importance of staying vigilant and proactive in securing digital and physical assets. By updating your Hikvision devices promptly and reevaluating their place in your security setup, you can better protect your privacy and align your choices with broader ethical considerations.