Archive for September 25, 2022

Access To Tens Of Thousands Of Chinese Made Cameras Available For Sale By Hackers…. Yikes!

Posted in Commentary on September 25, 2022 by itnerd

This is not only bad, it’s also a textbook example of why you need to stay on top of patching your IoT gear.

Last fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The vulnerability was given a “critical” CVSS score of 9.8 out of 10 by NIST. The higher the number, the worse it is, and in this case it is as close to a worst-case scenario as you can get without hitting 10.

Now here’s the problem. New research indicates that a year later, 80,000 or so cameras are still out there in the world unpatched. And what’s worse, access to these cameras is for sale by hackers:

Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment.

That’s bad. Really bad. The vendor did put out alerts for this along with firmware updates. But because people have a tendency to do what I call “install and forget” with IoT gear, here we are talking about it. Thus my advice to anyone who owns one of these cameras is to drop what you’re doing and update them now. And my advice to anyone who has IoT gear of any sort is to make sure you stay on top of your firmware updates so that nobody tries to use your IoT gear to pwn you.