Access control bypass in Hikvision IP Cameras
Full disclosure
Sep 12, 2017

Synopsis:
---------------
Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since at least 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.

Risk and Mitigation:
--------------------
The vulnerability poses a severe risk. Because the vulnerability is trivial to exploit, it is recommended that you immediately upgrade or disconnect all Hikvision products from the Internet or untrusted networks, or at least implement network access control rules that only allow trusted IP addresses to initiate connections to vulnerable devices. Keep in mind that many Hikvision IP cameras come with UPNP enabled by default and can expose themselves to the Internet automatically. Hikvision released firmware updates for many camera models where backdoor code is removed. If an update is available for your devlice, you should install it as soon as possible.

Be aware that many Hikvision cameras sold online as "Multilanguage" or "English, not upgradeable" are in fact modified Chinese-language (domestic market) cameras. Attempting to upload English firmware into such cameras could result in a boot loop that can only be recovered from by flashing original Chinese-language firmware over TFTP. If you do not understand what this paragraph says or not entirely sure that your camera is an export English-language model, do not attempt to upgrade it.


Vulnerability details:
----------------------
Hikvision camera API includes support for proprietary HikCGI protocol, which exposes URI endpoints through the camera's web interface. The HikCGI protocol handler checks for the presence of a parameter named "auth" in the query string and if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the idntity of the specified user. The password is ignored.

Virtually all Hikvision products come with a superuser account named "admin", which can be easily impersonated.  For example:

Retrieve a list of all users and their roles:
    http://camera.ip/Security/users?auth=YWRtaW46MTEK

Obtain a camera snapshot without authentication:
    http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK


All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code  or render hundreds of thousands of connected devices permanently unusable with just one simple http call.

And worst of all, one can download camera configuration:
    http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

Configuration backup files, unfortunately, contain usernames and plain-text passwords for all configured users. While the files are encrypted, the encryption is easily reversible, because Hikvision chose to use a static encryption key, which is derived from the password "abcdefg". Other Hikvision products have similarly weak encryption mechanisms.


Planted backdoor or accidental bug?
-----------------------------------
Make your own judgment.

There are four handlers in a typical Hikvision camera firmware that process API requests: ISAPI, PSIA, HikCGI, and Genetec. All four contain very similar authentication and authorization code. Only one of the four (HikCGI) has an additional piece of code with a very simple logic of "if this exists, then skip all authentication". Once you understand the code flow, the backdoor code really stands out. It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years. The vulnerability start ed to quietly disappear from hew firmware released in Jan/Feb of 2017, after Hikvision leadership made public comments that no such backdoor exists and after similar backdoors were reported in other manufacturers' products.

Hikvision indicated that it was a piece of debug code inadvertently left by one of developers.

It is plausible, that a developer forgot to remove a piece of test code and it went unnoticed for years. There are no attempts to hide the backdoor code which would certainly be expected in case of a deliberately planted backdoor. Chinese domestic market cameras contain the backdoor as well.


Timeline:
---------------
March 5, 2017:
    Backdoor discovered.
March 6, 2017:
    - Hikvision notified of the backdoor, technical details provided.
March 7. 2017:
    - Hikvision confirmed vulnerability and promised firmware update.
March 12, 2017:
    - Hikvision issued a memo about the vulnerability to partners.
    - Hikvision started publishing firmware updates for affected devices.
May 4, 2017:
    - ICS-Cert released advisory ICSA-17-124-01
Sep 11, 2017:
    Vulnerability details released in the full disclosure distribution list.


References:
------------
HikCGI protocol:
    http://www.Hikvisioneurope.com/portal/?dir=portal/Integration%20and%20Development%20Materials/03--Protocol/01--HIKCGI%20Protocol

My bitcoin address (buy me a beer):
    1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk