80,000+ Hikvision Cameras Remain Unpatched
According to researchers from Cyfirma, more than 80,000 Internet-facing IP cameras are vulnerable to command injection attacks. A patch for the vulnerability has been available since September 2021. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw (CVE-2021-36260) to its Known Exploited Vulnerabilities catalog in January 2022.
Only 80,000? These types of cameras, not just from Hikvision, have been a major source of "internet background radiation" ever since Mirai started spreading about 10 years ago. Without automatic updates, they will only become safe once their electronics fail.
It is confusing: Hikvision is NOT on the sanctions list barring import, but it IS on the OFAC Non-SDN Menu-Based Sanctions List (NS-MBS List) under the "Strong" category, whatever that means. Bottom line: check whether Hikvision equipment is in use or in any planned procurements, and consider replacing or banning it, since sanctions are a high risk, let alone this vulnerability issue.
Think of that security camera as a computer, where vulnerabilities could be leveraged to pivot onto your network. Yeah, that means you need to think about patching them. What's worse, not all manufacturers are as judicious about providing patches. Think twice about directly exposing them to the Internet, then isolate them onto a separate VLAN and use the strongest possible credentials, verifying no default passwords remain.
People seem to miss that there may be a Cyber-Physical component to this. While we are mired in the “What if” of Cyber and these patches, there is a real danger that not only are these systems able to be used as a pivot point inside your network but these cameras can be abused to look at people, places, locations and be used to potentially move from a cyber-attack into a real-world physical attack. We shouldn’t lose sight of that.
Those appliances (e.g., cameras) that must, or may be, attached to the public networks have a higher security requirement than those (e.g., baby monitors, TVs, refrigerators) that are intended to run only on private networks. Such appliances should be purpose-built and avoid any and all gratuitous functionality.