Hikvision DVRs sporting bugs that allow device hijacking

  • 21 November 2014

Author: Zeljka Zorz / HNS Managing Editor / Posted on 21 November 2014.

A while back, SANS ISC CTO Johannes Ullrich discovered that cybercrooks were targeting Hikvision Digital Video Recorders (DVRs) in order to infect them with bitcoin-mining malware. They were successful because the DVRs come with a default administrative account "admin" with password "12345," and these are often left unchanged by users.

Digital Video Recorders are usually used to record surveillance footage inside and outside office buildings and private houses and, unfortunately, default accounts and passwords are not their only weak spot.

Mark Schloesser, a researcher with Rapid7 Labs, has discovered three buffer overflow bugs (CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880) affecting the Hikvision DS-7204-HVI-SV digital video recorder with firmware V2.2.10 build 131009, and likely other devices in the same model range.

These bugs can be exploited remotely and without the need for authentication to gain full control of the device, as the researchers proved by writing a Metasploit module taking advantage of the last one.
