About the Hikvision Zombification

A few days ago, news spread that a type of Hikvision DVR had been hacked and essentially turned into zombies – doing the bidding of their new masters. This sort of thing is not new in the hacker community. A while ago, I asked if video surveillance systems were next, pointing to the Shodan search engine, which was – at the time – focusing on SCADA systems and such, and recently the Black Hat video of some IP cameras being hacked showed up in my Twitter feed.

How does it work?

Most modern devices that have internet capabilities are based on some existing OS or kernel. It could be embedded Linux, Windows CE, Windows XP Embedded, QNX or a bunch of other alternatives, although the kernel is modified quite heavily to suit the device capabilities. Once the kernel runs on the device, you can write applications for it, or you can use existing apps that will run on the kernel you’ve chosen. A common app is called “curl”, which grabs “stuff” off the internet using HTTP(S). You could also add an RTSP server to your device – if it is based on Linux you might use GStreamer (I believe Axis uses GStreamer today), and so on. Basically, the device is not that different from your PC – it has an OS/kernel and then some “apps” that run in the background.

The first thing a hacker will try to do is to get “root access”. The term “root” means the super, master, administrator who can do everything on a *nix box. To get root access, the hacker might try to extract the password by feeding the HTTP server with some carefully crafted URLs, or they might examine the firmware (like in the video above), but sometimes things are a lot easier: sometimes people put things on the internet and leave the DEFAULT root password in place. For the Hikvision DVRs the password was 123456, and naturally this is public knowledge. Axis, very cleverly I might add, no longer has a default password! But MOST systems do. You can imagine how dangerous this is – yet every day people put things on the Internet with the default password enabled, or using simple passwords such as 123456 or PASSWORD.

So, the hacker writes a small app that will run on the kernel that the Hikvision DVR comes with. He/She then goes to the shodanhq.com server and searches for Hikvision servers (or runs a scan via some other method). Once the list of servers is retrieved, you go through them one by one, trying to log in with 123456. If you get in, great, if not, go to the next server.

Now I don’t know the hack in question in detail, so I don’t know the steps taken to upload AND schedule running your custom code, even if you are root. But somehow the hacker got the binary uploaded and the kernel started executing the code. The little app mines bitcoins (which might explain why some dirty nerds have millions of dollars tied up in MtGox accounts), and it also tries to hack into a Synology device.

So Hikvision or Synology is to blame?

NO, I don’t think it’s fair to blame them for the poor choices their customers make. One of our customers used to reject the idea of having an RJ45 connector exposed to the outside world, let alone exposing a video surveillance system to the Internet. The Internet is a slum and when you put “stuff” on the Internet, bad people will come by and try to break in. Not changing the default password is a terrible thing to do – if you live in a slum, would you leave your doors unlocked, or perhaps install this sort of thing?

Am I a Target?

Do you have a server open to the internet? If so, yes, you too are a target – and people will try to break in. It’s a constant battle to keep people out.

What can I do?

Assuming you HAVE to expose a device to the internet, you can observe the following:

  • Use good passwords.
  • Use non-standard ports.
  • Try to keep up to date on firmware and security patches.
  • Check on your systems every so often.

None of these steps will make your system totally safe, but they will be like locking your doors and windows properly before leaving your house. With enough commitment, someone will most likely find a way in.
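
The checklist above, written as an audit over a device inventory. This is an added example, not code from the original post; the inventory fields, the weak-password entries beyond the two the post names, the port list and the age thresholds are assumptions, and the sample records are constructed.

```python
from datetime import date

# 123456 and PASSWORD are the examples the post names; the rest are assumed.
WEAK_PASSWORDS = {"123456", "password", "admin", "12345", "root", ""}
# Well-known service ports that internet-wide scanners index first.
STANDARD_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https", 554: "rtsp"}
MAX_FIRMWARE_AGE_DAYS = 365   # assumed policy threshold
MAX_REVIEW_AGE_DAYS = 90      # assumed policy threshold


def weak_password(pw):
    """True if the password is a known default, short, or uses too few character classes."""
    if pw.lower() in WEAK_PASSWORDS or len(pw) < 12:
        return True
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) < 3


def audit(device, today):
    """Return the checklist findings for one inventory record."""
    findings = []
    if weak_password(device["password"]):
        findings.append("weak or default password")
    for port in device["exposed_ports"]:
        if port in STANDARD_PORTS:
            findings.append(f"standard port {port}/{STANDARD_PORTS[port]} exposed")
    if (today - device["firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware older than policy allows")
    if (today - device["last_review"]).days > MAX_REVIEW_AGE_DAYS:
        findings.append("not reviewed recently")
    return findings


# Constructed sample inventory (hypothetical devices, e.g. from a password-manager export).
INVENTORY = [
    {"name": "dvr-lobby", "password": "123456", "exposed_ports": [80, 554],
     "firmware_date": date(2012, 6, 1), "last_review": date(2013, 1, 15)},
    {"name": "dvr-dock", "password": "t7#Vq-mR2x!LpZ", "exposed_ports": [48443],
     "firmware_date": date(2014, 2, 10), "last_review": date(2014, 3, 20)},
]

if __name__ == "__main__":
    today = date(2014, 4, 7)  # fixed date so the output is reproducible
    for dev in INVENTORY:
        issues = audit(dev, today)
        print(dev["name"], "->", "; ".join(issues) if issues else "ok")
```

A clean result from this audit only means the four checklist items are met; as the post says, that is locking the doors, not a guarantee.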


2 thoughts on “About the Hikvision Zombification”

  1. […] Let me start by stating that last week’s Dyn attack was predictable. […]

  2. […] you are not going to get away with #1 and #3 for very long. The hackers at blackhat are not like mortal programmers, they understand assembly code, and will locate a hardcoded […]
