A threat involving the misuse of Hikvision intercoms to spy on neighbours has been discovered. Millions of people install intercoms for surveillance and to detect intruders, but vulnerabilities found in them can be exploited by threat actors to spy on their targets via interconnected devices.
The vulnerability enables threat actors to use the Hikvision smart intercom as a spying device. In a recently published article, researchers from Skylight Cyber warned that the potential for the device to be used for spying should be of great concern to business owners and organizations, as threat actors would certainly gain unauthorized access and breach the privacy of the people they spy on.
The research was conducted specifically on Hikvision devices, as they are a commonly available brand and a popular choice among users. The two intercom products tested by the researchers are the DS-KH6210-L and the DS-KH6320-WTE1. The devices were tested inside an apartment to establish how they interact with other connected devices, such as cameras, door controllers, and other intercoms, that are used in a sophisticated environment. Port mirroring was also configured between the devices to capture both inbound and outbound traffic.
Mirroring the Threat Actors' Approach:
The researchers from Skylight Cyber indicated that the methods threat actors would use to conduct a malicious attack are not complex, as a potential attacker does not need many tools to carry one out.
Skylight Cyber CEO Adi Ashkenazy describes the steps as follows:
“An attacker would need network access to deploy this attack, and given that these systems are generally not connected to the internet, this means physical access to the target building. Once you have physical access, you need to connect to an ethernet port, which can be done through either an apartment in the building or the lobby.”
Given the ease of using various social engineering tactics, such as tailgating in this context, it is unquestionable that attackers could exploit this approach to gain physical access to buildings and infrastructure where this surveillance device is deployed.
Adi further emphasized that:
“In terms of equipment, you just need an Ethernet cable and a laptop, and we’d throw in a screwdriver for good measure. The overall level of expertise required to deploy the attack is quite low.”
The attack is simple. When an attacker has access to a building of interest that is equipped with Hikvision devices such as intercoms, they can bypass security by following these steps: first, they disconnect the intercom’s Ethernet cable from the wall, and then connect it to their laptop using a standard Ethernet cable. If this connection is successful, the attacker gains access to the network.
The next stage is equally straightforward, as the attacker only needs to execute a series of scripts from a GitHub repository to attempt to brute force the admin credentials. Once they have successfully obtained these credentials, they can log into the targeted intercom device, effectively breaking through its protected shell.
A single command from an external laptop then gives an individual full access to a device and the use of any of its functions, including the microphone on the intercom.
Adi additionally describes the situation as follows:
“Once you have that level of access you can eavesdrop on anyone else in the building that has an intercom.”
At the time of this disclosure, there have been no reports of the attack being experienced in the wild. To protect its customers and brand, Hikvision has issued a patch, which can be downloaded from its official website.
Furthermore, Skylight Cyber describes the action taken by Hikvision as a swift response. They said:
“Hikvision was quite quick to respond, so hats off to them on that. However, as far as we know, they have been selective in terms of the fix. Focusing on the authentication bypass, and leaving the shell escape in place.”
However, there is a limitation: tenants are not able to apply the patch themselves, because applying the update requires admin credentials and access. They have to rely solely on a technician to apply the security updates, as the process is done manually. Therefore, businesses and buildings that haven’t applied these security updates will remain vulnerable.
Skylight Cyber researchers describe the situation as one they:
“Believe that might be exploited in the wild until it is patched to a significant extent, which is why we didn’t release the full exploitation kit.”
Please let us know your thoughts about this in the comment section.