Hacked Hikvision IP Camera Map

by | Dec 20, 2017 | Uncategorized

Author: Brian Karas, Published on Dec 18, 2017

The interactive map below shows a sample of hacked and vulnerable Hikvision IP cameras across the USA. Hover over a marker to see an image from that camera:

 

This map helps visually demonstrate how wide the practical impact and risk of easy to exploit vulnerabilities. The devices mapped above all suffer from the Hikvision IP Camera backdoor, demonstrated in the video below:

Hikvision cameras vulnerable to the backdoor exploit are accessible across the US. Many of these cameras have already been exploited, altered to show “HACKED” in place of the camera name as one example:

Additional Details

There are ~1,800 yellow markers for vulnerable cameras, and ~600 red markers for “HACKED” cameras (note in some cases, the OSD text is disabled, so while the camera name has been altered, it may not be shown in the image). Lady era https://www.lifestyle-pharmacy.com/product/lady-era/

The average firmware found on the vulnerable cameras had a build date over 2 years old, showing that many users do not update firmware once a device is setup.

Methodology To Create Map

Get Video Surveillance News In Your Inbox

This is how IPVM built the interactive map. Device IPs were exported from Shodan, the result of a search for Hikvision cameras in the US. Each device was evaluated against 3 key criteria:

  • Was it located in the US, based on results of an IP Geo Lookup
  • Was it a Hikvision device, – Hikvision OEM’s were excluded
  • Did the camera have its name changed to some variation of “HACKED”

If the above criteria were met, a snapshot image using a public URL (/onvif-http/snapshot?auth=YWRtaW46MTEK) was taken and logged, along with latitude/longitude coordinates provided by the IP geo lookup. These scans were done during the first week of December 2017, though some devices had inaccurate time stamps that may indicate other dates. Generic phentermine https://adipex-phentermine.net/

IP address geolocation services typically do not provide precise locations, so camera locations shown will be accurate to a general area but not the exact location.

The geolocation data was used to plot points, using Google Maps, with the snapshots associated with each camera/location to be displayed when hovering over the point.

OEMs Add more

This map shows only Hikvision-branded cameras, if OEMs are included (see 80+ Hikvision OEM Directory), the map would have 5,000+ points in the US alone.

Only Data From Shodan

Additionally, while Shodan has a large number of Hikvision devices in its database, Shodan does not represent all of the internet-accessible Hikvision devices. Devices are added (or removed) daily, IP addresses may have changed, or units may have been temporarily offline during scans. While it is impossible to estimate what percentage of accessible Hikvision devices are in Shodan’s database, we can guarantee there are more vulnerable/hacked devices than just those shown on the map.

Excludes Bricked / Hacked Offline Cameras

Many Hikvision IP cameras have been reported as being brought offline, either to update firmware and resolve the vulnerability, or to remove remote connectivity to them when users realize the risks of placing vulnerable cameras on the internet.

These cameras, by definition, are excluded, since they can no longer be reached.

Only Shows People Who Have Not Fixed

Reports of Hikvision cameras having ‘HACKED’ text, or exhibiting other symptoms of hacking have been circulating for the past few months, e.g.:

IPVM discussion of Hikvision cameras resetting:

An ipcamtalk thread from a user experiencing their Hikvision camera being hacked:

Other ipcamtalk threads from users experiencing cameras being factory reset via the backdoor exploit: 123.

As such, the number of Hikvision cameras that have been hacked in some way are certainly far greater, since this map only shows IP cameras that have not been fixed by December 2017. The reports of hacking peaked in October and November (following the September disclosure here), giving users a month, or more, to notice and resolve these issues.

Improving Cybersecurity Lessons

Users should consider the following lessons: