The interactive map below reveals a concerning landscape of hacked and vulnerable Hikvision IP cameras spanning across both the USA and Europe. By simply hovering over any marker, you can witness a live image captured directly from that compromised camera.
A visual representation of vulnerable Hikvision IP cameras in Europe and the USA, highlighting the widespread security risks.
[Note: Originally published focusing on the USA on December 18th, this report and map have been expanded to include and showcase vulnerable cameras located within Europe.]
This map serves as a stark visual demonstration of the extensive practical implications and inherent risks associated with easily exploitable vulnerabilities in widely used IP camera systems. The devices pinpointed on the map are all susceptible to the well-documented Hikvision IP Camera backdoor. The severity and ease of exploitation are clearly illustrated in the video demonstration provided below:
Across both the US and Europe, numerous Hikvision cameras are vulnerable to this backdoor exploit. A significant number of these cameras have already fallen victim to exploitation, evidenced by alterations such as displaying “HACKED” in place of the standard camera name. This is a clear indicator of unauthorized access and manipulation.
Delving Deeper into the Vulnerability
The data compiled for this interactive map reveals approximately 3,400 yellow markers indicating cameras with known vulnerabilities, contrasted with around 700 red markers signifying cameras that have been actively “HACKED.” It’s important to note that in some instances, the On-Screen Display (OSD) text function may be disabled, meaning that while the camera name might have been altered by malicious actors, this change may not be immediately visible in the camera’s image feed.
Analysis of the firmware versions on these vulnerable cameras revealed an alarming trend: the average firmware build date was over two years old. This clearly illustrates a critical issue: many users neglect to perform essential firmware updates on their devices after the initial setup, leaving them exposed to known security threats.
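Camera owners can run the same firmware-age check against their own inventory. The following is an added example, not tooling from the original report: it parses the build date out of each firmware string and separates stale, current and unparsable entries. The inventory, the "Vx.y.z build YYMMDD" string layout, the 365-day threshold and the function names are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed inventory: (camera name, firmware string as reported by the device).
# The "Vx.y.z build YYMMDD" layout is an assumption about how the string is formatted.
INVENTORY = [
    ("lobby-cam", "V5.3.0 build 150513"),
    ("dock-cam", "V5.4.5 build 170124"),
    ("gate-cam", "V5.2.0 build 140721"),
    ("roof-cam", "unknown"),
]

FW_RE = re.compile(r"V(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{2})(\d{2})(\d{2})")


def build_date(firmware):
    """Return the build date encoded in the firmware string, or None."""
    m = FW_RE.search(firmware)
    if not m:
        return None
    yy, mm, dd = (int(g) for g in m.groups()[3:])
    try:
        return date(2000 + yy, mm, dd)
    except ValueError:  # e.g. month 13 in a corrupted string
        return None


def audit(inventory, today, max_age_days=365):
    """Split cameras into stale / current / unparsed and compute the mean age."""
    report = {"stale": [], "current": [], "unparsed": [], "mean_age_days": None}
    ages = []
    for name, firmware in inventory:
        built = build_date(firmware)
        if built is None:
            report["unparsed"].append(name)  # needs manual review
            continue
        age = (today - built).days
        ages.append(age)
        report["stale" if age > max_age_days else "current"].append((name, age))
    if ages:
        report["mean_age_days"] = sum(ages) / len(ages)
    report["stale"].sort(key=lambda item: item[1], reverse=True)  # oldest first
    return report


if __name__ == "__main__":
    print(audit(INVENTORY, date.today()))
```

Entries that land in `unparsed` should be checked by hand rather than assumed current.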
Methodology Behind the Interactive Map
The creation of this interactive map involved a meticulous process of data collection and analysis. IP addresses of devices were initially extracted from Shodan, a powerful search engine for internet-connected devices. This data was the result of a comprehensive global search for Hikvision cameras. Each device identified underwent a rigorous evaluation based on three key criteria:
- Geographic Location: Determination of whether the device was located within the US or Europe, based on the results provided by an IP Geo Lookup service.
- Manufacturer Verification: Confirmation that the device was indeed a Hikvision camera, explicitly excluding devices from Hikvision Original Equipment Manufacturers (OEMs).
- “HACKED” Status: Detection of whether the camera’s device name had been modified to a variation of “HACKED,” indicating a potential security breach.
For devices meeting all of the above criteria, a snapshot image was captured using a publicly accessible URL path (/onvif-http/snapshot?auth=YWRtaW46MTEK). This snapshot, along with latitude and longitude coordinates obtained from the IP geo lookup, was then logged for mapping purposes. These scans were conducted throughout December 2017, although some devices exhibited inaccurate timestamps, potentially indicating activity on different dates.
It is crucial to understand that IP address geolocation services provide approximate locations. Therefore, camera locations displayed on the map are accurate to a general area but not precise to the exact physical address.
The geolocation data was then utilized to plot points on Google Maps. The captured snapshots were linked to each camera location, enabling users to view the camera’s image by hovering over the corresponding point on the interactive map.
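The snapshot request described above leaves a recognizable trace in the access logs of any reverse proxy or firewall that sits in front of a camera. The following is an added example, not part of the original report: it flags logged requests that carry an auth query parameter whose value base64-decodes to a user:secret string. The log lines, the common log format and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2017:09:58:03 +0000] "GET /index.html HTTP/1.1" 200 1532
203.0.113.7 - - [12/Dec/2017:10:01:22 +0000] "GET /onvif-http/snapshot?auth=YWRtaW46MTEK HTTP/1.1" 200 48211
198.51.100.23 - - [12/Dec/2017:10:04:40 +0000] "GET /portal?auth=session-7f3a HTTP/1.1" 302 0
203.0.113.7 - - [12/Dec/2017:10:05:09 +0000] "GET /onvif-http/snapshot?auth=YWRtaW46MTEK HTTP/1.1" 401 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def looks_like_credentials(value):
    """True if value is base64 that decodes to text of the form user:secret."""
    try:
        # parse_qs turns '+' into a space, so restore it before decoding
        decoded = base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, _ = decoded.partition(":")
    return bool(sep) and bool(user) and user.isprintable()


def find_auth_param_requests(log_text):
    """Return one finding per request carrying credentials in an auth= parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, when, _method, target, status = m.groups()
        parts = urlsplit(target)
        for value in parse_qs(parts.query).get("auth", []):
            if looks_like_credentials(value):
                # "served" is True when the device answered with a 2xx status
                findings.append({"src": src, "time": when, "path": parts.path,
                                 "status": int(status), "served": status.startswith("2")})
    return findings


if __name__ == "__main__":
    for finding in find_auth_param_requests(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to True means the device answered the request and should be patched or taken off the internet; a 401 on the same path suggests the firmware already rejects it.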
GDPR Implications in Europe
The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, introduces significant implications for data security and privacy. GDPR outlines potential substantial fines for organizations that expose data capable of directly or indirectly identifying an EU citizen without explicit consent. By distributing cameras equipped with a hard-coded backdoor vulnerability, Hikvision created a scenario where EU citizens were exposed to potential data breaches without their knowledge or consent. While Hikvision has stated that they addressed the backdoor vulnerability upon becoming aware of it, the fact remains that millions of cameras with this critical flaw were shipped and deployed, many of which remain operational across Europe today. A large proportion of owners of these affected cameras are likely unaware of the existence of this backdoor and the ongoing risks it poses to their security and privacy.
The Wider OEM Landscape
This map specifically highlights Hikvision-branded cameras. If cameras manufactured by Hikvision OEMs were to be included (refer to the 80+ Hikvision OEM Directory), the number of vulnerable devices would dramatically increase. It is estimated that the map would feature over 5,000 points in the US alone, with a considerably larger number across Europe, underscoring the truly widespread nature of this security issue.
Shodan Data Limitations
It is important to acknowledge that the data presented is derived from Shodan’s database, which, while extensive, does not represent the entirety of internet-accessible Hikvision devices. Devices are constantly being added to and removed from Shodan’s index, IP addresses can change, and some units might have been temporarily offline during the scanning process. Therefore, while it’s impossible to provide a precise figure, it is almost certain that the actual number of vulnerable and compromised devices is significantly higher than what is depicted on this map.
Exclusion of Offline or Bricked Cameras
A significant number of Hikvision IP cameras have been reported as being taken offline for various reasons. These reasons include performing firmware updates to remediate the vulnerability or intentionally disconnecting them from the internet to mitigate the risks associated with operating vulnerable devices online.
By definition, these offline cameras are excluded from this map as they are no longer reachable for scanning and verification.
A Snapshot in Time: December 2017
The number of Hikvision cameras that have experienced some form of unauthorized access is undoubtedly much greater than what is currently shown. This map provides a snapshot of vulnerable IP cameras that remained unpatched as of December 2017. Reports of hacking incidents peaked in October and November of that year, following the public disclosure of the vulnerability in September. This period provided users with at least a month to become aware of and address these critical security issues.
Anecdotal evidence and user reports of Hikvision cameras exhibiting “HACKED” text or other symptoms of compromise have been circulating for several months prior to this report, as illustrated in the examples below:
IPVM discussion forum thread regarding Hikvision cameras resetting to default settings:
A Hikvision camera displaying a “HACKED” on-screen display, a clear sign of unauthorized access and exploitation of security vulnerabilities.
An ipcamtalk forum thread from a user detailing their experience with a hacked Hikvision camera:
User discussion in an online forum highlighting the real-world impact of Hikvision camera vulnerabilities and the challenges faced by affected users.
Further ipcamtalk forum threads from users reporting instances of their cameras being factory reset through exploitation of the backdoor: 1, 2, 3.
Key Cybersecurity Takeaways
These findings underscore critical lessons for users regarding the cybersecurity of their video surveillance systems:
- Manufacturer Trust: Exercise caution and due diligence in selecting video surveillance manufacturers, ensuring they demonstrate both a commitment to security and technical competence.
- Firmware Updates Are a Priority: Implement a proactive approach to regularly updating your device firmware. Timely updates are crucial for patching known vulnerabilities and maintaining system security.
- UPnP Risks: Be aware of the potential security risks associated with manufacturer default UPnP (Universal Plug and Play) settings. (See Hikvision UPnP Hacking Risk).
- Avoid Port Forwarding: Refrain from using port forwarding for your devices, despite some vendor recommendations. (This runs contrary to Hikvision's own guidance; see Hikvision Hardening Guide Recommends Port Forwarding).
- VPNs for Enhanced Security: Strongly consider employing VPNs (Virtual Private Networks) to create secure connections for your video surveillance systems. (Explore VPNs for Video Surveillance).
By understanding these risks and implementing these preventative measures, users can significantly enhance the security posture of their IP camera systems and protect themselves from potential exploitation and unauthorized access.