Hikvision Intercoms Allow Snooping on Neighbors

A concerning Internet of Things cyberattack vector has been uncovered — one that can turn the neighboring devices of a Hikvision smart intercom into spying devices. 

In a recent blog post on the attack, researchers at Skylight Cyber warned that the potential of such devices to be used in spyware attacks should be of concern for businesses and organizations because an attacker could potentially gain access to an individual's life, denying their privacy.

Hikvision devices were specifically chosen for this research because they're readily available and because the brand is popular. Researchers tested on two intercom products, DS-KH6210-L and DS-KH6320-WTE1; among other things, they tested the devices inside an apartment to observe how they would interact with other devices found in a normal complex, such as door controllers, cameras, and other intercoms. Port mirroring was configured within the device to allow the researchers "to capture all traffic entering and leaving the device."

The Layout of a Breach Scenario

Completing an attack isn't all that difficult to do, according to Skylight Cyber researchers, as a potential attacker doesn't actually need all that many tools to conduct a malicious act. 

"An attacker would need network access to deploy this attack, and given that these systems are generally not connected to the Internet, this means physical access to the target building," says Adi Ashkenazy, CEO at Skylight Cyber. "Once you have physical access, you need to connect to an Ethernet port, which can be done through either an apartment in the building or the lobby."

He adds, "In terms of equipment, you just need an Ethernet cable and a laptop, and we'd throw in a screwdriver for good measure. The overall level of expertise required to deploy the attack is quite low."

In a situation in which an apartment building or office uses Hikvision devices, specifically its intercoms, and someone has an interest on spying — eavesdropping — on a tenant, the attacker would need to unplug the intercom's Ethernet cable from the wall and instead plug the device into a laptop, using a regular Ethernet cable. At this point, the individual would have the necessary network access to begin this covert breach. 

Then, "you run a script that's available on our GitHub to brute-force the admin password of any target device in the network (your neighbors' intercoms)," Ashkenazy says. "Once you have the admin password, you log in to the target intercom device and break out of the protected shell, in one of several ways [covered in the research]." 

By running a single command from a laptop, an individual can gain complete access to a device and can use any of its functions, including the microphone.

The Significance of the Potential Spyware

Should an attacker with a cable, laptop, and screwdriver on hand manage to brute-force a path to an admin password and break the protected shell, securing unrestricted access, the worst-case scenario is that they would be able to open the microphone on the device. 

"Once you have [that] level of access, you can eavesdrop on anyone else in the building that has an intercom," Ashkenazy adds.

The upside is that the team has not seen evidence of such attacks in the wild, and Hikvision has applied a patch that can be downloaded on its website. However, obstacles to patching remain.

"Hikvision [was] quite quick to respond, so hats off to them on that. However, as far as we know, they have been selective in terms of the fix, focusing on the authentication bypass, and leaving the shell escape in place," according to Skylight Cyber. 

Furthermore, a potential tenant wouldn't be able to mitigate and patch themselves because of their lack of access to the admin password, so patching is serviced by technicians and the process is manual, meaning that these updates are not applied as often as necessary. So it's a good bet that many individuals and businesses will continue to remain exposed.

"We believe that this might be exploited in the wild until this is patched to a significant extent, which is why we didn't release the full exploitation kit," the researchers add.

Moving forward, businesses and property owners have options for mitigating IoT security risks — "whether it's working with reputable vendors, reviewing the security architecture of the products, or making sure that they are regularly patched," as Skylight Cyber notes. "Just to be clear — there are likely thousands of apartment buildings around the world that are currently exploitable, meaning that every apartment in the building is susceptible to eavesdropping."