Vulnerable Chinese Cameras in the Philippines: A Gateway for Hackers to Your Network

Wilson Chua
3 min readApr 4, 2023

Security research firm Shodan shows 3,291 HikVision cameras in the Philippines could be vulnerable to the “Watchful IP” bug. This bug allows hackers to remotely control them.

According to Security Week: “The vulnerability can be exploited to gain root access and take full control of a device. An attacker could also use compromised devices to access internal networks.” Aka: If left unpatched or unprotected, hackers have a “access keys” to your network via the camera devices and do further damage.

The bug was discovered way back in June 2021. It can be argued that by now, HikVision would have fixed this. So we take a closer look at these devices.

While Quezon City and Lipa City had the most HikVision Cameras connected to the Internet, I chose my hometown, Dagupan City to find 5 installed cameras:

Five vulnerable Hikvision Cameras deployed in Dagupan

These 5 HikVision Cameras are likely to be vulnerable to the ‘Watchful IP” vulnerability as their firmware shows it to be below the patched version: V5.5.800. It is likely that most of the other 3291 devices are also equally vulnerable. This is bad.

Background:
My interest was piqued when our monitoring saw a spike in attacks on our own HikVision Camera using TCP port 8:

The Dashboard shows that PLDT owned IP addresses accounted for about 16,426 incidents. Of these incidents, one device (IP:49.150.46.42) made the majority of the attacks (12,165 attempts on our network) using TCP Port 8. Why port 8 and not port 80? I wasn’t sure. If you know why, please comment and share!

I reached out to sir Angel Redoble (PLDT Group’s head of security) and shared this with him. I also alerted him to this IP address. This IP could also be actively exploiting or attacking other HikVision Cameras.

Pending resolution from PLDT side, we should update the firmware to remove the vulnerability. Network admins could also block outside access by limiting the IP addresses to only those authorized to do so.

One final thought:

If you feel safe from hackers because you think you are not *big* enough of a target, think again. So called internet research companies are constantly probing ALL networks and devices for weaknesses. Their results are open for the public to see. This includes the hackers. This also includes security researchers. In short both the bad actors and the good guys have access to a list of vulnerable devices.

I suspect that is how the hacker found our vulnerable HikVision camera. And so I personally think that so called internet research companies MUST ask for permission first - before they scan AND before they release the results to the public. Give me a chance to correct my gaps before letting hackers know about it.

Your thoughts are welcome! Please continue the conversation and connect with me on Twitter: https://twitter.com/wilsonchua

--

--