<div dir="ltr"><div dir="ltr">On Wed, Aug 10, 2022 at 5:15 PM Mark Steffen <<a href="mailto:mark@steffen.ca">mark@steffen.ca</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">I’m sure there have been vulnerabilities, but if you are part of the DOD supply chain you are banned from using Hikvision cameras and others containing certain chipsets. Seems like most people are moving to Verkada (which has had its own non-security related scandals, lol).</div></blockquote><div><br></div><div><div>Hikvision had a vulnerability where the camera is vulnerable to remote hijacking.<br></div><div><br></div><div><a href="https://www.forbes.com/sites/leemathews/2021/09/22/widely-used-hikvision-security-cameras-vulnerable-to-remote-hijacking/">https://www.forbes.com/sites/leemathews/2021/09/22/widely-used-hikvision-security-cameras-vulnerable-to-remote-hijacking/</a></div><div><br></div><div><a href="https://ipvm.com/reports/hikvision-36260">https://ipvm.com/reports/hikvision-36260</a></div><div><br></div><div>And that flaw was patched:<br></div><div><br></div><div><a href="https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/">https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/</a></div><div><br></div><div>And it is not relevant in this case, since the cameras do not have their own internet accessible IP address.</div><div>They are isolated because there is an NVR that terminates them.</div><div><br></div><div>And now that I think about it, the Lorex cameras are Dahua OEM, not Hikvision.<br></div></div></div></div>