Honeywell equIP and Performance Series IP Cameras
Monitor7.5ICS-CERT ICSA-19-304-03Oct 31, 2019
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Multiple Honeywell equIP and Performance Series IP camera models lack authentication controls on their video streaming and configuration interfaces. An attacker who can reach the camera over the network can view live video, recorded footage, and potentially access camera settings without providing any credentials. CWE-306 indicates missing or improper authentication enforcement. Honeywell states firmware updates are available, though many older models may not receive patches due to end-of-life status.
What this means
What could happen
An attacker with network access to these cameras could view live or recorded video feeds without authentication, potentially exposing facility layouts, operational activities, or sensitive areas. This could enable reconnaissance for physical or cyber attacks on the facility.
Who's at risk
Water authorities and utilities operating Honeywell equIP and Performance Series IP cameras for facility monitoring, perimeter security, or equipment surveillance. This includes indoor and outdoor dome, turret, and box camera models (H-series, HB-series, HC-series, HD-series, HF-series, HM-series, and HDZ Performance series). Any facility using these cameras for security or operational awareness is affected.
How it could be exploited
An attacker on the network (either from the internet if cameras are exposed, or from inside your network) sends unauthenticated requests directly to the camera's web interface or API. The camera accepts the request without requiring a login, returning video streams or configuration data. No special tools are needed—basic HTTP requests are sufficient.
Prerequisites
- Network access to the camera's IP address and port (typically HTTP port 80 or 443)
- Camera must be reachable from attacker's network segment (internet-facing or same LAN)
- No valid credentials required
Remotely exploitableNo authentication requiredLow complexity attackAffects surveillance systems (potential safety/security impact)No patch available (end-of-life products)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (49)
49 pending
ProductAffected VersionsFix Status
H2W2GR1: <1.000.0000.18.20190409<1.000.0000.18.20190409No fix yet
H3W2GR1: <1.000.HW00.21.20190812<1.000.HW00.21.20190812No fix yet
H3W2GR1V: <1.000.0000.18.20190409<1.000.0000.18.20190409No fix yet
H3W2GR2: <1.000.HW00.21.20190812<1.000.HW00.21.20190812No fix yet
H3W4GR1: <1.000.HW00.21.20190812<1.000.HW00.21.20190812No fix yet
Remediation & Mitigation
0/4
Do now
0/2HARDENINGPlace cameras behind a firewall or network DMZ and restrict access to a management network only; do not expose cameras directly to the internet
HARDENINGIf remote access to cameras is required, enforce it through a VPN tunnel so only authenticated users can reach the camera network
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate camera firmware to the version specified by Honeywell (contact Honeywell support or visit mywebtech.honeywell.com for your specific camera model)
Long-term hardening
0/1HARDENINGImplement network segmentation to isolate camera systems from critical control network segments
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/5a0ed8f1-e832-4ed3-865d-8ef2284f0102