OTPulse

Honeywell equIP and Performance Series IP Cameras and Recorders

MonitorCVSS 7.5ICS-CERT ICSA-19-304-04Oct 31, 2019
Honeywell
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionRequired
Summary

Honeywell equIP and Performance Series IP cameras and network recorders contain an authentication bypass vulnerability (CWE-294) that allows unauthenticated access to affected devices. The vulnerability affects a large family of IP camera and video recorder models across multiple product lines including H-series, HB-series, HC-series, HD-series, HE-series, HF-series, HM-series, HS-series, and HEN-series devices. Honeywell has indicated that firmware updates are available but notes that high skill level is required to exploit this vulnerability.

What this means
What could happen
An unauthenticated attacker on your network could bypass authentication controls and gain administrative access to your Honeywell IP cameras and video recorders, allowing them to disable monitoring, manipulate video feeds, or extract recorded footage that may contain sensitive facility security information.
Who's at risk
Organizations operating Honeywell equIP and Performance Series IP video surveillance systems should be concerned. This affects IP cameras and network video recorders used for facility monitoring and security across water utilities, electric utilities, wastewater treatment plants, and other critical infrastructure operators that rely on Honeywell surveillance equipment for perimeter or facility monitoring. The vulnerability impacts dozens of camera and recorder models across multiple product families.
How it could be exploited
An attacker with network access to the camera or recorder (either from the internet or internal network) can send requests that bypass authentication mechanisms to gain administrative access. Once authenticated, the attacker could modify camera settings, disable recording, delete video footage, or reboot devices to disrupt surveillance coverage.
Prerequisites
  • Network access to the IP camera or recorder (HTTP/HTTPS port access)
  • No valid credentials required
remotely exploitableno authentication requiredno patch availableaffects security systems
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (170)
170 pending
ProductAffected VersionsFix Status
H4W4PRV2: <1.000.HW01.1.190814<1.000.HW01.1.190814No fix yet
H4W4PRV3: <1.000.HW01.1.190813<1.000.HW01.1.190813No fix yet
H4W8PR2: <1.000.HW01.3.20190820<1.000.HW01.3.20190820No fix yet
HBD2PER1: <1.000.HW01.3.20190820<1.000.HW01.3.20190820No fix yet
HBD3PR1: <1.000.HW01.1.190814<1.000.HW01.1.190814No fix yet
Remediation & Mitigation
0/5
Do now
0/3
WORKAROUNDIsolate vulnerable Honeywell IP cameras and recorders from direct internet access or place them behind a firewall/DMZ with restricted inbound access
WORKAROUNDImplement VPN or other secure remote access controls if remote monitoring connections are required to the network segment containing Honeywell surveillance equipment
HARDENINGChange default credentials on all Honeywell IP cameras and recorders if they have not been modified from factory defaults
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXDownload and install Honeywell firmware updates for all affected camera and recorder models from https://mywebtech.honeywell.com/Home
Long-term hardening
0/1
HARDENINGSegment your surveillance network from other critical systems using firewalls and access control lists to limit attacker movement if a camera is compromised
View full CISA ICS-CERT advisory
API: /api/v1/advisories/78c0fc5f-e2ad-4e8d-a953-424921b13de9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Honeywell equIP and Performance Series IP Cameras and Recorders | CVSS 7.5 - OTPulse