Honeywell equIP and Performance Series IP Cameras and Recorders
Monitor | 7.5 | ICS-CERT ICSA-19-304-04 | Oct 31, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Honeywell equIP and Performance Series IP cameras and network recorders contain an authentication bypass vulnerability (CWE-294) that allows unauthenticated access to affected devices. The vulnerability affects a large family of IP camera and video recorder models across multiple product lines, including H-series, HB-series, HC-series, HD-series, HE-series, HF-series, HM-series, HS-series, and HEN-series devices. Honeywell has indicated that firmware updates are available, but notes that a high skill level is required to exploit this vulnerability.
What this means
What could happen
An unauthenticated attacker on your network could bypass authentication controls and gain administrative access to your Honeywell IP cameras and video recorders, allowing them to disable monitoring, manipulate video feeds, or extract recorded footage that may contain sensitive facility security information.
Who's at risk
Organizations operating Honeywell equIP and Performance Series IP video surveillance systems should be concerned. This affects IP cameras and network video recorders used for facility monitoring and security across water utilities, electric utilities, wastewater treatment plants, and other critical infrastructure operators that rely on Honeywell surveillance equipment for perimeter or facility monitoring. The vulnerability impacts dozens of camera and recorder models across multiple product families.
How it could be exploited
An attacker with network access to the camera or recorder (either from the internet or from the internal network) can send requests that bypass authentication mechanisms to gain administrative access. Once that access is obtained, the attacker could modify camera settings, disable recording, delete video footage, or reboot devices to disrupt surveillance coverage.
Prerequisites
- Network access to the IP camera or recorder (HTTP/HTTPS port access)
- No valid credentials required
remotely exploitable | no authentication required | no patch available | affects security systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (170)
170 pending
Product | Affected Versions | Fix Status
H4W4PRV2: <1.000.HW01.1.190814 | <1.000.HW01.1.190814 | No fix yet
H4W4PRV3: <1.000.HW01.1.190813 | <1.000.HW01.1.190813 | No fix yet
H4W8PR2: <1.000.HW01.3.20190820 | <1.000.HW01.3.20190820 | No fix yet
HBD2PER1: <1.000.HW01.3.20190820 | <1.000.HW01.3.20190820 | No fix yet
HBD3PR1: <1.000.HW01.1.190814 | <1.000.HW01.1.190814 | No fix yet
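To triage an inventory against the rows above, the following added example (not code from Honeywell or from the advisory) compares installed firmware strings with the listed thresholds. It assumes the version fields order numerically and that the last field is a build date; the inventory entries and the `UNLISTED-MODEL` name are constructed placeholders.

```python
import re

# Thresholds copied from the five rows shown on this page. The advisory lists
# 170 products, so an unlisted model is reported as unknown, never as safe.
FIXED_FROM = {
    "H4W4PRV2": "1.000.HW01.1.190814",
    "H4W4PRV3": "1.000.HW01.1.190813",
    "H4W8PR2": "1.000.HW01.3.20190820",
    "HBD2PER1": "1.000.HW01.3.20190820",
    "HBD3PR1": "1.000.HW01.1.190814",
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.HW(\d+)\.(\d+)\.(\d{6}|\d{8})")

def parse_version(text):
    """Turn 'major.minor.HWnn.rev.date' into a sortable tuple."""
    # Assumption: numeric field order; last field is a YYMMDD or YYYYMMDD date.
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, hw, rev, date = match.groups()
    if len(date) == 6:  # normalise YYMMDD to YYYYMMDD before comparing
        date = "20" + date
    return tuple(int(part) for part in (major, minor, hw, rev, date))

def assess(model, installed):
    """Classify one device as affected, not affected, or unknown."""
    threshold = FIXED_FROM.get(model.strip().upper())
    if threshold is None:
        return "unknown: model not in this excerpt"
    try:
        current = parse_version(installed)
    except ValueError:
        return "unknown: unparseable version"
    return "affected" if current < parse_version(threshold) else "not affected"

# Constructed inventory (hostname, model, firmware string); not real devices.
INVENTORY = [
    ("cam-lobby", "H4W4PRV2", "1.000.HW01.1.190301"),
    ("cam-gate", "H4W8PR2", "1.000.HW01.3.190820"),
    ("cam-dock", "HBD3PR1", "1.000.HW01.1.20190901"),
    ("nvr-main", "UNLISTED-MODEL", "1.000.HW01.1.190814"),
]

def audit(inventory):
    return {host: assess(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```

Devices reported as unknown still need to be checked against the full product list in ICSA-19-304-04.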
Remediation & Mitigation
Do now
- WORKAROUND: Isolate vulnerable Honeywell IP cameras and recorders from direct internet access or place them behind a firewall/DMZ with restricted inbound access
- WORKAROUND: Implement VPN or other secure remote access controls if remote monitoring connections are required to the network segment containing Honeywell surveillance equipment
- HARDENING: Change default credentials on all Honeywell IP cameras and recorders if they have not been modified from factory defaults
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Download and install Honeywell firmware updates for all affected camera and recorder models from https://mywebtech.honeywell.com/Home
Long-term hardening
- HARDENING: Segment your surveillance network from other critical systems using firewalls and access control lists to limit attacker movement if a camera is compromised
CVEs (1)
API:
/api/v1/advisories/78c0fc5f-e2ad-4e8d-a953-424921b13de9