Firmware developed by Shenzhen Hichip Vision Technology contains an intellectual property protection feature which was designed to deactivate cloned devices (IP cameras). Unfortunately this feature can be used to damage any device that uses this firmware. It could be activated by sending specially crafted multicast message. Firmware will remove three files from itself when receiving this message. After successful attack, the device is without its features like video streaming or embedded configuration website. There is no easy way to restore removed features from an attacked device. Vulnerability was tested on device with firmware V11.4.8.1.1-20170926.
A specially crafted multicast message only can deactivate a given copyrighted camera and it's clone ones, but it can't deactivate other copyrighted cameras. We used this intellectual property protection feature only in some special kind of cameras in 2017 for a very short time, it only affects about several thousand 'clone' cameras. When we realized that it maybe hurt not only the illegal factory but also the innocent end users, we removed it soon.
Software created by Shenzhen Hichip Vision Technology is utilized in cameras rebranded by other companies. I have not discovered a straightforward, secure, and dependable method to verify your camera. If you trigger vulnerability then you will brick your camera. But… on the tested camera I found that vulnerable applications serve additional service on UDP port 8002. This service has another vulnerability - CVE-2020-9529. You can use the tool hisearcher.py to check if your camera has this service. If you found service on port 8002, then you can assume that you have also hidden service on UDP port 12129. As an alternative solution you could try to block sending data to port 12129 in your network router. If you are an advanced user you could try some binary patching of ipc_server on your own.
The vulnerability can be found in an application located at /mnt/mtd/ipc/ipc_server. This program serves two hidden services. First on UDP port 8002 (which is affected by the bug CVE-2020-9529). Second on UDP port 12129, affected by the CVE-2022-23382. Service is waiting for multicast data sent to address 239.255.255.252. Full frame is constructed from 32 bytes of data:
unlink(”/mnt/mtd/ipc/modules/hi3518ebase.ko”);
unlink(”/mnt/mtd/ipc/conf/configencode.ini”);
unlink(”/mnt/mtd/ipc/chksensor”);