Exploiting IP-video Surveillance Systems Is Not Only a Cybersecurity Threat

By Roni Gavrilov, OTORIO Research Team

New Vulnerability in Qognify NiceVision Exposes Facilities to Physical and Cybersecurity Threats

OTORIO research team has recently discovered a severe vulnerability in Qognify NiceVision, an IP-video surveillance system. The vulnerability, known as CVE-2023-2306 and has a CVSS score of 10, the highest criticality, poses both physical and cybersecurity threats to facilities.

Qognify, part of Hexagon, offers a portfolio of video management software and enterprise incident management solutions for various sectors, including manufacturing, transportation, airports, retail, logistics, critical infrastructure, government, and others. 

Qognify NiceVision, one of their portfolio products, is an IP-video surveillance system used to manage large-scale deployments of CCTV cameras. The product supports a wide range of CCTV camera models from a large number of manufacturers. This product is commonly used in facilities such as airports, where surveillance security cameras are deployed at every corner.

The vulnerability exists in the MSSQL database server of Qognify NiceVision. The database server listens on TCP port 1433 (which is remotely accessible on all interfaces) and contains hard-coded credentials. An attacker can use those hard-coded credentials to connect the Qognify NiceVision database, read from, and write to different tables in this database.

One of the tables in the database contains information about all the CCTV cameras managed by the product, including the camera IP and Mac addresses, firmware version, manufacturer, and model. In addition, this table also contained the username and password for the camera web interface - although those fields were encrypted, we could easily decrypt them with another vulnerability we found (both issued under CVE-2023-2306).

By exploiting this vulnerability, an attacker could achieve double impact:

1. Cyber security impact - Having the IP address, username, and password for all the cameras managed by the platform, the attacker can perform a lateral movement in the network to other assets or get access to sensitive information.
2. Physical security impact - With authenticated access to cameras across the facility, the attacker can shut down cameras, change the camera angle, freeze the video stream from the camera, or even replace the video stream of the camera (as presented at BlackHat USA 2013).

The discovery of this vulnerability joins another vulnerability discovered by the OTORIO research team on the Axis Communications' access control product and underscores the importance of promptly applying patches and enhancing cybersecurity measures for physical security systems such as access control, IP-video surveillance, fire detection, and others.

The vulnerability was responsibly disclosed and mitigated by the vendor, and both Qognify and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories to ensure organizations are informed about the vulnerability.