But that convenience comes with a cost. ONVIF's widespread adoption has created a massive attack surface across physical security infrastructure, and many of the protocol's vulnerabilities stem from implementation choices that prioritize compatibility over security.
ONVIF operates primarily through XML SOAP messages transmitted over HTTP. This design choice enables broad compatibility, yet it creates several security challenges that every security professional should understand.
At the heart of many ONVIF security issues is WS-UsernameToken authentication, a legacy mechanism that, while technically deprecated in favor of more secure methods, remains widely supported and is often enabled by default on modern devices.
Here's how WS-UsernameToken works: instead of sending the password in plaintext, the client creates a digest (a fixed-size hash of some input data) from:
- A username
- A random nonce (number used once)
- A timestamp (when the request was made)
- The password
These elements are hashed together using SHA-1 to create a PasswordDigest:
Digest = BASE64(SHA1(BASE64_DECODE(Nonce) + Created + Password))
Let's break this down with a concrete example. Suppose we have:
Nonce: LKqI6G/AikKCQrN0zqZFlg== (base64-encoded random value)
Created: 2024-10-08T14:30:00Z (ISO 8601 UTC timestamp)
Password: SecurePass123 (the actual password)
The digest calculation proceeds as follows:
- Decode the nonce from base64 to get raw bytes
- Concatenate: [decoded nonce bytes] + "2024-10-08T14:30:00Z" + "SecurePass123"
- Hash this concatenated value using SHA-1
- Encode the resulting hash in base64
The result might be: tuOSpGlFlIXsozq4HFNeeGeFLEI=
This digest is what gets transmitted in the SOAP header. Here's what a complete ONVIF authentication header looks like in practice:
On paper, the ONVIF authentication scheme looks like it should stand up to replay attacks. Each request includes two safeguards meant to keep old credentials from being reused. First, there's the nonce, a random string that's supposed to be unique every time. If a server keeps track of which nonces it has already seen, it can spot duplicates and reject them. Then there's the timestamp, which defines how long a request should remain valid. The standard suggests about five minutes before a request goes stale, so even if someone captures a valid authentication header, it should expire quickly.
In practice, these mechanisms often fail not because of anything related to cryptography, but because of the implementation. SHA-1, which is used in the digest calculation, is technically outdated and known to have collision flaws, but that's not where things go wrong. The digest isn't the weak point. It simply hides the password during transmission. The real issue is that attackers don't need to break SHA-1 at all: they can simply replay the entire authentication header as is.
The deeper problem lies in how ONVIF phrases its security guidance. The specification "recommends" that devices reject tokens missing a nonce or timestamp, enforce timestamp freshness, and cache used nonces to prevent reuse. But these are not hard requirements. The standard even allows manufacturers to relax those protections for so-called "non-sensitive" requests.
That flexibility is exactly what opens the door to trouble. Some devices enforce the rules strictly, while others ignore them altogether. The result is a patchwork of implementations where replay protection may or may not exist, depending entirely on who built the camera.
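To make the digest calculation and the "recommended" replay checks concrete, here is an added example (my own code, not from the article, the ONVIF specification or any vendor). It computes the PasswordDigest exactly as the formula above describes, builds the four UsernameToken fields a client sends, and implements a device-side verifier that does what the spec only recommends: rejects tokens missing a nonce or timestamp, enforces a five-minute freshness window, and caches used nonces. The credential store is a plain dictionary and the clock is injectable; both are assumptions made for a self-contained demonstration.

```python
# Added example: WS-UsernameToken PasswordDigest plus a verifier that enforces
# the replay protections ONVIF only recommends (freshness + nonce cache).
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Digest = BASE64(SHA1(BASE64_DECODE(Nonce) + Created + Password))."""
    material = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def parse_created(created: str) -> datetime:
    # wsu:Created is ISO 8601 UTC; rewrite the trailing 'Z' so older Pythons parse it.
    return datetime.fromisoformat(created.replace("Z", "+00:00")).astimezone(timezone.utc)


def make_token(username: str, password: str, now: Optional[datetime] = None) -> dict:
    """The four UsernameToken fields a client sends: fresh random nonce, UTC timestamp."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce, "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Device-side check: known user, present+fresh Created, correct digest, unused nonce."""

    def __init__(self, credentials: dict, freshness: timedelta = timedelta(minutes=5),
                 clock=lambda: datetime.now(timezone.utc)):
        self.credentials = credentials   # username -> password (toy store; an assumption)
        self.freshness = freshness       # the spec suggests about five minutes
        self.clock = clock               # injectable so tests are deterministic
        self.seen_nonces = {}            # nonce -> instant after which it can be forgotten

    def verify(self, token: dict) -> tuple:
        password = self.credentials.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        if not token.get("Nonce") or not token.get("Created"):
            # Never relax this, even for "non-sensitive" requests.
            return False, "missing nonce or timestamp"
        try:
            created = parse_created(token["Created"])
        except ValueError:
            return False, "malformed Created"
        now = self.clock()
        if abs(now - created) > self.freshness:
            return False, "stale timestamp"
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        self._purge(now)
        if token["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        # A token stays acceptable only until Created + freshness, so remember it that long.
        self.seen_nonces[token["Nonce"]] = created + self.freshness
        return True, "ok"

    def _purge(self, now: datetime) -> None:
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp >= now}


def replay_demo() -> list:
    """Replay one captured header against the verifier; returns the verdict reasons."""
    verifier = UsernameTokenVerifier({"admin": "SecurePass123"},
                                     clock=lambda: parse_created("2024-10-08T14:30:30Z"))
    token = {"Username": "admin", "Nonce": "LKqI6G/AikKCQrN0zqZFlg==",
             "Created": "2024-10-08T14:30:00Z"}
    token["PasswordDigest"] = password_digest(token["Nonce"], token["Created"], "SecurePass123")
    first = verifier.verify(token)           # fresh, unseen nonce: accepted
    second = verifier.verify(token)          # identical header sent again: rejected
    stale = dict(token, Created="2024-10-08T14:00:00Z")
    stale["PasswordDigest"] = password_digest(stale["Nonce"], stale["Created"], "SecurePass123")
    third = verifier.verify(stale)           # 30 minutes old: rejected before the nonce check
    wrong = dict(token, PasswordDigest=password_digest(token["Nonce"], token["Created"], "guess"))
    fourth = verifier.verify(wrong)          # wrong password: digest mismatch
    return [first[1], second[1], third[1], fourth[1]]


if __name__ == "__main__":
    print(password_digest("LKqI6G/AikKCQrN0zqZFlg==", "2024-10-08T14:30:00Z", "SecurePass123"))
    print(replay_demo())
```

The order of checks matters: the digest is verified before the nonce is recorded, so an unauthenticated sender cannot fill the cache with junk nonces, and the cache entry expires at the same instant the timestamp would have made the token stale anyway, which bounds its size to roughly the request rate times the freshness window.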
The Dahua CVE-2022-30563 Case Study
In 2022, researchers from Nozomi Networks Labs uncovered CVE-2022-30563, a vulnerability in Dahua IP cameras that revealed just how fragile WS-UsernameToken can be when it's implemented carelessly.
They tested a Dahua IPC-HDBW2231E-S-S2, a dome camera that's anything but rare.
To test the camera's replay protection, they started small. Using a valid administrator account, they sent a basic ONVIF command called GetScopes, a request that returns configuration details during device discovery. They captured the entire SOAP message from that transaction, laying the groundwork for a test that would soon show how easily those same credentials could be replayed.
Here's what that initial request looked like (simplified for clarity):
The camera responded successfully with scope information. When the researchers sent the exact same request a second time, the device accepted it again without complaint. This behavior, while potentially acceptable for a read-only query, raised a red flag.
The researchers then conducted a critical test: could they reuse those same authentication credentials for a state-changing, security-critical operation?
They crafted a new ONVIF request, this time to create a new administrator account, but used the identical authentication header from the original GetScopes request.
Here's the malicious request:
Despite violating every principle of secure WS-UsernameToken implementation, the camera accepted the request and created the attacker-controlled administrator account. The researchers then successfully logged in with these new credentials and accessed live camera footage with full administrative privileges.
For this attack to succeed, an adversary needs:
Network access for traffic sniffing. The attacker must be positioned to capture ONVIF traffic. This is achievable through:
- Physical access to network infrastructure (rogue switch port, tap, or compromised network device)
- Man-in-the-middle positioning via ARP spoofing or rogue DHCP
- Compromised WiFi networks where IP cameras are deployed
- Access to network monitoring tools in poorly segmented environments
Unencrypted HTTP Communication: This is the critical enabler.
The researchers noted that:
- The Dahua camera didn't expose an HTTPS service by default
- All ONVIF communication occurred over plaintext HTTP on port 80
- Popular ONVIF clients like ONVIF Device Manager and DSE VMS default to HTTP
- Many installers never configure HTTPS, either due to lack of awareness or certificate management complexity
The attacker doesn't need to capture a privileged command. Even a simple device discovery query or status check provides reusable credentials. This dramatically lowers the bar; any routine maintenance operation or automated polling by a VMS becomes a potential credential source.
Let's walk through how an attacker would exploit this vulnerability in a real world scenario, using readily available tools.
The attacker first scans the network to discover ONVIF devices:
Next, the attacker positions themselves to capture traffic. If they have physical access, they might use a network tap. If operating remotely on a compromised network, they deploy ARP spoofing:
With traffic flowing through their system, the attacker uses Wireshark or tcpdump to capture HTTP traffic:
They wait for any legitimate ONVIF interaction, possibly a VMS querying the camera for system status, or a technician using ONVIF Device Manager to check configuration.
Opening the capture in Wireshark and filtering for HTTP POST requests to typical ONVIF endpoints (/onvif/device_service, /onvif/media_service), the attacker finds a SOAP message:
Perfect. The attacker extracts the complete <Security> header containing the UsernameToken.
Days or weeks later, from a completely different location and IP address, the attacker prepares to exploit the captured credentials. They craft a new ONVIF request with a malicious payload but using the extracted authentication header.
Here's the request to create a new administrator:
The attacker sends this using curl or a custom script:
If the targeted device is vulnerable, it will respond with this:
With a legitimate administrator account called sysupdate and a password only the attacker knows, they gain full control of the device. They can log in through the web interface, ONVIF, or RTSP to watch live and recorded footage. As administrator they can change network settings, add stealth backdoor accounts, alter RTSP credentials, disable logging and alerts, and reconfigure recording schedules. From that foothold the attacker can scan the security network for other devices, try default credentials on neighboring cameras, exploit existing trust relationships between kit, and pivot to a VMS or NVR if the camera shares the same network segment.
This attack is unusually hard to spot. Because the attacker reuses valid credentials there are no failed logins or password guessing patterns to trigger brute force alerts. The ONVIF traffic looks normal since requests are correctly formed and use standard commands, so intrusion detection systems see ordinary SOAP messages. A time gap between when credentials are captured and when they are used makes it unlikely that logs will correlate the two events, especially if retention windows are short. The replay often comes from a different IP address than the original request, which defeats simple source-based correlation.
Reliable detection requires more than basic signatures. Watching for anomalous network behavior, such as user creation commands coming from unexpected hosts, can raise alarms. Full ONVIF transaction logging that tracks nonces and timestamps would catch replays, but few devices and systems actually implement that level of detail. Regular audits of user accounts remain one of the most practical defenses because they will reveal unauthorized administrator accounts if performed consistently.
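The two detection ideas above (nonce and timestamp tracking, and privileged commands from unexpected hosts) can be checked offline against whatever ONVIF request logging a VMS, proxy or packet capture pipeline produces. The following is an added example, my own code rather than anything from the article or a vendor, run over a constructed log whose line format is an assumption of this example: observation time, source IP, ONVIF operation, then the nonce and wsu:Created values lifted from the SOAP header. It flags a nonce seen before (noting whether a different host sent it and how much later), a Created timestamp far from the observation time, and user or network changes from a host outside the allowlisted management systems. The last record mirrors the case study: an old GetScopes header reused days later for CreateUsers from another address.

```python
# Added example: offline replay and anomaly detection over constructed ONVIF
# request logs. The log format below is invented for this example.
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real device output). One request per line:
#   <observed-utc> <source-ip> <operation> nonce=<base64> created=<wsu:Created>
SAMPLE_LOG = [
    "2024-10-08T14:30:00Z 10.0.1.5 GetScopes nonce=LKqI6G/AikKCQrN0zqZFlg== created=2024-10-08T14:30:00Z",
    "2024-10-08T14:30:05Z 10.0.1.5 GetSystemDateAndTime nonce=9f2Qb1x7TSeR4k3mP0aZcA== created=2024-10-08T14:30:05Z",
    "2024-10-08T14:31:00Z 10.0.1.5 GetScopes nonce=LKqI6G/AikKCQrN0zqZFlg== created=2024-10-08T14:30:00Z",
    "2024-10-15T09:12:44Z 10.0.9.77 CreateUsers nonce=LKqI6G/AikKCQrN0zqZFlg== created=2024-10-08T14:30:00Z",
]

# ONVIF Device service operations that change users, network settings or system state.
PRIVILEGED_OPS = {"CreateUsers", "SetUser", "DeleteUsers", "SetNetworkInterfaces",
                  "SetSystemFactoryDefault", "UpgradeSystemFirmware"}


def _utc(stamp: str) -> datetime:
    # Accept the trailing 'Z' form used in wsu:Created on any Python 3 version.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_line(line: str) -> dict:
    observed, src, op, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)   # maxsplit=1 keeps base64 '=' padding intact
    return {"observed": _utc(observed), "src": src, "op": op,
            "nonce": fields["nonce"], "created": _utc(fields["created"])}


def analyze(lines, admin_hosts, freshness=timedelta(minutes=5)) -> list:
    """Return findings as dicts with the 1-based log line, a rule name and a detail string."""
    findings = []
    first_seen = {}   # nonce -> (source host, observation time) of its first use
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        r = parse_line(line)
        prior = first_seen.get(r["nonce"])
        if prior:
            src0, t0 = prior
            detail = f"nonce first used by {src0} {r['observed'] - t0} earlier"
            if src0 != r["src"]:
                detail += " (different host)"   # strongest replay signal in the case study
            findings.append({"line": n, "rule": "nonce_reuse", "detail": detail})
        else:
            first_seen[r["nonce"]] = (r["src"], r["observed"])
        if abs(r["observed"] - r["created"]) > freshness:
            findings.append({"line": n, "rule": "stale_created",
                             "detail": f"Created is {abs(r['observed'] - r['created'])} from observation"})
        if r["op"] in PRIVILEGED_OPS and r["src"] not in admin_hosts:
            findings.append({"line": n, "rule": "privileged_op_unexpected_host",
                             "detail": f"{r['op']} from {r['src']}, not an allowlisted management host"})
    return findings


if __name__ == "__main__":
    # 10.0.1.5 is the constructed VMS address allowed to manage users.
    for f in analyze(SAMPLE_LOG, {"10.0.1.5"}):
        print(f"line {f['line']}: {f['rule']}: {f['detail']}")
```

Line 3 is the researchers' own harmless re-send and trips only the nonce rule; line 4 trips all three, and the combination of a days-old timestamp, a reused nonce from a different host and an account-creation call from outside the management allowlist is the pattern worth an alert. Nonce state has to persist for at least as long as a replay could plausibly be attempted, which is far longer than the five-minute freshness window a device itself would need.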
So what should you take away from all of this? It really depends on where you sit in the industry.
If you're an installer or technician, the basics matter more than anything else. Default credentials should never survive the commissioning process. Every password change needs to be documented securely, and devices should always run over HTTPS before they're connected to a live network. Replay protection should be tested, not assumed, and the network layout should be reviewed with the IT team to make sure security devices sit on the right side of the fence.
For security engineers, the challenge is to build consistency and discipline into how devices are deployed. That means creating hardening standards for ONVIF configurations, maintaining templates for device setup, and automating checks to ensure those standards are actually followed. Secure credential management needs to be part of the workflow, and certificate lifecycles should be planned from the start rather than left as an afterthought.
Executives and managers have their own part to play. They need to see ONVIF security not as a technical detail but as a business risk. That perspective helps justify budgets for proper network segmentation and the time technicians need to harden systems. Security should weigh into vendor selection, and integrators should be expected to provide documentation showing exactly how their deployments are secured.
Q4 Global Industry Update
This quarter has been marked by a strong push to integrate AI into both existing security infrastructure and new product lines. Johnson Controls addressed critical vulnerabilities in its iSTAR Ultra door controllers with a new firmware release, while HID expanded its healthcare RTLS portfolio through the acquisition of Intelligent Observation and launched new access and credential solutions at both the Sydney Security Conference and GSX 2025. Motorola Solutions introduced its Inform platform for unified security operations and added enhancements to Avigilon security products. Teledyne FLIR released the compact C8 thermal camera, and Genetec retained its position as a market leader in video management software. Hanwha Vision showcased new camera and AI solutions, and Hikvision faced regulatory challenges in Canada while rolling out new AI-powered cameras and analytics. Axis demonstrated its ARTPEC-9-based object detection system, and Dahua updated DSS Professional and debuted its WITHS wireless surveillance lineup. Finally, Verkada unveiled new AI-driven features and remote monitoring solutions at its VerkadaOne conference, highlighting ongoing innovation in access control, video analytics, and multi-site security management.
Johnson Controls issued Product Security Advisory (JCI-PSA-2025-10) identifying six vulnerabilities in iSTAR Ultra door controllers including OS command injection and default credential usage. Firmware version 6.9.3 addresses these critical issues.
HID acquired Intelligent Observation, a hand-hygiene compliance platform, expanding its healthcare RTLS portfolio to help prevent hospital-acquired infections.
At the Sydney Security Conference, HID unveiled the Amico facial recognition reader with biometric templates stored on cards, plus FIDO-based credential solutions for seamless mobile and biometric authentication.
Motorola Solutions launched Inform, a unified security operations platform for Avigilon products that aggregates alerts and uses AI to group related events for coordinated response.
Teledyne FLIR introduced the FLIR C8, a compact thermal camera with 320×240 resolution, 35-degree field of view, and MSX image fusion technology for clearer inspections.
Industry analyst Omdia confirmed Genetec as the worldwide leader in video management software for the 14th consecutive year in the Americas, with strong SaaS adoption driving growth.
Hanwha Vision showcased the Wisenet 9 SoC with dual NPU architecture for simultaneous image processing and AI analytics, plus SightMind for video insights and HealthPro for network monitoring.
Hikvision challenged a Canadian Federal Court ruling over national security concerns while launching DeepinViewX-Series cameras with 90% fewer false alarms and AcuSeek AI analytics integration.
Axis demonstrated an AI-driven "object detection orchestra" using ARTPEC-9 chip cameras, converting recognized objects into musical cues to showcase real-time analytics capabilities.
Dahua Technology released DSS Professional 8.7 with AI-driven workflows, updated interface, and expanded ecosystem integrations for comprehensive security management.
Motorola Solutions unveiled Alta SOS for emergency data sharing and enhanced Unity with natural language event definition, plus acquisition of InVisit for visitor management.
At VerkadaOne, Verkada introduced Unified Timeline, expanded AI Alerts, Operator View workflow, AF64 Access Station Pro with facial recognition, and remote monitoring solutions.
The Physical Layer will always be free, because knowledge should never come with a paywall. That said, researching and creating this content does take a significant amount of time, effort, and a few out of pocket costs. If you find value in what you're reading and want to help keep it going, consider supporting this project via Ko-Fi using the link below.
© 2025 Timur Gabaidulin | The Physical Layer
https://www.layer0.news
Technical Footnotes
- FIDO Authentication: FIDO-based credential solutions provide passwordless authentication using cryptographic keys stored securely on the user's device. Authentication happens through biometric or PIN verification without credentials leaving the device.
- PIV Standards: Personal Identity Verification standards for smart card authentication, ensuring government-grade security for federal employee and contractor identification.
- MSX Technology: Multi-Spectral Dynamic Imaging is FLIR's proprietary image fusion technology that overlays visible light details onto thermal images, enhancing edge definition and clarity without affecting thermal data.
- Dual NPU Architecture: A processor design with two dedicated Neural Processing Units, one handling image processing and the other AI analytics simultaneously, allowing complex video analysis without slowing core camera functions.
- ARTPEC-9 Chip: Axis Communications' latest system-on-chip for network cameras, designed to handle high-resolution video processing, AI-based analytics, and cybersecurity features directly on the camera.