Advice needed, my Hikvision was hacked/pwned

HP73 (n3wb), Finland, Feb 13, 2024
Long story short, I realized yesterday that one of my Hikvision cameras was being hacked. Saw that there was a change in the camera name (to 'PWNED') and all text coloured in red. I was not able to connect anymore via web browser with admin credentials. Totally my fault in that sense, the admin password was too easy. I have had it connected to the LAN only for years, so never really bothered.

However, I had created normal 'user' credentials, which let me in via browser (how stupid the hacker was for not deleting all other users when having admin rights?). So I was able to remove the DDNS settings, which I think were the root cause of me being hacked (No-IP). I had just created the service two weeks ago and defined my camera accordingly. I was also able to see from the log the IP address that was used when they hacked in. Further, I was able to change the port settings and I'm still able to connect to it via Hik-Connect and web browser. And no-one else can, right now. Actually, I unplugged the PoE cable :)

Problem: I have the 'user' rights to the camera, but I don't have 'admin' access to it anymore. Can't create new ADMIN users etc.
Suggestion: I should be able to restore the factory settings from the browser, at least the button is active there in 'maintenance'. Should I run a full factory reset or just the 'lighter' version of it? Would that reset the ADMIN credentials as well, restoring them back to the default ones? And then just configure everything again, which is no problem.

Any advice is really appreciated.
Totally my fault in that sense, the admin password was too easy.
Maybe - but more likely to be a firmware vulnerability that was exploited for the (unspecified) camera with the (unspecified) firmware version.

So I was able to remove the DDNS settings, which I think was the root source me being hacked (No-IP).
No - it does not matter if the camera can be addressed by name or by IP address - if you have configured a dynamic DNS service you presumably have configured 'port forwarding' so that the entire internet is given access in to the camera.

I should be able to set the factory settings from the browser, at least the button is active there in 'maintenance'.
I doubt if a standard user has the rights to reset to defaults - but try it.

And remove any port forwarding you've set up in your router, disable UPnP in both the camera and router if it's enabled.
And check out how to set up a VPN service - loads of posts on that topic - if you have a need to access the camera remotely.

And check this out:
 
Sounds like many were hacked

 
A factory reset should get you back to square one. I say should because we have no idea what the hacker might have done while in control of the device. They could have easily "updated" the firmware with a modified version that would still give them access even if the camera was reset to default settings.

Best thing to do is download the camera's current firmware version directly from Hikvision and reinstall it. I would also reset the camera to default settings both before attempting this "upgrade" as well as after installing the firmware. (By sticking with the current firmware version, the odds of breaking the camera are pretty low. You can always "upgrade" to a newer version if you want, but there is always a risk that it has bugs that aren't present in the current version).

Most importantly however, you need to take measures to prevent unauthorized access in the future. As already mentioned, it is likely that you have open ports (or have turned on some of the P2P services that most cameras support) which means the entire internet can access your devices. The "security" of that camera (and the rest of your network honestly) is only as strong as your camera's firmware. Clearly it is not programmed well enough to prevent unauthorized access (and most IoT devices have firmware that is terribly written with lots of potential exploits). You need to prevent ANY access to the camera from the internet. This means you need to stop port forwarding in your router (not just for this device, but remove ALL port forwarding). If you need to access your devices from outside your local network, you need to look into how to set up a self-hosted VPN service on your router. Most routers support this and it is the best (i.e. secure) way to access your local network while you are not physically located at home.

Most of us would also suggest that you also take steps to prevent your cameras from being able to access the internet as well. There are many different ways to accomplish this (which are all discussed here on the forum already). But by both preventing the internet from accessing your cameras, and preventing the cameras from accessing the internet (or even better is to isolate those devices from the rest of your local network as well), you will achieve the best security.

Thanks for the comment. Updating the firmware is not an option as this Hik was purchased on eBay some ten years ago. An update was not guaranteed and not even recommended. So, I'm just trying to avoid this loyal companion turning into stone and get some use out of it for the future as well. But anyway, I doubt (hope) that the hacker has done anything more clever. Technically the log is stating that 'admin' first took the config file and then logged in as 'admin'. And in this sequence. And never logged out (is that a problem?). As said, my cam is now unplugged and totally offline. Removed all DDNS settings, so eventually my dynamic IP will change and the hacker can't locate it?

I never got to finalize/test the DDNS hostname which I created in No-IP. Just created the account, defined the local IP address (mistake) and passwords. And made the same config in the camera settings. It was a late-night try-and-see exercise two weeks ago, which didn't succeed at the time, couldn't get it to work in Hik-Connect. But I'm sure that someone got access to my unfinished No-IP data and was able to utilize it.
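A defender-side illustration of the log sequence described above (config file exported first, then a login as 'admin' from a remote address, never logged out), as an added example that is not part of the thread. It parses a constructed CSV export in an assumed column layout (Time, Major Type, Minor Type, User, Remote Host IP) and flags sessions from non-LAN addresses, config exports that precede any login, and sessions with no logout.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; the column layout is an assumption, not a real capture.
SAMPLE_LOG = """\
time,major,minor,user,remote_ip
2024-02-11 23:40:12,Operation,Remote: Export Config File,admin,198.51.100.23
2024-02-11 23:40:19,Operation,Remote: Login,admin,198.51.100.23
2024-02-11 23:41:05,Operation,Remote: Parameter Change,admin,198.51.100.23
2024-02-12 08:15:02,Operation,Remote: Login,user,192.168.1.20
2024-02-12 08:16:44,Operation,Remote: Logout,user,192.168.1.20
"""

# Address ranges treated as "my LAN": RFC 1918 plus loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    """True when the source address is outside the LAN ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)

def parse_log(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def suspicious_sessions(entries: list) -> list:
    """Group entries by (user, ip) and report why a session looks wrong."""
    sessions = defaultdict(list)
    for e in entries:
        sessions[(e["user"], e["remote_ip"])].append(e)
    findings = []
    for (user, ip), evs in sessions.items():
        minors = [e["minor"] for e in evs]
        reasons = []
        if is_external(ip):
            reasons.append("external source address")
        if "Remote: Export Config File" in minors:
            # A config download with no prior login is the unauthenticated pattern.
            first_login = minors.index("Remote: Login") if "Remote: Login" in minors else len(minors)
            if minors.index("Remote: Export Config File") < first_login:
                reasons.append("config exported before login")
        if "Remote: Login" in minors and "Remote: Logout" not in minors:
            reasons.append("session never logged out")
        if reasons:
            findings.append({"user": user, "ip": ip, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}@{f['ip']}: {', '.join(f['reasons'])}")
```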
And remove any port forwarding you've set up in your router, disable UPnP in both the camera and router if it's enabled.
I couldn't even find the UPnP setting in my new Deco mesh router... but I surely haven't done that myself. Router settings are very limited, I have only reserved certain IP addresses for the cams' MAC addresses.
1) Open the unit and look for a physical reset button
2) use the SADP tool and click on the "forgot password" link in the bottom right-hand corner.
1) This camera is mounted under the eave, at approx. 5 meters height. I don't prefer to go there in winter (a lot of snow).
2) This camera has not been registered anywhere (purchased from eBay (China), I doubt this would lead anywhere...)
Camera model is DS-2CD2532F-IWS, firmware has not been updated since purchase (it was not even recommended as it was, if I recall correctly, meant for the Chinese market).
Your camera is R0 series; if you have the option to update the firmware from the web interface, make an update with this file, at the same time there will be a change to the European version of the camera foreverion
After the update, the camera will receive firmware version 5.2.5 and reset the settings to default. It is convenient to search for the device on the network using the utility SADP.exe; in firmware version V5.2.5 the old admin username and password 12345 are used.
Later, update the firmware starting from version 5.3.0 and up to the latest version sequentially from the European version of the Hikvision site.
Camera model is DS-2CD2532F-IWS, firmware has not been updated since purchase
Suggestion to regain control of the camera:

Use SADP to find the camera and see the IP address it is set to use, and also the firmware version.
With a PC that has an IP address in the same range as is used by the camera, use this URL in the browser, using the actual camera IP address:
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If you are lucky and the firmware is 5.3.0 or newer it should download a configuration file.
Zip it up and attach it here.
Firmware is old, V5.2.0 build 140721. However, I applied your address above with the camera IP and it did download some config file (!). But the content is encrypted etc., not readable... The file size is relatively small too, 274 kB. I assume this is exactly what the hacker got previously? Are you able to decrypt it...??

I hesitate a bit sharing the file in public, any chance dropping it to you privately?
Sent you the password!
I have control now :) The password really worked! I have now updated the admin and user passwords for both of my existing Hiks, as well as assigned new IP addresses. Those are only configured for LAN for now, I definitely need to investigate the possibility of setting up a VPN on my new Deco router.

I'm still amazed how you did it, but really appreciate it! Time to sit back and enjoy some single malt...
And this is why we say to not let them touch the internet: all these backdoor exploits that allowed you to get access back to your camera unfortunately also allow bad folks to gain access as well!