alastairstevenson
Staff member
The vulnerabilities are in the camera firmware, not what it's connected to.
I actually deleted the Hik's software
I've used those firmware updates but cameras are still being reset. So no.
I have updated my cams to the HIK-firmware on this page: Hangzhou Hikvision Digital Technology Co. Ltd.
Did those FW versions plug the exploit hole(s)?
Have you tried making your cameras inaccessible from the internet for a while and see if they still reset? Next step in troubleshooting.
I've used those firmware updates but cameras are still being reset. So no.
Hikvision takes cybersecurity concerns with the utmost seriousness and takes diligent action to ensure that its products meet the standards of the security industry’s best practices.
A new, direct communications channel is actually good news. Assuming there are humans on the other side, the best strategy here is to use it. Everyone with a question, start dialing. Take notes, and after the call, publish them online and describe your experience, good or bad. They will have to staff the line with more humans if it becomes popular and it will become easier to fix/resolve concerns than to continue dealing with negative PR.
Lol! Hikvision USA
The idea is perfectly good of course.
If you are only forwarding BI, the issue is moot...the camera never is exposed to the internet...
Am I right that the DS-2CD2T42WD-I5 is excluded from that list? I see the FWD's are but don't see WD's. Currently on 5.4.1 Build 160525
I also see here that UPnP is not a good practice and luckily have it disabled everywhere already but didn't know port forwarding is frowned on. The only forwarding I have is as instructed by the BI android app, is that acceptable?
Happy to see my Shields Up test was good!
Yeah it was just the UPnP test that came back ok but I will dive into the VPN setup as soon as possible. Good to know the BI app is an exception, can you confirm if the 2CD2T42WD's are excluded from the backdoor vulnerability?
If you are only forwarding BI, the issue is moot...the camera never is exposed to the internet...
That said, you should consider using a vpn for BI...
Shields up cannot be ok if you have the blue iris webserver forwarded....you need to select the full test..and even that doesn't scan all the ports...
I didn't say the BI app is an exception...it can have a vulnerability just like the cameras can....
Yeah it was just the UPnP test that came back ok but I will dive into the VPN setup as soon as possible. Good to know the BI app is an exception, can you confirm if the 2CD2T42WD's are excluded from the backdoor vulnerability?
I'm not sure why people are connecting IP cameras to the internet. What I do is connect the camera to the NVR via IP, but I give the camera a fake/non-valid IP as the gateway address. If the camera does require a valid gateway IP address, you can create firewall rules to drop/block all IP Camera traffic from leaving the network/gateway.
If you have UPnP enabled on the router and the cameras, or you have enabled port forwarding, they will get hacked when on firmware of 5.4.4 or less.
Next time it happens, try 1111aaaa or asdf1234 as admin passwords.
If that works, they are for sure being hacked.
I do the same. For example, 192.168.254.x is a non-routable IP. A typical camera setting in NVR is 192.168.254.101 and the NVR on a 192.168.x.x network has no problem seeing that camera.
I give the camera a fake/non-valid IP as the gateway address.
That should be the default - all inbound access should be blocked by the NAT firewall in the router.
I do have all ports blocked to the camera's IP in the router
That doesn't matter when the packets hit a NAT router.
For example, 192.168.254.x is a non-routable IP
With apologies - for the avoidance of any confusion, assuming the example is a Hikvision NVR with PoE ports, there are 2 ethernet interfaces in play internal to the NVR.
A typical camera setting in NVR is 192.168.254.101 and the NVR on a 192.168.x.x network has no problem seeing that camera.
I watch remotely, as well. I also use OpenVPN to connect to my network. The IP camera doesn't need to connect to the internet in order for you to view it over the internet. You should be connecting to your synology using DS Cam and not the IP camera. This is why the IP camera doesn't need a valid gateway address.
Hello
I will share my setup. On cameras, turn off UPNP. I don’t see the point of changing the gateway, since I also turn off UPNP on the router, and Mikrotik has good settings by default. But I need to watch the camera remotely, for this I use VPN (OpenVPN) on Synology, with a changed port.
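
Added example, not part of any post in this thread: a small audit over a camera inventory that applies the exposure conditions discussed above (UPnP on both router and camera, or a port forward, combined with firmware 5.4.4 or less) and checks whether a camera still has a usable gateway. The inventory fields, the `egress_blocked` flag and the sample entries are constructed for illustration; the 5.4.4 threshold is taken from the thread as stated.

```python
import ipaddress
import re

AFFECTED_MAX = (5, 4, 4)  # threshold as stated in the thread, not independently verified

def parse_firmware(text):
    """'5.4.1 Build 160525' -> (5, 4, 1); raises ValueError if no version is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.groups())

def has_route_out(cam, router_ip):
    """True when the gateway is the real router, on-link, and no drop rule is recorded."""
    if not cam.get("gateway"):
        return False
    net = ipaddress.ip_interface(f"{cam['ip']}/{cam['prefix']}").network
    gw = ipaddress.ip_address(cam["gateway"])
    on_router = gw in net and gw == ipaddress.ip_address(router_ip)
    return on_router and not cam.get("egress_blocked", False)

def audit(cam, router_ip, router_upnp):
    """Return a list of findings for one camera (empty list means nothing flagged)."""
    findings = []
    old = parse_firmware(cam["firmware"]) <= AFFECTED_MAX
    # Inbound exposure: UPnP needs both ends enabled; a manual forward needs only the router.
    reachable = cam["port_forwarded"] or (cam["upnp"] and router_upnp)
    if reachable and old:
        findings.append("reachable from internet on firmware <= 5.4.4")
    elif reachable:
        findings.append("reachable from internet")
    if has_route_out(cam, router_ip):
        findings.append("can initiate outbound connections")
    return findings

# Constructed sample inventory (hypothetical names and addresses).
CAMERAS = [
    {"name": "front", "ip": "192.168.1.64", "prefix": 24, "gateway": "192.168.1.1",
     "firmware": "5.4.1 Build 160525", "upnp": True, "port_forwarded": False},
    {"name": "garage", "ip": "192.168.254.101", "prefix": 24, "gateway": "192.168.254.250",
     "firmware": "5.4.5", "upnp": False, "port_forwarded": False},
]

def run_audit(router_ip="192.168.1.1", router_upnp=True):
    return {c["name"]: audit(c, router_ip, router_upnp) for c in CAMERAS}

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings or "nothing flagged")
```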