Has my Hikvision ip camera been hacked?

[alastairstevenson]

I plan to take down the Hikvision & try to do a factory reset without it being connected to my LAN.

You may be able to access the camera to reset to factory defaults without taking it down.

I cannot get into the camera using the admin login/password.

Suggestion to try :
Power on the camera.
Use SADP to find the camera, noting its IP address and the firmware version.
If the firmware is 5.3.0 or later, you may be able to extract the configuration file without needing credentials.
The configuration file can be decrypted and decoded to find the plaintext password that has been applied.
With a PC with the IP address in the same range as that of the camera, use this URL in the browser, replacing the IP address with the actual IP address of the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If you're lucky and a configuration file is extracted, zip it up and attach here.

 

[f13dfx]

You may be able to access the camera to reset to factory defaults without taking it down.


Suggestion to try :
Power on the camera.
Use SADP to find the camera, noting its IP address and the firmware version.
If the firmware is 5.3.0 or later, you may be able to extract the configuration file without needing credentials.
The configuration file can be decrypted and decoded to find the plaintext password that has been applied.
With a PC with the IP address in the same range as that of the camera, use this URL in the browser, replacing the IP address with the actual IP address of the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If you're lucky and a configuration file is extracted, zip it up and attach here.

Sorry, I reset the camera already and was able to upgrade to the latest firmware. Disabled uPnP in config. Seems to be working fine now.

Thank you all for your quick assistance!

 

[dreniarb]

If you're not able to put your cameras on an isolated vlan remove the gateway from their ip address settings. That will keep them off the internet. You could go a step further and put them on a completely separate subnet (192.168.100.X instead of 192.168.1.X for example). Just make sure you give your blue iris installation a secondary ip on the same subnet so it can talk to the cameras.

 

[lewic]

I remember there was this event late last year where people were hacking into Hikvision and Hikvision OEM cameras and leaving messages on the OSD. Hikvision came out with a firmware update to fix the issue. All that was needed to take the message off was go into the OSD menu and delete the text. Then install the firmware onto the camera. I think I have a picture of it somewhere....

 

[lewic]

Here is a link to the article.

Hikvision faxociety DVR/NVR Hack Fix 2023

Discover how to protect your CCTV system from the Hikvision CCTV camera hack. Learn step-by-step methods to fix vulnerabilities and secure your surveillance system effectively. Don't leave your CCTV exposed, safeguard your privacy and maintain control

www.cctv101.co.uk

It was always the same message on everyone's camera.

 

[yggdrasil]

Yes. Disconnect the camera, reset to factory settings, upgrade the firmware. Do not connect it to the Internet again. It says pwned which means whoever did this, is basically doing it deliberately to make you aware that your camera is insecure and should not be exposed online.

I assume you don't have a switch to put cameras on a VLAN so the easy way, your cable/internet modem mostly likely has a firewall feature, while basic might work. If not, research into having one. Assign your camera a fixed IP address. Then only allow traffic to this internal IP address from another internal IP (your blue iris). Nothing else, so it can't be connected to the Internet.

Port forwarding a camera to your public IP is a horrible idea. There are services that scan ports on the Internet to look for cameras and their models and it's trivial, automated, and they will hack your cameras in hours of being online. It's just a bad idea to put any camera on the Internet, in particular since all made in China now.

Whoever compromised your camera is basically informing you. It could be a script kiddie having fun, but either way, it's a warning that your network is insecure and exposed online, since from your camera an attacker is basically inside your network and can jump to every other device in your home.