Onvif Security Question

vwsplitty

Oct 21, 2015
Hi,

I have a question regarding ONVIF and logging in to webcams. I have a couple of Hikvision cams and two no-brand cheapo cams. ALL have an admin account set up with a password, but when I use the Onvif manager
I can log in to the non-brand ones without any input of the admin details, and I cannot on the Hiks. If I then put in the admin details on the top level of Onvif manager I can then log in to those Hik cameras.
What is going on? Surely I should not be able to log in to anything until I put the admin details in?

At the moment all I can think to do is change the default ports for connection;

before it would have just been http://192.xxx.xxx.xxx/onvif/device_service
now http://192.xxx.xxx.xxx:xxxx/onvif/device_service

cheers for any help
 

What is going on? Surely I should not be able to log in to anything until I put the admin details in?
I think you need to ask the supplier of your (unspecified) cameras about the ONVIF implementation of the cameras.

This simply underlines that IP surveillance cameras are just not secure, they are all hackable.
The Hikvision cameras have quite a number of security vulnerabilities too, including a particularly open 'backdoor', for example: Backdoor found in Hikvision cameras
At the moment all I can think to do is change the default ports for connection;
That will do nothing, as the ONVIF services are discovered by broadcast; the camera will respond as before with the needed details to any device that requests them.
 

They are cheap unbranded ones and I have had them for a while. So that's it, no other option I guess than, like they are at the moment, to have no internet access.

Once I changed the ports the Onvif tool would not find them without using the port numbers on the end of the IP, so I presumed
unless someone knew the new port numbers and was on my network they could access them?
 
Normally ONVIF Device Manager would find ONVIF devices on the same network automatically, with no need to specify IP addresses or ports.
But I see in your screenshot you have added the devices manually. Were they not found automatically?

Different ONVIF implementations often have different ONVIF and HTTP ports, all found automatically.
 
How do I use auto discovery with the tool?
 
I must admit I am doing this over VPN as I'm away at the moment, but it does not s or populate. I have to manually add any camera, and for the two crappy unbranded ones I have to add the port????
 
Presumably ODM isn't running in a VM with a NATed network interface?

I'm running it on my laptop at work; my Blue Iris is running on a VM inside Hyper-V. I'll try running it directly on the VM.


Edit:

You are correct. I ran it directly on the VM and it found all devices AND the cheapo one gave up the video streams without any login details. That is really poor.
So I'm assuming the best I can do is block them from the internet via the router and separate them on the LAN.
 
And I'll guarantee that even if it did require authentication, the firmware is readily hackable.
I've used maybe 7 or 8 brands of camera, and it's been fairly easy to find ways in on all of them, big brand or not.

OK, duly noted!

I had isolated them from the internet anyway; it's just that I have gotten back into the cameras, so to speak, after a while as I'm going to start adding some more, and finding out a few more things about how everything works is never a bad thing.
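
An added example, not part of any post in this thread: a check for the behaviour found above, where one camera answered over ONVIF with no login. It sends GetDeviceInformation, an ONVIF call that should require authentication, with no credentials and classifies the reply; the function names and the two sample replies are constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# SOAP 1.2 request with no WS-Security header and no HTTP credentials.
PROBE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    '<GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>'
    '</s:Body></s:Envelope>'
)

def classify(status, body):
    """Classify a reply to PROBE that was sent without credentials."""
    if status == 401:
        return "auth-enforced"   # HTTP digest challenge
    if re.search(r"NotAuthorized|FailedAuthentication", body):
        return "auth-enforced"   # SOAP fault: credentials missing or rejected
    if status == 200 and "GetDeviceInformationResponse" in body:
        return "open"            # device data returned with no login
    return "unknown"

def probe(url, timeout=5):
    """POST the probe to a device_service URL on your own network."""
    req = urllib.request.Request(
        url, data=PROBE.encode(),
        headers={"Content-Type": "application/soap+xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return classify(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:   # 4xx/5xx replies still carry a body
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except OSError:                       # refused, timed out, unreachable
        return "unknown"

# Constructed sample replies (not captured from any real camera).
SAMPLE_OPEN = (200, '<env:Body><tds:GetDeviceInformationResponse>'
               '<tds:Manufacturer>ExampleCam</tds:Manufacturer>'
               '</tds:GetDeviceInformationResponse></env:Body>')
SAMPLE_FAULT = (400, '<env:Fault><env:Code><env:Value>env:Sender</env:Value>'
                '<env:Subcode><env:Value>ter:NotAuthorized</env:Value>'
                '</env:Subcode></env:Code></env:Fault>')

if __name__ == "__main__":
    for target in sys.argv[1:]:   # e.g. http://<camera-ip>/onvif/device_service
        print(target, probe(target))
```

A result of "open" means the camera should be treated as unauthenticated on whatever network segment can reach it, whichever port it listens on.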