Backdoor found in Hikvision cameras

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Of course, security is a huge concern in this day and age. Even before the "hacks" of default-passworded devices became publicized, Dahua cams (and probably Hiks too) had been observed communicating with IPs in China for unclear reasons.

For Hiks, I think the answer is two-fold - disable platform access to stop that vector, and then get yourself a nice firewall. I use pfSense, a free, open-source software firewall that runs on an old computer. My pfSense install is set up to do 3 main things to stop attackers:

1) Blue Iris and all cams are VLAN'ed onto a different subnet that can't talk to any other subnet on my LAN - I have long worried that Blue Iris or Hiks might get hacked, and containing them in this way ensures that an attacker couldn't jump to any other devices on my LAN, just because they got in through a device on the VLAN. Note that other devices on the LAN can talk to the security cam VLAN, so managing Blue Iris (or using Remote Desktop to manage the Blue Iris server) is still easy.

2) On the security cam VLAN, pfSense has rules to completely disallow the Hikvision cams to talk to the internet, except for time.windows.com (to set time). This completely prevents the Hiks from phoning home or from being accessed from the WAN. The Blue Iris server gets full outbound access to the WAN, and the inbound access (for remote Blue Iris viewing) has a different default port and is scheduled to only allow access to Blue Iris from the WAN during work hours. The ability to schedule firewall rules like this is one thing that makes pfSense a cut above your regular consumer-level routers.

3) pfSense can be set up to provide all major forms of VPN, and configuring it properly is a 10 minute job. Any access to Blue Iris (or other systems on the LAN) that is needed outside of work hours can be accomplished just by VPN-ing in and loading Blue Iris.

Considering one can easily spend $200 for a fancy all-in-one wireless A/C router from Netgear or Linksys, I think it's a comparatively great deal to get something like an old i3-3220 computer, paired with a Ubiquiti UAC-AC-Lite wireless access point, a basic, managed gigabit switch, and a second gigabit network card for your pfSense box. All together, these items cost about the same as a $200 router, but can be configured to be way more secure than a consumer router ever could.

Zeddy

Getting the hang of it
Joined
Jun 19, 2016
Messages
92
Reaction score
42
Do you see any knocks in the firewall logs from the cameras trying to connect to random IP's?

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Do you see any knocks in the firewall logs from the cameras trying to connect to random IP's?
I haven't been monitoring it, but it's well within pfSense's capability to mark IPs and monitor their traffic. If I see anything strange, I'll come back and report it.
 

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Logging is going. When you disable all traffic from Hiks to the internet, I first found that some cams will constantly try to pound 8.8.8.8 (Google's DNS server). I unblocked 8.8.8.8, since DNS traffic will likely be innocuous (though there are IP over DNS methods, I doubt the Hik cams employ them). I also figured that if the Hik cams thought they could access the internet because they could see a DNS server, they'd be more likely to try shady things, if they were going to try them.
 

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
I use pfSense, a free, open-source software firewall
I use a different method. I have a pfSense appliance rather than an installation on an old PC. I have a Hikvision NVR on my LAN and I've assigned the cameras a non-routable IP, 192.168.254.x.
My NVR does have a routable IP and is assigned as the gateway for the cameras.

This arrangement allows me to use my Linux browser to view individual cameras on 192.168.254.x or from the NVR (in a different room).

pfSense logs show no activity from my NVR out to the world, and since the cameras are non-routable they can't go past the LAN. I don't recall what I did to allow the NVR to get time signals; it's right on time and nothing is in the log file. I'll have to look into that again.

I set up a VPN to access it when I am away. No port forwarding. Works well on Apple mobile devices.

The VLAN seems like a good idea, but it would require me to do more research on an already working system that I hope is sufficiently secure. Your comment about being on a different subnet is certainly worth considering for a major reconfig of my system.
 

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Using VLANs made sense to me because the PoE switches I needed to power the cams had the functionality built in already. If your setup works well, I'd say leave it. The more important factor is that the cameras are adequately segmented and firewalled from the outside.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Intriguing - unless they are playing with words, a "privilege-escalating vulnerability" is not the same thing as the deliberately-coded backdoors we've been discussing for a while.
The 'Dahua backdoor' that's the subject of your recent exposé could certainly be described as a "privilege-escalating vulnerability".
I'm tempted to take a look in the linked firmware to see what they've altered.

*edit*
Looking at the firmware links, that firmware was released near the end of January, published on the EU portal and then after a few days removed from that site.
So on the face of it, the timing of their notice is a little odd.
I've already tested IPC_R0_EN_STD_5.4.5_170123 out on a couple of R0 IPCs and confirmed that the backdoors that are present in IPC_R0_EN_STD_5.4.0_160530 were still present.
 

montecrypto

IPCT Contributor
Joined
Apr 20, 2016
Messages
104
Reaction score
304
montecrypto, all, Hikvision has just sent a bulletin to dealers about a "Privilege-Escalating Vulnerability" Is this related to your backdoor report or different?
I guess it is. I have been communicating with Hikvision since I notified them and they have actually been quite responsive. As for the term "privilege escalation", well, technically they are correct. One can remotely escalate their privileges from anonymous web surfer to admin. :) Upgrade your cameras. Hikvision's problem now is that only a small percentage of cameras out there will be upgraded; the rest will remain vulnerable. Those who purchased those "multilanguage, don't upgrade" cameras are definitely screwed. I wonder how many bricked or Chinese-only cameras will be listed on eBay in the coming weeks :)
 

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
I suppose I'll be spending Monday morning updating 24 cameras at work!

Real talk though - privilege escalations are one of the most severe kinds of exploits out there. I hope anyone that has an internet-facing camera buttons it up quick.
 

NVR

Getting the hang of it
Joined
Apr 13, 2015
Messages
314
Reaction score
42
"When a specific request code is used to access the IP camera"

What request code are they referring to?
 

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Just updated 24 cameras today - mostly 2432 and 2442 cubes, and a handful of 2142 outdoor cams. Aside from taking a while, every (US, retail) camera took the firmware update no problem.

I do wish Hikvision Tools had a firmware update feature built into it, rather than having to update from the camera interface.
 

IL-MAFIOSO

Getting the hang of it
Joined
Jun 27, 2016
Messages
130
Reaction score
0
Hello,

.... I'm afraid to update two of my cameras because they're Chinese .... Last time I tried was a disaster ... camera returned to seller because it was totally blocked. Those two cameras were: DS-2CD2632F-IS
 

Iemand91

Pulling my weight
Joined
Aug 12, 2016
Messages
251
Reaction score
196
Location
Netherlands
I have a DS-2CD2132F-IWS from Aliexpress that I bought about 2 years ago. Firmware version is V5.2.5 build 141201 so according to the linked PDF; my camera is affected.
But since it's from Aliexpress with a multilingual firmware I can't update it and have to live with it.
That's the downside of buying it from China...
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I can't update it and have to live with it.
If you don't allow internet access inbound, and you trust your local network, the probability of an exploit is very low.

That's the downside of buying it from China...
I don't regret buying from China, but I was able to do the 'MTD hack', convert to EN and update to the 5.4.5 firmware.
But that firmware does still have a couple of 'backdoors', and maybe more than the obvious ones.
 