NVR4108-4KS Recordings Paused by Thieves

alastairstevenson · Jan 19, 2019

Yes, the SoCs for both cameras and NVRs do have hardware watchdog timers, that have to be regularly 'fed' to prevent triggering.
Hikvision cameras are commonly set at 10 mins.
Hikvision NVRs can be about 3 minutes.
It varies with the firmware.
I've not explored this in other brands.

WoodenTop · Jan 22, 2019

From a law enforcement perspective I have found this thread very entertaining. Car thieves tend to be quite low down in the intelligence chain and of course use prebuilt devices when conducting relay attacks about which they know nothing at all, hence why they are doing the dirty work. And as previously stated, their best form of defence is a balaclava.

If the OP's cams were WiFi only of course these could be easily taken offline with a 10 dollar raspberry pi zero and suitable usb wifi adapter.

The fact the cams are hardwired and only accessed via vpn would make it pretty much impossible to perform an attack (extreme and pointless lengths to go to to steal a vehicle in any case).

I'd go for a power issue. Local login just being the NVR rebooting/local PC/phone logging in.

xyvyx · Jan 23, 2019

While I'll agree that the use of a sophisticated attack is pretty unlikely, the timing does seem suspicious.
Does anyone here know with 100% certainty what exploits/back-doors are present in the Dahua NVRs? That's a rhetorical question of course... the answer is no.

Can a person get on your network? It sounds like you've made it difficult. Impossible? Of course not. Can they approach your home w/o being in-view of one of your cameras? I'm not sure. With Dahua as a major manf/OEM for NVRs, the idea that somebody has created a canned device that exploits the NVR to send a shutdown command is actually somewhat reasonable.

I find it interesting how it appears to have updated a user account and/or authenticated against several cameras almost instantaneously. What do normal log entries look like upon login?

alastairstevenson · Jan 23, 2019

I was more thinking about giving the router a hard enough time with flooding some disrupting WiFi requests that it forgot to spend enough time on the switch ports to support the camera video traffic such that it got into a disconnect/reconnect mess.
But I never got an answer about whether the camera traffic went through the router switch ports.

looney2ns · Jan 23, 2019

fenderman · Jan 23, 2019

alastairstevenson said:
I was more thinking about giving the router a hard enough time with flooding some disrupting WiFi requests that it forgot to spend enough time on the switch ports to support the camera video traffic such that it got into a disconnect/reconnect mess.
But I never got an answer about whether the camera traffic went through the router switch ports.

The problem with this theory is that the thieves would have to know/assume that the camera traffic passed the router which is usually not the case.

mat200 · Jan 23, 2019

fenderman said:
The problem with this theory is that the thieves would have to know/assume that the camera traffic passed the router which is usually not the case.

Note - many consumer grade cameras are cloud cameras, not certain about the stats on cameras in the UK - but certainly in the USA these wifi cloud are very popular items for consumers.

fenderman · Jan 23, 2019

mat200 said:
Note - many consumer grade cameras are cloud cameras, not certain about the stats on cameras in the UK - but certainly in the USA these wifi cloud are very popular items for consumers.

to clarify, alastair's scenario focuses on a hardwired system such as the OP.

mat200 · Jan 23, 2019

fenderman said:
to clarify, alastair's scenario focuses on a hardwired system such as the OP.

Yes, however - the thieves are probably using whatever attack / relay kit they bought from Eastern European hackers and thus are probably setup to use more of a "shotgun" / general attack than any sort of "sniping" / specific attack

As improbable as it may seem, it is not outside the realm of possibilities that the attack kits on laptops may go beyond just duplicating the e-key signature.

fenderman · Jan 23, 2019

mat200 said:
Yes, however - the thieves are probably using whatever attack / relay kit they bought from Eastern European hackers and thus are probably setup to use more of a "shotgun" / general attack than any sort of "sniping" / specific attack

As improbable as it may seem, it is not outside the realm of possibilities that the attack kits on laptops may go beyond just duplicating the e-key signature.

These thieves are using nothing. This NVR was not hacked. The point is that this type of theoretical attack would not work on a wired system such as the OP unless possible if the data passed through the router which is highly unlikely. Even if possible it would not cause the NVR to reboot.

c hris527 · Jan 23, 2019

WoodenTop said:
From a law enforcement perspective I have found this thread very entertaining. Car thieves tend to be quite low down in the intelligence chain and of course use prebuilt devices when conducting relay attacks about which they know nothing at all, hence why they are doing the dirty work. And as previously stated, their best form of defence is a balaclava.

If the OP's cams were WiFi only of course these could be easily taken offline with a 10 dollar raspberry pi zero and suitable usb wifi adapter.

The fact the cams are hardwired and only accessed via vpn would make it pretty much impossible to perform an attack (extreme and pointless lengths to go to to steal a vehicle in any case).

I'd go for a power issue. Local login just being the NVR rebooting/local PC/phone logging in.

I took a good look at his recording log, How nice of the Thieves or hackers to turn recording back on after the crime is committed.

Barboots · Jan 23, 2019

Was the suggestion of pulling the power to emulate power loss followed through on?

c hris527 · Jan 23, 2019

Barboots said:
Was the suggestion of pulling the power to emulate power loss followed through on?

I don't know but IF the power was shut off, it happened twice, I see a small event of zero recording, then a small amount of recording then a gap of no recording again and then it magically comes back to life. We are missing a LOT of info and seeing logs like this are NOT uncommon in my world when things get out of wack.

TonyR · Jan 24, 2019

xyvyx said:
Does anyone here know with 100% certainty what exploits/back-doors are present in the Dahua NVRs? That's a rhetorical question of course... the answer is no.

Is that considered a rhetorical answer? :wtf:

fenderman · Jan 24, 2019

xyvyx said:
While I'll agree that the use of a sophisticated attack is pretty unlikely, the timing does seem suspicious.
Does anyone here know with 100% certainty what exploits/back-doors are present in the Dahua NVRs? That's a rhetorical question of course... the answer is no.

Can a person get on your network? It sounds like you've made it difficult. Impossible? Of course not. Can they approach your home w/o being in-view of one of your cameras? I'm not sure. With Dahua as a major manf/OEM for NVRs, the idea that somebody has created a canned device that exploits the NVR to send a shutdown command is actually somewhat reasonable.

I find it interesting how it appears to have updated a user account and/or authenticated against several cameras almost instantaneously. What do normal log entries look like upon login?

Complete nonsense. The OP was using VPN so even if there was a back door it would not be accessible. This is nothing more then a defect. These guys are stealing cars not assassinating high-level politicians.

xyvyx · Jan 24, 2019

fenderman said:
Complete nonsense. The OP was using VPN so even if there was a back door it would not be accessible. This is nothing more then a defect. These guys are stealing cars not assassinating high-level politicians.

So you're stating that his "use of a vpn" means his network is 100% secure?
It's nonsense because the NVRs are 100% bulletproof?

People around here should understand exploits in network hardware better than most.

nbstl68 · Jan 24, 2019

WoodenTop said:
...If the OP's cams were WiFi only of course these could be easily taken offline with a 10 dollar raspberry pi zero and suitable usb wifi adapter.

Cool, I'd love to know how to do that! I could totally mess with my bro-in-law's Arlo cameras he keeps touting. Please give me more info!

On a different note, I'm really surprised this topic has made it to 4 pages!

fenderman · Jan 24, 2019

xyvyx said:
So you're stating that his "use of a vpn" means his network is 100% secure?
It's nonsense because the NVRs are 100% bulletproof?

People around here should understand exploits in network hardware better than most.

Nope. Read again. You are the one who is misunderstanding. Use of vpn means that any backdoor in the NVR is not exploitable since its not exposed to the net. You are the one who mentioned dahua backdoors not me and I am explaining that the backdoor is irrelevant because the OP used a vpn. If you think the car ring is able to crack a vpn they you are more misguided than I previously thought. Even if they were, these sophisticated car thieves spent time researching nearby homes, finding the ip addresses, hack the vpn, hack the NVR. Then restored it after the heist? Think a bit.

samplenhold · Jan 24, 2019

Remember that the OP stated "the police did mention that it was a very organised gang taking prestigious vehicles in the area".

I checked with a friend, Inspector Mike Whittier at Interpol, and this is a well-known group. They only boost cars that are worth more than 200k Euros. It seems that they ship them to other countries, mostly the ME/Gulf area. The main guy is Randall Raines. He has a few runners working for him. Most of the planning is done by an Otto Halliwell. He gets his electronics from some guys in Azerbaijan that have ties with Beijing, Kula Lumper, and Lagos. Inspector Whittier believes that they work for Keyser Soze, but they probably don't know it.

They are know as the "Gentlemen Jackers" since, when they disrupt nearby surveillance systems, they always reset them after they leave so as not to cause undue hardship to the owners of those systems.

fenderman · Jan 24, 2019

samplenhold said:
Remember that the OP stated "the police did mention that it was a very organised gang taking prestigious vehicles in the area".

I checked with a friend, Inspector Mike Whittier at Interpol, and this is a well-known group. They only boost cars that are worth more than 200k Euros. It seems that they ship them to other countries, mostly the ME/Gulf area. The main guy is Randall Raines. He has a few runners working for him. Most of the planning is done by an Otto Halliwell. He gets his electronics from some guys in Azerbaijan that have ties with Beijing, Kula Lumper, and Lagos. Inspector Whittier believes that they work for Keyser Soze, but they probably don't know it.

They are know as the "Gentlemen Jackers" since, when they disrupt nearby surveillance systems, they always reset them after they leave so as not to cause undue hardship to the owners of those systems.

lol

Search

NVR4108-4KS Recordings Paused by Thieves

alastairstevenson

WoodenTop

n3wb

xyvyx

Getting the hang of it

alastairstevenson

looney2ns

fenderman

mat200

fenderman

mat200

fenderman

c hris527

Known around here

Barboots

Pulling my weight

c hris527

Known around here

TonyR

fenderman

xyvyx

Getting the hang of it

nbstl68

Getting comfortable

fenderman

samplenhold

fenderman