Hik-Connect and UPnP

jimbo123

Hi all,

Apologies if this has been covered here, but I looked around for a while and couldn't find the answers I was looking for - hopefully that doesn't translate to I didn't know what I was looking for?

Ok, so today I discovered Hik-Connect and thought great, a mechanism to easily see my Hik cam when I'm not at home.

While setting it up it had asked for a 'UPnP mode' setting,.. which I left to auto - my thinking being that I don't have UPnP enabled on my router, so I should be ok with this UPnP vulnerability that's around for devices running non-recent firmware.

Then I disabled the wireless on my phone and was able to see the live view going over the Telco connection.

So my question now becomes, how was I able to see a live view if I had UPnP disabled on the router?

Surely my live view I see on my phone doesn't happen by it coming directly to my router and into my cam as there's no inbound path - or so I think, or is this UPnP somehow active?

Is anyone able to shed any light on this?

Thanks,

Jim.....
 

Mike

Staff member
Disable UPnP. Hik-Connect's service transmits the data to their servers, then to you.
 

jimbo123

At the risk of sounding like a tool,.. where?

  • If I look at the CAM via its WebIf I don't have the checkbox checked.
  • If I look at my router, I don't have UPnP enabled.
  • The only place it's set to 'auto' is when I've added the device into the Hik-Connect config. I've now gone back and made that 'Manual' and then picked some random numbers for server/http port and it's still working - no idea what those values are used for,.. maybe something to do with remote config if I had DDNS configured?

So a path is created between the CAM and the Hik-Connect servers where the stream is sent to, and from there it's sent to me on the phone? And I guess this only happens when I ask for a 'live view' on the phone?
 

RyanODan

IPCT Vendor
At the risk of sounding like a tool,.. where?
  • The only place it's set to 'auto' is when I've added the device into the Hik-Connect config. I've now gone back and made that 'Manual' and then picked some random numbers for server/http port and it's still working - no idea what those values are used for,.. maybe something to do with remote config if I had DDNS configured?
Those settings don't matter if you aren't port forwarded. If you are, then you can configure specific ports to essentially use Hik-Connect as a DDNS service. Auto won't have any impact unless you have UPnP enabled on your camera and router. If so, it will automatically forward the default ports.
 

obqo

So here is my take...

The Hik-Connect service creates an encrypted TLS tunnel between the NVR or device inside your network and the Hik-Connect web portal. You do this when you use your serial number and create an activation key inside the NVR. You supply that key to the Hik-Connect service and they are authenticated and the tunnel is created. Your NVR knows the public IP address of your WAN connection (cable modem, DSL, etc...) and dynamically updates this to the Hik-Connect web service if it changes. Part of Hik-Connect is a dynamic DNS service. So no matter what your WAN IP address is you can get to your system using that service. Easy peasy.

It ALSO provides a connection point to port 8000. This is the port the Hik-Connect app requires to receive the video from the NVR or device behind your firewall; that is why no port forward is necessary. Once the app knows where to look for 8000 from the Hik-Connect web portal/service the video flows. I think Mike - love you like a red haired step child :) btw - is essentially correct in that it supplies connection "data" to the Hik server but not the video. It only carries the port relay information necessary to establish the TCP/UDP connection to the mobile application. Meaning, the video stream does not go from your NVR to HIK then back to you. Given how big Hik is, and its user base, that amount of video hitting their servers would be the equivalent of a DOS attack... Could they gain access to the video is an entirely different question. All of that means you can still get to port 8000 without a port forward. Most of the better IoT devices work this way, Nest, Ring, etc....

Ryan is correct that you don't need the UPnP settings if you aren't using port forwarding, not the best idea anyway. If you have UPnP turned on here and on the router, I believe it makes the device's HTTP port, typically 80, available to the Hik-Connect DDNS service. My belief is that it will create a port-forward rule that essentially sends any traffic on inbound port 80 to the IP address of the NVR, for example WAN > 192.168.1.100:80. If Hik-Connect is set up in this manner and you log on to the Hik-Connect website you get a clickable link to that NVR. This works great if you have a dynamic WAN IP address that changes, as most do.

Short version - when you click the link in the Hik-Connect web portal to your IP address with UPnP set up - it should open a new tab with access to that device's HTTP web portal without any manual port forward or the hassle of remembering your WAN IP address.

I should take a packet capture of this at some point to post and verify. Sorry for the long post. I hope this helps.
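One way to check for yourself whether UPnP has quietly created the kind of rule described above (WAN:80 forwarded to the camera or NVR) is to read the router's IGD port-mapping table directly. The script below is an added example, not code from the thread or from Hikvision; it assumes a router that exposes the standard UPnP WANIPConnection:1 service, and CONTROL_URL is a placeholder you must replace with the control URL from your own router's device description XML. SAMPLE_RESPONSE is a constructed reply that mirrors the rule obqo describes.

```python
from urllib import error, request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"  # placeholder: take it from your router's description XML
CAMERA_PORTS = {80, 554, 8000}  # Hikvision HTTP, RTSP and SDK defaults (the 8000 discussed in the thread)
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")

# Constructed response for the rule described above: WAN:80 -> 192.168.1.100:80 (not captured from a real router).
SAMPLE_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:{ACTION}Response xmlns:u="{SERVICE}">'
    '<NewExternalPort>80</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.100</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>HTTP</NewPortMappingDescription>'
    f'</u:{ACTION}Response></s:Body></s:Envelope>')

def soap_request(index: int) -> bytes:
    """SOAP envelope asking the IGD for the mapping at table position `index`."""
    return (
        '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
        f'</NewPortMappingIndex></u:{ACTION}></s:Body></s:Envelope>'
    ).encode()

def parse_mapping(xml_text: str) -> dict:
    """Pull the argument elements out of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    # Argument elements are unqualified; strip namespaces so both styles match.
    values = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    return {f: values.get(f, "") for f in FIELDS}

def exposes_camera(mapping: dict) -> bool:
    """True when the rule forwards WAN traffic onto a camera/NVR service port."""
    port = mapping["NewInternalPort"]
    return port.isdigit() and int(port) in CAMERA_PORTS

def fetch_mappings(control_url: str = CONTROL_URL) -> list:
    """Walk the table from index 0 until the router rejects the index (end of table)."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    mappings = []
    for index in range(256):  # sanity bound; home routers hold far fewer rules
        req = request.Request(control_url, data=soap_request(index), headers=headers)
        try:
            with request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping(resp.read().decode()))
        except error.HTTPError:  # HTTP 500 SpecifiedArrayIndexInvalid: no more entries
            break
    return mappings
```

Run `fetch_mappings()` against your own router and pass each result through `exposes_camera()`; an empty table confirms that UPnP did not add the forward, which is the state Mike recommends.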
 

jimbo123

Thanks grasshopper,.. while I re-read and digest (a few more times),....

So there's a transfer of info, (connection details), b/w the CAM and HikVision. The Hik-Connect app on my phone goes to HikVision and says "I am here and want to see something",.. so the HikVision servers/service 'tell' the CAM where to send the stream to? i.e. my phone? And some negotiation occurs between the phone and the CAM to allow that to happen.
 

obqo

Yes - that is pretty much it. Here is a summary.

  1. Once setup correctly, your Hik device (cam or NVR) and the Hik-Connect web service have a direct communication path (tunnel) without the need of a port-forward. This path is only created after you have a web account with your credentials and have shared the authentication password from the device when you "enabled" it. These two pieces of information are unique. Your device and the Hik-Connect web portal/service always have this communication path available once enabled.

  2. Your device at home periodically checks to see if the WAN public IP address of your gateway (your modem) has changed. If a change is detected, your camera will "phone home" to the Hik-Connect web service/cloud and say "here I am now". The update occurs from your device to their servers.

  3. The Hik mobile applications and their ilk (Hik-Connect, iVMS-4500, Guarding Expert) by default all listen on port 8000 to get the data/video from your Hikvision source device. When you start your app on your phone, a request to get the information from your device on port 8000 is essentially relayed from the Hik-Connect web service to the device within your home network. This is a gross oversimplification of the process as I understand it, but I think largely correct.

  4. The "negotiation" really occurs between the app on your phone and the Hik-Connect web portal/service. This happens when you start the app and log in. Once authenticated, the Hik-Connect web portal/service tells the mobile app 1) where the device is (WAN IP address), and 2) how to get the data/video (listen on port 8000). The Hik-Connect web portal/service just keeps track of this stuff to make it easy.

Hope this helps.
 

obqo

That is excellent... and probably 1000% better than my rambling posts.
 

intz

Thanks @obqo for that amazing explanation! Wondering what your take is on the following.

I currently have a VPN configured that I use to connect my Hik-Connect mobile app to view live video and have configured email notifications to get alerts. My understanding is this is the safest setup.

Unfortunately, the only downside of my configuration is that I do not receive push notifications to Hik-Connect, which I would really like to have. This means I need to create a Hik-Connect account and use that TLS tunnel to connect to my NVR. I am however worried that this is not secure (not the tunnel). What do you think of changing to this configuration? Is it higher risk? Should I avoid it and just stick to the VPN?
 

RonL

Does it really matter? Who cares if someone else sees your video? I certainly don't care. And if Hikvision was truly banned, how can it still be sold everywhere?
 

alastairstevenson

Staff member
Who cares if someone else sees your video? I certainly don't care.
Maybe not a big issue, but if the access exposed a vulnerability that allowed onward entry to the underlying network with its private data and devices you might care about that.
That's not fiction - it does happen.
 

RonL

Maybe not a big issue, but if the access exposed a vulnerability that allowed onward entry to the underlying network with its private data and devices you might care about that.
That's not fiction - it does happen.
Well my current system is out of China too, I've had them for several years.
"Smonet." But it's not ip. Analog. But still sends my feed to them and back for remote.
 