“Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

TonyR

It's pathetic, really, for such a large hi-tech organisation to promote such bad practice.
People and organisations who have been impacted by their unsafe guidance should work up a class-action suit and take them to the cleaners.
Of course the Chinese Gov't.-owned Hikvision corporate would take that stand; allowing their products to access the Internet allows them (the Chinese GOVERNMENT!) to exploit holes in the United States' and other nations' surveillance systems at government and military facilities, banks, schools, etc.

I am NOT a conspiracy-theorist and do NOT wear an aluminum foil hat but I do NOT think it's a good idea to give ANY other country, especially a socialist or Communist one, "the keys to OUR candy store!"
 

Bradmph


I agree, in fact this MFing company put one of mine online and posted it on a damn map with hundreds of others. Thank god the map coordinates were off, showing a bad address, but these bastards increase the wannabe hackers to hack and reset the hik cameras about once a week. Pissing me off big time. That is the main reason for me to update cameras. Forum should come down on that company's practices. New FCC rules should help and allow some retaliation on camera hacking I hope.
 

fenderman


I agree, in fact some MFing company put one of mine online and posted it on a damn map with hundreds of others. Thank god the map coordinates were off, showing a bad address, but these bastards increase the wannabe hackers to hack and reset the hik cameras about once a week. Pissing me off big time. That is the main reason for me to update cameras. Forum should come down on that company's practices. New FCC rules should help and allow some retaliation on camera hacking I hope.
That MFing company, ipvm.com is the one who I linked to in the first post. They did a GREAT job.
..now you have learned your lesson...your cameras were not hacked because of ipvm, they were hacked because YOU exposed them to the internet and relied on hikvision who is known for security flaws to keep you safe. Why you would port forward your cameras when you use blue iris (based on your avatar and sig) is beyond me.
All IPVM did was take readily available information from Shodan and map it....the map was off obviously because all it knows is the ip and it's a guesstimate....- they don't have your address.
IPVM did you a favor - they showed you how vulnerable you were.....
Stop port forwarding.
 

Bradmph

Hikvision HQ Contradicts Cybersecurity Director
Should remove any linking from this business fenderman. Don't give them any more publicity by linking a large forum as this to them. Post url using an image as I did so it gives them no link to this place at all.
My cameras are not online as well, they are powered through modem yes, but nowhere are they available on a website. Not port forwarded as well
 

fenderman

Should remove any linking from this business fenderman. Don't give them any more publicity by linking a large forum as this to them. Post url using an image as I did so it gives them no link to this place at all.
Why? They are doing a great job! Hacked Hikvision IP Camera Map USA And Europe
There is an entire thread where I linked the map. See here IPVM - -Hacked Hikvision IP Camera Map
The problem is YOU not them. Stop burying your head in the sand. STOP PORT FORWARDING YOUR CAMERAS!!!!! What is particularly strange is the fact that you port forwarded the cameras in the first place, since you are using Blue Iris...makes no sense.
 

john-ipvm

My cameras are not online as well, they are powered through modem yes, but nowhere are they available on a website. Not port forwarded as well
@Bradmph you may not have port forwarded your cameras but Hikvision had another security flaw, see Hikvision UPnP Hacking Risk that might have automatically, unknown to you, exposed your cameras to the Internet.
 

alastairstevenson

My cameras are not online as well, they are powered through modem yes, but nowhere are they available on a website.
It might be interesting to check if they are accessible without you realising it, due to the way you have your router configured.
Use the full port scan (not the UPnP scan) on the ShieldsUp! site here and see if you get any surprises : GRC | ShieldsUP! — Internet Vulnerability Profiling  

Should remove any linking from this business fenderman. Don't give them any more publicity by linking a large forum as this to them.
And I'm afraid you have the wrong end of the stick regarding IPVM.com
They are frequently holding Hikvision (and other surveillance companies) to account for poor and careless security practices and claims.
Hikvision in particular needs to have their feet held to the fire of adverse publicity in order to effect change and improvements in the risks their products impose on their customers.
The hacked camera map is just another example of such pressure.
There are large numbers of malicious hackers with their botnets taking much worse advantage of Hikvision's weak security than some snapshots culled via Shodan.
 

tradertim

Guys re port forwarding etc. Just bear in mind that most people on this forum won't have the IP networking/ software experience that you have.

And don't comprehend the risks.

Most ISP CPE don't show for example the constant port scanning going on against every router on every ISP subnets looking for open ports. Normal people and even many in the industry have no idea. How do I know - I used to specialise in the standards for the ISP CPE space.

I used to flag the risks and ISP still chose low cost devices with little logging and features.

I also had my router port forwarded for 5 years to my cameras with no problems.
I would have restricted the WAN IP access if the CPE had that capability. Admittedly relying on Hikvision security and good software (doh!). And I've been in telco and networking for 30 years.

Bradmph and others. Over the last two weeks I've put in a server VPN and it was pretty easy to take the cameras directly off the internet.

The steps to help are below. And I can help anyone else.

Like to contribute where I can - in the example of Alastair and Fender.

1. I selected ASUS AC68u adsl vdsl fibre router. Great router so much great logging and gui capability still at pro-sumer level.
2. Enable it for OpenVPN VPN.
3. Enable DDNS dynamic dns.
4. Generate the OpenVPN Cert Auth Key - export it. It takes the DDNS name automatically into account.
5. Send it to your email. Download it on your phone and save it in your phone directory.
6. Google playstore get OpenVPN app and install on your phone.
7. Import the OpenVPN Cert on your phone into it. Set up the user and password on your phone.
8. Test the VPN works. Outside the home network on 4G you should be able to type 192.168.1.254 for your router or whatever gateway IP address and login to router.
9. Take off all the Dynamic DNS settings in TinyCam and IVMS and input all the local IP addresses of the cameras e.g. 192.168.1.x and y, because now the only way you will ever access the cameras is on the local network through the VPN server.
10. Test it in the home network locally on TinyCam and IVMS and then turn off Wifi and then enable VPN over 4G and test it again with 4G VPN access and TinyCam and iVMS.
11. Use a UDP and TCP port scanner on your WAN IP address to ensure all ports show closed.

You can use the PPTP VPN server no doubt but OpenVPN was the one I got quickly working.

Also the admin password tool helped me to reset the camera admin password back on 5.3.5 software.

Prior to that I'd added a new user with full capabilities so at least I could login and change parameters/ email till I could get around to password recover.

Hope this helps.













 

Radnoaz

This thread is of great interest to me. I have things set up so I can access my Blue Iris setup on the internet, but I admittedly am not very knowledgeable on these things, and setting it up was not easy. Could you explain in general terms why using the above method is more secure than using port forwarding for remote Blue Iris access? I have read a little about VPN services, but I've never tried using one. I know some people who do use them, but not for security cameras.
 

fenderman

This thread is of great interest to me. I have things set up so I can access my Blue Iris setup on the internet, but I admittedly am not very knowledgeable on these things, and setting it up was not easy. Could you explain in general terms why using the above method is more secure than using port forwarding for remote Blue Iris access? I have read a little about VPN services, but I've never tried using one. I know some people who do use them, but not for security cameras.
The services that you hear people using are not what you want...you want a VPN server in your home so you can connect securely to it...see the VPN primer for noobs thread.
 

bp2008

Could you explain in general terms why using the above method is more secure than using port forwarding for remote Blue Iris access?
VPN servers are designed with a keen eye for cybersecurity, making them extremely difficult to hack.

Blue Iris's web server on the other hand can be assumed to be less secure since it wasn't designed with cybersecurity as such a high priority. Vulnerabilities have been discovered in it in the past, and more could be discovered in the future. If you don't port forward to Blue Iris, then you don't have to worry about any such vulnerabilities.
 

Radnoaz

VPN servers are designed with a keen eye for cybersecurity, making them extremely difficult to hack.

Blue Iris's web server on the other hand can be assumed to be less secure since it wasn't designed with cybersecurity as such a high priority. Vulnerabilities have been discovered in it in the past, and more could be discovered in the future. If you don't port forward to Blue Iris, then you don't have to worry about any such vulnerabilities.
Thank you. So to wrap my head around this, the simplified version of how to say this would be that, rather than using a server out in the cloud, over which you have zero control, you would be using your own computer in your home as a server for your IP camera feeds, thus allowing you total control over who gets in? This is what OpenVPN allows you to do?
 

Radnoaz

Reading the VPN noobs thread now......my router has OpenVPN capability baked in! :) Time for some research! Thanks guys! :)
 

tradertim

Reading the VPN noobs thread now......my router has OpenVPN capability baked in! :) Time for some research! Thanks guys! :)
Hey Radnoaz. Per below:

1. Essentially your router becomes the VPN server, the thing you authenticate to when you want to connect to your home network.
2. It's secure because with a VPN server it only allows users who have the Certificate (security file) to connect.
3. That's why you have to generate the CERT at the router and IMPORT it at the devices you want to be able to connect.
4. Hackers that don't have this CERT theoretically will not be able to connect to your VPN from their devices. Only devices with the CERT can connect.
5. In addition there is also the VPN server user and password that is encrypted (no one can see it) when you authenticate with the VPN server.
6. When you connect to the VPN server successfully it's like you are at home on your wifi. You can connect from the VPN on your router to your home devices, all encrypted communication that no one on the internet can see.
7. One more thing: make sure you use a cipher/encryption algorithm (I forget which) but something strong like AES256.
OpenVPN for me defaulted to something less secure in bit length.
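An added example (not from the thread, the router vendor or the OpenVPN project): a checker for the exported client profile from the setup steps earlier in the thread, looking for the points made in this post, namely the CA certificate, the username/password prompt and the cipher. The sample profile is constructed, the weak-cipher list and the `remote-cert-tls` check go beyond what the post mentions, and the function names are illustrative.

```python
import re

# Obsolete / 64-bit-block ciphers; BF-CBC was OpenVPN's historical default.
WEAK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}

def parse_profile(text):
    """Return (directives, inline block names) parsed from .ovpn text."""
    directives, blocks, current = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if current:                          # inside <ca>...</ca>: skip body
            current = None if line == f"</{current}>" else current
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            blocks.add(current := m.group(1))
        elif line and line[0] not in "#;":   # ignore blanks and comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def audit_profile(text):
    """List findings on the thread's points: certificate, login, cipher."""
    d, blocks = parse_profile(text)
    ciphers = [c.upper() for key in ("cipher", "data-ciphers")
               for args in d.get(key, []) if args for c in args[0].split(":")]
    findings = []
    if not ciphers:
        findings.append("no cipher set: strength depends on version defaults")
    for c in ciphers:
        bits = re.match(r"AES-(\d+)-", c)
        if c in WEAK:
            findings.append(f"weak cipher {c}")
        elif bits and int(bits.group(1)) < 256:
            findings.append(f"{c}: shorter key than AES-256")
    if "ca" not in blocks and "ca" not in d:
        findings.append("no CA certificate: server cannot be verified")
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: no username/password prompt")
    if "remote-cert-tls" not in d:
        findings.append("no remote-cert-tls: server certificate type unchecked")
    return findings

SAMPLE = """# constructed sample profile: placeholder host and certificate
remote home.example.invalid 1194
cipher BF-CBC
auth-user-pass
<ca>
(constructed placeholder certificate)
</ca>
"""
if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```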
 