Am I hacked? Silly me

Discussion in 'Hikvision' started by Rani, Jun 15, 2019.


  1. Rani

    Rani n3wb

    Joined:
    Nov 12, 2015
    Messages:
    10
    Likes Received:
    0
    Hey peeps, so I jumped on here about a year ago asking if I should upgrade my 5 DS-2CD2332's 5.0 firmware, but I was not made aware of the backdoor hack specifically (with all due respect to "alastairstevenson" who I'm sure had my best interests at heart) and I should have researched more into it, so I left everything and everything was running fine. Until...

    A couple of days ago I changed the default password and activated RTSP to integrate the cams with "Home Assistant". I had also just purchased the Netgear Orbi, which had UPnP activated by default. Then within a day I lost all my 5 cameras (not visible by NVR or web).

    I was unaware of the backdoor hacks until this problem happened and I researched into it.
    I'm now panicking and don't know where to start troubleshooting the problem.

    Where do I go from here?
    If/when I do get my cams back, will updating the firmware get rid of all previous hacks?

    There is this part of the article "Hikvision flaw could be remotely exploited to hijack cameras, DVRs":

    ```
    • Take over the user’s account after resetting their password. After that, even if the user tried factory resetting their device, it would not be “unbound” from the attacker’s account without contacting Hikvision. Stykas added, “If we change the password we can use the devices menu on the Hik-connect android app and manage the device (update firmware and brick it or do whatever we want) without any password given.”
    ```
    How accurate is that? Should I just call my supplier and get the cams replaced?

    Thanks in advance
     
    Last edited: Jun 15, 2019
  2. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    30,534
    Likes Received:
    9,565
    Don't misrepresent what Alastair told you. You didn't read his response. He warned you about the hacking. "Running ancient firmware on DS-2CD2332, worth upgrading?"
     
  3. mikeynags

    mikeynags Getting the hang of it

    Joined:
    Mar 14, 2017
    Messages:
    86
    Likes Received:
    42
    Location:
    CT - the tax you to death state
    To @alastairstevenson's defense, he did say "But if it's running AOK, and not exposed to hacking, probably best left as-is."

    Have you tried calling Hikvision support as the article mentions and have the cams unbound from the attacker's account?
     
  4. Rani

    Rani n3wb

    Yes, apologies, I'm not blaming him at all. I admit it was my fault for not doing my due diligence.

    No, not yet, I was thinking of calling my supplier to see if he knows the problem.
    I'm uncertain if it is a hack yet as my cams are inaccessible.
    So there's nothing about the hack that can be permanent as long as I contact Hikvision?
     
  5. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,401
    Location:
    Scotland
    If it's a password no longer working -
    A hacked camera is often left with these passwords for you to try : 1111aaaa and asdf1234
    If neither of those work, the password can be extracted via the 'Hikvision backdoor' by pulling the configuration file.
    Use this URL, from a PC with an IP address in the same range as the camera, replacing the camera IP address as needed :
    http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

    Zip up the resulting file, attach here, and I can decrypt and decode it to extract the password for you.

    And for the future - the camera can be converted to EN / updatable such that the firmware can be upgraded to a backdoor-fixed version with this method :
    Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
    R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.
    Lots of people have used it - it's not too bad.
     
  6. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,727
    Likes Received:
    960
    Location:
    Houston Tx
    For security reasons, your cameras should not be exposed to the internet. The cameras should be blocked at the router, or placed on a separate subnet, which prevents access from the internet.
     
  7. Dramus

    Dramus Getting the hang of it

    Joined:
    May 7, 2019
    Messages:
    108
    Likes Received:
    61
    Location:
    New Jersey
    And by "not exposed to hacking" one suspects he meant "not (directly) exposed to the Internet."

    Anything that's exposed to the Internet is, by definition, exposed to hacking. Likewise anything accessible via a poorly-secured or otherwise-exploitable WiFi system.
     
  8. alastairstevenson

    alastairstevenson Staff Member

    Yes, my terminology was a bit lacking in that response, not as explicit as it should have been.
    Ta for the clarifications, folks!
     
  9. alastairstevenson

    alastairstevenson Staff Member

    This just catches so many people out!
    UPnP on the router, and any device on the LAN with UPnP (eg Hikvision cameras, enabled by default) can mess with the router and allow inbound access that you don't even know about.
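
The UPnP risk described in the post above can be checked from the defender's side by auditing the router's current port mappings. The following is an added example, not part of the original thread: it assumes a listing in the style printed by miniupnpc's `upnpc -l`, and the sample rows, the LAN range, the camera address 192.168.1.64 and the allow-list are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the mapping table printed by `upnpc -l`
# (assumed layout: index, protocol, extPort->intAddr:intPort, 'description').
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8000->192.168.1.250:8000  'NVR' '' 0
 1 TCP    80->192.168.1.64:80  'HTTP' '' 0
 2 TCP   554->192.168.1.64:554  'RTSP' '' 0
 3 UDP 51413->192.168.1.20:51413  'p2p' '' 7200
 4 TCP  8554->10.9.9.9:554  'RTSP' '' 0
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

# Hypothetical policy: only the NVR forward mentioned in the thread is expected.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED = {("TCP", 8000, "192.168.1.250")}
CAMERA_PORTS = {80, 443, 554, 8000}  # web, RTSP and the port 8000 from the thread


def parse_mappings(listing):
    """Return one dict per port-mapping row; header and other lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            proto, ext, host, internal, desc = m.groups()
            rows.append({"proto": proto, "ext_port": int(ext), "host": host,
                         "int_port": int(internal), "desc": desc})
    return rows


def audit(listing, lan=LAN, allowed=ALLOWED):
    """Return (mapping, reasons) for every mapping that is not explicitly allowed."""
    findings = []
    for m in parse_mappings(listing):
        if (m["proto"], m["ext_port"], m["host"]) in allowed:
            continue
        reasons = []
        if ipaddress.ip_address(m["host"]) not in lan:
            reasons.append("target outside LAN")
        if m["int_port"] in CAMERA_PORTS:
            reasons.append("forwards a camera/NVR service port")
        findings.append((m, reasons or ["not on allow-list"]))
    return findings
```

Any finding here is a mapping that some LAN device asked the router to open; with UPnP disabled on both router and cameras, as advised in the thread, the listing should be empty.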
     
  10. Rani

    Rani n3wb

    Hey peeps, thanks very much for the replies.

    @alastairstevenson I hope you didn't take offence to my OP.
    In regards to the cameras, they're not accessible at all. The NVR shows no cameras, and when I navigate to the cam's original IPs there's nothing.
    So it's like they've been reset back to default and unconfigured.
     
  11. alastairstevenson

    alastairstevenson Staff Member

    No offence at all, no worries.
    What does SADP show for the cameras?
    Are they on the LAN or on NVR PoE ports?
    If on NVR PoE ports, plug the PC into an unused port so SADP can see the cameras.
     
  12. alastairstevenson

    alastairstevenson Staff Member

    SADP will find the cameras whatever their IP address when on the same network.
     
  13. Rani

    Rani n3wb

    So I plugged my PC straight into the PoE and SADP is showing all cams.

    For some reason the cams have changed their IP addresses and I guess that's why the NVR couldn't connect to them.

    I can log in to the cameras with the same password I had setup which tells me that they were not hacked?
     
  14. alastairstevenson

    alastairstevenson Staff Member

    What IP addresses are showing?
    If the cameras were all connected to the NVR PoE ports - generally they'd not be very accessible for being messed with.
    But it's a bit coincidental that you changed your router and it had UPnP enabled.
    For LAN-based cameras, that would be bad, they could be easily accessible.

    OK, so you have access to the cameras.
    With SADP you can change the IP addresses back to what the NVR PoE channels are set to, and all should work again.

    In principle - cameras that get hacked could have anything changed on them, it doesn't have to be the password.
     
  15. Rani

    Rani n3wb

    Hey @alastairstevenson
    Apologies for the disappearance, been really under the weather for the past few days.

    I have now managed to upgrade all to the latest firmware: cameras (V5.4.5 build 170123) and NVR (V3.1.0 build 171010).

    There is one thing I'm really confused about: if my cameras are attached to the NVR and have 192.0.0.X IPs, that does mean they're not exposed to the internet as they're on a different subnet, right?
    My NVR is the only thing that I want to be accessible externally and it has the 192.168.1.250 IP address. What I have done is forward its port (8000).

    Which leads me to my problem. I can't seem to configure the cameras on the NVR by using the "manual" option instead of "plug-and-play" for some reason.
    If I select "Manual" and put in the camera's password it says "Offline(Network Abnormal)".
    If I select "plug-and-play" it says "Offline(User password error.)".

    I don't want to use the plug-and-play on the cameras as I'm afraid it might forward ports I don't want it to forward and make them externally accessible.

    I'm sorry, I don't know much about networking.

    Here are my settings, but the NVR is refusing to connect the cameras.
     
    Last edited: Jun 21, 2019
  16. alastairstevenson

    alastairstevenson Staff Member

    No problem, hope you are better now.

    When connected to NVR PoE ports, the cameras are by default not accessible from the LAN, although when the very useful and convenient feature 'Virtual Host' is enabled, it's possible to access the cameras from the LAN.
    But they are much safer than they would be if they were on the LAN, when UPnP could be enabled on the router, and also on the cameras. That's the risky combination that must be avoided. Best disable UPnP on both.

    Plug&Play won't do that, don't worry about it.

    I don't think you've said what model of NVR you are using.
    My understanding is that the cameras all disconnected from the NVR, and you found they'd changed IP addresses.
    You can see all the cameras with SADP, and now know the camera IP addresses, and know the camera passwords.

    To get the cameras back connected, this is what you could do.
    In the NVR web GUI, note down the IP addresses as specified for each channel of the NVR.
    These would normally be in the 192.168.254.x range - but you've suggested yours are 192.0.0.x. Did you customise the 'Internal NIC' IP address (in the NVR VGA/HDMI interface) away from the default?
    Ensure that the camera password that is set on the NVR channel matches what you know works on the cameras. The channel needs to be in Manual mode to be able to set that.

    Having noted the IP addresses associated with each NVR channel, you then need to set the camera IP address to match the channel it is plugged in to.
    SADP will do that, when the PC is connected to an unused NVR PoE port.

    That should bring the cameras back to a connected state.
    Good luck!