Backdoor found in Hikvision cameras

Discussion in 'Hikvision' started by montecrypto, Mar 5, 2017.


  1. montecrypto

    montecrypto Pulling my weight

    Joined:
    Apr 20, 2016
    Messages:
    85
    Likes Received:
    211
    There have been rumours... I would like to confirm that there is a backdoor in many popular Hikvision products that makes it possible to gain full admin access to the device.

    Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.

    It would be wise to disconnect your cameras from the Internet.
     
  2. Securame

    Securame Getting the hang of it

    Joined:
    Mar 25, 2014
    Messages:
    271
    Likes Received:
    42
    Location:
    Barcelona, Spain
  3. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,892
    Location:
    Denver, CO
    Obligatory
     
  4. Kroegtijgertje

    Kroegtijgertje Getting the hang of it

    Joined:
    Nov 10, 2015
    Messages:
    114
    Likes Received:
    14
    Would be wise to disconnect my cam??
    Because today you tell us we have a backdoor??
    That backdoor has been present since the day I bought the cam, but never had a problem with it.
    So I will just continue using my cam, thank you! ;)
     
  5. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    4,671
    Likes Received:
    1,715
    In other words, see you on March 20th.

    This isn't the first backdoor and won't be the last. Best not to put Hikvision cameras online in the first place without proper protection. Such as a VPN, or at least some video management software that keeps the cameras secure while providing video access.
     
    alastairstevenson likes this.
  6. ekaz

    ekaz Young grasshopper

    Joined:
    Nov 4, 2015
    Messages:
    95
    Likes Received:
    23
    You mean I shouldn't have gotten static IPs for each of my cameras from my ISP? :D
     
  7. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    17,823
    Likes Received:
    3,550
    That you know of... Also, when he makes the exploit public, anyone will be able to access your camera. Don't be blissfully ignorant.
     
  8. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    5,473
    Likes Received:
    1,213
    Location:
    Scotland
    Just for info - @brk at ipvm.com has been putting together a story on this topic, having been provided with the recipe to demonstrate the backdoor(s) independently by a certain forum member.
    But apparently he's paused it for a similar story on Dahua backdoors.

    *edit* Check out this recent very high-level statement :
     
    dt-cam and fenderman like this.
  9. john-ipvm

    john-ipvm Getting the hang of it

    Joined:
    Oct 15, 2015
    Messages:
    68
    Likes Received:
    80
    alastairstevenson, fenderman and nayr like this.
  10. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    5,473
    Likes Received:
    1,213
    Location:
    Scotland
    This isn't the 'zhimakaimen' access by any chance?
     
  11. Securame

    Securame Getting the hang of it

    Joined:
    Mar 25, 2014
    Messages:
    271
    Likes Received:
    42
    Location:
    Barcelona, Spain
  12. john-ipvm

    john-ipvm Getting the hang of it

    Joined:
    Oct 15, 2015
    Messages:
    68
    Likes Received:
    80
    The PDF linked article
    The PDF-linked article works for me, but another person said it did not work for them. I re-uploaded it here: https://ipvm-uploads.s3.amazonaws.com/uploads/d899/4a9a/Dahua-Cybersecurity-Bulletin-030617v2.pdf Let me know if that helps.

    That statement was originally published here on IPVM on Saturday and is the precursor to our report / test 0-Day: Dahua Backdoor Generation 2 & 3
     
  13. Securame

    Securame Getting the hang of it

    Joined:
    Mar 25, 2014
    Messages:
    271
    Likes Received:
    42
    Location:
    Barcelona, Spain
  14. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,892
    Location:
    Denver, CO
    What do the C's in CCTV stand for? It sure in the hell doesn't mean hook it up to a global broadcasting system and hope for the best.

    VPN is the only way to go; none of these IP systems have ever been, nor ever will be, secure enough for direct exposure to the full force of the internet.

    If you don't trust your LAN, then there are external ways to isolate these systems further. They are black boxes you're putting on your network; don't trust them, ever.
     
  15. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    4,671
    Likes Received:
    1,715
    I love how the guy "deleted" the backdoor script for Dahua on github.

    I looked at it, and sure enough, no authentication required to pull account info off a camera.
     
    whoslooking and nayr like this.
  16. richtj99

    richtj99 Young grasshopper

    Joined:
    May 11, 2016
    Messages:
    65
    Likes Received:
    6
    Do these cameras phone home to China? Or is it more that if the camera is sitting on a port forward, someone else can gain access easily?

    How can you scan the camera traffic to see if it's going outside your network?
     
  17. Kroegtijgertje

    Kroegtijgertje Getting the hang of it

    Joined:
    Nov 10, 2015
    Messages:
    114
    Likes Received:
    14
    Kim Jong-Un is behind this conspiracy theory.
    He's planning on taking over the world :p:D
     
  18. NVR

    NVR Getting the hang of it

    Joined:
    Apr 13, 2015
    Messages:
    276
    Likes Received:
    32
  19. NVR

    NVR Getting the hang of it

    Joined:
    Apr 13, 2015
    Messages:
    276
    Likes Received:
    32
  20. iTuneDVR

    iTuneDVR Getting the hang of it

    Joined:
    Aug 23, 2014
    Messages:
    235
    Likes Received:
    26
    Location:
    www.iTuneDVR.ru
    Hikvision
    Previously there was port 7001 to control the IPC device without auth.
    For example, adding an IPC to an NVR PoE port: change the IP address without auth.

    Later they did not always listen on it, but .... ;)

    Dahua
    If the media port 37777 is shared to the internet, you can get many interesting things from it without auth: account information, name, hashed password (needs brute force), etc....

    Many holes, a lot of vulnerabilities.
    Think about what you buy or (and) use!
     
    mat200 likes this.
  21. Zeddy

    Zeddy Getting the hang of it

    Joined:
    Jun 19, 2016
    Messages:
    88
    Likes Received:
    35
  22. bobfather

    bobfather Young grasshopper

    Joined:
    Jan 17, 2017
    Messages:
    47
    Likes Received:
    14
    Of course, security is a huge concern in this day and age. Even before the "hacks" of default-passworded devices became publicized, Dahua cams (and probably Hiks too) had been observed communicating with IPs in China for unclear reasons.

    For Hiks, I think the answer is two-fold - disable platform access to stop that vector, and then get yourself a nice firewall. I use pfSense, a free, open-source software firewall that runs on an old computer. My pfSense install is set up to do 3 main things to stop attackers:

    1) Blue Iris and all cams are VLAN'ed onto a different subnet that can't talk to any other subnet on my LAN - I have long worried that Blue Iris or Hiks might get hacked, and containing them in this way ensures that an attacker couldn't jump to any other devices on my LAN, just because they got in through a device on the VLAN. Note that other devices on the LAN can talk to the security cam VLAN, so managing Blue Iris (or using Remote Desktop to manage the Blue Iris server) is still easy.

    2) On the security cam VLAN, pfSense has rules to completely disallow the Hikvision cams to talk to the internet, except for time.windows.com (to set time). This completely prevents the Hiks from phoning home or from being accessed from the WAN. The Blue Iris server gets full outbound access to the WAN, and the inbound access (for remote Blue Iris viewing) has a different default port and is scheduled to only allow access to Blue Iris from the WAN during work hours. The ability to schedule firewall rules like this is one thing that makes pfSense a cut above your regular consumer-level routers.

    3) pfSense can be set up to provide all major forms of VPN, and configuring it properly is a 10 minute job. Any access to Blue Iris (or other systems on the LAN) that is needed outside of work hours can be accomplished just by VPN-ing in and loading Blue Iris.

    Considering one can easily spend $200 for a fancy all-in-one wireless A/C router from Netgear or Linksys, I think it's a comparatively great deal to get something like an old i3-3220 computer, paired with a Ubiquiti UAC-AC-Lite wireless access point, a basic, managed gigabit switch, and a second gigabit network card for your pfSense box. All together, these items cost about the same as a $200 router, but can be configured to be way more secure than a consumer router ever could.
     
    ndstate, funkadelic and mat200 like this.
  23. Zeddy

    Zeddy Getting the hang of it

    Joined:
    Jun 19, 2016
    Messages:
    88
    Likes Received:
    35

    Do you see any knocks in the firewall logs from the cameras trying to connect to random IPs?
     
  24. bobfather

    bobfather Young grasshopper

    Joined:
    Jan 17, 2017
    Messages:
    47
    Likes Received:
    14
    I haven't been monitoring it, but it's well within pfSense's capability to mark IPs and monitor their traffic. If I see anything strange, I'll come back and report it.
     
  25. bobfather

    bobfather Young grasshopper

    Joined:
    Jan 17, 2017
    Messages:
    47
    Likes Received:
    14
    Logging is going. When you disable all traffic from Hiks to the internet, I first found that some cams will constantly try to pound 8.8.8.8 (Google's DNS server). I unblocked 8.8.8.8, since DNS traffic will likely be innocuous (though there are IP over DNS methods, I doubt the Hik cams employ them). I also figured that if the Hik cams thought they could access the internet because they could see a DNS server, they'd be more likely to try shady things, if they were going to try them.
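    The questions above about how to tell whether cameras are talking outside the network, together with bobfather's VLAN-plus-firewall policy (post 22) and the 8.8.8.8 observation (post 25), can be turned into a small audit over firewall logs. The following is an added example, not code from the thread or from pfSense: it models the stated policy (cameras on their own VLAN, allowed only DNS to 8.8.8.8 and NTP to the time server, never allowed to initiate connections into the trusted LAN) and runs constructed log lines through it, flagging lateral attempts and any Internet destination outside the allow-list. The log format, the subnets, the hostnames and the NTP server address 203.0.113.10 (a stand-in for whatever time.windows.com resolves to) are all constructed assumptions; `audit_camera_egress`, `classify`, `suspicious` and `destinations_per_camera` are names chosen here.

```python
"""Audit firewall log lines for unexpected traffic from a camera VLAN.

Added example, not from the thread. Addressing, log format and sample
lines are constructed; adjust CAMERA_VLAN, TRUSTED_LAN and ALLOWED_EGRESS
to the real layout before using this on real logs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed addressing for the example.
CAMERA_VLAN = ipaddress.ip_network("192.168.50.0/24")
TRUSTED_LAN = [ipaddress.ip_network("192.168.1.0/24")]
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Egress the cameras may use: DNS to 8.8.8.8 (as observed in the thread) and
# NTP to the time server. 203.0.113.10 is a constructed stand-in for the
# resolved address of time.windows.com.
ALLOWED_EGRESS = {
    ("udp", ipaddress.ip_address("8.8.8.8"), 53),
    ("udp", ipaddress.ip_address("203.0.113.10"), 123),
}

# Constructed log format: "<ts> <pass|block> <proto> <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>pass|block)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str
    verdict: str


def classify(proto, dst, dport):
    """Verdict for one flow whose source is a camera."""
    if dst in CAMERA_VLAN:
        return "intra-vlan"          # camera <-> VMS on the same segment: expected
    if any(dst in net for net in TRUSTED_LAN):
        return "lateral"             # camera reaching into the trusted LAN: never expected
    if any(dst in net for net in RFC1918):
        return "other-private"       # some other internal range; review the VLAN rules
    if (proto, dst, dport) in ALLOWED_EGRESS:
        return "allowed-egress"
    return "unexpected-egress"       # anything else on the Internet: phone-home candidate


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_camera_egress(lines):
    """Return a Finding for every flow originating on the camera VLAN."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src not in CAMERA_VLAN:
            continue                 # management traffic towards the cameras is fine
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        verdict = classify(rec["proto"], dst, dport)
        findings.append(Finding(rec["ts"], str(src), str(dst), rec["proto"],
                                dport, rec["action"], verdict))
    return findings


def suspicious(findings):
    """Flows worth a look: lateral movement or egress outside the allow-list."""
    return [f for f in findings if f.verdict in ("lateral", "unexpected-egress")]


def destinations_per_camera(findings):
    """Map each camera IP to the set of (Internet destination, port) it contacted."""
    out = {}
    for f in findings:
        if f.verdict in ("allowed-egress", "unexpected-egress"):
            out.setdefault(f.src, set()).add((f.dst, f.dport))
    return out


# Constructed sample log: the kind of lines a firewall with logging enabled on
# the camera-VLAN rules would emit (one lateral attempt, one phone-home attempt).
SAMPLE_LOG = [
    "2017-03-12T10:15:01 pass udp 192.168.50.11:49152 -> 8.8.8.8:53",
    "2017-03-12T10:15:02 pass udp 192.168.50.11:123 -> 203.0.113.10:123",
    "2017-03-12T10:15:07 block tcp 192.168.50.12:33456 -> 198.51.100.77:8000",
    "2017-03-12T10:15:09 block tcp 192.168.50.12:40001 -> 192.168.1.20:445",
    "2017-03-12T10:15:10 pass tcp 192.168.50.13:4567 -> 192.168.50.2:80",
    "2017-03-12T10:15:11 pass tcp 192.168.1.5:5555 -> 192.168.50.11:80",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for f in suspicious(audit_camera_egress(SAMPLE_LOG)):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} [{f.action}] {f.verdict}")
```

    Two design points: the RFC 1918 check is explicit rather than relying on `ipaddress`'s `is_private`, which also treats the documentation ranges used in the sample as private; and blocked flows are reported alongside passed ones, because a camera that keeps retrying a blocked destination is exactly the "knock" the thread asks about.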
     
  26. username

    username Young grasshopper

    Joined:
    Feb 7, 2016
    Messages:
    76
    Likes Received:
    10
    I use a different method. I have a pfSense appliance rather than an installation on an old PC. I have a Hikvision NVR on my LAN and I've assigned the cameras a non-routable IP, 192.168.254.x.
    My NVR does have a routable IP and is assigned as a gateway to the cameras.

    This arrangement allows me to use my Linux browser to view individual cameras on 192.168.254.x or from the NVR (in a different room).

    pfSense logs show no activity from my NVR out to the world, and since the cameras are non-routable they can't go past the LAN. I don't recall what I did to allow the NVR to get time signals; it's right on time and nothing is in the log file. I'll have to look into that again.

    I set up a vpn to access when I am away. No port forwarding. Works well on Apple mobile devices.

    The vlan seems like a good idea but it would require me to do more research on an already working system that I hope is sufficiently secure. Your comment about being on a different subnet is certainly worth considering a major reconfig of my system.
     
  27. bobfather

    bobfather Young grasshopper

    Joined:
    Jan 17, 2017
    Messages:
    47
    Likes Received:
    14
    Using VLANs made sense to me because the PoE switches I needed to power the cams had the functionality built in already. If your setup works well, I'd say leave it. The more important factor is that the cameras are adequately segmented and firewalled from the outside.
     
  28. john-ipvm

    john-ipvm Getting the hang of it

    Joined:
    Oct 15, 2015
    Messages:
    68
    Likes Received:
    80
    fenderman likes this.
  29. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    5,473
    Likes Received:
    1,213
    Location:
    Scotland
    Intriguing - unless they are playing with words, a "privilege-escalating vulnerability" is not the same thing as the deliberately-coded backdoors we've been discussing for a while.
    The 'Dahua backdoor' that's the subject of your recent exposé could certainly be described as a "privilege-escalating vulnerability".
    I'm tempted to take a look in the linked firmware to see what they've altered.

    *edit*
    Looking at the firmware links, that firmware was released near the end of January, published on the EU portal and then after a few days removed from that site.
    So on the face of it, the timing of their notice is a little odd.
    I've already tested IPC_R0_EN_STD_5.4.5_170123 out on a couple of R0 IPCs and confirmed that the backdoors that are present in IPC_R0_EN_STD_5.4.0_160530 were still present.
     
    Last edited: Mar 12, 2017
  30. montecrypto

    montecrypto Pulling my weight

    Joined:
    Apr 20, 2016
    Messages:
    85
    Likes Received:
    211
    I guess it is. I have been communicating with Hikvision since I notified them and they have actually been quite responsive. As for the term "privilege escalation", well, technically they are correct. One can remotely escalate their privileges from anonymous web surfer to admin. :) Upgrade your cameras. Hikvision's problem now is that only a small percentage of cameras out there will be upgraded; the rest will remain vulnerable. Those who purchased those "multilanguage, don't upgrade" cameras are definitely screwed. I wonder how many bricked or Chinese-only cameras will be listed on eBay in the coming weeks :)
     
    hmjgriffon and fenderman like this.