Backdoor found in Hikvision cameras

I've used those firmware updates but cameras are still being reset. So no.

Have you tried making your cameras inaccessible from the internet for a while to see if they still reset? Next step in troubleshooting.
 
Lol! Hikvision USA
The idea is perfectly good of course.
But it's this sort of meaningless political speak that rankles with me when they put so much effort into trying to break cameras bought on-line when people do the firmware updates that fix the backdoors:
Hikvision takes cybersecurity concerns with the utmost seriousness and takes diligent action to ensure that its products meet the standards of the security industry’s best practices.
 
Lol! Hikvision USA
The idea is perfectly good of course.

A new, direct communications channel is actually good news. Assuming there are humans on the other side, the best strategy here is to use it. Everyone with a question, start dialing. Take notes, and after the call, publish them online and describe your experience, good or bad. They will have to staff the line with more humans if it becomes popular and it will become easier to fix/resolve concerns than to continue dealing with negative PR.

Also, append this to your signature in every forum post:

If you have any additional questions, please call Hikvision's security line at 626-723-2100, or talk to their tech support at 866-200-6690
They are usually very helpful and will happily assist you regardless of where you purchased their product.
 
Am I right that the DS-2CD2T42WD-I5 is excluded from that list? I see the FWD's are but don't see WD's. Currently on 5.4.1 Build 160525

I also see here that UPnP is not a good practice and luckily have it disabled everywhere already but didn't know port forwarding is frowned on. The only forwarding I have is as instructed by the BI android app, is that acceptable?

Happy to see my Shields Up test was good!
 
Am I right that the DS-2CD2T42WD-I5 is excluded from that list? I see the FWD's are but don't see WD's. Currently on 5.4.1 Build 160525

I also see here that UPnP is not a good practice and luckily have it disabled everywhere already but didn't know port forwarding is frowned on. The only forwarding I have is as instructed by the BI android app, is that acceptable?

Happy to see my Shields Up test was good!
If you are only forwarding BI, the issue is moot...the camera never is exposed to the internet...
That said, you should consider using a VPN for BI...
Shields Up cannot be ok if you have the Blue Iris webserver forwarded....you need to select the full test..and even that doesn't scan all the ports...
 
If you are only forwarding BI, the issue is moot...the camera never is exposed to the internet...
That said, you should consider using a VPN for BI...
Shields Up cannot be ok if you have the Blue Iris webserver forwarded....you need to select the full test..and even that doesn't scan all the ports...

Yeah it was just the UPnP test that came back ok but I will dive into the VPN setup as soon as possible. Good to know the BI app is an exception, can you confirm if the 2CD2T42WD's are excluded from the backdoor vulnerability?
 
Yeah it was just the UPnP test that came back ok but I will dive into the VPN setup as soon as possible. Good to know the BI app is an exception, can you confirm if the 2CD2T42WD's are excluded from the backdoor vulnerability?
I didn't say the BI app is an exception...it can have a vulnerability just like the cameras can....
My point is who cares whether or not the t42 is affected....it makes no difference to you...don't port forward it and it won't matter...
 
I have 2 of the Hikvision DS-2CD2332-I 5.2 firmware on my uncle's farm. Over a year ago, 1 of them was getting disconnected from the Synology NAS. Unable to log in I would have to use the software tools to get it reset. After a few times I replaced the old Dlink router with a newer Asus and denied the cameras access to the internet and it has not happened again. In the last week the same thing has happened to one of my 3 cameras at my residence (same model and firmware). I've had to reset the password twice and the cameras are denied access to the net in the Netgear r7800 router. I'm not sure if this is the backdoor hack or what. These are grey market and so I cannot upgrade the firmware. The router seems to be blocking access to the net as the cameras all seem to not be unable to sync their time to the google server. They sync to my Synology on the LAN. Not sure what is going on or how to stop it. Think this is a backdoor hack? Would the IP filter in the firmware be of help or not if it's a backdoor hack?
 
If you have UPnP enabled on the router and the cameras, or you have enabled port forwarding, they will get hacked when on firmware of 5.4.4 or less.
Next time it happens, try 1111aaaa or asdf1234 as admin passwords.
If that works, they are for sure being hacked.
 
If you have UPnP enabled on the router and the cameras, or you have enabled port forwarding, they will get hacked when on firmware of 5.4.4 or less.
Next time it happens, try 1111aaaa or asdf1234 as admin passwords.
If that works, they are for sure being hacked.

I'm not sure why people are connecting IP cameras to the internet. What I do is connect the camera to the NVR via IP, but I give the camera a fake/non-valid IP as the gateway address. If the camera does require a valid gateway IP address, you can create firewall rules to drop/block all IP Camera traffic from leaving the network/gateway.
 
Thanks for the reply. I only mess with this network stuff a few times a year when setting something up so knowledge is limited. I did turn off UPnP in the cameras but failed to do it in the router. I do have all ports blocked to the camera's IP in the router but the web site canyouseeme.org says the camera's port is open! Turning UPnP off in the router has the ports closed now. Appears UPnP will override the block ports setting. Thanks for taking the time to help me out :) I'm guessing this was my issue.
 
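An added example, not part of the original posts: the post above found that UPnP on the router opened a camera port despite a manual block rule, so this sketch checks a router's UPnP port-mapping table for enabled entries that point at cameras. The field names are those of the UPnP IGD WANIPConnection `GetGenericPortMappingEntry` response; the camera address range, the sample mappings and the function names are assumptions, and fetching the responses from a live router is not shown.

```python
import ipaddress
import xml.etree.ElementTree as ET

CAMERA_NET = ipaddress.ip_network("192.168.1.64/28")  # assumed camera range

def soap_entry(ext_port, proto, int_port, client, enabled=1):
    """Build a constructed GetGenericPortMappingEntryResponse body."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        "<NewPortMappingDescription>constructed</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )

SAMPLE = [  # constructed data, one response per mapping index on the router
    soap_entry(8000, "TCP", 8000, "192.168.1.65"),     # camera, enabled
    soap_entry(554, "TCP", 554, "192.168.1.66", 0),    # camera, disabled
    soap_entry(51413, "UDP", 51413, "192.168.1.20"),   # not a camera
]

def parse_mapping(xml_text):
    """Return the New* fields of one mapping as a dict, ignoring namespaces."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name.startswith("New"):
            fields[name[3:]] = (el.text or "").strip()
    return fields

def exposed_cameras(responses, camera_net=CAMERA_NET):
    """List (external_port, protocol, camera_ip) for enabled mappings to cameras."""
    hits = []
    for raw in responses:
        m = parse_mapping(raw)
        try:
            client = ipaddress.ip_address(m.get("InternalClient", ""))
        except ValueError:
            continue  # malformed or empty client address: nothing to match
        if client in camera_net and m.get("Enabled") == "1":
            hits.append((int(m["ExternalPort"]), m["Protocol"], str(client)))
    return hits

if __name__ == "__main__":
    for port, proto, ip in exposed_cameras(SAMPLE):
        print(f"UPnP mapping exposes camera {ip} on WAN port {port}/{proto}")
```

Any hit means the router is forwarding a WAN port to a camera regardless of manual block rules; an empty result after disabling UPnP on the router matches what the poster saw.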
I give the camera a fake/non-valid IP as the gateway address.

I do the same. For example, 192.168.254.x is a non-routable IP. A typical camera setting in NVR is 192.168.254.101 and the NVR on a 192.168.x.x network has no problem seeing that camera.
And I can point my browser to that IP and see the camera.
The camera is blocked at my firewall and does not go outside my location.
 
For a camera with a backdoor like my DS-2CD2332-I it seems the best way AFAIK. Nice image but I don't trust the firmware. On my LAN I use Tinycam on the Android device and a Windows program called IP Camera Viewer for the desktops. Outside the LAN I go through the Synology.
 
Hello
I will share my setup. On cameras, turn off UPNP. I don’t see the point of changing the gateway, since I also turn off UPNP on the router, and Mikrotik has good settings by default. But I need to watch the camera remotely, for this I use VPN (OpenVPN) on Synology, with a changed port.
 
I do have all ports blocked to the camera's IP in the router
That should be the default - all inbound access should be blocked by the NAT firewall in the router.
Why did you have to make an explicit inbound block rule?

For example, 192.168.254.x is a non-routable IP
That doesn't matter when the packets hit a NAT router.
Private LANs using non-routable addresses can still reach out to external networks, there isn't a barrier.

A typical camera setting in NVR is 192.168.254.101 and the NVR on a 192.168.x.x network has no problem seeing that camera.
With apologies - for the avoidance of any confusion, assuming the example is a Hikvision NVR with PoE ports, there are 2 ethernet interfaces in play internal to the NVR.
The interface on the 192.168.254.0 network is dedicated to the PoE ports connected cameras.
 
Hello
I will share my setup. On cameras, turn off UPNP. I don’t see the point of changing the gateway, since I also turn off UPNP on the router, and Mikrotik has good settings by default. But I need to watch the camera remotely, for this I use VPN (OpenVPN) on Synology, with a changed port.

I watch remotely, as well. I also use OpenVPN to connect to my network. The IP camera doesn't need to connect to the internet in order for you to view it over the internet. You should be connecting to your Synology using DS Cam and not the IP camera. This is why the IP camera doesn't need a valid gateway address.