Backdoor found in Hikvision cameras

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
115
Reaction score
18
With apologies - for the avoidance of any confusion, assuming the example is a Hikvision NVR with PoE ports, there are 2 ethernet interfaces in play internal to the NVR.
The interface on the 192.168.254.0 network is dedicated to the PoE ports connected cameras.
Sorry, I don't grasp what you are saying. Indeed, the example is a Hikvision NVR w/ (16) PoE ports. And yes, there must be 2 interfaces at play for each camera.
And yes, 192.168.254.0 network is dedicated to cameras.

That said, my belief is (was?) that 192.168.254.0/24 is non-routable. Perhaps I am mistaken; it would not be the first time :)
However, no packets from the .254 network get to the WAN connection, and I have not written any firewall rules to block them. Would you know a specific inbound or return IP range that I can monitor? I have only monitored outbound from the .254 IPs, and I suppose if the cameras were to try to call home on a random or intermittent schedule I could have missed that.
I do not have any 'outside' services running on the NVR except NTP and that points to my firewall/router which is my NTP server.
My firewall blocks all inbound traffic that is unsolicited.

It's interesting that I got the idea for non-routable IPs for the cameras from a post you made a number of years ago. If the network address I am using is incorrect then I must have misread your post. Whatever, AFAIK the way I have it set up keeps my cameras & NVR off the internet and inside my LAN. I can access my LAN via a locally hosted VPN server and access the NVR via my mobile devices. No P2P, no Cloud, no 3rd party except my own system.

And thank you for all the knowledge you post at this site. I should visit here more often.
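The post above monitors outbound traffic from the .254 range and asks what else is worth watching. Below is an added example (not code from the thread or from Hikvision) that scans firewall log lines for the two things a camera on the NVR's PoE subnet should never do: reach a non-RFC1918 address, or reach any LAN host other than the NVR. The log format is constructed for illustration (pfSense filterlog lines are CSV and would need their own parser); only 192.168.254.0/24 comes from the thread, and the NVR LAN address 192.168.1.10 is an assumption.

```python
"""Flag flows from the NVR's PoE camera subnet that should never be seen.

Added example, not code from the thread or from Hikvision. The log format
below is constructed for illustration; only 192.168.254.0/24 comes from
the thread. The NVR LAN address 192.168.1.10 is an assumption.
"""
import ipaddress
from dataclasses import dataclass

CAMERA_NET = ipaddress.ip_network("192.168.254.0/24")       # PoE camera subnet (from the thread)
ALLOWED_LAN_PEERS = {ipaddress.ip_address("192.168.1.10")}  # assumed NVR LAN address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "time action iface proto src:sport dst:dport"
SAMPLE_LOG = """\
12:00:01 pass  lan udp 192.168.254.4:123   192.168.1.10:123
12:00:02 pass  lan tcp 192.168.254.4:49152 8.8.8.8:443
12:00:03 block wan tcp 192.168.254.5:49153 203.0.113.10:8000
12:00:04 block lan udp 192.168.254.6:37020 239.255.255.250:37020
12:00:05 pass  lan tcp 192.168.254.6:50000 192.168.1.50:445
12:00:06 pass  lan tcp 192.168.1.50:52000  192.168.1.10:8000
"""

@dataclass
class Flow:
    time: str
    action: str
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int

def parse_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow."""
    time, action, iface, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(time, action, iface, proto,
                ipaddress.ip_address(sip), int(sport),
                ipaddress.ip_address(dip), int(dport))

def classify(f: Flow):
    """Return a finding label for a camera-sourced flow, or None if benign."""
    if f.src not in CAMERA_NET:
        return None                          # not a camera; out of scope here
    if f.dst in CAMERA_NET or f.dst.is_multicast or f.dst.is_link_local:
        return None                          # stays on the PoE segment (e.g. discovery)
    if not any(f.dst in n for n in RFC1918):
        return "camera-egress-to-internet"   # a route to the outside exists
    if f.dst not in ALLOWED_LAN_PEERS:
        return "camera-to-unexpected-lan-host"
    return None

def scan(log_text: str):
    """Return (line number, label, action, src, dst, dport) for each suspicious flow."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        f = parse_line(line)
        label = classify(f)
        if label:
            findings.append((lineno, label, f.action, str(f.src), str(f.dst), f.dport))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A blocked egress attempt is as interesting as a passed one: it shows the camera tried to call out, which is exactly the intermittent behaviour the post worries about missing. The camera-to-LAN check assumes the cameras only ever need to talk to the NVR; if they also use the router for NTP, add that address to the allowed peers.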
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,980
Reaction score
6,802
Location
Scotland
my belief is (was?) that 192.168.254.0/24 is non-routable.
Certainly on a public network (internet), packets from that source address would be dropped by convention on a gateway.

It might be interesting to try some experiments just to explore this topic.
On a Hikvision NVR with PoE ports -
Via the NVR web GUI, pick a channel and modify it to 'Manual' mode instead of Plug&Play. This is to stop the NVR reversing any changes. Note down the assigned IP address, presumably something in the range 192.168.254.x
Enable Virtual Host if needed and use it to access the chosen camera web GUI.
In the Network settings, the default gateway will likely be the LAN interface default gateway, your LAN router.
Change it to the NVR PoE interface, probably 192.168.254.1
The camera needs a gateway in its own address range if it is going to be able to send traffic outside its own address range. The LAN gateway address is not valid as a gateway on the NVR PoE interface address range.

At this point, the camera will be able to send packets across the NVR network interfaces to addresses on the LAN via the NVR's internal routing table.
But devices on the LAN won't be able to send to the camera native IP address because their default gateway, the LAN router, will either drop the packets or simply forward the packets out to the router WAN interface, as it does with all traffic not from its LAN address range.

What can be done now is to inform the LAN router how to properly handle traffic for the 192.168.254.0 network by adding a static route definition.
Most routers have the facility to define specific routes for non-local networks where a local gateway for them exists.
The configuration would be along the lines of :
"For network 192.168.254.0/24 (ie subnet mask 255.255.255.0) use gateway <NVR_LAN_interface_IP_address>"

When this is set, the NVR PoE-connected camera will be accessible at its actual IP address, as verified by
ping <CAMERA_IP_address>
tracert <CAMERA_IP_address>
Point the browser at <CAMERA_IP_address>
etc
 
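The post above walks through why the camera needs a gateway on its own subnet and why the LAN router needs a static route before LAN hosts can reach 192.168.254.x. The following added example (not code from the thread, Hikvision, or any router vendor) models those hops with a small longest-prefix-match routing table per device and traces the packet both ways, before and after the static route. Only 192.168.254.0/24 and the PoE gateway 192.168.254.1 come from the post; the LAN 192.168.1.0/24, router 192.168.1.1, NVR LAN address 192.168.1.10, PC 192.168.1.50, camera 192.168.254.4 and ISP gateway 203.0.113.1 are assumptions.

```python
"""Trace how a packet is routed between a LAN host and a PoE camera.

Added example, not from the thread, Hikvision, or any router vendor.
Only 192.168.254.0/24 and the PoE gateway 192.168.254.1 come from the post;
all other addresses are assumed for illustration.
"""
import ipaddress

# Routing entries are (network, next_hop, interface); next_hop None means on-link.
def lookup(routes, dst):
    """Longest-prefix match; returns the best (network, next_hop, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def on_link(routes, addr):
    """True if addr lies in one of this host's directly connected networks."""
    addr = ipaddress.ip_address(addr)
    return any(nh is None and addr in ipaddress.ip_network(net) for net, nh, _ in routes)

def gateway_valid(ip_cidr, gateway):
    """A default gateway must sit inside the host's own subnet (the post's point)."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(ip_cidr).network

def build_hosts(static_route, camera_gateway):
    """Routing tables for the four devices; assumed addresses throughout."""
    router = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")]
    if static_route:   # "for 192.168.254.0/24 use gateway <NVR LAN address>"
        router.append(("192.168.254.0/24", "192.168.1.10", "lan"))
    return {
        "pc":     [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "192.168.1.1", "lan")],
        "router": router,
        "nvr":    [("192.168.1.0/24", None, "lan"), ("192.168.254.0/24", None, "poe"),
                   ("0.0.0.0/0", "192.168.1.1", "lan")],
        "camera": [("192.168.254.0/24", None, "eth0"), ("0.0.0.0/0", camera_gateway, "eth0")],
    }

# Which device owns which address (the NVR has one on each of its two interfaces).
OWNER = {"192.168.1.1": "router", "192.168.1.10": "nvr", "192.168.254.1": "nvr",
         "192.168.1.50": "pc", "192.168.254.4": "camera"}

def trace(hosts, start, dst, max_hops=8):
    """Follow next hops from device `start` toward dst. Returns (delivered, path)."""
    path, node = [start], start
    for _ in range(max_hops):
        route = lookup(hosts[node], dst)
        if route is None:
            return False, path + ["no route"]
        _, next_hop, iface = route
        if iface == "wan":                       # router forwards it to the ISP; gone
            return False, path + ["wan"]
        if next_hop is None:                     # destination is on-link: deliver
            target = OWNER.get(dst)
            return target is not None, path + [target or "no such host"]
        if not on_link(hosts[node], next_hop):   # cannot ARP for a gateway off-subnet
            return False, path + ["gateway %s not on-link" % next_hop]
        node = OWNER[next_hop]
        path.append(node)
    return False, path + ["hop limit"]

def scenarios():
    """The cases the post describes, in order."""
    cam, pc = "192.168.254.4", "192.168.1.50"
    out = {}
    hosts = build_hosts(static_route=False, camera_gateway="192.168.1.1")
    out["lan_router_is_valid_camera_gw"] = gateway_valid(cam + "/24", "192.168.1.1")
    out["camera_to_pc_with_lan_gw"] = trace(hosts, "camera", pc)
    hosts = build_hosts(static_route=False, camera_gateway="192.168.254.1")
    out["camera_to_pc_with_poe_gw"] = trace(hosts, "camera", pc)
    out["pc_to_camera_without_static_route"] = trace(hosts, "pc", cam)
    hosts = build_hosts(static_route=True, camera_gateway="192.168.254.1")
    out["pc_to_camera_with_static_route"] = trace(hosts, "pc", cam)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

On a Linux host the real-world equivalent of the router's static route is `ip route add 192.168.254.0/24 via <NVR_LAN_interface_IP_address>`; on a firewall appliance it is a static route for that network with the NVR's LAN address defined as the gateway. The trace also makes the security consequence visible: once the route exists, every LAN host can reach the cameras directly, so the NVR's PoE subnet is no longer isolated from the LAN by accident of routing, only by whatever firewalling you add.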

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
115
Reaction score
18
The configuration would be along the lines of :
"For network 192.168.254.0/24 (ie subnet mask 255.255.255.0) use gateway <NVR_LAN_interface_IP_address>"
That is pretty much the way I have set it up.
I don't use DHCP.
My NVR is assigned static IP on the LAN network.
The gateway is my router/firewall appliance (I use Netgate's pfSense)
My cameras are assigned static IPs 192.168.254.x

iVMS4200 on an iMac can access the cameras.
My Safari browser cannot due to the lack of a plugin, although I can sign in to any of the devices (& NVR) and access the settings, just not the video.
I have installed VLC and created playlists for windowed & full screen. A windowed view is rtsp://192.168.254.x:554/Streaming/Channels/102 (full screen is the same, except 101 in lieu of 102).
I rarely access via VLC since iVMS4200 works well (prior versions of iVMS prompted me to try VLC).

My router provides a VPN server and I can access via iPhone/iPad if I am away. It attaches to the network and I use the iPhone/iPad iVMS app to view.

A screenshot of windowed VLC output.

 

Faresoyam

n3wb
Joined
Dec 25, 2019
Messages
22
Reaction score
0
Location
Palestine
I have a hacked camera, what can I do? I just managed to change the password. The firmware is 5.4.4 and there is no update. If I just disable the UDP ports of the camera, will everything be okay?
 

watchful_ip

Pulling my weight
Joined
Nov 24, 2019
Messages
251
Reaction score
226
Location
london
Make sure it can't access the Internet and you should be fine.

Or TFTP latest Chinese firmware if you don't care that menus will be Chinese and you don't use an NVR.
 

Faresoyam

n3wb
Joined
Dec 25, 2019
Messages
22
Reaction score
0
Location
Palestine
Make sure it can't access the Internet and you should be fine.

Or TFTP latest Chinese firmware if you don't care that menus will be Chinese and you don't use an NVR.
Thank you for your reply. Is there a guide on how to do a TFTP upgrade, and if I make the IP camera's IP 192.168.255.x, will I be fine?
 