Backdoor found in Hikvision cameras

[IL-MAFIOSO]

Hello,

My cameras are connected to a NAS QNAP. And with IVMS 4500 i have an access too.
Where i should disable the access to internet. Directly on camera ? On router ? Sorry for my question but i'm a little newbee with that

 

[nayr]

add all the IP addresses of your cameras to a group on your firewall/router.. then create a firewall rule at the top of the rule list to block all traffic too/from that group.

 

[Denali804]

What is the latest firmware for USA version of Ds-2cd2142fwd-is? And where can I get it?

Thanks

 

[IL-MAFIOSO]

Thanks nayr, i will do like you suggest

 

[h_2_o]

add all the IP addresses of your cameras to a group on your firewall/router.. then create a firewall rule at the top of the rule list to block all traffic too/from that group.

agreed why people allow anything from china like this access to the outside world is beyond me.

 

[Iemand91]

If you don't allow internet access inbound, and you trust your local network, the probability of an exploit is very low.

I have port 8000 forward in my router to view the live view on my mobile when not in local network.
I do trust my local network though.

I don't regret buying from China, but I was able to do the 'MTD hack', convert to EN and update to the 5.4.5 firmware.
But that firmware does still have a couple of 'backdoors', and maybe more than the obvious ones.

Me neither; because if I would have bought the DS-2CD2132F-IWS here in the Netherlands; it would have cost me about 3 times as much.

But I am concerned about a setup for my brother's house.
I was thinking of placing 2 Hik EXIR camera's with (likely) the DS-7108N NVR.
Buying those from Aliexpress with multilingual (i.e. non-updatable) firmware would cost us about $70-75 per camera and about the same for the NVR.

Buying those with updatable firmware from Aliexpress would cost us about $110 per camera and I can't even find the NVF with updatable firmware on Aliexpress. The cheapest Hik NVR with updatable firmware I can't find there is the DS-7604NI-E1 for about $150.

Add a 1TB WD Purple hard drive (about $65) and the setup with non updatable firmware would cost us about $275-290 and with updatable firmware about $445. Both prices are without possible import taxes.
That's a big difference and the second option is expensive for just a 2 camera setup.
(the NVR makes it expensive)

But what concerns me the most is 1 thing about the NVR; 24/7 recording but with the events highlighted.
And that's only possible with recent firmware if I'm correct and I don't know if those multilingual camera's/NVR support that.

 

[autospy]

Those who purchased those "multilanguage, don't upgrade" cameras are definitely screwed. I wonder how many bricked or Chinese-only cameras will be listed on eBay in the coming weeks

You would be a hero amongst the ipcamtalk community (and Internet security people in general), if you would require that Hikvision, as part of your disclosure process permit the "multi language" v5.2.5 (and 5.2.8) to be upgraded to a patched english firmware without bricking.

 

[reeves1985]

You would be a hero amongst the ipcamtalk community (and Internet security people in general), if you would require that Hikvision, as part of your disclosure process permit the "multi language" v5.2.5 (and 5.2.8) to be upgraded to a patched english firmware without bricking.

Definitely isn't going to happen!

 

[john-ipvm]

We (IPVM) has posted on the Hikvision vulnerability (public link). We did note that there is no proof offered for the backdoor claim and Hikvision has effectively denied this. If there is proof of the backdoor, it should be shown so that people can take this seriously and upgrade their devices immediately.

 

[Defender666]

I don't believe that all those backdoors are really intentional, it is more like bugs. It is just that security industry wants to keep prices up. And big players like Axis, Bosch, Mobotix are happy to tell there customers that Chinese cameras have many backdoors. So people keep paying there premium price for low end features.

However lets face windows! No one says there is a backdoor in Windows. But CIA and FBI are more then happy that windows has so many leaks.

These days I trust China more then USA. China only wants to sell there electronic stuff and make money, they never fight in any war abroad unlike USA.

 

[autospy]

We (IPVM) has posted on the Hikvision vulnerability (public link).

Thank you for bringing attention to the gray market devices. Hikvision will have to provide a fix for gray market as well or else their reputation will take be damaged when those devices get hacked.

 

[Defender666]

Real gray market would mean the products are stolen or cloned. Like gray market for Rolex watches or something similar.

The products you refare to are genuine cameras sold on chinese market. This is only called gray market in Hikvisions mind and buying those does not break any law. Those devices are original Hikvision cameras. The only difference is that it has additional languages. However for some models they want to get 2 times the price for same product. I call this hungry. I see hikvision pumping enormous effort into securing the devices instead of pumping this in better marketing, software and bugfixing. If I tell someone I have a Hikvision camera no one knows them. All people only know Axis, Bosch, Sony, Canon.

 

[zero-degrees]

Real gray market would mean the products are stolen or cloned. Like gray market for Rolex watches or something similar.

That's not an accurate comparison at all. A grey market product is an authentic product from the original manufacture that is sold via unauthorzied channels or outside a contract/agreement with said seller. It does not mean it's stolen and would not be a clone (that would be a knock off or fake).

Grey market HIK hardware is authentic, however it is sold into distribution channels in china for example and per those distributor agreements will be sold into China only. However, the hardware is then sold via other sales channels to the US for example which is NOT in accordance with the distributor agreement thus making it a "Gray market camera".

Hikvision will have to provide a fix for gray market as well or else their reputation will take be damaged

Yes and No... While HIK are some serious A-Holes for the Region Lock games they play, the consumer is at fault in the end for buying something that is not authorized by the manufacture. This is no different then you purchasing a NEW DJI drone for example from an ebay seller, then having a problem with it and needing warranty coverage. If the seller is NOT an authorized (under contract/active Distributor agreement) your warranty claim can be denied because it was not purchased by a DJI certified seller. This is NOT uncommon of a lot of products, but yes HIK is more confusing and difficult then some others. Hell, even Tesla is doing this with their cars. If a Tesla is worked on by an an unauthorized shop or repaired after an accident by someone other than a certified facility they will remotely disable the vehicle.

 

[autospy]

.
Yes and No... While HIK are some serious A-Holes for the Region Lock games they play, the consumer is at fault in the end for buying something that is not authorized by the manufacture. This is no different then you purchasing a NEW DJI drone for example from an ebay seller, then having a problem with it and needing warranty coverage. e.

Many consumers purchased these items without knowing that Hikvision would be bricking their devices if they tried to patch security issues..

The drone comparison is not even valid. This isn't about warranty service because of a broken propeller -- this is about Hikvision being responsible for devices they manufactured. If these hacked devices launch attacks over the Internet, no one will blame the consumer. They'll blame Hikvision for making it impossible for consumers to patch their cameras.

 

[fenderman]

Many consumers purchased these items without knowing that Hikvision would be bricking their devices if they tried to patch security issues..

The drone comparison is not even valid. This isn't about warranty service because of a broken propeller -- this is about Hikvision being responsible for devices they manufactured. If these hacked devices launch attacks over the Internet, no one will blame the consumer. They'll blame Hikvision for making it impossible for consumers to patch their cameras.

is microsoft required to provide security patches to for hacked versions of windows? Many users purchased hacked copies unwittingly....the answer is no. Most users do infact know that they are buying gray market.
Any user who relies on hikvision or any other manufacturer for security of their appliance is foolish.

 

[Securame]

Many consumers purchased these items without knowing that Hikvision would be bricking their devices if they tried to patch security issues..

The drone comparison is not even valid. This isn't about warranty service because of a broken propeller -- this is about Hikvision being responsible for devices they manufactured. If these hacked devices launch attacks over the Internet, no one will blame the consumer. They'll blame Hikvision for making it impossible for consumers to patch their cameras.

They can patch their cameras, they just need to install the chinese firmware.

 

[autospy]

is microsoft required to provide security patches to for hacked versions of windows? Many users purchased hacked copies unwittingly....the answer is no. Most users do infact know that they are buying gray market.

But the Hikvision cameras purchased from Aliexpress aren't hacked or stolen versions. These are genuine cameras. There is no doubting it.

Regardless, Microsoft provides security updates for pirated Windows 7. It would be very bad for business for them not to.

 

[autospy]

They can patch their cameras, they just need to install the chinese firmware.

I believe there are certain situations (e.g. devices shipped with v5.2.8) where you can't do that. Trying to upgrade will brick the camera.

 

[fenderman]

But the Hikvision cameras purchased from Aliexpress aren't hacked or stolen versions. These are genuine cameras. There is no doubting it.

Regardless, Microsoft provides security updates for pirated Windows 7. It would be very bad for business for them not to.

They are not running genuine firmware hence they are not genuine. It is akin to buying a home version of software that prohibits business use and then complaining that you are not getting support. You know what you are getting yourself into, deal with the consequences.

 

[autospy]

They are not running genuine firmware hence they are not genuine. It is akin to buying a home version of software that prohibits business use and then complaining that you are not getting support. You know what you are getting yourself into, deal with the consequences.

I agree with you, but the consumer faces very little in consequences. The camera keeps working, except now its used in the Mirai botnet to attack others. The headlines won't blame the consumer, instead the headlines will blame Hikvision for not providing security updates because Hik doesn't like how the product was purchased.

This is exactly what happened to Microsoft and that is why they provide security updates for pirated Windows 7.