Backdoor found in Hikvision cameras

Discussion in 'Hikvision' started by montecrypto, Mar 5, 2017.

  1. IL-MAFIOSO

    IL-MAFIOSO Getting the hang of it

    Hello,

    My cameras are connected to a QNAP NAS. And with IVMS 4500 I have access too.
    Where should I disable the access to the internet? Directly on the camera? On the router? Sorry for my question, but I'm a bit of a newbie with this.
     
  2. nayr

    nayr IPCT Contributor

    Add all the IP addresses of your cameras to a group on your firewall/router, then create a firewall rule at the top of the rule list to block all traffic to/from that group.
     
    CCTV Platform likes this.
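
Why the position "at the top of the rule list" matters, as an added example that is not part of nayr's post or of any router's own software: a first-match rule evaluator run over constructed rule lists. The camera addresses, LAN range, rule names and probe packets are assumptions; the port 8000 forward mirrors the kind of forward mentioned later in this thread.

```python
import ipaddress

# Constructed values: the camera addresses and LAN range are assumptions.
CAMERAS = {"192.168.1.64", "192.168.1.65"}          # the "group" on the router
LAN = ipaddress.ip_network("192.168.1.0/24")

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

# A rule is (name, match(src, dst, dport), action); the first match wins.
BLOCK = ("block-camera-group", lambda s, d, p: s in CAMERAS or d in CAMERAS, "drop")
FWD_8000 = ("allow-fwd-8000", lambda s, d, p: d == "192.168.1.64" and p == 8000, "accept")
LAN_OUT = ("allow-lan-out", lambda s, d, p: in_lan(s) and not in_lan(d), "accept")

BLOCK_LAST = [FWD_8000, LAN_OUT, BLOCK]    # block rule appended at the bottom
BLOCK_FIRST = [BLOCK, FWD_8000, LAN_OUT]   # block rule at the top of the list

# Routed packets only (src, dst, dport). Assumption: NAS and cameras share one
# subnet, so recording traffic is switched and never reaches the rule list.
PROBES = [
    ("203.0.113.10", "192.168.1.64", 8000),  # internet -> camera via port forward
    ("192.168.1.65", "198.51.100.7", 443),   # camera -> internet
    ("192.168.1.20", "198.51.100.7", 443),   # ordinary LAN host -> internet
]

def evaluate(rules, src, dst, dport, default="drop"):
    """Return (action, rule name) for the first rule that matches the packet."""
    for name, match, action in rules:
        if match(src, dst, dport):
            return action, name
    return default, "default"

def camera_leaks(rules, probes=PROBES):
    """List camera-related probes the rule list accepts, with the rule that let them through."""
    leaks = []
    for src, dst, dport in probes:
        if src in CAMERAS or dst in CAMERAS:
            action, name = evaluate(rules, src, dst, dport)
            if action == "accept":
                leaks.append(((src, dst, dport), name))
    return leaks

if __name__ == "__main__":
    for label, rules in (("block last", BLOCK_LAST), ("block first", BLOCK_FIRST)):
        print(label, camera_leaks(rules))
```

With the block rule at the bottom, the earlier accept rules match first and both camera flows pass; with it at the top, neither does, while other LAN hosts keep their internet access.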
  3. Denali804

    Denali804 n3wb

    What is the latest firmware for the USA version of the DS-2CD2142FWD-IS? And where can I get it?

    Thanks
     
  4. IL-MAFIOSO

    IL-MAFIOSO Getting the hang of it

    Thanks nayr, I will do as you suggest.
     
  5. h_2_o

    h_2_o Young grasshopper

    Agreed. Why people allow anything from China like this access to the outside world is beyond me.
     
  6. Iemand91

    Iemand91 Getting the hang of it

    I have port 8000 forwarded in my router to view the live view on my mobile when not on the local network.
    I do trust my local network though.
    Me neither, because if I had bought the DS-2CD2132F-IWS here in the Netherlands, it would have cost me about 3 times as much.

    But I am concerned about a setup for my brother's house.
    I was thinking of placing 2 Hik EXIR cameras with (likely) the DS-7108N NVR.
    Buying those from Aliexpress with multilingual (i.e. non-updatable) firmware would cost us about $70-75 per camera and about the same for the NVR.

    Buying those with updatable firmware from Aliexpress would cost us about $110 per camera and I can't even find the NVR with updatable firmware on Aliexpress. The cheapest Hik NVR with updatable firmware I can find there is the DS-7604NI-E1 for about $150.

    Add a 1TB WD Purple hard drive (about $65) and the setup with non updatable firmware would cost us about $275-290 and with updatable firmware about $445. Both prices are without possible import taxes.
    That's a big difference and the second option is expensive for just a 2 camera setup.
    (the NVR makes it expensive)

    But what concerns me the most is 1 thing about the NVR; 24/7 recording but with the events highlighted.
    And that's only possible with recent firmware, if I'm correct, and I don't know if those multilingual cameras/NVR support that.
     
  7. autospy

    autospy n3wb

    You would be a hero amongst the ipcamtalk community (and Internet security people in general) if you would require that Hikvision, as part of your disclosure process, permit the "multi language" v5.2.5 (and 5.2.8) to be upgraded to a patched English firmware without bricking.
     
    Last edited: Mar 14, 2017
    alastairstevenson likes this.
  8. reeves1985

    reeves1985 Pulling my weight

    Definitely isn't going to happen!
     
  9. john-ipvm

    john-ipvm Known around here

    We (IPVM) have posted on the Hikvision vulnerability (public link). We did note that there is no proof offered for the backdoor claim and Hikvision has effectively denied this. If there is proof of the backdoor, it should be shown so that people can take this seriously and upgrade their devices immediately.
     
  10. Defender666

    Defender666 Getting the hang of it

    I don't believe that all those backdoors are really intentional; they are more like bugs. It is just that the security industry wants to keep prices up. And big players like Axis, Bosch, Mobotix are happy to tell their customers that Chinese cameras have many backdoors. So people keep paying their premium price for low-end features.

    However, let's face Windows! No one says there is a backdoor in Windows. But the CIA and FBI are more than happy that Windows has so many leaks.

    These days I trust China more than the USA. China only wants to sell their electronic stuff and make money; they never fight in any war abroad, unlike the USA.
     
    Last edited: Mar 15, 2017
    CCTV Platform likes this.
  11. autospy

    autospy n3wb

    Thank you for bringing attention to the gray market devices. Hikvision will have to provide a fix for gray market as well or else their reputation will be damaged when those devices get hacked.
     
  12. Defender666

    Defender666 Getting the hang of it

    Real gray market would mean the products are stolen or cloned. Like gray market for Rolex watches or something similar.

    The products you refer to are genuine cameras sold on the Chinese market. This is only called gray market in Hikvision's mind and buying those does not break any law. Those devices are original Hikvision cameras. The only difference is that they have additional languages. However, for some models they want to get 2 times the price for the same product. I call this hungry. I see Hikvision pumping enormous effort into securing the devices instead of pumping this into better marketing, software and bugfixing. If I tell someone I have a Hikvision camera, no one knows them. All people only know Axis, Bosch, Sony, Canon.
     
  13. zero-degrees

    zero-degrees Known around here

    That's not an accurate comparison at all. A grey market product is an authentic product from the original manufacturer that is sold via unauthorized channels or outside a contract/agreement with said seller. It does not mean it's stolen and would not be a clone (that would be a knock-off or fake).

    Grey market HIK hardware is authentic; however, it is sold into distribution channels in China, for example, and per those distributor agreements will be sold into China only. However, the hardware is then sold via other sales channels to the US, for example, which is NOT in accordance with the distributor agreement, thus making it a "Gray market camera".

    Yes and No... While HIK are some serious A-Holes for the Region Lock games they play, the consumer is at fault in the end for buying something that is not authorized by the manufacturer. This is no different than you purchasing a NEW DJI drone, for example, from an eBay seller, then having a problem with it and needing warranty coverage. If the seller is NOT authorized (under contract/active distributor agreement), your warranty claim can be denied because it was not purchased from a DJI certified seller. This is NOT uncommon for a lot of products, but yes, HIK is more confusing and difficult than some others. Hell, even Tesla is doing this with their cars. If a Tesla is worked on by an unauthorized shop or repaired after an accident by someone other than a certified facility, they will remotely disable the vehicle.
     
  14. autospy

    autospy n3wb

    Many consumers purchased these items without knowing that Hikvision would be bricking their devices if they tried to patch security issues.

    The drone comparison is not even valid. This isn't about warranty service because of a broken propeller -- this is about Hikvision being responsible for devices they manufactured. If these hacked devices launch attacks over the Internet, no one will blame the consumer. They'll blame Hikvision for making it impossible for consumers to patch their cameras.
     
    OldBobcat likes this.
  15. fenderman

    fenderman Staff Member

    Is Microsoft required to provide security patches for hacked versions of Windows? Many users purchased hacked copies unwittingly... the answer is no. Most users do in fact know that they are buying gray market.
    Any user who relies on Hikvision or any other manufacturer for security of their appliance is foolish.
     
  16. Securame

    Securame Pulling my weight

    They can patch their cameras; they just need to install the Chinese firmware.
     
  17. autospy

    autospy n3wb

    But the Hikvision cameras purchased from Aliexpress aren't hacked or stolen versions. These are genuine cameras. There is no doubting it.

    Regardless, Microsoft provides security updates for pirated Windows 7. It would be very bad for business for them not to.
     
    mat200 likes this.
  18. autospy

    autospy n3wb

    I believe there are certain situations (e.g. devices shipped with v5.2.8) where you can't do that. Trying to upgrade will brick the camera.
     
  19. fenderman

    fenderman Staff Member

    They are not running genuine firmware, hence they are not genuine. It is akin to buying a home version of software that prohibits business use and then complaining that you are not getting support. You know what you are getting yourself into; deal with the consequences.
     
  20. autospy

    autospy n3wb

    I agree with you, but the consumer faces very little in consequences. The camera keeps working, except now it's used in the Mirai botnet to attack others. The headlines won't blame the consumer; instead the headlines will blame Hikvision for not providing security updates because Hik doesn't like how the product was purchased.

    This is exactly what happened to Microsoft and that is why they provide security updates for pirated Windows 7.
     
    mat200 likes this.