Backdoor found in Hikvision cameras

fenderman · Apr 8, 2017

sammmy said:
Thanks for the comments. Noticed no NVR firmware update at this stage.

I'm not saying that the NVR has this vulnerability...My point was it can...Stop Port forwarding.!

sammmy · Apr 14, 2017

Like to setup a VPN so I can remote access the NVR on a iphone or android.
Any advice how to set one up.
Would openVPN do the job?
Thanks

zero-degrees · Apr 14, 2017

sammmy said:
Like to setup a VPN so I can remote access the NVR on a iphone or android.
Any advice how to set one up.
Would openVPN do the job?
Thanks

Search the forum, all your answers and guides are already here...

Look for the thread VPN Primer....

Prohidium · Apr 15, 2017

Is this vulnerability on any open ports to a Hickvision or just the web port for example? I believe the Hickvision cams use port 80 for web access and then a different port for "server" access as well as an RTP port for audio? If using "security by obscurity" and using a non-traditional port, is the cam identifiable on a port scan other than that it is listening?

Of course, I have a grey market cam that I doubt that I can upgrade the firmware on without the risk of it either being full Chinese, bricked or potentially fine. I obviously have to do more reading on that aspect.

Tolting Colt Acres · Apr 15, 2017

Prohidium said:
I doubt that I can upgrade the firmware on without the risk of it either being full Chinese, bricked

Look at the upside: it gives you an opportunity to learn how to read mandarin (or whichever dialect the menus are in

)

Prohidium · Apr 15, 2017

Tolting Colt Acres said:
Look at the upside: it gives you an opportunity to learn how to read mandarin (or whichever dialect the menus are in )

Starting to look like I may need to learn Chinese. Is it inevitable anyway!?

bomack · Apr 15, 2017

sammmy said:
Like to setup a VPN so I can remote access the NVR on a iphone or android.
Any advice how to set one up.
Would openVPN do the job?
Thanks

Yes OpenVPN would be a good solution. Depending how you implemented OpenVPN it can be moderate or difficult. Check if your router supports it out of the box. If not check if you router can run firmware like did-wrt with vpn support. Another option and the option I use is a raspberry pi running OpenVPN. I find this solution to be more secure as the software is continuously being updated. I also have pi-hole running on the same raspberry pi to block ads when surfing the internet on my home network.

Prohidium said:
Is this vulnerability on any open ports to a Hickvision or just the web port for example? I believe the Hickvision cams use port 80 for web access and then a different port for "server" access as well as an RTP port for audio? If using "security by obscurity" and using a non-traditional port, is the cam identifiable on a port scan other than that it is listening?

Of course, I have a grey market cam that I doubt that I can upgrade the firmware on without the risk of it either being full Chinese, bricked or potentially fine. I obviously have to do more reading on that aspect.

A lot of times the port scans look for open ports. Then the IP address and port is automatically put into a script that runs. The script has known hacks and back doors and automatically tries to get in. When successful it reports back to the loser (script kid, hacker, punk, etc) that a successful login worked. There is more to it but that is basically what it's about.

My first post. Finally created an account to be able to reply here.. lurking is done.

sammmy · Apr 23, 2017

Managed to setup a VPN and it is up and running.
Able to playback and live view from the App from a remote site.
Having problems with alarm notification with the App. Unable to
enable due to failed to register the DDNS server

bomack said:
Yes OpenVPN would be a good solution. Depending how you implemented OpenVPN it can be moderate or difficult. Check if your router supports it out of the box. If not check if you router can run firmware like did-wrt with vpn support. Another option and the option I use is a raspberry pi running OpenVPN. I find this solution to be more secure as the software is continuously being updated. I also have pi-hole running on the same raspberry pi to block ads when surfing the internet on my home network.

A lot of times the port scans look for open ports. Then the IP address and port is automatically put into a script that runs. The script has known hacks and back doors and automatically tries to get in. When successful it reports back to the loser (script kid, hacker, punk, etc) that a successful login worked. There is more to it but that is basically what it's about.

My first post. Finally created an account to be able to reply here.. lurking is done.

Managed to setup a VPN and it is up and running.
Able to playback and live view from the App from a remote site.
Having problems with alarm notification with the App. Unable to
enable due to failed to register the DDNS server.

bomack said:
Yes OpenVPN would be a good solution. Depending how you implemented OpenVPN it can be moderate or difficult. Check if your router supports it out of the box. If not check if you router can run firmware like did-wrt with vpn support. Another option and the option I use is a raspberry pi running OpenVPN. I find this solution to be more secure as the software is continuously being updated. I also have pi-hole running on the same raspberry pi to block ads when surfing the internet on my home network.

A lot of times the port scans look for open ports. Then the IP address and port is automatically put into a script that runs. The script has known hacks and back doors and automatically tries to get in. When successful it reports back to the loser (script kid, hacker, punk, etc) that a successful login worked. There is more to it but that is basically what it's about.

My first post. Finally created an account to be able to reply here.. lurking is done.

john-ipvm · May 4, 2017

DHS ICS-CERT has issued an advisory on Hikvision cameras crediting @montecrypto The vulnerability overview section cites "IMPROPER AUTHENTICATION CWE-287" and "PASSWORD IN CONFIGURATION FILE CWE-260".
Nice work @montecrypto !

Tolting Colt Acres · May 4, 2017

Indeed. The forum is blessed to have talented people like montecrypto.

alexvas · May 5, 2017

I'm making vulnerability scanner for tinyCam Monitor (Android) app. It uses multiple exploits revealed recently to warn users about their cameras issues.
https://goo.gl/X6ySaV

I just tried to implement Hikvision camera vulnerability and it looks like information published by ICS-CERT (CWE-287: Improper Authentication) is very general.

I'm sending request:

GET/ISAPI/System/time HTTP/1.1\r\n
"Cookie: user=Administrator\n
"Cookie: loggedin=true\r\n
"Connection: close\r\n\r\n

And always getting 401 unauthorised request from several Hikvision cameras.

@montecrypto do you have any hints how to check if vulnerability exists on camera?

bubba123 · May 8, 2017

So is version 5.1.6 vulnerable? I have a DS-2CD2332-I and from this article (Hikvision Patches Backdoor in IP Cameras ) it says versions 2.0 to 5.4.0 are vulnerable. But CERT says 5.2.0 to 5.4.0 (Hikvision Cameras | ICS-CERT). Did the article just leave off the "5." Before the 2.0?

Consultant · May 9, 2017

montecrypto said:
There have been rumours... I would like to confirm that there is a backdoor in many popular Hikvision products that makes it possible to gain full admin access to the device.

Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.

It would be wise to disconnect your cameras from the Internet.

I'm new here. Pardon my stupidly, but so what if a stranger wants to look at a camera pointed to as hot water heater? If someone in the USA were able to watch one or more of your cams, what adverse event might occur?

tangent · May 9, 2017

Consultant said:
I'm new here. Pardon my stupidly, but so what if a stranger wants to look at a camera pointed to as hot water heater? If someone in the USA were able to watch one or more of your cams, what adverse event might occur?

The bigger issue is your camera being further hacked to attack the internet as part of a bot net or giving a hacker a foothold into your network. Concern someone's watching you is secondary. The real solution is to use a VPN and other network security measures to to enforce a degree of security for insecure devices.

fenderman · May 10, 2017

ipvm breakdown..
Hikvision Backdoor Confirmed

alexvas · May 10, 2017

There is no public available exploit at the moment. But it is just a question of time when this happens. What hackers should do is just compare "fixed" and previous version of Hikvision firmware publicly available.

xtropodx · May 10, 2017

tangent said:
The bigger issue is your camera being further hacked to attack the internet as part of a bot net or giving a hacker a foothold into your network. Concern someone's watching you is secondary. The real solution is to use a VPN and other network security measures to to enforce a degree of security for insecure devices.

In such situation, would having an NVR vs Windows PC running IP cameras be better/worse? Assuming same set up ie VPN or lack thereof, all networked.

EDIT:
"Also recognize that VPN is only as secure as the connected devices"
^^Does this mean that if an IP camera is compromised on a network & you access said camera remotely via VPN, you're open to being compromised as well?

tangent · May 10, 2017

xtropodx said:
In such situation, would having an NVR vs Windows PC running IP cameras be better/worse? Assuming same set up ie VPN or lack thereof, all networked.

EDIT:
"Also recognize that VPN is only as secure as the connected devices"
^^Does this mean that if an IP camera is compromised on a network & you access said camera remotely via VPN, you're open to being compromised as well?

I was referring to the choice between exposing a camera/nvr/pc directly to the internet vs requiring a VPN to tunnel into the network securely. Any security issues with the cameras/nvr/pc still exist, difference is only people on your local network or with access to your VPN server can exploit them instead of the entire internet. It's also a good idea to disable upnp and block or limit the ability of the cameras to connect to the internet.

IL-MAFIOSO · May 10, 2017

Hello, if I've good understand disabling upnp will block (by the router) all requests from internet but allow camera to send to internet like email notification ?

But in this case , we will no more have live streaming with IVMS-4500 too in WAN ....

tangent · May 10, 2017

upnp allows devices on your network to automatically request port forwarding rules. Disabling it on your router and cameras won't block the cameras from connecting to the internet.

Blocking internet access is something to consider in the name of security, but will impact email alerts and push notifications (though you could run a local mail relay). The main reason to disable it is the p2p/easy4ip style nat traversal schemes many cameras have, you can disable this on many cameras. China regions cams may lack the option. You could also setup some more complicated firewall rules if you've got hardware that allows it to only allow certain things.

Search

Backdoor found in Hikvision cameras

fenderman

sammmy

n3wb

zero-degrees

Known around here

Prohidium

n3wb

Tolting Colt Acres

Pulling my weight

Prohidium

n3wb

bomack

n3wb

sammmy

n3wb

john-ipvm

Known around here

Tolting Colt Acres

Pulling my weight

alexvas

tinyCam Developer

bubba123

Young grasshopper

Consultant

n3wb

tangent

fenderman

alexvas

tinyCam Developer

xtropodx

Getting the hang of it

tangent

IL-MAFIOSO

Getting the hang of it

tangent