Backdoor found in Hikvision cameras

Hello,
Thanks for your reply.
At the moment I've disabled UPnP on the cameras only. This doesn't disturb the email alerts sent by the cameras. It will certainly affect the time ...
But I lost WAN access with iVMS-4500 for live streaming.
Is there a very simple tutorial with pictures to explain how to set up a VPN connection just to give access to the cameras with iVMS-4500, for example?
My router is configured to accept IPSEC and PPTP but has no VPN server built in.
 
My router is configured to accept IPSEC and PPTP but has no VPN server built in.
VPN Primer for Noobs
The easiest option is to use a router with a built-in VPN server or third-party firmware that adds the function. Otherwise you're looking at setting up a Raspberry Pi, CuBox, old PC or similar as a VPN server (2 network interfaces are required).
 
OK. I have decided to set up a VPN server. May I ask an incredibly stupid question? If I set up an OpenVPN on my Asus router (which seems easy) but don't get it exactly right at the start, will I screw up my current ability to access my cameras and their images remotely? I'll get it right eventually but it might take a few days to do so. Just don't want to see everything go offline.

The network in question is in a remote vacation home. I use IP Cam Viewer Pro to access cameras remotely, which requires port forwarding. (All are running 5.4.5 firmware.)
Get it all working when you're on site, assuming you have good enough cellular internet to test your VPN.
 
An example of what I believe to be secure:

I have an NVR on my network. I can access any of my cameras at the NVR or via a web browser that supports NPAPI, and also via iPad/iPhone using iVMS-4500. I have never signed up with hik-online.com, I don't port forward at my firewall, I have disabled UPnP. Rather than use the NVR DHCP (not recommended in my situation, I already have a DHCP server on my LAN), I statically assign my cameras to a non-routable IP address (i.e. 192.168.254.x). Thus the cameras cannot send out beyond my LAN (there is no route for the data). My firewall prevents new inbound connections, so someone would have to infect my cameras from inside my network. This setup may be undesirable for some folks but works fine for me.

I have set up my iPhone/iPad with OpenVPN and when away, I can connect to my network via VPN and use iVMS-4500 to view the live stream or recorded events. I have not set up email alerts; my cameras are outside and a slight breeze frequently alerts them, so the email traffic would be overwhelming. One point of note: not all wifi access points allow VPN, and I have only 1GB/mo data on my phone, so I am not inclined to spend a lot of time looking at my cameras in this manner. For its intended purpose, this is a flaw in my setup.

Other than the possibility that there may be an undiscovered flaw in OpenVPN that could compromise me, I believe this is secure and allows me access to the live stream. Other than to test that it works, I do not regularly access it. I'm not so sure this would work with a system of cameras without an NVR.
 
UPnP allows devices on your network to automatically request port forwarding rules. Disabling it on your router and cameras won't block the cameras from connecting to the internet.

Blocking internet access is something to consider in the name of security, but it will impact email alerts and push notifications (though you could run a local mail relay). The main reason to disable it is the P2P/easy4ip-style NAT traversal schemes many cameras have; you can disable this on many cameras. China-region cams may lack the option. You could also set up some more complicated firewall rules, if you've got hardware that allows it, to only allow certain things.
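The two setups described above (cameras on their own non-routable subnet with no new inbound connections, and outbound limited to a local mail relay and a time server) can be expressed as one firewall policy on a Linux router. The ruleset below is an added example, not a configuration posted in this thread or shipped by any vendor. It assumes interface names cam0 (camera subnet 192.168.254.0/24, the subnet quoted above), lan0 (main LAN 192.168.1.0/24) and wan0, an NVR at 192.168.1.10, a local mail relay at 192.168.1.20, the router itself serving NTP to the cameras, and OpenVPN listening on UDP 1194; every one of those addresses and names is an assumption.

```nft
# Added example (not from the thread): nftables ruleset isolating a camera subnet.
# Assumed names/addresses: cam0 = 192.168.254.0/24 (camera subnet), lan0 = 192.168.1.0/24,
# wan0 = upstream, NVR 192.168.1.10, mail relay 192.168.1.20, router = NTP server for cameras.
flush ruleset

table inet camwall {
    # Hosts allowed to open connections to the cameras (NVR; add a VPN client pool if used)
    set cam_peers {
        type ipv4_addr
        elements = { 192.168.1.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-accepted flows continue; malformed state is dropped
        ct state established,related accept
        ct state invalid drop

        # LAN side may open web UI, RTSP and SDK (8000) sessions to the cameras
        iifname "lan0" oifname "cam0" ip saddr @cam_peers ip daddr 192.168.254.0/24 tcp dport { 80, 443, 554, 8000 } accept

        # Cameras may reach only the local mail relay, so email alerts keep working
        iifname "cam0" ip saddr 192.168.254.0/24 ip daddr 192.168.1.20 tcp dport 25 accept

        # Everything else a camera initiates (cloud/P2P registration, outbound DNS,
        # UPnP port requests) is logged and dropped; the log line is the detection point
        iifname "cam0" log prefix "cam-egress-drop: " drop

        # No new inbound connections from the WAN are forwarded anywhere
        iifname "wan0" ct state new drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Cameras may use the router as their time server and nothing else on it
        iifname "cam0" udp dport 123 accept

        # Management from the LAN; VPN endpoint on the WAN (OpenVPN UDP/1194 assumed)
        iifname "lan0" accept
        iifname "wan0" udp dport 1194 accept
    }
}
```

Load it with `nft -f` on the router and watch the kernel log for the "cam-egress-drop:" prefix: a camera that has been told to disable its P2P/cloud service but still appears there is still trying to call home, which is exactly the behaviour the thread is worried about. Remote viewing then goes through the VPN only, so no port forward to the cameras is ever needed.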

Why would you want to block outbound access?

Given the highlighted privilege escalation vulnerability (and the general piss-poor nature of HIK's software) I can understand the advice to avoid exposing their products to the WWW.

I can only think of two reasons to block outbound access (i.e. device-initiated sockets through your firewall):

1) You believe your camera may be compromised already. In which case you're better served dealing with the issue rather than trying to wall it within your own network where others may have their guard down.

2) You distrust the actual HIK firmware (i.e. you believe they may have some nefarious intentions executable through their stock firmware). In which case it's best to bin the cameras and move on, to be honest.

3) You believe outbound sockets from the camera itself can be compromised. In which case your router/firewall would have to be at fault as well, as it would first have to allow a third party to hijack that socket. Or of course you feel the other end of those sockets may not be trustworthy. But that's going to be HIK servers, your time server, ??? Can't think of what else ???

As an example, let's say you use Google for NTP. How could that lead to a successful attack on your camera:

A) Google's NTP server itself initiates the attack, as it has a direct connection to your camera through your firewall.

B) Someone successfully guesses you're using Google as your NTP server and also guesses the socket parameters (IP/ports/protocol), then sends a spoofed packet/stream (would hope someone would pick this up via RPF :( but that's the web for you) and compromises your camera blind. Then gets it to form outbound connections to you.

C) There's something you know that I don't :)

If the services/functions that require an outbound connection are of no use, then by all means wall the buggers in. But surely it's going OTT to wall them in and start finding workarounds for push/email notifications, for example.
 
Why would you want to block outbound access?
There have been other threads where this idea has been discussed more. Most IP cams ship with some sort of mechanism for NAT traversal / idiot-proof setup via scanning a barcode. On some cameras you can't turn this off. I agree that in most cases it's a little extreme to block WAN access. Hikvision is owned by the Chinese government.
 
Hi tangent,

It was not so easy for me ... a little more difficult for my iPhone. But now it's working. I've disabled UPnP on the cameras and in iVMS-4500 changed the WAN IP to the LAN IP. I can access them with my iPhone when enabling the VPN. Thanks for the suggestions and help.
 
After reading this I have two 4MP domes from Amazon. I have been getting "text 3509: message not found" and error messages from BI to my text for snapshots of motion on my cameras. So I looked into my router logs and saw "DOS attack: Illegal Fragments, Ping of Death, Teardrop or derivative" all over the place. It shows target and source IP addresses. So I turned off UPnP on the cameras and router. As of now I haven't been getting any error texts from BI.
 
Well that was short lived. I still have DoS in my logs so I doubt it is a Hikvision issue. It is a known issue with iPhones and Netgear modem/router I have.
 
Intriguing - unless they are playing with words, a "privilege-escalating vulnerability" is not the same thing as the deliberately-coded backdoors we've been discussing for a while.
The 'Dahua backdoor' that's the subject of your recent exposé could certainly be described as a "privilege-escalating vulnerability".
I'm tempted to take a look in the linked firmware to see what they've altered.

*edit*
Looking at the firmware links, that firmware was released near the end of January, published on the EU portal and then after a few days removed from that site.
So on the face of it, the timing of their notice is a little odd.
I've already tested IPC_R0_EN_STD_5.4.5_170123 out on a couple of R0 IPCs and confirmed that the backdoors that are present in IPC_R0_EN_STD_5.4.0_160530 were still present.

Now I am crazy. I just upgraded to IPC_CN_STD_5.4.5_170123.zip. Gmail is working now but my problem is still here.
 
Wouldn't any camera connected to your network have a potential backdoor? If not, what cameras do you suggest? Axis?
 
Not sure if related to backdoor, but I've had two cameras from 2 separate clients compromised. Their admin password was changed.
 
Not sure if related to backdoor, but I've had two cameras from 2 separate clients compromised. Their admin password was changed.
There have been various 'brickerbot' campaigns over the last few months targeting exposed IPCs and NVRs that had default credentials.
Did you see a new 'system' account on the cameras?