Backdoor found in Hikvision cameras

mlapaglia

> I've used those firmware updates but cameras are still being reset. So no.

Have you tried making your cameras inaccessible from the internet for a while and see if they still reset? Next step in troubleshooting.
 

alastairstevenson

Lol! Hikvision USA
The idea is perfectly good of course.
But it's this sort of meaningless political speak that rankles with me when they put so much effort into trying to break cameras bought on-line when people do the firmware updates that fix the backdoors:

> Hikvision takes cybersecurity concerns with the utmost seriousness and takes diligent action to ensure that its products meet the standards of the security industry’s best practices.
 

montecrypto

> Lol! Hikvision USA
> The idea is perfectly good of course.

A new, direct communications channel is actually good news. Assuming there are humans on the other side, the best strategy here is to use it. Everyone with a question, start dialing. Take notes, and after the call, publish them online and describe your experience, good or bad. They will have to staff the line with more humans if it becomes popular and it will become easier to fix/resolve concerns than to continue dealing with negative PR.

Also, append this to your signature in every forum post:

If you have any additional questions, please call Hikvision's security line at 626-723-2100, or talk to their tech support at 866-200-6690
They are usually very helpful and will happily assist you regardless of where you purchased their product.
 

TheWhiteKnight

Am I right that the DS-2CD2T42WD-I5 is excluded from that list? I see the FWD's are but don't see WD's. Currently on 5.4.1 Build 160525

I also see here that UPnP is not a good practice and luckily have it disabled everywhere already but didn't know port forwarding is frowned on. The only forwarding I have is as instructed by the BI android app, is that acceptable?

Happy to see my Shields Up test was good!
 

fenderman

> Am I right that the DS-2CD2T42WD-I5 is excluded from that list? I see the FWD's are but don't see WD's. Currently on 5.4.1 Build 160525
>
> I also see here that UPnP is not a good practice and luckily have it disabled everywhere already but didn't know port forwarding is frowned on. The only forwarding I have is as instructed by the BI android app, is that acceptable?
>
> Happy to see my Shields Up test was good!

If you are only forwarding BI, the issue is moot...the camera never is exposed to the internet...
That said, you should consider using a vpn for BI...
Shields up cannot be ok if you have the blue iris webserver forwarded....you need to select the full test..and even that doesn't scan all the ports...
 

TheWhiteKnight

> If you are only forwarding BI, the issue is moot...the camera never is exposed to the internet...
> That said, you should consider using a vpn for BI...
> Shields up cannot be ok if you have the blue iris webserver forwarded....you need to select the full test..and even that doesn't scan all the ports...

Yeah it was just the UPnP test that came back ok but I will dive into the VPN setup as soon as possible. Good to know the BI app is an exception, can you confirm if the 2CD2T42WD's are excluded from the backdoor vulnerability?
 

fenderman

> Yeah it was just the UPnP test that came back ok but I will dive into the VPN setup as soon as possible. Good to know the BI app is an exception, can you confirm if the 2CD2T42WD's are excluded from the backdoor vulnerability?

I didn't say the BI app is an exception...it can have a vulnerability just like the cameras can....
My point is who cares whether or not the t42 is affected....it makes no difference to you...don't port forward it and it won't matter...
 

john747

I have 2 of the Hikvision DS-2CD2332-I 5.2 firmware on my uncle's farm. Over a year ago, 1 of them was getting disconnected from the Synology NAS. Unable to log in I would have to use the software tools to get it reset. After a few times I replaced the old Dlink router with a newer Asus and denied the cameras access to the internet and it has not happened again. In the last week the same thing has happened to one of my 3 cameras at my residence (same model and firmware). I've had to reset the password twice and the cameras are denied access to the net in the Netgear r7800 router. I'm not sure if this is the backdoor hack or what. These are grey market and so I cannot upgrade the firmware. The router seems to be blocking access to the net as the cameras all seem to not be unable to sync their time to the google server. They sync to my synology on the LAN. Not sure what is going on or how to stop it. Think this is a backdoor hack? Would the IP filter in the firmware be of help or not if it's a backdoor hack?
 

alastairstevenson

If you have UPnP enabled on the router and the cameras, or you have enabled port forwarding, they will get hacked when on firmware of 5.4.4 or less.
Next time it happens, try 1111aaaa or asdf1234 as admin passwords.
If that works, they are for sure being hacked.
 

dt-cam

> If you have UPnP enabled on the router and the cameras, or you have enabled port forwarding, they will get hacked when on firmware of 5.4.4 or less.
> Next time it happens, try 1111aaaa or asdf1234 as admin passwords.
> If that works, they are for sure being hacked.

I'm not sure why people are connecting IP cameras to the internet. What I do is connect the camera to the NVR via IP, but I give the camera a fake/non-valid IP as the gateway address. If the camera does require a valid gateway IP address, you can create firewall rules to drop/block all IP Camera traffic from leaving the network/gateway.
 

john747

Thanks for the reply. I only mess with this network stuff a few times a year when setting something up so knowledge is limited. I did turn off UPnP in the cameras but failed to do it in the router. I do have all ports blocked to the camera's ip in the router but the web site canyouseeme.org says the camera's port is open! Turning UPnP off in the router has the ports closed now. Appears UPnP will override the block ports setting. Thanks for taking the time to help me out :) I'm guessing this was my issue.
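
The situation described in the post above (a UPnP mapping on the router opening a port despite a manual block rule) can be checked from the LAN side. The following is an added example, not part of the original thread: it parses a port-mapping listing in the format printed by miniupnpc's `upnpc -l` and flags mappings that forward to a camera address. The sample listing, addresses, descriptions and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of `upnpc -l` output (miniupnpc).
# All addresses, ports and descriptions here are made up.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8000->192.168.1.64:8000  'cam sdk' '' 0
 1 TCP   554->192.168.1.64:554   'cam rtsp' '' 0
 2 UDP 51413->192.168.1.20:51413 'desktop app' '' 3600
 3 TCP  1194->192.168.1.5:1194   'OpenVPN on NAS' '' 0
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)


def parse_mappings(listing):
    """Return one dict per port mapping; header and unparsable lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue
        try:
            host = ipaddress.ip_address(m["host"])
        except ValueError:
            continue  # e.g. 999.1.1.1 passes the regex but is not an address
        mappings.append({
            "proto": m["proto"],
            "external_port": int(m["ext"]),
            "host": host,
            "internal_port": int(m["int"]),
            "description": m["desc"],
        })
    return mappings


def exposed_cameras(listing, camera_ips):
    """Mappings whose internal target is one of the given camera addresses."""
    cams = {ipaddress.ip_address(ip) for ip in camera_ips}
    return [m for m in parse_mappings(listing) if m["host"] in cams]


if __name__ == "__main__":
    for m in exposed_cameras(SAMPLE_LISTING, ["192.168.1.64"]):
        print(f"WAN {m['proto']}/{m['external_port']} -> "
              f"{m['host']}:{m['internal_port']} ({m['description']})")
```

Any hit means the camera is reachable from the internet regardless of block rules set elsewhere in the router UI; an empty result with UPnP disabled on the router matches the fix described in the post.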
 

username

> I give the camera a fake/non-valid IP as the gateway address.

I do the same. For example, 192.168.254.x is a non-routable IP. A typical camera setting in NVR is 192.168.254.101 and the NVR on a 192.168.x.x network has no problem seeing that camera.
And I can point my browser to that IP and see the camera.
The camera is blocked at my firewall and does not go outside my location.
 

john747

For a camera with a backdoor like my DS-2CD2332-I it seems the best way AFAIK. Nice image but I don't trust the firmware. On my LAN I use Tinycam on the android device and a windows program called IP Camera Viewer for the desktops. Outside the LAN I go through the Synology.
 

saniaowner

Hello
I will share my setup. On cameras, turn off UPNP. I don’t see the point of changing the gateway, since I also turn off UPNP on the router, and Mikrotik has good settings by default. But I need to watch the camera remotely, for this I use VPN (OpenVPN) on Synology, with a changed port.
 

alastairstevenson

> I do have all ports blocked to the camera's ip in the router

That should be the default - all inbound access should be blocked by the NAT firewall in the router.
Why did you have to make an explicit inbound block rule?

> For example, 192.168.254.x is a non-routable IP

That doesn't matter when the packets hit a NAT router.
Private LANs using non-routable addresses can still reach out to external networks, there isn't a barrier.

> A typical camera setting in NVR is 192.168.254.101 and the NVR on a 192.168.x.x network has no problem seeing that camera.

With apologies - for the avoidance of any confusion, assuming the example is a Hikvision NVR with PoE ports, there are 2 ethernet interfaces in play internal to the NVR.
The interface on the 192.168.254.0 network is dedicated to the PoE ports connected cameras.
 

dt-cam

> Hello
> I will share my setup. On cameras, turn off UPNP. I don’t see the point of changing the gateway, since I also turn off UPNP on the router, and Mikrotik has good settings by default. But I need to watch the camera remotely, for this I use VPN (OpenVPN) on Synology, with a changed port.

I watch remotely, as well. I also use OpenVPN to connect to my network. The IP camera doesn't need to connect to the internet in order for you to view it over the internet. You should be connecting to your synology using DS Cam and not the IP camera. This is why the IP camera doesn't need a valid gateway address.
 