DS-2CD3345-I Password reset on its own. How to fix?

[mendark]

After reading a lot of posts and upgrading the firmware a few times I am lost...

Issue: Suddenly, one of the 5 cameras lost its password. As nobody touched it, hardware failure could be possible. Cannot log in via anything but I can get to the web UI.

This camera does not have a reset button.

So I updated the firmware to the Chinese version IPC_G0_CN_STD_5.5.53_180716.zip (camera was apparently Chinese grey market) hoping will reset the password.

Still no luck...camera remains activated.

I have another DS-2CD3345-I working well which is at firmware 5.3.8.

Options:
1. Copy the partitions from the working one onto the non working one. Has it been done?
2. Downgrade the camera. I only found steps for R0 cameras but this one is a G0 camera. Also could not find any old dav file for it.

Can anyone help?

 

[alastairstevenson]

As nobody touched it, hardware failure could be possible

The common cause of those symptoms is that it has been hacked.

So I updated the firmware to the Chinese version IPC_G0_CN_STD_5.5.53_180716.zip (camera was apparently Chinese grey market) hoping will reset the password.

How did you do this? And did the login prompts change to Chinese?
Presumably using the Hikvision tftp updater as you don't know the password.
What were the last few lines on the tftp updater status window?

If the camera has been hacked - a couple of common passwords to try are
1111aaaa
and
asdf1234

And definitely worth checking whether those work or not is what inbound ports ShieldsUp! finds on the full port scan : GRC | ShieldsUP! — Internet Vulnerability Profiling  

I have another DS-2CD3345-I working well which is at firmware 5.3.8.

That version of firmware still has the Hikvision backdoor vulnerability.

Copy the partitions from the working one onto the non working one. Has it been done?

That would need serial console access.
If you have that, you 'own' the camera and could simply retrieve or delete the configuration.

 

[bp2008]

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk

 

[mendark]

Thanks! It was indeed hacked and password was asdf1234. Any idea of how they get to exploit it when is behind a firewall? Could be malware that got inside the network? I assume they hack these en masse....

I am NATed however UPnP was enabled on the router (my bad). I noticed that port 80 was enabled on the router by UPnP and I am positive was this camera that did it (was enabled in settings). The port was going to the router management page and the router seems to have not been compromised.

Camera was hacked last Friday at 4 AM...that is when it lost its feed to the Synology.

I downloaded the Diagnostic info from the camera and I am noticing:

Lots of [ 10.442046] yaffs: checking block XXX bad
__________

[ 11.945910] base module init version.
[ 11.953200] hikcomm: module license 'Proprietary' taints kernel.
[ 11.953225] Disabling lock debugging due to kernel taint
__________________

192.168.X.XX:52536 115.231.107.23:6801 ESTABLISHED


115.231.107.23 is an IP in China and on the list of malicious IPs. I blocked the entire class B and the connection dropped. However, this makes me believe the camera now has some malicious code in it, in spite of me upgrading it. (unless that is a Chinese cloud server which I also disabled in the camera config)

The common cause of those symptoms is that it has been hacked.


How did you do this? And did the login prompts change to Chinese?
Presumably using the Hikvision tftp updater as you don't know the password.
What were the last few lines on the tftp updater status window?

Yes, I used TFTP and now the camera is in Chinese. I wish I would have not upgraded it but here I am. Any idea of how to make it English again? Plus I have the other one with the vulnerable firmware that I might want to upgrade...

At least now is live again, but I cannot use it with iVMS anymore...Synology does not care it is Chinese and works just fine...

 

[alastairstevenson]

Lots of [ 10.442046] yaffs: checking block XXX bad

Perfectly normal - just scary phrasing. It's looking for bad blocks, not finding bad blocks.

[ 11.945910] base module init version.
[ 11.953200] hikcomm: module license 'Proprietary' taints kernel.
[ 11.953225] Disabling lock debugging due to kernel taint

Again, normal, no worries there.

Any idea of how they get to exploit it when is behind a firewall?

You've already answered that question yourself.
UPnP enabled on the router allows ANY device on your LAN to control the router to allow inbound access.
As it's a Hik camera, it will likely be 80, 554, 8000 that were opened inbound.
And with the Hikvision backdoor, full access to the camera is available, and through that, potentially, your LAN and the devices on it.

However, this makes me believe the camera now has some malicious code in it,

It's certainly possible with that file system, though not very likely.

in spite of me upgrading it.

With Hikvision's file-by-file update method on that firmware, theoretically there could be foreign residual files not cleaned out by the update process.

(unless that is a Chinese cloud server which I also disabled in the camera config)

It's not clear to me what that server does - apart from being in Hikvision home territory - but if the access is linked to one of Hikvision's configurable services, there's probably been no harm done.

Any idea of how to make it English again?

On that model it will need 'hacked to English' firmware applied.
I don't have any for that specific model, or I'd slip you a copy.

 

[alastairstevenson]

The port was going to the router management page

Just a thought - presumably you DON'T have 'Remote Management' enabled on the router?
If so - disable it tout suite.

 

[mendark]

Thanks again!!


Is there a way to unpack the 5.5.53 firmware, make the change and repack it for upload? I heard now there is crypto on them so checksums might not suffice...I may have to find my cracking hat from 20 years ago and dust it off of course, benefit vs time spent is now more important than it was 20 years ago and if will take me one week, will likely just buy a new one, heh

 

[mendark]

Just a thought - presumably you DON'T have 'Remote Management' enabled on the router?
If so - disable it tout suite.

Nooooooo. I've worked in security long enough to not do that. With UPnP I was sloppy that is true...

 

[Tolting Colt Acres]

Is there a way to unpack the 5.5.53 firmware, make the change and repack it for upload? I heard now there is crypto on them so checksums might not suffice...I may have to find my cracking hat from 20 years ago and dust it off of course, benefit vs time spent is now more important than it was 20 years ago and if will take me one week, will likely just buy a new one, heh

You're better off buying an English camera and shipping the chinese camera to alastair so he'll have another sample to play with.

 

[pjsaunders75]

FYI,
For anyone else who ends up here on this thread.

I have been exactly the same experience, with 2 of these identical cameras constantly having the password reset without being touched.
My cameras are on internal network only with firewall.
It happens pretty much every ~6 months, so I think there is just something screwy in the firmware.
I always have to use the "Hikvision Password Reset Helper" to reset the password, though today for the first time both cameras went "Inactive" and I had to Activate them again.
I have 5 other Hikvision cameras (with same p/w) and they are never affected.

This is the version of my cameras:
DS-2CD3345-I
Firmware version: V5.4.20 build 160726

Both cameras are Chinese versions that had been set to English language.
For this reason, I won't be trying to update the firmware.

 

[alastairstevenson]

My cameras are on internal network only with firewall.
It happens pretty much every ~6 months, so I think there is just something screwy in the firmware.

Suggestion :
Check for open ports inbound using ShieldsUp! full ports scan : GRC | ShieldsUP! — Internet Vulnerability Profiling
Then access the cameras web GUI and see if UPnP is enabled. It usually is, by default. Disable it.
Then access your router and check if UPnP is disabled. If so disable it.
Then check ShieldsUp! again.

I'm speculating that the cameras have automatically opened ports inbound via UPnP and have been hacked.
The firmware you quoted suffers from the Hikvision 'backdoor vulnerability'.

 

[alastairstevenson]

If the passwords get changed again - try :

1111aaaa
and
asdf1234

These are commonly used by the hackbots when inbound access is available and vulnerable firmware is installed.

 

[pjsaunders75]

Hi guys,
My results are:
I did check with "ShieldsUp!" and it did not detect any issues.
My cameras DID have UPnP enabled - I have now disabled for all cameras.
My router does have UPnP enabled - if I disable would that cause issues with playing multiplayer games etc?

Thanks,

Pat

 

[alastairstevenson]

My cameras DID have UPnP enabled - I have now disabled for all cameras.
My router does have UPnP enabled - if I disable would that cause issues with playing multiplayer games etc?

OK, with those settings, the cameras will be letting the whole internet in to access them.

I did check with "ShieldsUp!" and it did not detect any issues.

All service ports, and Hikvision's port 8000 command and control port?

 

[pjsaunders75]

OK, with those settings, the cameras will be letting the whole internet in to access them.


All service ports, and Hikvision's port 8000 command and control port?

I did disable UPnP for all cameras and NVR.

The instant UPnP test: ACTIVELY REJECTED OUR UPnP PROBES!
Common Ports: Failed on 5000 (only)
Port 8000 probe: result = Stealth. (OK)

Not perfect, but much better now thanks.

BTW, what is the purpose is there in resetting the cameras...?

 

[alastairstevenson]

BTW, what is the purpose is there in resetting the cameras...?

Probably just mischief. And a prompt to the user to check what's going on.