Exposing to the internet.

thedoc46

I hear the 'it's bad practice' to expose our cameras to the internet frequently.

But what makes Hikvisions so much more vulnerable?

What about the 50 million Xboxes and PlayStations out there? (most likely via UPnP) They also need exposing to the internet. Or any of the millions upon millions of PCs and iOS devices probably online at any one time in the US alone. The general population is not setting up VPNs to run their gaming consoles through....

Everything from the phone in your pocket, to the camera on your wall is really exposed to the internet.

I just want to know what makes people more paranoid of Hikvision hardware? Is it because it's Chinese, and some people are worried that the firmware has some back doors especially built in or something?

Just curious.
 

bp2008

There have been published vulnerabilities for Hikvision cameras, if that is what you are asking. But you are quite right, millions of other devices are also vulnerable, not just Hikvision cameras. The chance of a vulnerability being exploited is fairly small anyway.
 

alastairstevenson

Hikvision IP devices are not 'so much more vulnerable' than many other brands of domestic electronics.

'Exposing to the internet' means creating an exception to allow inbound access, generally to a device on your home network.
That's not the same thing as a device on the home network accessing the internet.
Invariably the router provided by the ISP has a built in firewall and NAT facility that by default will block any external traffic trying to access your home network from the internet and thus provide a level of protection.
'Exposing your device to the internet' means poking a hole in that firewall to allow external devices to be able to reach in, as an exception.

Many devices are specifically designed and maintained through security updates to be robust and less vulnerable to the exploits that can result from allowing external access, for example the devices you have mentioned, as being somewhat exposed to the internet is part of their intended normal operating environment.
Many devices are not so designed or maintained, and examples are items of domestic electronics that would normally operate within the protected environment of the secured home network, such as home surveillance cameras, and even your NAS boxes and smart TVs.

No-one is paranoid about Hikvision devices, they are just conscious of the risks and consequences inherent in allowing any internet-connected device in the world access to your home network.
 

thedoc46

Many games, and all gaming consoles, poke holes through your firewall to allow incoming access for online gaming. Admittedly, now I'm a Hikvision owner, I can say that the software is not as well written and, at least on the face of it, I do not trust trying to update its firmware without praying it won't be bricked... Unlike other devices, that I have no qualms whatsoever about updating the firmware... Probably because we're dealing with a Chinese company here, and well, they're Chinese... need I say more!
 

MikeSav

I don't think I would say the chance of being exploited is low if you open your cameras to the outside world. Online cameras literally let people watch you. They are a target. They have been since day one.

There have been websites set up that specifically point their visitors to unsecured cameras for over a decade. There used to be johnny.ihackstuff, which hosted a database of easily accessed online devices. And then, there is Insecam, which appeared a while ago, then disappeared, and seems to be back online. Oh, and we can't forget about Shodan, which can help people find cameras to exploit.

What it comes down to is whether or not you trust the manufacturer of your camera and, ironically, IP camera manufacturers in general seem very poor regarding security.

For example, Hikvision failed to respond to the disclosure of vulnerabilities for months. The group that discovered the vulnerabilities made exploit tools, and released them. The article says 150,000 devices were vulnerable. Most probably still are, given the circus that Hikvision has created with their regional firmware restrictions.

Dahua isn't much better. There have been vulnerabilities (hard-coded root password, for example). And, like Hikvision, they have ignored the disclosures. They too have a firmware circus, requiring you to get it from your original seller, who may be out of business.


My cameras sit behind a VPN. I don't want strangers (like me) watching me. ;)
 

The_Penguin

As Mike said, VPN is your most secure bet, but as an alternative, don't expose the cameras themselves; expose a web server (Blue Iris, ZoneMinder, or whatever flavor you choose). That way, you control the O/S patch levels and software updates. Known exploit? Patch, or change to something else.
Also, you can expose to known IP addresses, or known ranges of IP addresses. At work, you probably have a static IP. Your mobile provider probably has a range, albeit a large range. Sure it's less secure than not exposing it, but at least it's not open to the entire world.
Myself, a few of my cameras are exposed to a very limited list of IP addresses, and are on obscure ports. My Blue Iris server is exposed to a larger range, but not the whole world.
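
The source-address restriction described in the post above, as an added example that is not part of the original thread: a small audit of port-forward rules that reports how many internet addresses can reach each forwarded device. The rule format, names, addresses and ports are constructed for illustration and do not come from any router's real export format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Forward:
    name: str
    ext_port: int   # port opened on the router's WAN side
    target: str     # LAN host that receives the traffic
    sources: list   # allowed source CIDRs; ["0.0.0.0/0"] means the whole internet

# Constructed sample rules (documentation address ranges, hypothetical ports).
RULES = [
    Forward("driveway-cam", 8000, "192.168.1.64", ["0.0.0.0/0"]),
    Forward("porch-cam", 34567, "192.168.1.65", ["203.0.113.10/32"]),
    Forward("nvr-web", 8443, "192.168.1.10",
            ["203.0.113.10/32", "198.51.100.0/24"]),
]

# Assumption: these hosts are cameras whose firmware the owner cannot patch promptly.
CAMERAS = {"192.168.1.64", "192.168.1.65"}

def reachable_from(rule):
    """Count the IPv4 source addresses permitted to reach this forward."""
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in rule.sources)
    return sum(n.num_addresses for n in nets)

def is_allowed(rule, src):
    """True if a connection from src would pass the rule's source filter."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(s) for s in rule.sources)

def audit(rules):
    """Map rule name -> (exposure level, number of permitted source addresses)."""
    findings = {}
    for r in rules:
        n = reachable_from(r)
        if n == 2 ** 32:
            level = "open-to-world"        # no source restriction at all
        elif r.target in CAMERAS:
            level = "camera-restricted"    # camera exposed, but to a short list
        else:
            level = "server-restricted"    # patchable server behind an allowlist
        findings[r.name] = (level, n)
    return findings

if __name__ == "__main__":
    for name, (level, n) in audit(RULES).items():
        print(f"{name:14} {level:18} {n} source address(es)")
```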
 

thedoc46

Unfortunately I am unable to set up a VPN at my router, as I have a Comcast Arris TG862G/CT cable / telephony / wifi all-in-one unit, provided by Comcast, cos I also have their phone service... So I'm limited to what I can do with it... It only gives me a few basic options.

TBH my webcams are only going to be pointing to my driveway. I'm not installing within my home... I also live in a gated community with a 24/7 security guard, so getting burgled is highly unlikely. So unless a hacker wants to watch me wash my car on my driveway every Sunday, I'm pretty sure he'll move on to a more interesting IP cam of that hot chick's bedroom somewhere else. My main concern would be using the web cam as a way onto my network, which is pretty well secured anyway.. As in no files with any important info exist on my machines... Everything that is confidential is on an external BitLocker drive that is only ever switched on when needed... But even so...... doesn't hurt to take precautions.
 