Has my Hikvision ip camera been hacked?

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,957
Reaction score
6,790
Location
Scotland
I plan to take down the Hikvision & try to do a factory reset without it being connected to my LAN.
You may be able to access the camera to reset to factory defaults without taking it down.

I cannot get into the camera using the admin login/password.
Suggestion to try :
Power on the camera.
Use SADP to find the camera, noting its IP address and the firmware version.
If the firmware is 5.3.0 or later, you may be able to extract the configuration file without needing credentials.
The configuration file can be decrypted and decoded to find the plaintext password that has been applied.
With a PC with the IP address in the same range as that of the camera, use this URL in the browser, replacing the IP address with the actual IP address of the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If you're lucky and a configuration file is extracted, zip it up and attach here.
 

f13dfx

Getting the hang of it
Joined
Oct 15, 2015
Messages
91
Reaction score
44
You may be able to access the camera to reset to factory defaults without taking it down.


Suggestion to try :
Power on the camera.
Use SADP to find the camera, noting its IP address and the firmware version.
If the firmware is 5.3.0 or later, you may be able to extract the configuration file without needing credentials.
The configuration file can be decrypted and decoded to find the plaintext password that has been applied.
With a PC with the IP address in the same range as that of the camera, use this URL in the browser, replacing the IP address with the actual IP address of the camera :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If you're lucky and a configuration file is extracted, zip it up and attach here.
Sorry, I reset the camera already and was able to upgrade to the latest firmware. Disabled uPnP in config. Seems to be working fine now.

Thank you all for your quick assistance!
 

dreniarb

n3wb
Joined
Jan 13, 2016
Messages
14
Reaction score
3
If you're not able to put your cameras on an isolated vlan remove the gateway from their ip address settings. That will keep them off the internet. You could go a step further and put them on a completely separate subnet (192.168.100.X instead of 192.168.1.X for example). Just make sure you give your blue iris installation a secondary ip on the same subnet so it can talk to the cameras.
 

lewic

Getting the hang of it
Joined
Mar 12, 2020
Messages
190
Reaction score
76
Location
Texas, USA
I remember there was this event late last year where people were hacking into Hikvision and Hikvision OEM cameras and leaving messages on the OSD. Hikvision came out with a firmware update to fix the issue. All that was needed to take the message off was go into the OSD menu and delete the text. Then install the firmware onto the camera. I think I have a picture of it somewhere....
 

lewic

Getting the hang of it
Joined
Mar 12, 2020
Messages
190
Reaction score
76
Location
Texas, USA
Here is a link to the article.
It was always the same message on everyone's camera.
 

yggdrasil

n3wb
Joined
Feb 17, 2024
Messages
24
Reaction score
6
Location
Florida
Yes. Disconnect the camera, reset to factory settings, upgrade the firmware. Do not connect it to the Internet again. It says pwned which means whoever did this, is basically doing it deliberately to make you aware that your camera is insecure and should not be exposed online.

I assume you don't have a switch to put cameras on a VLAN so the easy way, your cable/internet modem mostly likely has a firewall feature, while basic might work. If not, research into having one. Assign your camera a fixed IP address. Then only allow traffic to this internal IP address from another internal IP (your blue iris). Nothing else, so it can't be connected to the Internet.

Port forwarding a camera to your public IP is a horrible idea. There are services that scan ports on the Internet to look for cameras and their models and it's trivial, automated, and they will hack your cameras in hours of being online. It's just a bad idea to put any camera on the Internet, in particular since all made in China now.

Whoever compromised your camera is basically informing you. It could be a script kiddie having fun, but either way, it's a warning that your network is insecure and exposed online, since from your camera an attacker is basically inside your network and can jump to every other device in your home.
 
Top