Hikvision Defaulted Devices Getting Hacked

fenderman · Mar 3, 2017

nayr · Mar 3, 2017

Well Duh

johnyfalco · Mar 3, 2017

Yes. I have been locked out of two of my HikVision cameras that had not had the default password changed.

Sent from my iPhone using Tapatalk

h_2_o · Mar 3, 2017

I would say this is not really getting hacked and more some kid is changing the password on someone's cam that is to dumb to change the default passwords. 2 different things IMHO.

fenderman · Mar 3, 2017

h_2_o said:
I would say this is not really getting hacked and more some kid is changing the password on someone's cam that is to dumb to change the default passwords. 2 different things IMHO.

There is more to it...based on the article and the comments, it appears (at least for now) that this password change occurred on devices that only have the 8000 server port open....unless you can change the password via ivms(with only the server port open) they must have been doing something else to gain access to the camera.

Camit · Mar 3, 2017

Don't hikvision make you change the password when you first setup the camera? Also why would you have port 8000 open.

fenderman · Mar 3, 2017

Camit said:
Don't hikvision make you change the password when you first setup the camera? Also why would you have port 8000 open.

read the article, this affects devices running older firmware...
Because hikvision uses port 8000 to communicate with hikvision apps..

Trax95008 · Mar 3, 2017

i think it was a rhetorical question. like "who in their right mind would have port 8000 open" anyone who knows what they are doing would forward a different "public" port to 8000

Fruit · Mar 3, 2017

Windows is next...or already happening....someone please stop mirai

Skilled Attacker Develops Advanced Windows Botnet to Spread Infamous Mirai Malware

fenderman · Mar 3, 2017

Trax95008 said:
i think it was a rhetorical question. like "who in their right mind would have port 8000 open" anyone who knows what they are doing would forward a different "public" port to 8000

I don't think so.. Anyone who knows what they're doing won't forward any ports ..

nayr · Mar 4, 2017

changing port numbers does nothing, its very easy to fingerprint services running on any port and with all the bots out there they can scan every IP on the internet and fingerprint every available service and usually versions too without much effort.

Your getting scanned for attack surfaces pretty much the moment your exposed to the internet.. Obfuscation wont help you at all.

hmjgriffon · Mar 4, 2017

In fact there is a program out the that will scan one port on the entire internet in like 5 minutes.

Sent from my Nexus 6P using Tapatalk

hmjgriffon · Mar 4, 2017

GitHub - robertdavidgraham/masscan: TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.

Sent from my Nexus 6P using Tapatalk

Securame · Mar 4, 2017

fenderman said:
There is more to it...based on the article and the comments, it appears (at least for now) that this password change occurred on devices that only have the 8000 server port open....unless you can change the password via ivms(with only the server port open) they must have been doing something else to gain access to the camera.

You can change the password with only the server port (manually can be done from both iVMS-4200 and even iVMS-4500).

For those using password "12345", well, doh... 3 years and a half ago I found an indian company that had 1612 (!!!!) Hikvision devices online with "12345" password, I even wrote an entry on our company blog about it.
Passwords por defecto en un equipo de CCTV: lo que NO hay que hacer - Securamente - El blog de Securame

fenderman · Mar 4, 2017

Securame said:
You can change the password with only the server port (manually can be done from both iVMS-4200 and even iVMS-4500).

For those using password "12345", well, doh... 3 years and a half ago I found an indian company that had 1612 (!!!!) Hikvision devices online with "12345" password, I even wrote an entry on our company blog about it.
Passwords por defecto en un equipo de CCTV: lo que NO hay que hacer - Securamente - El blog de Securame

I no longer have 4500 installed but I don't recall an option to change the password...

Securame · Mar 4, 2017

It has not been there forever, but it surely has been there for a while. It even warns you when adding a device if the password is "insecure".

skeet25 · Mar 5, 2017

What is the exposure for those NVRs that were hacked, and subsequently recovered via an admin password change? Any risk of malicious scripts left behind by the hackers?

fenderman · Mar 5, 2017

skeet25 said:
What is the exposure for those NVRs that were hacked, and subsequently recovered via an admin password change? Any risk of malicious scripts left behind by the hackers?

Doubtful...but there is more to worry about now..
Backdoor found in Hikvision cameras

ttumms123 · Mar 6, 2017

Apart from ports 80,554 and 8000 there is also port 443 opened on my router. Anyone know what is it for? Seems like this is the where the attack came from.

Securame · Mar 7, 2017

ttumms123 said:
Apart from ports 80,554 and 8000 there is also port 443 opened on my router. Anyone know what is it for? Seems like this is the where the attack came from.

That's the HTTPS port.

Search

Hikvision Defaulted Devices Getting Hacked

fenderman

nayr

johnyfalco

n3wb

h_2_o

Young grasshopper

fenderman

Camit

Pulling my weight

fenderman

Trax95008

Getting the hang of it

Fruit

Getting the hang of it

fenderman

nayr

hmjgriffon

Known around here

hmjgriffon

Known around here

Securame

Pulling my weight

fenderman

Securame

Pulling my weight

skeet25

Young grasshopper

fenderman

ttumms123

n3wb

Securame

Pulling my weight