Hikvision NVR connecting to Amazon AWS. Why?

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
Here's a strange thing.
I've been exploring my newly-delivered Hikvision 7816N-E2/8P NVR, which has 3.0.8 firmware and is working pretty well, even with non-Hikvision cameras. But that's another story.
Whilst looking around the eLinux I noticed that the system is running a TCP connection out to an Amazon AWS instance (a cloud computing resource).
Now I've seen cameras on boot up check if they have an internet connection by trying a 3-way SYN/ACK handshake with some well-known internet hosts, in the same way as Windows checks if it's internet-connected.
But that's just a transient quick connection / teardown. This has been left connected, as seen via netstat:
tcp 0 0 192.168.1.210:40418 ec2-107-21-50-164.compute-1.amazonaws.com:6800 ESTABLISHED
I haven't yet captured any of the network traffic to see what if anything the NVR is doing.

I thought I'd first ask the community if anyone else has seen this, or looked on their own Hikvision NVR, and has any explanation.
I'm not unduly worried - but it does seem a bit odd.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
Interesting... I don't have a Hik NVR, but keep us posted. Thanks
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
Hi,
Nope, no external access in to my domestic network, fully stealthed, no 'port forwarding' or NATing or UPnP outside the LAN, DDNS on all devices disabled.
I'll do a bit of rewiring so I can sniff the internet traffic on the ISP router whilst keeping the Hikvision NVR on the gigabit ports. There's some camera stream via the ISP router that I'll move off it to save clutter.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
yeah you'll need to sniff the traffic and see what it's communicating, when I telnet ec2-107-21-50-164.compute-1.amazonaws.com 6800 it accepts anything I send and never responds/replies or terminates the connection.. so no idea wth that service is, port 6800 is nothing standard.

could always blacklist that host on your firewall.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
OK, so I sniffed the internet traffic from my DS7816N-E2/8P Hikvision NVR to see what it was doing with the Amazon AWS resource.
This is a sample of the dialogue that's taking place about every 30 secs (I've obscured the serial number):

Hik NVR to Amazon AWS:
?xml version="1.0" encoding="utf-8"?>.<Request>..<DevSerial>xxxxxxx</DevSerial>..<FirmwareVersion>V3.0.8 build 140825</FirmwareVersion>..<Authorization>2b310f02bcea40a5be0b293b6d8eb686</Authorization>..</Request>..6eda4078dbcedbdf8c9bb5105d3af6ac
Amazon AWS to Hik NVR:
?xml version="1.0" encoding="utf-8"?>.<Request>..<DevSerial>xxxxxxx</DevSerial>..<FirmwareVersion>V3.0.8 build 140825</FirmwareVersion>..<Authorization>2b310f02bcea40a5be0b293b6d8eb686</Authorization>..</Request>..6eda4078dbcedbdf8c9bb5105d3af6ac

Now that could be lots of things, and I know from my IT Security background that you cannot take any of these things at face value. Is it a software licence validation? Hard to know. Comments welcome!
It will be interesting to see what if anything happens when I block the traffic.

It will also be interesting to hear if any other Hikvision NVR owners can see the same type of behaviour.
 
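As an added illustration (not code from this thread or from Hikvision), the following parses a capture in the shape shown above, where the sniffer rendered the non-printable separators as '.', and lists which device-identifying fields the message carries; the serial value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed capture modelled on the thread's sample; '.' marks bytes the
# sniffer could not print, and the serial is a placeholder, not a real device.
CAPTURE = (
    '?xml version="1.0" encoding="utf-8"?>.<Request>..<DevSerial>xxxxxxx</DevSerial>'
    '..<FirmwareVersion>V3.0.8 build 140825</FirmwareVersion>'
    '..<Authorization>2b310f02bcea40a5be0b293b6d8eb686</Authorization>'
    '..</Request>..6eda4078dbcedbdf8c9bb5105d3af6ac'
)

# Elements a defender would treat as device-identifying if they leave the LAN.
IDENTIFYING = ("DevSerial", "FirmwareVersion", "Authorization")


def parse_heartbeat(payload):
    """Split one captured message into its XML fields and the trailing 32-hex digest."""
    m = re.search(r"<Request>(.*?)</Request>", payload, re.S)
    if not m:
        return None
    # The '.' placeholders only sit between elements, so dropping them (and any
    # real whitespace found there) leaves well-formed XML for the parser.
    body = re.sub(r"(?<=>)[.\s]+(?=<)", "", m.group(0))
    root = ET.fromstring(body)
    fields = {child.tag: (child.text or "") for child in root}
    tail = payload[m.end():]
    digest = re.search(r"([0-9a-f]{32})\s*$", tail)
    return {"fields": fields, "digest": digest.group(1) if digest else None}


def disclosed_identifiers(payload):
    """Names of identifying elements present in the message, in document order."""
    parsed = parse_heartbeat(payload)
    if parsed is None:
        return []
    return [tag for tag in parsed["fields"] if tag in IDENTIFYING]


if __name__ == "__main__":
    print(parse_heartbeat(CAPTURE))
    print("leaves the LAN:", disclosed_identifiers(CAPTURE))
```

The digest after the XML is reported as-is; the thread does not say how it is computed, so the code makes no attempt to verify it.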

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,676
Reaction score
14,024
Location
USA
I would suspect it is some kind of usage tracking. Companies love tracking their users.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
It's calling home, might be an update check or a cloud NVR framework it's trying to set up even if it's unused.

Blocking it shouldn't have any impact, plenty of people run these offline.. I put my cameras on a separate VLAN and block all internet access.. partly because I do not trust them.
 

khx73

Getting the hang of it
Joined
Jul 8, 2015
Messages
91
Reaction score
34
Location
Canada
Old thread I know.. :rolleyes:

But I just googled "NVR + amazonaws" and this thread was the first link. I was trying to get to the bottom of the same thing @alastairstevenson noticed.

Did you ever figure out any more about this? I have a Swann NVR, which you may as well call a Hikvision, and it's calling out to four different Amazon AWS servers every 40 seconds. UDP packets though, not TCP. Nothing useful visible in a packet sniff.
 

badmop

Getting the hang of it
Joined
Jul 21, 2015
Messages
475
Reaction score
28
I'm also curious, if you can't find out much, contact amazon and see if they can help you with any kind of information. Just a thought.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
I should have updated this thread after I got more info - apologies for any potential confusion. I just forgot, some time had passed.
I was checking out the 7816N-E2/8P NVR 'out of the box', before I made any changes.
What I believe it turned out to be, despite there being no configuration pages in the supplied firmware for enabling or disabling it (at least via the web GUI, not sure about the VGA/HDMI output), was the NVR connecting to the ezviz7.com platform, which is hosted on Amazon AWS.
On the later firmware there are configuration options for the platform access, to select, enable and disable.
By default it should be inactive, unlike on the original firmware.
 

khx73

Getting the hang of it
Joined
Jul 8, 2015
Messages
91
Reaction score
34
Location
Canada
Yeah I've seen that option in cameras directly, but not on this NVR. I'm not holding my breath for a firmware update anytime soon for mine. Anyway, they are staying blocked for the foreseeable future.
Thanks.
 

mbw

n3wb
Joined
May 6, 2017
Messages
3
Reaction score
2
I just noticed this tonight also.

I have some DS-2CD2042WD-I cameras (and several others). I have them setup via my home router (peplink) such that they can only talk to one specific NTP server for time sync, but nothing else outside my network.

(Log example) Denied CONN=lan MAC=00:1a:dd:27:7f:20:a4:14:XX:XX:XX:XX:XX:XX SRC=192.168.1.XX DST=54.173.222.107 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54976 DF PROTO=TCP SPT=50116 DPT=8555 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x2

Wish I could stop it. Why would they need to get updates every couple of seconds on this? Seems like overkill.
 
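Added example (not code from the thread or from any router vendor): a small checker that normalises both line shapes seen in this thread, a netstat row like the one in the first post and a router "Denied" entry like the one above, and flags LAN devices reaching non-LAN hosts on anything other than an allow-listed port. The LAN range, the NTP-only allow-list and the sample lines are assumptions constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples modelled on the thread (addresses and MAC are placeholders).
NETSTAT_SAMPLE = ("tcp 0 0 192.168.1.210:40418 "
                  "ec2-107-21-50-164.compute-1.amazonaws.com:6800 ESTABLISHED")
ROUTER_SAMPLE = ("Denied CONN=lan MAC=00:1a:dd:27:7f:20:a4:14:00:00:00:00:00:00 "
                 "SRC=192.168.1.50 DST=54.173.222.107 LEN=60 TOS=0x00 PREC=0x00 "
                 "TTL=63 ID=54976 DF PROTO=TCP SPT=50116 DPT=8555 WINDOW=14600 "
                 "RES=0x00 SYN URGP=0 MARK=0x2")
NTP_SAMPLE = "udp 0 0 192.168.1.50:48231 162.159.200.1:123"

LAN = ip_network("192.168.1.0/24")          # assumed camera/NVR subnet
ALLOWED = {("udp", 123)}                    # assumed policy: only NTP may leave

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)(?:\s+(?P<state>\S+))?")
ROUTER_RE = re.compile(
    r"^Denied .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)")


def parse_flow(line):
    """Normalise either format into (proto, src, dst, dport), or None if unmatched."""
    m = NETSTAT_RE.match(line) or ROUTER_RE.match(line)
    if not m:
        return None
    return (m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))


def is_unexpected_egress(flow):
    """True when a LAN host reaches a non-LAN destination on a port not in ALLOWED."""
    proto, src, dst, dport = flow
    try:
        dst_external = ip_address(dst) not in LAN
    except ValueError:
        dst_external = True   # netstat already resolved it to a hostname, so not LAN
    return ip_address(src) in LAN and dst_external and (proto, dport) not in ALLOWED


def flag_lines(lines):
    """Return (src, dst, dport) for each line describing an unexpected outbound flow."""
    flagged = []
    for line in lines:
        flow = parse_flow(line)
        if flow and is_unexpected_egress(flow):
            flagged.append((flow[1], flow[2], flow[3]))
    return flagged


if __name__ == "__main__":
    for hit in flag_lines([NETSTAT_SAMPLE, ROUTER_SAMPLE, NTP_SAMPLE]):
        print("unexpected egress:", hit)
```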

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
Wish I could stop it. Why would they need to get updates every couple of seconds on this? Seems like overkill.
Depending on the version of firmware, some settings for external platform access are enabled by default.
If you don't need them, check out the network settings and untick the enable boxes, that should stop the traffic.
 

mbw

n3wb
Joined
May 6, 2017
Messages
3
Reaction score
2
Depending on the version of firmware, some settings for external platform access are enabled by default.
If you don't need them, check out the network settings and untick the enable boxes, that should stop the traffic.
I figured out that it is actually the HikConnect feature trying to connect. I disabled that and I think it's good now. Configuration > Network > Advanced Settings > Platform Access
 