Hikvision RCE Vulnerability

Mike_Larry

n3wb
Joined
Nov 9, 2022
Messages
26
Reaction score
5
Location
London
Hi guys, was doing a lot of reading in IP Cam Talk and found it really helpful and informative. So thank you guys for all the info you’ve been providing. First post on this site so sorry if I got this wrong.

Living in an estate where there’s a lot of drug dealing and break-ins. Initially had some cheap wireless cams but found out they were being jammed so decided to invest in a Hilook NVR and some wired IP cams.

Recently had an issue with the NVR getting rebooted and cams going offline suddenly. Did some research and found out about the big RCE vulnerability issue that happened last year with Hikvision products. Also read that 1 of the ways hackers find out if the device is vulnerable to this RCE bug is by forcing a reboot with some commands. Read that this hack gives them “root shell access” to the devices. Have updated to the latest firmware, which is still old and most likely still vulnerable to the hack.

Just wanted to know what they’re able to do with root shell access to my devices. Can they alter the footage, as my cams are on continuous record, or something along those lines? I know there’s still issues happening at my place but when looking through the footage can’t seem to see anything.

Appreciate your help
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,436
Reaction score
47,560
Location
USA
Once they are in your NVR, they can do pretty much anything with your NVR, including getting into your network. Most of these people are not hacking into the device to watch your video feed - it is for ill intent.

Best thing to do would be to factory reset the device and turn UPnP off in your router, and when you set the NVR back up, turn off UPnP and P2P and do not forward ports to see your NVR.

Set up OpenVPN or some other VPN that puts you back on your system. Many routers have that native to the router.

This is not a paid VPN as that is for illegal streaming and porn.
 

watchful_ip

Pulling my weight
Joined
Nov 24, 2019
Messages
251
Reaction score
226
Location
london
If Hikvision didn't issue new firmware after I reported it to them on 21 June 2021 then it wasn't affected by CVE-2021-36260.


Advice regarding not exposing your devices to the Internet in an insecure way:


Or in other words don't expose your device to direct access from the Internet without additional security measures (like a VPN). That's good advice for any IoT device in general irrespective of the make and model.
 

Mike_Larry

Thanks for the reply guys. Ahh the famous Watchful_ip, been seeing your name a lot recently. It’s an honour chatting to you.

Issue is my NVR model and firmware IS listed on the affected devices list (NVR model is Hilook 104H-D/4P, was initially running on firmware V4.30.055 build 201111 but I recently updated to the latest firmware available on the Hikvision Europe portal, which is V4.30.080 build 210412). So even the latest firmware was created before the vulnerability was found, which leads me to believe my NVR is still vulnerable.

I’m new to all this networking stuff and at the moment I’m having trouble setting up a VPN on my NOWTV router.

What I wanted to know is how much this hack can tamper with my continuous recordings. I’m not seeing any missing sections in my footage timeline but it skips 3-4 seconds here and there. Can the hackers freeze the frame while the time clock keeps going etc?

Appreciate all the help once again
 

watchful_ip

Looks like the model type affected is the (C) variant - (C) link which does show issued updates:

HIKVISION UK PORTAL

Yours might have a matching model name, but if it is not the (C) variant then it is not affected, hence no updated firmware had to be issued for it.

You can also check the firmware portal at hikvision.com, which tends to be updated more frequently. But the product is likely EOL (end of life) so doesn't get updates unless for something serious like CVE-2021-36260.

Or check at the Europe version which seems to have a lot more to choose from:


If someone has information that conflicts with what I've said please chime in - I don't have any HiLook kit.
 

Mike_Larry

Just noticed something weird going through my NVR log. Seems like an unknown remote IP access to my device. I think the time setting has been changed from what I remember used to be Google. Now the system syncs time to this new setting every now and again. Any ideas please?
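
One way to triage an exported log for the kind of entries described in the post above, as an added example that is not part of the original post. The attachment is not on the page, so the log layout, the `triage` helper and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in an assumed "time | type | action | source" layout;
# a real NVR log export will differ and the parsing must be adapted to it.
SAMPLE_LOG = """\
2022-11-20 02:14:07 | Operation | Remote: Login | 192.168.1.23
2022-11-20 03:41:52 | Operation | Remote: Login | 203.0.113.77
2022-11-20 03:42:10 | Operation | Remote: Configure Parameters (NTP) | 203.0.113.77
2022-11-20 03:43:01 | Operation | Remote: Reboot | 203.0.113.77
2022-11-20 09:05:33 | Operation | Local: Login | -
"""

# RFC 1918 ranges listed explicitly: ipaddress.is_private is also True for
# documentation and other special-purpose ranges, so it is not used here.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Actions that change settings or restart the recorder (assumed wording).
SENSITIVE = re.compile(r"configure|reboot|upgrade|ntp", re.IGNORECASE)

def is_lan(addr):
    """True when the address belongs to one of the home-LAN ranges."""
    return any(addr in net for net in LAN_NETS)

def triage(log_text):
    """Return (timestamp, source, action, reason) for events from outside the LAN."""
    findings = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # line does not match the assumed layout
        stamp, _kind, action, source = parts
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            continue  # local console events carry no source address
        if is_lan(addr):
            continue
        if SENSITIVE.search(action):
            reason = "settings or power change from the internet"
        else:
            reason = "access from the internet"
        findings.append((stamp, source, action, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

Any finding means the recorder is reachable from outside the LAN, which is the exposure the replies in this thread advise closing with UPnP off, no port forwards and a VPN.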
 


Mike_Larry

Hi, really sorry to disturb you mate. I was wondering, if I was to provide you my NVR external IP address, would you be able to check if the device is vulnerable to this RCE bug? Have been trying to use the Bashis POC tool but having trouble using Python, keep getting error messages while trying to execute commands. Would help me to sleep better at night.
 

Mike_Larry

Hi guys, was wondering, if I was to provide you guys my NVR external IP address, would you be able to check if the device is vulnerable to this RCE bug? Have been trying to use the Bashis POC tool but having trouble using Python, keep getting error messages while trying to execute commands. Would help me to sleep better at night.
 

Mike_Larry

Hi guys, I’ve recently purchased some Hilook/Hikvision products. Was having issues with my previous WiFi camera setup in our estate with people jamming the cameras. Having issues with my new Hikvision products, which has led me to believe my devices are being hacked.

Are there any tools out there which I can use to test my devices for the vulnerability? Even better still, if I was to provide the IP addresses, is there anyone who can test the devices for me, as I’m very new to this whole networking stuff? Am willing to pay for the service.

If no one is available to do this maybe they know someone who can. Would be grateful if they could pass on the contact details.

Appreciate the help. Thanks
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
> Have been trying to use the Bashis POC tool but having trouble using Python, keep getting error messages while trying to execute commands.

Not much to go on here ...
We could help more if you showed the command that you used and the error message that was returned.
 

alastairstevenson

> Are there any tools out there which i can use to test my devices for the vulnerability.

If you are deliberately exposing your device to the entire internet by using port forwarding on your router, there's a good chance the device, and potentially the other devices and data on your LAN, are at risk of being compromised either now or in the future.

Check this out for some good advice:

And there are numerous threads with members' experiences in setting up a VPN as a much more secure method of external access.
 

Mike_Larry

Thanks. Can anyone recommend me a more secure CCTV system than HIKVISION? Seems like they have too many security issues.
 

wittaj

EVERY camera manufacturer with a system connected to the internet has been hacked, including high end Axis. Swapping out Hikvision for someone else is just switching one unknown for another. Best practice is to not give them internet access, regardless of who makes it.

If you set up VPN you reduce the risk tremendously.
 

Mike_Larry

> EVERY camera manufacturer with a system connected to the internet has been hacked, including high end Axis. Swapping out Hikvision for someone else is just switching one unknown for another. Best practice is to not give them internet access, regardless of who makes it.
>
> If you set up VPN you reduce the risk tremendously.

Thanks Wittaj. Really appreciate all the help you’ve been providing. But need to pick your genius networking brain again if I may.

I know you recommended an Asus router but as they’re a little bit expensive I’ve decided to buy a TP-Link Archer router which also has built-in VPN capabilities.

Wanted to know if I could have 2 routers at my property and connect the NVR via ethernet to the TP-Link router and just keep the NowTV router for everything else. Would that work?
 

wittaj

That is possible. Do a search here for ISP provided router and how folks have gone about doing that where they are forced to use the ISP provided router. You might have to put yours in bridge mode.
 

Mike_Larry

> That is possible. Do a search here for ISP provided router and how folks have gone about doing that where they are forced to use the ISP provided router. You might have to put yours in bridge mode.

If I bridge the TP-Link and have the old router as primary, will the setup for the NVR still be secure? Will the VPN still be effective?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Typically, you'd do it the other way - bridge the ISP router, use the TP-Link for your VPN.

The bridging permits the connection to your ISP in the way that it wants and just passes everything through to your router.
 

Mike_Larry

> Not much to go on here ...
> We could help more if you showed the command that you used and the error message that was returned.

Ah sorry Alastair, completely missed this post. I tried typing the following into Python (never used Python before). This is taken from the Bashis PoC tool on GitHub:

[Examples]
Safe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check
 

alastairstevenson

OK -
That would imply you've customised the HTTP port to 8080 from 80.
If not - the check will fail.

And it would also imply that the device coincidentally has the same IP address as @bashis used in an example.
If not - the check will fail.

Suggestion:
Re-try with the actual values of your device so that you get a real result.
 