Hikvision security aspects

avarty

SSH

When logging in via SSH, the system of the Hikvision camera (for me: DS-2CD2132-I, V5.2.0, BusyBox v1.19.3) checks only the first eight characters of the password. So if the SSH port of your camera is open to the Internet, I can only advise against it. Basically you should allow only SSH key authentication, which unfortunately is not possible with Hikvision cameras. More about SSH key authentication: https://wiki.archlinux.org/index.php/SSH_keys


HTTPS


Has anyone already managed to replace the TLS key and certificate with a self-generated key and certificate (for instance SHA-512 / RSA 4096 bits)?

What is also problematic in the current 5.2.0 version:
- Vulnerable to "POODLE attack" (SSLv3 should be disabled)
- Vulnerable to "OpenSSL CCS" (CVE-2014-0224) -> EXPLOITABLE
- Several insecure ciphers are supported

You can check SSL/TLS settings of your camera here: https://www.ssllabs.com/ssltest/


RTSP

There are multiple buffer overflow vulnerabilities in the RTSP handling. Meanwhile, there is also a Metasploit exploit module.
https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities
http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities


Solutions?

Allow only access via OpenVPN or OpenSSH.
I can also recommend the use of sshuttle (https://github.com/apenwarr/sshuttle).

It would be nice if we could use the Hikvision web interface behind an Apache or NGINX reverse proxy. That way we could secure access via TLS client certificate authentication. I tested this with Apache, but then unfortunately the web plugin no longer worked.

If someone could help me here, I would appreciate a response.
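
The reverse-proxy idea from the post, sketched as an NGINX server block. This is an added example, not part of the original post and not tested against a Hikvision camera. The hostname, the 192.0.2.10 camera address, the file paths and the private client CA are all placeholders, and it assumes the camera sits on an isolated LAN segment reachable only from the proxy.

```nginx
# Added example: hypothetical hostname, address and file paths throughout.
server {
    listen 443 ssl;
    server_name cam.example.internal;             # placeholder name

    # The proxy's own self-generated key and certificate (placeholder paths).
    # Clients talk TLS to NGINX, never to the camera's built-in HTTPS stack.
    ssl_certificate     /etc/nginx/tls/cam-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/cam-proxy.key;

    # SSLv3 and early TLS are not offered at all.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # TLS client certificate authentication: only certificates issued by
    # this private CA are accepted; requests without one are rejected
    # before anything is forwarded to the camera.
    ssl_client_certificate /etc/nginx/tls/camera-clients-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        # Plain HTTP to the camera over the isolated segment (assumption),
        # so the camera's own TLS implementation is never exposed.
        proxy_pass http://192.0.2.10:80;          # placeholder camera address
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # Long-lived responses from the web interface should not be
        # buffered or cut off early by the proxy.
        proxy_buffering off;
        proxy_read_timeout 300s;
    }
}
```

This block carries only the HTTP web interface; the camera's SSH and RTSP ports are not proxied by it and still have to be kept off the Internet by a firewall or VPN.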