HOA demanding Hikvision NVR replaced with Milestone, Seriously?

EOppie

Mar 23, 2014
I got word that a 15k unexpected expense for our HOA was coming to a meeting for approval tomorrow to replace an existing Hikvision NVR with Milestone. The reason they cited was "security concerns" and I will ask them to elaborate at the meeting. I received a copy of the quote, and was a bit blown away.

Vendor will provide the labor to replace the existing HikVision NVR. We will furnish and install (3) Axis 2MP fixed dome cameras with IR to replace the (3) existing analog cameras on the system. We will also furnish and install (2) new network switches with PoE and (1) new 8TB server to be mounted on the customer-provided rack. Our proposal also includes (10) surge protectors to be installed on any existing outdoor camera; left-over surge protectors will be provided to the customer for future use. Customer is to provide TeamViewer credentials and device passwords for setup. Should the passwords not be provided, a change order will be submitted for the additional labor hours required to default all the camera passwords in order to program them to the new server.

Also included in this quote:
  • 1 new XProtect Express+ base license (supports up to 48 cameras, single server)
  • 31 new camera licenses (optional, price not included)
  • 1 year of Care Plus software maintenance ($434.00 per year)
Their cost is $14,060.00. The majority of the system is using existing Hikvision cameras, and they do not detail out what NVR they will use.

Am I wrong in thinking this line of thinking is absurd? If they are worried about the Hikvision NVR being hacked or spied on, secure it.

Couldn't this be solved by:
  • Isolate all network cameras using Virtual LANs (VLANs)
  • Disable UPnP
  • Disable P2P
  • Disable anonymous visit
  • Disable SSH
 

Hi @EOppie

I'd also add a strong firewall to the mix .. indeed a good IT sec pro can do a great job limiting any Hikvision or other IoT / Internet connected issues.

HOAs - from what I have been reading, a lot really depends on the quality of the people and their sensibilities running the HOA. Some HOA leaders are great.. and others are absolutely horrible.

If you are a part of that HOA, I would propose an alternative solution which costs less .. and they can pick between the 2.
 

Thank you for the quick response. The recommendation is coming from the result of an investigation by another member of the community, which I think our management company is taking his word on since this isn't in their wheelhouse. I understand the news surrounding Hikvision can seem scary, but some basic IT security should be able to resolve their concerns in my opinion, though I am not an expert. This isn't a large-scale government operation, it's a clubhouse with a pool and activity room.

My alternate proposal would be hiring an IT consultant to come in and secure the existing equipment, there isn't anything wrong with the system other than wanting to replace a few analog cameras with IP, which could still be done by a vendor.
 

fwiw - easiest solution is to disconnect it from the internet...
 
Seems like a lot of $$$ for a pool. In the quote it says something about replacing "analog" cameras. Is this an older analog system? Do you know what the specs are for the old system?

I have a few clients who are still running ten-year-old Dahua systems. Needless to say, as far as security issues go, I took them off the Internet years ago, as support for them has long expired and there is no way to patch them to today's standards. There is NO way, in the best of circumstances, I would put them back on. What I see trending and driving these things are insurance companies that have cyber security policies. Two times this year I had to deal with them, and if I want to keep my clients they are requiring that I also carry a million dollar policy, so basically if the IT people do not have it, they will not insure the client. They actually send people out to evaluate the in-house IT setup, and if they see older or dated equipment that is prone to security breaches, it has to go or they do not get insured. Even if I would or could patch the older system with a VPN or put it on a VLAN to somewhat secure it, knowing that that piece of hardware is deemed a security risk, I would not, knowing that if something did happen they would be coming for me.

Most likely not your case, but if they are worried about security over the Internet, you could do this: see if your ISP (I have Spectrum) will upgrade your system so the NVR has its own public IP address. I think the last time I had to do that it was an extra $40 a month for what they called a 5 block (5 static IPs). I isolated the NVR from the main network and used a simple router-based VPN so the client could view his cameras from home and on his phone. In that case it was their credit card company that was squawking about the NVR being on the network. Hope this helps a little, not knowing all the reasons for the upgrade.
 
Sounds like a member in your community is drinking the kool-aid.

Hacking vulnerabilities are the same regardless of who makes the cameras...or any IoT for that matter...and that is why most of us here isolate our cameras from the internet...it's just irony that they are surveillance cameras...it flows better saying security cameras are not very secure but many here do not consider them security cameras as they are for surveillance!

And our wonderful government decided to ban Hik and Dahua from government installations due to being partly owned by the Chinese government...yet fails to recognize that the real problem is the cameras can be breached and then exploited, just as with other manufacturers' cameras, because they failed to isolate them from the internet. End result is people/governments that shouldn't see the camera feeds are now seeing them...

Yep, instead of our government forbidding agencies from using Chinese-brand cameras like Dahua and Hikvision because they could be used by the Chinese government to spy on us, they should have been looking at what the real issue is, and that issue will be the same regardless of who makes a camera. You need to get the cameras off the internet, period.
 
Stupid expensive

We have 7 cameras for our little HOA, on two poles at opposite ends of the street, with 2 NVRs recording them, connected via VPN. Including the 2 NEMA boxes and two 14ft poles. Total with electrician costs was around $15k.
Granted this was in 2016 and I’ve since upgraded the shitty Axis cams to Dahua at 1/3 the price.

I’m not a pro installer so take it for what it is, but sounds to me like $5000-6000 of overpriced equipment and $8-10K worth of overpriced install/consulting

Without seeing it, and assuming Ethernet cable exists (no mention of pulling cable), you should be able to install a better system with more cameras for 1/2 the money.
 
Question:

They want to replace only the NVR and leave all Hikvision cameras in place??

Is this a joke?

Correct, this is what is ridiculous to me. The majority of the cameras are IP-based. There are only two cameras that are analog that they want to update.

The rest of the cameras are all less than 3 years old, and to my knowledge are all working.
 
I already see their arguments... they will say that it's no problem, because their mileshit NVR has a separate LAN for the cameras, so they will not be able to talk over the internet...

Then you will say... why not just disable internet on the Hikvision NVR..

and they:

[image]
 
So does a PoE NVR. Cameras are assigned to a separate subnet than the NVR. Protect the NVR and you don’t need to worry much about the cameras.
 
And what prevents your terrorist China cameras from using undiscovered exploits on your mileshit NVR and talking to the internet?

I don't see the point in saying Hikvision NVR = bad, security issues... Hikvision camera = can stay, because no risk..

If you have these concerns about Chinese government companies, then you have to go full Axis...
but it will not prevent the Chinese/Russian government from knowing/finding unknown backdoors in Axis systems and using them...

If you have enough money you will find a door in any device that is connected to the internet. There must be backdoors implemented because Axis is a Five Eyes friend...


And this thread is the reason why HOAs should be avoided. You will always have a guy who is stupid, reads too much IPVM / CNN /... and will drain your life energy/money.
 
The worst offenders are the low-budget no-name Chinesium IP cameras simply plopped onto someone's home network. Their firmware often contains hard-coded lists of well-known DNS servers to use when the DNS and IP gateway settings fail to gain Internet access. These are the worst-case scenario. IP cameras connected to an NVR present significantly less risk because they cannot reach beyond the NVR's built-in network switch and subnet. As others have already suggested, block internet access to/from the NVR, and the cameras are very effectively cut off.

Now, if you have a suspect NVR, then first document what it's doing wrong. Record the WAN activity, document it, and disable those connections at the router/firewall. Then repeat until there are no more WAN requests reaching outside the LAN.

"But, but!! We want remote access from our phones." Then provide OpenVPN access into the LAN. Either use OpenVPN built into the router (good) or setup a separate OpenVPN server on either a Raspberry Pi or other device (better). But by no means, ever open or redirect network ports to/from the NVR, without DOCUMENTING what is done. Too many people "just want all this to work" but also "I don't want to know about any of that stuff". Too bad, so sad. If you want the convenience, you perform the DUE DILIGENCE and DOCUMENT IT so anyone and everyone knows exactly what's possible and what's not.
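The audit loop described above (log the NVR's WAN traffic, document it, block it at the router, repeat) together with the VLAN/firewall isolation proposed in the first post, as an added worked example; this is not code from anyone in this thread. It assumes a hypothetical layout: the NVR at 192.168.50.10 on its own VLAN, 192.168.0.0/16 as the internal range, a WAN interface named wan0, and router logs in the Linux kernel key=value style. The log lines are constructed, and the public addresses in them are RFC 5737 documentation addresses, not any vendor's servers.

```python
"""Audit a CCTV NVR's outbound connections from router firewall logs and turn
what was seen into documented nftables drop rules.

Added example for this thread, not code from any poster. Assumptions (all
hypothetical): the NVR is 192.168.50.10 on its own VLAN, everything in
192.168.0.0/16 is "the LAN", the router logs forwarded packets in the
iptables/nftables kernel-log key=value style, and the WAN interface is wan0.
"""
import ipaddress
import re
from collections import Counter

NVR_IP = ipaddress.ip_address("192.168.50.10")   # assumed NVR address
LAN = ipaddress.ip_network("192.168.0.0/16")     # assumed internal range
WAN_IF = "wan0"                                   # assumed WAN interface name

# Constructed sample log: forwarded packets the router logged after a
# "log everything from the NVR" rule was added. Public addresses are
# RFC 5737 documentation addresses, not real CCTV vendor hosts.
SAMPLE_LOG = """\
Mar 23 10:01:02 rtr kernel: [FWD] IN=vlan50 OUT=lan0 SRC=192.168.50.10 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=554
Mar 23 10:01:05 rtr kernel: [FWD] IN=vlan50 OUT=wan0 SRC=192.168.50.10 DST=203.0.113.45 PROTO=UDP SPT=40001 DPT=8000
Mar 23 10:01:05 rtr kernel: [FWD] IN=vlan50 OUT=wan0 SRC=192.168.50.10 DST=203.0.113.45 PROTO=UDP SPT=40001 DPT=8000
Mar 23 10:01:09 rtr kernel: [FWD] IN=vlan50 OUT=wan0 SRC=192.168.50.10 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=443
Mar 23 10:01:31 rtr kernel: [FWD] IN=vlan50 OUT=wan0 SRC=192.168.50.10 DST=192.0.2.123 PROTO=UDP SPT=123 DPT=123
Mar 23 10:02:00 rtr kernel: [FWD] IN=lan0 OUT=wan0 SRC=192.168.1.55 DST=198.51.100.7 PROTO=TCP SPT=44000 DPT=443
Mar 23 10:02:14 rtr kernel: [FWD] IN=vlan50 OUT=wan0 SRC=192.168.50.10 DST=203.0.113.45 PROTO=UDP SPT=40001 DPT=8000
Mar 23 10:02:20 rtr kernel: [FWD] IN=vlan50 OUT=wan0 SRC=192.168.50.10 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
garbage line that should be ignored
"""

_KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one log line, or None if it has no SRC/DST."""
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def nvr_wan_flows(log_text, nvr_ip=NVR_IP, lan=LAN):
    """Count (dst, proto, dport) tuples for packets the NVR sent outside the LAN.
    dport is None for protocols without ports (ICMP). LAN-internal traffic
    (NVR to cameras, NVR to a viewing PC) is not a WAN request and is skipped."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if src != nvr_ip or dst in lan:
            continue
        flows[(str(dst), f.get("PROTO", "?").lower(), f.get("DPT"))] += 1
    return flows


def nft_rules(flows, nvr_ip=NVR_IP, wan_if=WAN_IF):
    """Render forward-chain rules: one documented drop per observed flow (most
    frequent first), then a logged catch-all so anything new shows up in the
    next audit round instead of silently getting out."""
    rules = []
    ordered = sorted(flows.items(),
                     key=lambda kv: (-kv[1], kv[0][0], kv[0][1], kv[0][2] or ""))
    for (dst, proto, dport), n in ordered:
        match = f"ip saddr {nvr_ip} ip daddr {dst}"
        if dport is not None:
            match += f" {proto} dport {dport}"
        elif proto != "?":
            match += f" ip protocol {proto}"
        rules.append(f'{match} counter drop comment "NVR->WAN audit: seen {n}x"')
    rules.append(f'ip saddr {nvr_ip} oifname "{wan_if}" counter log prefix "NVR-WAN " drop')
    return rules


def ruleset(log_text):
    """Complete nft ruleset as text; review it, then load with `nft -f`.
    The established,related rule keeps replies to inbound VPN viewers working
    without any port forward to the NVR."""
    rules = nft_rules(nvr_wan_flows(log_text))
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet cctv {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        "        ct state established,related accept\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(ruleset(SAMPLE_LOG))
```

Run it against the router's real log export, read the generated rules (each carries a comment saying what was seen and how often, which is the documentation the post asks for), then load them. The final catch-all logs and drops whatever the NVR still tries to send out, and that log is the input for the next round. Because inbound VPN viewers initiate the connection, the NVR's replies match established,related and remote viewing keeps working with nothing forwarded to the NVR.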
 
I mean.... I know HOAs like to keep secrets that, if they got out, would be sure blackmail or cause an uprising to destabilize the board! A hacked NVR showing trees blowing in the wind and parking lots full of cars would bring about a new Dark Age.
But I'd like to know more about that Milestone vendor salesman. Probably sells used cars on the side with the "hikvision evil, milestone good" pitch.
 
Def absurd. It's funny how everyone is freaking out over Hikvision, as if the routers, firewalls, phones, computers, networking equipment all isn't made in China. I got news for you, they can get into any network or camera they want.
 
And therein lies the problem that our government doesn't realize with these bans LOL - what good is it if the outer shell, bracket, support, etc. is made in the USA but the actual chip parts and inner workings, you know the parts that can actually be coded to phone home, is not made in the USA...
 
Any CCTV system should be isolated from the internet. It doesn't matter if it is Chinese manufactured or not. That should be the #1 argument you make. Therefore any efforts to "secure" the existing system should revolve around this fact. Odds are there are already adequate solutions in place (firewall/router) that could be tweaked to prevent the cameras from having internet access (like all the things you mentioned in the first post), but perhaps it is time to invest in a good quality firewall with VPN support. There is certainly no need to replace existing CCTV equipment in the name of "security". This is a total scam from the CCTV company trying to prey on the uninformed. They want to make a sale and "security" is currently the magic word that gets everyone on board.

If in this process, the HOA feels that it is time to replace and upgrade the analog cameras/system in place, then that is a different story. However, if they are happy with the current coverage/results then there is no need to spend 14k for "security". I sure as hell wouldn't use this vendor for any of it either, given the predatory sales tactics they have already shown. Hopefully there is a reputable and trustworthy vendor in your area. If not I would DIY install before I used this vendor.
 
I should also say that I understand the Government's ban. At first I felt that it is an admission that their IT people are worthless and don't know how to set up a secure network. But the truth is that the Chinese government will go to extreme lengths/expense to hack US Government systems and it isn't too far of a stretch to believe they have (or could) installed all kinds of shit capable of doing that on CCTV cameras (and everything else network related too), internet access or not. I think back to the hacking of the Iranian centrifuges a few years back. That facility didn't have internet access, yet the worm/virus got in from the outside via an infected laptop. A newly installed CCTV camera could easily be the carrier for such a focused attack. I believe it is this type of attack the US Government is trying to prevent and it is easier and safer to ban these items from Government facilities because they know the Chinese wouldn't hesitate to use something like CCTV cameras as a trojan horse to accomplish this type of attack.

The Chinese are not going to use the same extreme measures/expense to hack "John Q Public", US citizen, however. Long story short, these potential exploits aren't something the average user needs to worry about if they simply take the basic precaution of insulating their CCTV system from the internet which again should be done on every CCTV system, Chinese made or not. Of course if you (or your HOA in this case) have nuclear centrifuges or something else that enticing to a foreign power, maybe you should consider your own ban on Chinese CCTV and network equipment. ;)
 
I always ask myself...

WHY?! There are lots of people hiding the webcam on their laptops (but not on their phones LOL), talking about Hikvision/Dahua/Huawei... I mean... why would China need so much information about zeros worldwide?
So they're watching my favorite porn? Watching me watching my favorite porn? Reading my spam emails about Viagra, Nigerian relatives...? Watching my trees doing nothing? What do they do with all the data?

The only concern I have... they can attack other countries and turn off all their stuff beforehand, so everything collapses and it's a second blitzkrieg.