NVR plugged direct into modem... concerns

miceacas

n3wb
Joined
Jul 29, 2018
Messages
25
Reaction score
1
Location
California
Let me preface this with I didn't do this. I didn't have my router set up yet in my new house, and the "security folks" I hired to help get the cameras set up and wired in clearly are not super bright, which I previously did not know. They plugged the new NVR they provided me directly into my modem, which theoretically allowed every single port to be accessible from anyone with prying eyes. We all know how many random attempts port 22 gets on a daily basis; I am just wondering if there are any exploitable vectors into a Hikvision NVR from this sort of situation.

I am by no means a network security pro, but I do know enough to know enough, and what I know tells me this was incredibly stupid and negligent on their part. I don't know what ports these things have open, I don't know what default passwords exist, I don't know what sort of privilege escalation could be used on whatever custom flavor of Linux these boxes run on, nor what avenues for OTA firmware updates exist and if that could be exploited. Point is, I know things can go badly, and I am just wondering if this is a situation where it is now mostly that this box is compromised seeing as it was plugged in like this for about a month (it's a vacation house, I just have not been there in a while). Obviously, no, I am not a high value target. But it just takes one random bot to port scan me, see I am wide open, try a few random known ports and credentials, alert the script kiddie my box is open, and away they go having a fun little Tuesday morning breaking into my box.

Anyways, is there a way to guarantee this didn't happen/assure me it's not possible? Or am I correct, and this was incredibly stupid of the installer and they should provide me a new box?

With that, I am not even sure if via this, somehow they could have tampered with the IP cameras themselves.... they are plugged directly into the NVR.

Anyways, just looking for info.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Check the NVR log to see if there were any interesting entries such as failed or successful logins.
Access is unlikely though as the modem presumably has no DHCP server, so the NVR default IP address will not match your public IP address.
 

miceacas

> Check the NVR log to see if there were any interesting entries such as failed or successful logins.
> Access is unlikely though as the modem presumably has no DHCP server, so the NVR default IP address will not match your public IP address.

I would tend to agree, but after talking to them they did confirm it was working when they left. I am new to these NVRs, I am typically used to needing to open router ports (or set up a VPN which is what I typically do) to be able to view the cams when not on the LAN, but I guess this system uses the Hikvision connect via the iVMS-4500 iPhone app?

This thing is brand new to me, so I could be getting some verbiage wrong. But to the point, they had created an account, a password, told me it was working even though I have no idea how it was working plugged into a modem directly... I agree, I am not sure how it would have gotten connection. What's more fun though, I can't even log into the box when there locally.

I was there last weekend setting things up (LIKE MY ROUTER), I tried to login with the sticky note username and password they left me and that didn't work, hell when I plugged the NVR into my Nest wifi it didn't even pick it up as a device being plugged in; it didn't give it a DHCP-ed IP. And since the credentials didn't work, I couldn't even log in to see wtf network settings were messed with. Maybe they manually input IP info so it would connect?

I know this doesn't make a hell of a lot of sense, honestly I am pretty confused by this entire ordeal. But the fact I can't even log into the box locally with a mouse and monitor, and the fact my router doesn't even see it as being plugged in, and them saying "it worked when we left" and saying it worked on their phone app, just all weird to me.

> Modem, router or modem-router (combo in one unit)?

I believe it is just a modem. Does it have some router functionality if it sees a non-router plugged in? That I am not 100% sure. But it is just a modem from Spectrum. My own router (Nest Wifi) was not set up yet. It is set up now, internet works as expected, except for the NVR not working stated above.
 

alastairstevenson

> What's more fun though, I can't even log into the box when there locally.

Is this via the HDMI/VGA interface, or attempting to reach the NVR web GUI?
Did you reach the NVR web GUI login page?

If you don't already have it ...
SADP will find the NVR over the network, independent of the PC IP address.
 

miceacas

> Is this via the HDMI/VGA interface, or attempting to reach the NVR web GUI?
> Did you reach the NVR web GUI login page?
>
> If you don't already have it ...
> SADP will find the NVR over the network, independent of the PC IP address.

I should have specified, HDMI to monitor.

I don't have SADP, that may be useful.
 

miceacas

Any info on this? It’s a Hikvision CommP NVR. Anyone know what version of Linux these things are based off of? What hardening goes into them? Is there re-writable flash on the boards that could have been compromised?

Supposedly the installer was able to view the camera feed from LTE on his phone after setup. If that’s in fact true, this device was sitting in what is effectively a DMZ. Granted. There was no router... so there “wasn’t a DMZ”, but my point of being wide open to the net stands, which is the concern. Any thoughts?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
> Any info on this? It’s a Hikvision CommP NVR. Anyone know what version of Linux these things are based off of? What hardening goes into them? Is there re-writable flash on the boards that could have been compromised?
>
> Supposedly the installer was able to view the camera feed from LTE on his phone after setup. If that’s in fact true, this device was sitting in what is effectively a DMZ. Granted. There was no router... so there “wasn’t a DMZ”, but my point of being wide open to the net stands, which is the concern. Any thoughts?

He could have been using Hikvision P2P.
 

SamM

Pulling my weight
Joined
Mar 29, 2020
Messages
245
Reaction score
109
Location
SA
Sounds like they set up HikConnect.

What's the model and version of the NVR?
 

miceacas

> He could have been using Hikvision P2P.

What is that?

> Sounds like they set up HikConnect.
>
> What's the model and version of the NVR?

All I currently know is it’s a CommP 8 Port NVR. Also, what’s HikConnect?

Sorry, I have not been hands on since I can’t even log into it when I have physical access, the user account they created for me has no rights to any settings...

Really just trying to determine if there are attack vectors someone could have exploited.
 

SamM

HikConnect is the platform to register your device (using the serial number and your chosen unique code found on the machine); it is Hikvision's cloud service to access the devices without port forwarding. However, any cloud service has inherent risks.

Download the HikConnect app on your mobile and submit the registered account details and the device will be available.

Use the SADP as per @alastairstevenson to access on your local machine using the LAN IP. You will still require the username and password to authenticate to the device.
 

miceacas

> HikConnect is the platform to register your device (using the serial number and your chosen unique code found on the machine); it is Hikvision's cloud service to access the devices without port forwarding. However, any cloud service has inherent risks.
>
> Download the HikConnect app on your mobile and submit the registered account details and the device will be available.
>
> Use the SADP as per @alastairstevenson to access on your local machine using the LAN IP. You will still require the username and password to authenticate to the device.

> If you still can't access it, you need to smack the installers upside the head and have them come back and either fix it, or show you how to login.

I am sure I can get it to work one way or another. But again, trying to understand any possible exploits that could have been, well, exploited. Does anyone know of a way to modify the OS of these boxes, and could that be done via some random default service/admin password on a totally wide open, non-firewalled box?
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
> I am sure I can get it to work one way or another. But again, trying to understand any possible exploits that could have been, well, exploited. Does anyone know of a way to modify the OS of these boxes, and could that be done via some random default service/admin password on a totally wide open, non-firewalled box?

It may well be hacked, if not already, hooked directly to the modem.
 

alastairstevenson

> But again, trying to understand any possible exploits that could have been, well, exploited. Does anyone know of a way to modify the OS of these boxes, and could that be done via some random default service/admin password on a totally wide open, non-firewalled box?

In reality, no-one is going to give you a definitive answer to that question.
We can't guess what may or may not have happened when your NVR had its feet held to the fire.

It's well understood that these embedded Linux systems can have and have had and no doubt will have plenty of security vulnerabilities, some of which have been well exploited. Though it's fair to say it's been mostly cameras as opposed to NVRs.
Just look at the CVEs for Dahua and Hikvision. And don't even think about Xiongmaitech.
And many do not depend on any access credentials.

My suggestion would be to do a precautionary firmware refresh, and when you get round to actually using the device, just block its access to the internet so it can't beacon out.
And maybe hope that the installer company decides to swap it out.

> Does anyone know of a way to modify the OS of these boxes,

Yes, and I've done this lots of times.
Though most have required physical access to the device.
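
One way to check that the "block its access to the internet" advice above is actually holding, as an added example that is not part of the original posts: scan the router's flow log for connections the NVR opens to anything outside the LAN. The log line format, the LAN subnet and the NVR address are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.86.0/24")  # assumed LAN subnet
NVR = ipaddress.ip_address("192.168.86.50")    # assumed static address of the NVR
BROADCASTS = {LAN.broadcast_address, ipaddress.ip_address("255.255.255.255")}

# Constructed sample lines (hypothetical format): time src dst proto dport action
SAMPLE_LOG = """\
2020-06-01T10:00:01 192.168.86.50 192.168.86.20 tcp 554 ACCEPT
2020-06-01T10:00:05 192.168.86.50 239.255.255.250 udp 1900 ACCEPT
2020-06-01T10:00:09 192.168.86.50 203.0.113.10 tcp 443 DROP
2020-06-01T10:00:12 192.168.86.31 198.51.100.7 tcp 443 ACCEPT
2020-06-01T10:01:40 192.168.86.50 198.51.100.7 udp 123 ACCEPT
2020-06-01T10:02:02 192.168.86.50 203.0.113.10 tcp 443 DROP
malformed line
"""


def is_wan_bound(dst):
    """True when traffic to dst has to leave the LAN through the router."""
    return not (dst in LAN or dst.is_multicast or dst in BROADCASTS)


def nvr_egress(log_text):
    """Return (leaked, blocked) Counters keyed by (dst, proto, port)."""
    leaked, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _, src, dst, proto, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        # Only the NVR's own traffic to off-LAN destinations is of interest.
        if src_ip != NVR or not is_wan_bound(dst_ip):
            continue
        (blocked if action == "DROP" else leaked)[(dst, proto, port)] += 1
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = nvr_egress(SAMPLE_LOG)
    for (dst, proto, port), n in sorted(leaked.items()):
        print(f"LEAK  {dst} {proto}/{port} x{n}  (block rule is not catching this)")
    for (dst, proto, port), n in sorted(blocked.items()):
        print(f"drop  {dst} {proto}/{port} x{n}  (NVR is trying to reach out)")
```

Any entry in the first counter means the NVR still has a path out; repeated drops to the same destination show what the device keeps trying to contact.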
 

miceacas

> In reality, no-one is going to give you a definitive answer to that question.
> We can't guess what may or may not have happened when your NVR had its feet held to the fire.
>
> It's well understood that these embedded Linux systems can have and have had and no doubt will have plenty of security vulnerabilities, some of which have been well exploited. Though it's fair to say it's been mostly cameras as opposed to NVRs.
> Just look at the CVEs for Dahua and Hikvision. And don't even think about Xiongmaitech.
> And many do not depend on any access credentials.
>
> My suggestion would be to do a precautionary firmware refresh, and when you get round to actually using the device, just block its access to the internet so it can't beacon out.
> And maybe hope that the installer company decides to swap it out.
>
> Yes, and I've done this lots of times.
> Though most have required physical access to the device.

I agree, there is 0 way to know. I’m just trying to get a sense of the likelihood. If I am told there is relatively 0 known exploits, that would have been one thing. Knowing they are known to have exploits, that’s another.
One of my friends let me know they are known to being hacked into routers although I’m not exactly sure why that would be useful to someone being nefarious. I assume there are no TPM modules in them, so code could be changed/injected and it would have 0 idea or cares.

Also, how could I cut internet to it AND view remotely. No way to do that... unless I go the route of VPN. Hmm. How frustrating. Why couldn’t they have just NOT done this.
 

fenderman

> Also, how could I cut internet to it AND view remotely. No way to do that... unless I go the route of VPN. Hmm. How frustrating. Why couldn’t they have just NOT done this.

You will have to use a VPN regardless. Port forwarding and Hikvision P2P are not secure.
 

miceacas

> You will have to use a VPN regardless. Port forwarding and Hikvision P2P are not secure.

Oh, Hikvision isn’t secure? I mean, obviously any cloud based service has potential issues. But is Hikvision known to not be secure? This is literally all new to me, my other setups are DVRs which I access via r-pi VPN. I asked the installer if I should use a VPN, he said no need.... this is me trying to actually learn what I just bought which I fully appreciate was the wrong way of going about this. I usually research first, but out of haste I just trusted a “security expert”.
 

fenderman

> Oh, Hikvision isn’t secure? I mean, obviously any cloud based service has potential issues. But is Hikvision known to not be secure? This is literally all new to me, my other setups are DVRs which I access via r-pi VPN. I asked the installer if I should use a VPN, he said no need.... this is me trying to actually learn what I just bought which I fully appreciate was the wrong way of going about this. I usually research first, but out of haste I just trusted a “security expert”.

Yes, it is not secure at all. Understand that your installer likely knows less than you do and most of the time they barely have a grasp of IP addresses. Search the forum and Google for Hikvision hacked. This is the same for Dahua and all others. Cannot be trusted. Here is a taste of the latest news from Dahua.
 

miceacas

> Yes, it is not secure at all. Understand that your installer likely knows less than you do and most of the time they barely have a grasp of IP addresses. Search the forum and Google for Hikvision hacked. This is the same for Dahua and all others. Cannot be trusted. Here is a taste of the latest news from Dahua.

Thank you for this, that’s the sort of info I have been looking for. I want to call the installer out, but I don’t like doing that unless I have actual information. If you have any links to Hikvision, that would be helpful. I specifically asked if I should set up a VPN and they said it’s not needed. Like, it’s not at all beyond me, I inquired if I should buy an r-pi as I have already for my other setup, he said no need. Not sure why I listened, but either way the direct to modem issue would have still occurred, which right now is the real issue anyways. I can also set up a VPN later and just not have remote viewing for the short term.

Anyways, if you do have any specific links, I’d love to see them. I will do my own googling as well. I plan to be out there tomorrow and he will either be there or be on the phone with me to “help me fix this”. More info I have the better, I don’t like speaking ignorantly.

Thanks a bunch!
 