NVR plugged direct into modem... concerns

M

miceacas

n3wb
Jul 29, 2018
25
1
California
Let me preface this with I didn't do this. I didn't have my router set up yet in my new house, and the "security folks" I hired to help get the cameras set up and wired in clearly are not super bright which I previously did not know. They plugged the new NVR they provided me directly into my modem, which theoretically allowed every single port to be accessible from anyone with prying eyes. We all know how many random attempts at port 22 gets on a daily basis, I am just wondering if there are any exploitable vectors into a hikvision NVR from this sort of situation.

I am by no means a network security pro, but I do know enough to know enough, and what I know tells me this was incredibly stupid and negligent on their part. I don't know what ports these things have open, I don't know what default passwords exist, I don't know what sort of privilege escalation could be used on whatever custom flavor of linux these box's run on, nor what avenues there are for OTA firmware updates exist and if that could be exploited. Point is, I know things can go badly, and I am just wondering if this is a situation where it is now mostly that this box is compromised seeing as it was plugged in like this for about a month (its a vacation house, I just have not been there in a while). Obviously, no, I am not a high value target. But it just takes one random bot to port scan me, see I am wide open, try a few random known ports and credentials, alert the script kiddie my box is open, and away they go having a fun little Tuesday morning breaking into my box.

Anyways, is there a way to guarantee this didn't happen/assure me its not possible. Or and I correct, and this was incredibly stupid of the installer and they should provide me a new box?

With that, I am not even sure if via this, somehow they could have tampered with the IP cameras themselves.... they are plugged directly into the NVR.

Anyways, just looking for info.
 
Check the NVR log to see if there were any interesting entries such as failed or successful logins.
Access is unlikely though as the modem presumably has no DHCP server, so the NVR default IP address will not match your public IP address.
 
  • Like
Reactions: fenderman
miceacas said:
They plugged the new NVR they provided me directly into my modem,.....
Click to expand...
Modem, router or modem-router (combo in one unit) ?
 
alastairstevenson said:
Check the NVR log to see if there were any interesting entries such as failed or successful logins.
Access is unlikely though as the modem presumably has no DHCP server, so the NVR default IP address will not match your public IP address.
Click to expand...

I would tend to agree, but after talking to them they did confirm it was working when they left. I am new to these NVR's, I am typically used to needed to open router ports (or set up a VPN which is what I typically do) to be able to view the cams when not on the LAN, but I guess this system uses the hikvision connect via the iVMS-4500 iphone app?

This thing is brand new to me, so I could be getting some verbiage wrong. But to the point, they had created an account, a password, told me it was working even though I have no idea how it was working plugged into a modem directly... I agree, I am not sure how it would have gotten connection. Whats more fun though, I can't even log into the box when there locally.

I was there last weekend settings things up (LIKE MY ROUTER), I tried to login with the sticky note username and password they left me and that didn't work, hell when I plugged the NVR into my Nest wifi it didn't even pick it up as a device being plugged in; it didn't give it a DHCP-ed IP. And since the credentials didn't work, I couldn't even log in to see wtf network settings were messed with. Maybe the manually input IP info so it would connect?

I know this doesn't make a hell of a lot of sense, honestly I am pretty confused by this entire ordeal. But the fact I can't even log into the box locally with a mouse and monitor, and the fact my router doesn't even see it as being plugged in, and them saying "it worked when we left" and saying it worked on their phone app, just all weird to me.

TonyR said:
Modem, router or modem-router (combo in one unit) ?
Click to expand...

I believe it is just a modem. Does it have some router functionality if it sees a non-router plugged in? That I am not 100% sure. But it is just a modem from Spectrum. My own router (Nest Wifi) was not set up yet. It is set up now, internet works as expected, except fort the NVR not working stated above.
 
miceacas said:
Whats more fun though, I can't even log into the box when there locally.
Click to expand...
is this via the HDMI/VGA interface, or attempting to reach the NVR web GUI?
Did you reach the NVR web GUI login page?

If you don't already have it ...
SADP will find the NVR over the network, independent of the PC IP address.

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.
ipcamtalk.com ipcamtalk.com
 
alastairstevenson said:
is this via the HDMI/VGA interface, or attempting to reach the NVR web GUI?
Did you reach the NVR web GUI login page?

If you don't already have it ...
SADP will find the NVR over the network, independent of the PC IP address.

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.
ipcamtalk.com ipcamtalk.com
Click to expand...
I should have specified, HDMI to monitor.

I don't have SADP, that may be useful.
 
Any info on this? It’s a Hikvision CommP NVR. Anyone know what version of Linux these things are based off of? What hardening goes into them? Is there re-writable flash on the boards that could have been compromised?

Supposedly the installer was able to view the camera feed from LTE on his phone after setup. If that’s in fact true, this device was sitting in what is effectively a DMZ. Granted. There was no router... so there “wasn’t a DMZ”, but my point of being wide open to the net stands, which is the concern. Any thoughts?
 
miceacas said:
Any info on this? It’s a Hikvision CommP NVR. Anyone know what version of Linux these things are based off of? What hardening goes into them? Is there re-writable flash on the boards that could have been compromised?

Supposedly the installer was able to view the camera feed from LTE on his phone after setup. If that’s in fact true, this device was sitting in what is effectively a DMZ. Granted. There was no router... so there “wasn’t a DMZ”, but my point of being wide open to the net stands, which is the concern. Any thoughts?
Click to expand...
He could have been using hikvision p2p.
 
Sounds like they setup HikConnect.

Whats the model and version of the NVR?
 
fenderman said:
He could have been using hikvision p2p.
Click to expand...

What is that?
SamM said:
Sounds like they setup HikConnect.

Whats the model and version of the NVR?
Click to expand...
All I currently know is it’s a CommP 8 Port NVR. Also, what’s HikConnect?

Sorry, I have not been hands on since I can’t even log into it when I have physical access, the user account they created me has no rights to any settings...

Really just trying to determine if there are attack vectors someone could have exploited.
 
HikConnect is the platform to register your device (using the serial number and your chosen unique code found on the machine), Hikvision's cloud service to access the devices without port forwarding, however any cloud service has inherent risks.

Download the HikConnect app on your mobile and submit the registered account details and the device will be available.

Use the SADP as per @alastairstevenson to access on your local machine using the LAN IP. You will still require the username and password to authenticate to the device.
 
SamM said:
HikConnect is the platform to register your device (using the serial number and your chosen unique code found on the machine), Hikvision's cloud service to access the devices without port forwarding, however any cloud service has inherent risks.

Download the HikConnect app on your mobile and submit the registered account details and the device will be available.

Use the SADP as per @alastairstevenson to access on your local machine using the LAN IP. You will still require the username and password to authenticate to the device.
Click to expand...
looney2ns said:
If you still can't access it, you need to smack the installers upside the head and have them come back and either fix it, or show you how to login.
Click to expand...

I am sure I can get it to work one way or another. But again, trying to understand any possible exploits that could have been, well, exploited. Does anyone know of a way to modify the OS of these boxes, and could that be done via some random default service/admin password on a totally wide open, non-fire walled box?
 
miceacas said:
I am sure I can get it to work one way or another. But again, trying to understand any possible exploits that could have been, well, exploited. Does anyone know of a way to modify the OS of these boxes, and could that be done via some random default service/admin password on a totally wide open, non-fire walled box?
Click to expand...
It may well be hacked, if not already, hooked directly to the modem.
 
miceacas said:
But again, trying to understand any possible exploits that could have been, well, exploited. Does anyone know of a way to modify the OS of these boxes, and could that be done via some random default service/admin password on a totally wide open, non-fire walled box?
Click to expand...
In reality, no-one is going to give you a definitive answer to that question.
We can't guess what may or may not have happened when your NVR had its feet held to the fire.

It's well understood that these embedded Linux systems can have and have had and no doubt will have plenty of security vulnerabilities, some of which have been well exploited. Though it's fair to say it's been mostly cameras as opposed to NVRs.
Just look at the CVEs for Dahua and Hikvision. And don't even think about Xiongmaitech.
And many do not depend on any access credentials.

My suggestion would be to do a precautionary firmware refresh, and when you get round to actually using the device, just block it's access to the internet so it can't beacon out.
And maybe hope that the installer company decides to swap it out.

miceacas said:
Does anyone know of a way to modify the OS of these boxes,
Click to expand...
Yes, and I've done this lots of times.
Though most have required physical access to the device.
 
  • Like
Reactions: fenderman
alastairstevenson said:
In reality, no-one is going to give you a definitive answer to that question.
We can't guess what may or may not have happened when your NVR had its feet held to the fire.

It's well understood that these embedded Linux systems can have and have had and no doubt will have plenty of security vulnerabilities, some of which have been well exploited. Though it's fair to say it's been mostly cameras as opposed to NVRs.
Just look at the CVEs for Dahua and Hikvision. And don't even think about Xiongmaitech.
And many do not depend on any access credentials.

My suggestion would be to do a precautionary firmware refresh, and when you get round to actually using the device, just block it's access to the internet so it can't beacon out.
And maybe hope that the installer company decides to swap it out.


Yes, and I've done this lots of times.
Though most have required physical access to the device.
Click to expand...
I agree, there is 0 way to know. I’m just trying to get a sense of the likelihood. If I am told there is relatively 0 known exploits, that would have been one thing. Knowing they are known to have exploits, that’s another.
One of my friends let me know they are known to being hacked into routers although I’m not exactly sure why that would be useful to someone being nefarious. I assume there is no TPM modules in them, so code could be changed/injected and it would have 0 idea or cares.

Also, how could I cut internet to it AND view remotely. No way to do that... unless I go the route of vpn. Hmm. How frustrating. Why couldn’t they have just NOT done this.
 
miceacas said:
Also, how could I cut internet to it AND view remotely. No way to do that... unless I go the route of vpn. Hmm. How frustrating. Why couldn’t they have just NOT done this.
Click to expand...
You will have to use a vpn regardless. Port forwarding and hikvision p2p are not secure.
 
fenderman said:
You will have to use a vpn regardless. Port forwarding and hikvision p2p are not secure.
Click to expand...
Oh, hikvision isn’t secure? I mean, obviously any cloud basted service has potential issues. But is hikvision known to not be secure? This is literally all new to me, my other setups are DVR’s which I access via r-pi VPN. I asked the installer if I should use a VPN, he said no need.... this is me trying to actually learn what I just bought which I fully appreciate was the wrong way of going about this. I usually research first, but out of haste I just trusted a “security expert”.
 
miceacas said:
Oh, hikvision isn’t secure? I mean, obviously any cloud basted service has potential issues. But is hikvision known to not be secure? This is literally all new to me, my other setups are DVR’s which I access via r-pi VPN. I asked the installer if I should use a VPN, he said no need.... this is me trying to actually learn what I just bought which I fully appreciate was the wrong way of going about this. I usually research first, but out of haste I just trusted a “security expert”.
Click to expand...
Yes is not secure at all. Understand that your installer likely knows less then you do and most of the time they barely have a grasp of ip addresses. Search the forum and google for hikvision hacked. This is the same for dahua and all others. Cannot be trusted. Here is a taste of the latest news from dahua.

Bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials

https://github.com/mcw0/PoC/blob/master/Dahua-3DES-IMOU-PoC.py @bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials 1. Dahua DES/3DES (broken) authentication implementation and PSK 2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM...
ipcamtalk.com ipcamtalk.com
 
  • Like
Reactions: looney2ns
fenderman said:
Yes is not secure at all. Understand that your installer likely knows less then you do and most of the time they barely have a grasp of ip addresses. Search the forum and google for hikvision hacked. This is the same for dahua and all others. Cannot be trusted. Here is a taste of the latest news from dahua.

Bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials

https://github.com/mcw0/PoC/blob/master/Dahua-3DES-IMOU-PoC.py @bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials 1. Dahua DES/3DES (broken) authentication implementation and PSK 2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM...
ipcamtalk.com ipcamtalk.com
Click to expand...
Thank you for this, that’s the sort of info I have been looking for. I want to call the installer out, but I don’t like doing that unless I have actual information. If you have any links to hikvision, that would be helpful. I specifically asked if I should set up a VPN and they said it’s not needed. Like, it’s not at all beyond me, I inquired if I should buy an r-pi as I have already for my other setup, he said no need. Not sure why I listened, but either way the direct to model issue would have still occurred, which right now the real issue anyways. I can also set up a vpn later and just not have remote viewing for the short term.

Anyways, if you do have any specific links, I’d love to see them. I will do my own googling as well. I plan to be out there tomorrow and he will either be there or be on the phone with me to “help me fix this”. More info I have the better, I don’t like speaking ignorantly.

Thanks a bunch!
 
You must log in or register to reply here.
Top Bottom