Onvif Security Question

vwsplitty

Hi,

I have a question regarding ONVIF and logging in to webcams. I have a couple of Hikvision cams and two no-brand cheapo cams. ALL have an admin account set up with a password, but when I use the Onvif manager I can log in to the non-brand ones without any input of the admin details, and I cannot on the Hiks. If I then put in the admin details on the top level of Onvif manager I can then log in to those Hik cameras.
What is going on, surely I should not be able to log in to anything until I put the admin details in?

At the moment all I can think to do is change the default ports for connection:

Before it would have just been http://192.xxx.xxx.xxx/onvif/device_service
Now http://192.xxx.xxx.xxx:xxxx/onvif/device_service

Cheers for any help
 


alastairstevenson

> What is going on, surely I should not be able to log in to anything until I put the admin details in?

I think you need to ask the supplier of your (unspecified) cameras about the ONVIF implementation of the cameras.

This simply underlines that IP surveillance cameras are just not secure, they are all hackable.
The Hikvision cameras have quite a number of security vulnerabilities too, including a particularly open 'backdoor' - for example: Backdoor found in Hikvision cameras

> At the moment all I can think to do is change the default ports for connection;

That will do nothing, as the ONVIF services are discovered by broadcast, the camera will respond as before with the needed details to any device that requests them.
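
Added example, not part of the original thread: ONVIF discovery uses WS-Discovery, where a client sends a Probe to UDP multicast 239.255.255.250:3702 and each device answers with a ProbeMatches message whose XAddrs element carries the full service URL, port included. The Python sketch below parses a constructed reply to show a relocated port being advertised anyway; the sample addresses, the placeholder UUIDs and the helper names `advertised_endpoints` and `moved_ports` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
      "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing"}

# Constructed ProbeMatches reply (not captured from a real camera). Addresses
# come from the documentation range 192.0.2.0/24; the UUIDs are placeholders.
SAMPLE_REPLY = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
 xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery">
 <s:Body><d:ProbeMatches>
  <d:ProbeMatch>
   <a:EndpointReference><a:Address>urn:uuid:cam-a</a:Address></a:EndpointReference>
   <d:XAddrs>http://192.0.2.10:8899/onvif/device_service</d:XAddrs>
  </d:ProbeMatch>
  <d:ProbeMatch>
   <a:EndpointReference><a:Address>urn:uuid:cam-b</a:Address></a:EndpointReference>
   <d:XAddrs>http://192.0.2.11/onvif/device_service</d:XAddrs>
  </d:ProbeMatch>
 </d:ProbeMatches></s:Body>
</s:Envelope>"""


def advertised_endpoints(reply_xml):
    """Map each device's endpoint reference to the (host, port, path) it advertises."""
    if "<!DOCTYPE" in reply_xml or "<!ENTITY" in reply_xml:
        raise ValueError("unexpected DTD in discovery reply")  # no entity expansion
    found = {}
    for match in ET.fromstring(reply_xml).iterfind(".//d:ProbeMatch", NS):
        ref = match.findtext("a:EndpointReference/a:Address", "?", NS)
        found[ref] = []
        for url in match.findtext("d:XAddrs", "", NS).split():
            u = urlsplit(url)
            port = u.port or (443 if u.scheme == "https" else 80)
            found[ref].append((u.hostname, port, u.path))
    return found


def moved_ports(endpoints):
    """Devices on a non-default port that discovery still hands to any prober."""
    return {ref: eps for ref, eps in endpoints.items()
            if any(port not in (80, 443) for _host, port, _path in eps)}


if __name__ == "__main__":
    for ref, eps in moved_ports(advertised_endpoints(SAMPLE_REPLY)).items():
        print(ref, "still advertised at", eps)
```

Because the probe is link-local multicast, a client behind a routed VPN or a NATed VM interface normally sees no replies, while any host on the camera's own segment receives the port along with the address.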
 

vwsplitty

> I think you need to ask the supplier of your (unspecified) cameras about the ONVIF implementation of the cameras.
>
> This simply underlines that IP surveillance cameras are just not secure, they are all hackable.
> The Hikvision cameras have quite a number of security vulnerabilities too, including a particularly open 'backdoor' - for example: Backdoor found in Hikvision cameras
>
> That will do nothing, as the ONVIF services are discovered by broadcast, the camera will respond as before with the needed details to any device that requests them.

They are cheap unbranded ones and had for a while. So that’s it, no other option I guess than, like they are at the moment, have no internet access.

Once I changed the ports the Onvif tool would not find them without using the port numbers on the end of the IP, so I presumed
unless someone knew the new port numbers and was on my network they could access them?
 

alastairstevenson

> Once I changed the ports the Onvif tool would not find them without using the port numbers on the end of the IP, so I presumed
> unless someone knew the new port numbers and was on my network they could access them?

Normally ONVIF Device Manager would find ONVIF devices on the same network automatically, with no need to specify IP addresses or ports.
But I see in your screenshot you have added the devices manually. Were they not found automatically?

Different ONVIF implementations often have different ONVIF and HTTP ports, all found automatically.
 

vwsplitty

> Normally ONVIF Device Manager would find ONVIF devices on the same network automatically, with no need to specify IP addresses or ports.
> But I see in your screenshot you have added the devices manually. Were they not found automatically?
>
> Different ONVIF implementations often have different ONVIF and HTTP ports, all found automatically.

How do I use auto discovery with the tool?
 

alastairstevenson

Have the cameras and the PC on the same LAN, using the same IP address range.
Start ODM and it should just self populate.
 

vwsplitty

I must admit I’m doing this over VPN as away at the moment but it does not s or populate. I have to manually add any camera and for the two crappy unbranded ones I have to add the port????
 

vwsplitty

> Presumably ODM isn't running in a VM with a NATed network interface?

I'm running it on my laptop at work, my Blue Iris is running on a VM inside Hyper-V. I'll try running it directly on the VM.


Edit:

You are correct. I ran it directly on the VM and it found all devices AND the cheapo one gave up the video streams without any login details. That is really poor.
So I'm assuming the best I can do is block them from the internet via the router, separate them on the LAN
 

alastairstevenson

> cheapo one gave up the video streams without any login details. That is really poor.

And I'll guarantee that even if it did require authentication, the firmware is readily hackable.
I've used maybe 7 or 8 brands of camera, and it's been fairly easy to find ways in on all of them, big brand or not.
 

vwsplitty

> And I'll guarantee that even if it did require authentication, the firmware is readily hackable.
> I've used maybe 7 or 8 brands of camera, and it's been fairly easy to find ways in on all of them, big brand or not.

OK, duly noted!

I had isolated them from the internet anyway; it's just I have gotten back into the cameras, so to speak, after a while as I'm going to start adding some more, and finding out a few more things about how everything works is never a bad thing.
 