Potential vulnerability in NVR

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
2
Location
AU
They have probably got in via the backdoor and that is why the logins look to be local.

We had someone here about 6 months ago with a similar issue with a Hikvision NVR and they thought they were being attempted to be hacked by someone within their house that they didn't give access to. It ended up being a backdoor vulnerability.
I am after finding this backdoor so that I can fix it with perimeter security if the code itself is vulnerable - any info would be of help.
 

funtoosko

OK, so unless you are VPNing back into your system, you either scanned a QR code or typed in the serial number or forwarded a port, thus putting your device on the internet and making it vulnerable to one of the many backdoor exploits that seem to always pop up, OR through someone/bot trying to guess the password...

Edit - you respond within the grey areas of replies, but you mentioned you have P2P on - that is how this is happening...
Is there any alternative to P2P to securely connect to the NVR remotely to live stream the videos or video clips when a (physical) intruder or trip wire alarm is triggered? Using a VPN will allow connecting to the NVR itself; I believe the mobile app connects to the vendor's cloud and video is streamed through it.

NVR-->Live stream pushed to (Cloud provider) <------------ mobile app connect to this cloud (using P2P) for live stream
 

SpacemanSpiff

Getting comfortable
Joined
Apr 15, 2021
Messages
924
Reaction score
1,300
Location
USA
Is there any alternative to P2P to securely connect to the NVR remotely to live stream the videos or video clips when a (physical) intruder or trip wire alarm is triggered? Using a VPN will allow connecting to the NVR itself; I believe the mobile app connects to the vendor's cloud and video is streamed through it.

NVR-->Live stream pushed to (Cloud provider) <------------ mobile app connect to this cloud (using P2P) for live stream
Several members already provided alternatives to P2P in their replies to this thread.

 

funtoosko

There has been another attempt to break in to my NVR again ;(. Though I have locked down most of the ports on the router/firewall.

P2P, UPnP - disabled on NVR & firewall, no port forwarding.

On firewall:
All inbound traffic to NVR management (private IP) interface BLOCKED.

Only the below inbound traffic to the NVR management interface is allowed on the firewall:

8800:8803/UDP
3702/UDP

Outbound traffic from LAN->WAN:

ALL UDP ports
TCP/8888 - for mobile push notification
TCP/37777/37778 - assuming this will enable viewing the short video clip when a mobile push notification is triggered from AI alarms.

Not sure how they are still able to connect to my NVR and attempt authentication (though they are failing); this time they have changed their tactics to limit their repeated attempts to avoid triggering the alarm (long beep).

No constructive response from local partner or Dahua cyber security team yet!

Any thoughts?
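One way to catch the slower login attempts described in the post above is to count failures per source over a long window as well as the short burst window a built-in lockout alarm typically uses. This is an added example, not code from the thread or from Dahua; the syslog-like line layout and the sample addresses are constructed here, not the NVR's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (an assumption; not the
# NVR's real log format). One remote source spaces its failures ~15 min
# apart to stay under a burst threshold; one LAN host fails once, then logs in.
SAMPLE_LOG = """\
2023-02-01T10:00:05 nvr auth: login failed user=admin src=203.0.113.7
2023-02-01T10:14:51 nvr auth: login failed user=admin src=203.0.113.7
2023-02-01T10:29:40 nvr auth: login failed user=admin src=203.0.113.7
2023-02-01T10:44:12 nvr auth: login failed user=admin src=203.0.113.7
2023-02-01T10:59:03 nvr auth: login failed user=admin src=203.0.113.7
2023-02-01T11:13:58 nvr auth: login failed user=admin src=203.0.113.7
2023-02-01T10:10:00 nvr auth: login failed user=admin src=192.168.1.20
2023-02-01T10:10:30 nvr auth: login ok user=admin src=192.168.1.20
"""


def parse_failures(log_text):
    """Map each source address to the sorted timestamps of its failed logins."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if "failed" not in fields:
            continue  # successful logins and unrelated lines are ignored
        stamp = datetime.fromisoformat(fields[0])
        src = next(f[len("src="):] for f in fields if f.startswith("src="))
        failures[src].append(stamp)
    return {src: sorted(ts) for src, ts in failures.items()}


def exceeds(times, threshold, window):
    """True if any `threshold` consecutive failures fall inside `window`."""
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


def classify(log_text):
    """Per source: (trips a 5-in-5-minutes burst rule, trips a 5-in-2-hours slow rule)."""
    return {
        src: (exceeds(ts, 5, timedelta(minutes=5)),
              exceeds(ts, 5, timedelta(hours=2)))
        for src, ts in parse_failures(log_text).items()
    }


if __name__ == "__main__":
    for src, (burst, slow) in classify(SAMPLE_LOG).items():
        print(f"{src}: burst={burst} slow={slow}")
```

The remote source never trips the burst rule, which is what the post describes, but does trip the long-window rule; feeding the NVR's syslog export through the same check gives an alert the device's own beep would miss.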
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
2,678
Reaction score
3,898
I think he was asking about these from your post above:

Only the below inbound traffic to the NVR management interface is allowed on the firewall:

8800:8803/UDP
3702/UDP
Why open and have you tried blocking those?
 

funtoosko

I think he was asking about these from your post above:

Why open and have you tried blocking those?
Believing that those ports are used by the mobile application DMSS to enable viewing the camera feed remotely; anyway, I was not able to watch the live camera feed. However, I have disabled that firewall rule as well after noticing the recent break-in attempt.
 

awonson

Pulling my weight
Joined
Feb 7, 2020
Messages
138
Reaction score
112
Location
Australia
@funtoosko, block all incoming ports to your cameras and NVR. For the DMSS notifications to appear, I have outgoing ports 8888 and 2195 open along with outgoing port 587 for email. So if you want these notifications and email, open only those ports outgoing. They are the only ones that pass traffic out according to my syslog server when notifications and email are generated by the NVR and cameras. To access the management of the NVR, or to view the live stream from your home, set up a VPN in your router or use a Raspberry Pi (www.pivpn.io) or use ZeroTier on an always-on computer to access the NVR from outside your home. The notification will come to your phone - if you are outside your home, you then turn on the VPN on your phone and you can then access DMSS to view. Alternatively you can view the snapshot photo that may have been sent with the email, but you don't need VPN for that.

I have my NVR and cameras set up as above and have had no intrusions. Double check that P2P is disabled on your cameras and NVR. Change your password on your NVR and cameras.

I am also confused by what you have written regarding whether you have ports opened or not. It seems you have ports opened??

I would start by blocking ALL ports to NVR and cameras and changing the NVR and camera password and see what happens over the next 24 hours. Double check that P2P is OFF and that it remains off after you reboot the cameras and NVR. If you want, you can also check if there is a firmware update for your NVR.
 