Secure remote access to new Hikvision system

sponcam

n3wb
Jun 23, 2016
Hi,

We're UK-based and just had a new 4K Hikvision system installed to protect our office and overall premises. I asked the installer if we could connect remotely to view via the Hikvision app over SSL, i.e. securely, and they assured us we could. I'm far from expert but I know a bit about servers etc. and I'm pretty confident that we are not set up to connect securely. There is a facility to generate a self-signed SSL certificate on the NVR but this is not set up.

The installer reckons everything is "encrypted" but is it really? Is connecting remotely via the Hikvision app actually safe please? The kit is connected to our network and I reckon some relatively trivial packet sniffing could reveal connection details irrespective of how long the admin password is. It's also pretty simple to find open router ports even though we shifted these from the defaults.

Another issue is that I can see the installer forwarded 6 or 7 ports - the NVR and the cams. I didn't think this was necessary either but I'm new to all of this so could well be wrong.

The kit works fine and the images are excellent. Even the intrusion detection is pretty good too. However, I do need to understand that the installers (apparently experienced and reputable) actually set the job up as securely as possible i.e. minimal ports forwarded and remote access via SSL if this is possible. I can set up a VPN on our remote devices but this seems like a pain if we can access over SSL.

It would be ironic to have a CCTV system installed only to be hacked as a result of it. Or am I being paranoid?

Slight aside, but should the NVR fan also be very loud? Apparently related to PoE but again I'm not totally sure and just want to know it's typical and safe.

Cheers for your help and please go easy with the technical stuff as I'm definitely at the base of the learning curve :)

Thanks
Dave
 
The installer is inept. It's not encrypted and the NVR is vulnerable. VPN is your best bet. Even with port forwarding, there is no reason to forward 6-7 ports, only 2. For remote mobile viewing using iVMS-4500 all you need to forward is the RTSP and media ports.
Yes the fans are loud.
 
You would have to use EZVIZ to be able to have everything encrypted. The SSL certificate is only for web access, you could also use HTTPS, but only from Windows computers. Not when you connect from Hikvision's client (iVMS-4500 for mobile, iVMS-4200 for computers).

Only two ports are needed for connecting from the outside. You do not need any open ports for the cameras, just the NVR. With EZVIZ (P2P) you would not need to open any ports, but I do not think you want to use P2P if you are that worried about security.

That said, yes, you are being paranoid. If you want to be completely safe, use VPN. And do not forget to change the admin password, create non-admin accounts for watching the cameras, and you can even make it so the admin account can only be used from a given IP inside your network (watch it with this one; do not mess up and lock yourself out).
 
Thank you for the prompt responses and patience with my beginner's questions. Here are a few more if I may please.

We have a service contract with the installer - is this why he has provided direct access to each cam or can he reach them via the NVR please?

If we move to just two ports forwarded, the risk of finding them is reduced but it's not too tricky to do. So 6 ports or just 2 ports forwarded wouldn't seem to make much difference as long as the firmware on each device is up-to-date?

Presumably a hack could only occur if the firmware of any of the port-forwarded devices was compromised (as seemed to happen back in 2014?) - other than that it's just like any other web connected system e.g. like an admin area to a content management system for a website? Is Hikvision proactive with security and updates these days please?

For the VPN solution, are you recommending that we create a secure tunnel into our main network and then view the NVR via the web GUI on a PC browser pointed to its local IP address; or can you set up a VPN directly to the NVR please? Sorry if that sounds daft but it's all new to me as I noted earlier. So far we've just viewed the system via Internet Exploder with some crappy ActiveX plugin or via the iVMS app. Is there a browser actually on the NVR please? Sorry - idiot's guide needed here please!

The mobile app is quite cool but now appears to be a bit of a liability if it can't connect securely? If I run a VPN on a mobile device and then launch the app, would that be secure - although it still relies on a couple of router ports being open?

If you could take a few minutes to address each of those points I would be very grateful and it will give me something to go back to the installer with. I particularly like the idea of the non-admin accounts for remote viewing and I'll do anything else needed to button up the system as well as I can.

Thanks again,
Dave
 
Hikvision is months/years behind any exploits. You cannot rely on firmware updates for security. If you run a VPN you don't open any ports.
 
Sorry for ignorance but how do I do that please? I'm looking to connect periodically and remotely from laptop and IVMS. Dumb question but having established the VPN on the remote device, what do I connect to please? Presumably the installer would also be able to do that to fulfil their service contract and load new firmware etc? Can the IVMS app run this way as well as via a browser please?

Thanks again,
Dave
 
You don't feel safe with a new entry point to your network? How about getting a dedicated internet connection for your camera system, and just let the installer open as many ports as he needs?
 
It's an option and one I would consider as a last resort. But I prefer to tighten up the existing configuration as much as possible first. Our router will allow the creation of a VPN although I need to check out how exactly. A quick look suggests "OpenVPN" and then run that on the remote devices. With that set up, can I then connect directly to the NVR please? Would that just be via the Internet Explorer browser or can the IVMS app also run through that? Again, sorry for ignorance.

If so, can the installer also do similar *and* carry out maintenance/firmware updates just via the VPN route and not via port forward direct to the cams please?

Thanks
Dave
 
Yes, using a VPN would be the same as being inside the network, so you can do everything.
But, would you want your installer to roam freely inside your network?
 
Good point. I can see that there is no easy solution here! Ironic that the CCTV manufacturers seem to be quite some way behind with all this. I may just move to VPN, kick the remote app into touch, drop the installer maintenance and do my own updates. Is there an alternative to IVMS that can run securely on a phone or tablet?

Thanks
Dave
 
I use OpenVPN to access my network and security cameras. Works great! On my smartphone or tablet, I use the OpenVPN for Android app to make the connection. Then launch the security camera app (e.g., tinyCam Monitor, iVMS-4500, NVMS7000, etc.). You set up the app using the internal IP address of the NVR (e.g., 192.168.1.###), port, username, password, etc.
 
Personally I'd have the cameras/NVR in a DMZ and they'd have no access to the company LAN/WAN, or outgoing to the Internet, but LAN/WAN clients would have access to them (as appropriate) as would authenticated (more than just Hikvision login) Internet access (VPN would be good).

Then even if the cameras/NVR were compromised your company network should be safe - though I suppose webcomponents.exe could be infected and then downloaded to company PCs. I guess it depends on what risk you consider acceptable.
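As an added example (not from any post in this thread), here is what the two recommendations above look like on a Linux router running nftables: the OpenVPN approach (remote devices reach the NVR by its internal address, with no port forwards at all) and the DMZ layout (the cameras and NVR can be reached from the office LAN and from VPN clients, but can open nothing towards the LAN or the Internet). The interface names, subnets and the NVR address are assumptions chosen for illustration; the ruleset replaces whatever is currently loaded, so adapt it before use.

```nft
#!/usr/sbin/nft -f
# Example ruleset, not the thread's or Hikvision's own configuration.
# Assumed layout:
#   eth0 = WAN uplink
#   eth1 = office LAN, 192.168.1.0/24
#   eth2 = camera DMZ (NVR plus PoE cameras), 192.168.50.0/24
#   tun0 = OpenVPN server interface, 10.8.0.0/24 (remote laptops/phones)
#   NVR  = 192.168.50.10 (assumed address)
# There are deliberately no DNAT/port-forward rules: remote viewing goes
# through the VPN, so nothing on the WAN side is exposed.

flush ruleset

table inet cctv_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed further down.
        ct state established,related accept

        # Office PCs and VPN clients may open connections to the NVR only.
        # iVMS-4500 / the web GUI talk to the NVR, which fronts the cameras,
        # so the cameras themselves never need to be reachable directly.
        iifname { "eth1", "tun0" } oifname "eth2" \
            ip daddr 192.168.50.10 ct state new accept

        # Anything the DMZ tries to initiate (towards the LAN, the Internet,
        # or a cloud/P2P service) is logged and dropped, so a compromised
        # camera or NVR cannot reach the company network or phone home.
        iifname "eth2" log prefix "cctv-dmz-egress: " drop

        # Ordinary LAN and VPN traffic to the Internet is unaffected.
        iifname { "eth1", "tun0" } oifname "eth0" accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Masquerade only the office and VPN subnets; the DMZ is never NATed
        # outwards because it is not allowed to initiate anything.
        oifname "eth0" ip saddr { 192.168.1.0/24, 10.8.0.0/24 } masquerade
    }
}
```

With this in place the mobile app is used exactly as described in the OpenVPN post: connect the VPN first, then point iVMS-4500 at 192.168.50.10 (the NVR's internal address in this example). Because the DMZ cannot initiate outbound connections, firmware updates have to be uploaded through the NVR's web GUI from the LAN or over the VPN rather than fetched by the NVR itself, and the `cctv-dmz-egress` log prefix gives a simple thing to watch for: any hit on that rule means a device in the camera segment attempted a connection it should never need.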