Subscriber Discussion

Hikvision Cameras Defaulting? [Upnp Facilitating Hacks]

UI
Undisclosed Integrator #1
Oct 17, 2017

Hi, We seem to have certain sites of ours with Hikvision cameras just resetting to factory defaults? Has anyone seen this themselves? 

So far three sites this week? It’s only just started to happen. We upgraded the f/w and reset the admin password,reset the IP to what is required, but they drift back to factory default? VMS is Milestone 

[IPVM Note: After this discussion and suggestions provided, integrator followed up:

Hi, Issue found - firmware level is lower than required to prevent these hacks as suggested. Also uPNP was on so they were in effect available on the internet.. We tested and proved remote access to the camera with no human entered port forwards

All locked down now.

]

(1)
UI
Undisclosed Integrator #2
Oct 17, 2017

What Firmware are you updating to?

UI
Undisclosed Integrator #1
Oct 17, 2017

I don’t have the exact version I can find that out, when I spoke to our tech he told me it “was the lastest off the him website” :)

UI
Undisclosed Integrator #2
Oct 17, 2017

Anything that is not at least V5.4.5 and still has port forwarding setup for the camera is most likely being hacked and set to factor default. 

(1)
(2)
UD
Undisclosed Distributor #5
Oct 18, 2017

this has nothing to do with a hack, please check my post below. hacking is not an issue on this fw version

UI
Undisclosed Integrator #2
Oct 18, 2017

Two things UD5:

  1. My comment was posted before any FW Version was stated/given. It was just inferred he was using updated FW from his tech. 
  2. What I said is factual. If UI1 is running on FW less than V5.4.5 and they have port forwarding setup for the camera it is vulnerable to the most recent exploit. Hence why I asked the question. 

 

(1)
BP
Bas Poiesz
Oct 18, 2017

without knowing the FW I can see where you are coming from, makes sense

U
Undisclosed #3
Oct 17, 2017

 Are the cameras accessible from internet?

UI
Undisclosed Integrator #1
Oct 17, 2017

Behind a router, customers router.

U
Undisclosed #3
Oct 17, 2017

Are the cameras reseting themselves one by one randomly or all at the same time?

If we assume Milestone doesn't have anything to do with it and that the cameras themselves are fine, I was wondering if someone else is doing that to them. Are there port forwards in place to access the cameras behind the router? Check if the firmware version in them is recent enough to have vulnerability updates for the simple hacks that have plagued these recently.

U
Undisclosed #4
Oct 18, 2017

Is your system located on separate subnet?

UI
Undisclosed Integrator #1
Oct 18, 2017

Actually that got me thinking. I wonder if the cameras have UPNP enabled?

U
Undisclosed #3
Oct 18, 2017

If they're accidentally exposed and should not be, disable UPnP from the router altogether. I'm not sure if Hiks ship with UPnP enabled, but it's very possible.

Avatar
John Scanlan
Oct 18, 2017
IPVM • IPVMU Certified
UD
Undisclosed Distributor #5
Oct 18, 2017

what model are you using from hik?

if it is the DS-2CD23x5FWD-I model, we have had cases where the SD-slot was opened and the lit put back upside down. This caused the rubber to push on the reset button and creates what you are describing

UM
Undisclosed Manufacturer #6
Oct 18, 2017

Hi UD#5,

I just checked one of the model but the lit is asymmetrical, how can one put it back upside down without noticing it does not match? Even the screws of the lit aren't located in the medium points of both sides.

Also the rubber has a opening at the SD-slot. If upside down, wouldn't the opening on top of the reset button and not pushing it?

My model is DS-2CD2355FWD-I.

UD
Undisclosed Distributor #5
Oct 18, 2017

yes that's the one! The lit can only be re-applied in one way, but the rubber in the lit can be put back the wrong way. Let me get you a picture, hold on

UD
Undisclosed Distributor #5
Oct 18, 2017

 

I hope this clarifies it. The metal part can only be applied in one way, the rubber can be re-applied the wrong way

UM
Undisclosed Manufacturer #6
Oct 18, 2017

Ah that makes a lot of sense now. Let me try on my camera to see if I can reproduce this issue.

UM
Undisclosed Manufacturer #6
Oct 18, 2017

Yeah the issue is reproduced.

However I took an OEM version of this camera seems they changed the design of this and the "tongue" of the rubber pad is removed, also there are changes in the design of placement of SD-slot and reset button. They are aligned in a slim opening in the OEM version and CVBS out is removed. Moreover, the location of the lit is closer to the lens than the Hik.

My assumption is, Hik noticed this issue and changed their design. I don't think the OEM would customize such thing.

(1)
UD
Undisclosed Distributor #5
Oct 18, 2017

we recently received a shipment of 500 pieces in black, also a specific order, and there too the issue was rectified. glad it helped!

UI
Undisclosed Integrator #7
Oct 18, 2017

I haven't had Hikvision cameras to default but I continue to have a weird issue with 7 Hikvision cameras connected to an Exacq NVR. Whenever I enable time and date through the OSD of the Hikvision camera it keeps going away. This is an unusual setup where the cameras are recording to the NVR but also FTPing an image to a website every 2 minutes which is why I have time and date enabled on the camera itself. 

UI
Undisclosed Integrator #1
Oct 18, 2017

Hi, Further update these are the models..

 

UI
Undisclosed Integrator #1
Oct 18, 2017

Hi, Issue found - firmware level is lower than required to prevent these hacks as suggested. Also uPNP was on so they were in effect available on the internet.. We tested and proved remote access to the camera with no human entered port forwards

All locked down now.

 

* red faced *

(1)
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions