Subscriber Discussion

How Did My Customer's Hikvision Camera Get Hacked?

Undisclosed Integrator #1
Feb 25, 2018

Ran across this curious situation last week. 

Background: The install is a college fraternity house we installed a camera system for a few years ago and have added additional cameras more recently. The NVR is an LTS (HIK) 32 Channel and the original cameras were LTS; most still had default passwords. The more recently added cameras were HIK brand with much stronger (13-character) passwords. The NVR is accessible on the Internet via port forwarding using non-standard ports (i.e., not 80, 8000, 554). Firmware upgrades have been done in the last six months. The NVR also has a strong 13-character password.

Customer called me and said one camera was out. Went on site and found that the camera was discoverable but not accessible. It was one of the newer ones with the 13-character password, and it was rejecting all attempts to log in. I emailed HIK for the reset, and upon resetting it I discovered the camera was set to Black and White, and displayed this:

I performed a factory default and it's back up and running, but I'm perplexed as to how this happened, and how to prevent it going forward.

The NVR sits in a locked closet and I'm quite confident a local frat prankster was not the culprit. The cameras are not directly accessible per se via the internet. This particular camera has as its IP address 192.168.1.24. Would that address expose it to some sort of routing vulnerability?

John Honovich
Feb 25, 2018
IPVM

#1, do you know what specific firmware version the hacked camera was on? This would help better focus on what caused it.

Also, have you reported this to Hikvision's cybersecurity team? I would recommend that so that they can investigate and see what response they provide.

Undisclosed Integrator #1
Feb 25, 2018

Interesting, John, in that I just tried to obtain it and couldn't find it remotely through the NVR. I can get full access to the NVR remotely either through a browser or IVMS-4200. Can see all of the cameras, but the only settings I can seem to see or change are the IP address, protocol and port. The cameras are set to the default port 8000 but I don't have that port open on the router. The NVR is set to a different port, as I mentioned. The camera in question was purchased in July 2017; I know it required a stronger password than the old '12345' to activate. It did not respond to the HIK reset tools that you've previously linked, so I think it was a fairly recent firmware.

 

I did just remember 2 additional things I didn't post in the original thread.

1. Most of the cameras are connected to a PoE switch along with the NVR. That switch is connected to the cable modem/router, so in theory most of the cameras are theoretically reachable via the internet. They are all on a 192.168.1.xxx scheme, which is what the router defaults to.

2. UPnP was enabled on the NVR. I just disabled it. (Not exactly sure what that might have exposed it to.)

3. Only ports I forwarded on the modem/router were Server, HTTP, and RTSP, which were forwarded to the NVR's IP address.

I'm not sure if any additional ports may have been open in the router by default, but usually they are not forwarded to a specific address. I just tried accessing port 80 and did not connect to anything. The cameras were all set up with a gateway of 192.168.1.1, which is the modem/router; however, I don't know if they have a DNS set up by default or not.
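
Added example, not part of the original posts: because UPnP lets a device on the LAN ask the router to create port mappings on its own, one way to answer "what is actually reachable from the internet" is to audit the router's full mapping table rather than only the forwards set by hand. The NVR address `192.168.1.10`, the `Mapping` fields and every sample row below are constructed assumptions and do not reflect the actual router in this thread.

```python
import ipaddress
from dataclasses import dataclass

# Ports the thread names as the standard ones (HTTP, Server, RTSP).
DEFAULT_PORTS = {80, 8000, 554}

@dataclass(frozen=True)
class Mapping:
    source: str    # "static" = forwarded by hand, "upnp" = requested by a device
    ext_port: int  # port open on the WAN side of the modem/router
    int_ip: str    # LAN host the traffic is sent to
    int_port: int

def audit(mappings, nvr_ip, lan="192.168.1.0/24"):
    """Return (mapping, reasons) for every mapping that needs review."""
    net = ipaddress.ip_network(lan)
    findings = []
    for m in mappings:
        reasons = []
        if ipaddress.ip_address(m.int_ip) not in net:
            reasons.append("target outside camera LAN")
        elif m.int_ip != nvr_ip:
            reasons.append("exposes a host other than the NVR")
        if m.source == "upnp":
            reasons.append("created via UPnP, not by the installer")
        if m.ext_port in DEFAULT_PORTS:
            reasons.append("default port exposed externally")
        if reasons:
            findings.append((m, reasons))
    return findings

NVR_IP = "192.168.1.10"  # hypothetical; the thread does not give the NVR's address
SAMPLE = [               # constructed table, as if copied from the router's admin page
    Mapping("static", 18080, NVR_IP, 80),
    Mapping("static", 18000, NVR_IP, 8000),
    Mapping("static", 10554, NVR_IP, 554),
    Mapping("upnp", 8000, NVR_IP, 8000),
    Mapping("upnp", 8024, "192.168.1.24", 80),
]

if __name__ == "__main__":
    for m, reasons in audit(SAMPLE, NVR_IP):
        print(f"{m.ext_port} -> {m.int_ip}:{m.int_port} [{m.source}]: " + "; ".join(reasons))
```

The three hand-made forwards on non-standard ports pass; the two UPnP rows are flagged, one for reopening a default port and one for pointing at a camera instead of the NVR.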
