Hikvision Hardening Guide Recommends Port Forwarding

By: John Honovich, Published on Jun 09, 2017

Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below:

In this note, we examine the risks in this approach and Hikvision's commitment to network security.

Hardening **********

********* **** ** ****** vulnerabilities *** ******** *** security ** *******. ********* guides *** ******* ** IT *** ******* ** video ************ ** ***** seek ***** ** ******* security ** *** ******* they ******. *** *******, here *******'* ***** ** ****** Cisco *** ******* ******* ************** ********* *****.

Port ********** *****

**** ********** ***** ***** ports ********* ** *** public ********. ***** **** makes ** **** *** the **** ** *** remote ****** ** ***** devices, ** **** ****** attackers / ******* ** probe / ****** ***** devices. ** ***** *** vulnerabilities *** *** ****** (e.g.,*********'* ****** ********, *** **** ***** of ******* *********, ***., whatever *** ************* ** exposed ***** **** ****, next ****, ***.), **** forwarding ***** ** **** to ******* ****. ******, Hikvision ******* ****,******* ************* ***** **** service**** **** **** *********** depends ** **** **********.

**** ********** ** * cheaper / ****** *********** to ***** * *** (e.g., *** **** ** *** ** VPN ***** **********) *** **** ********** is *** * *** to '******' * ****** or * *******. ** is *** ***** *** a ************ ** ******* how ** *** **** forwarding *** ******* ** recommend ** ** ** a ******** ************* ** hardening.

HikConnect ***?

*************, *********'* ********* ***** did *** **********-*******, ***** *** / cloud *******, ***** ********** *** need *** **** ********** and ** * ******* they *** ********* ** a *********** ** ***** DDNS ********.

*******, ***-******* ******** ****** Hikvision ****** ** * user's ******** ******* / LAN, ***** ****** *** own *** ** **** given *********'* ************* ***** record *** ******* ********** ownership.

Cisco *** ****** ****?

********* ********* ** **** their ************* ***********, ********* hiring ****** *** ******** ****** *****. *******, ***** *** Rapid7 *** ****** *** recommending **** ********** ** a '******** *************' ** 'hardening'.

** *** ***** ****, it ** **** ** blame ***** *** ****** since **** ** *** parties **** **** **** clear **** **** *** providing ** ********* ****** ***** releases.

Featuring ******* *******?

*******, *** ****** ** Linksys ******* ** *********'* hardening ******* ** ********.

******* ******* ***, ** their *** ******, ******** to **** *** *** users. *** ******* *******, like *********,**** *** ***** *** ongoing ******** ******.

******* ** ***, ** Hikvision ** ********* ***** are ******* ***** ********* their ******* / ********, port ********** ******* ******* is *** * **** way ** ** ****.

Comments (18)

I must have missed the memo where Cisco sold Linksys to Belkin? I was going to comment that most Linksys gear was now labeled Cisco, hence the Hikvision connection (a reach, I know), but even that is now debunked.

My only guess is the Linksys is sort of a de facto standard for SOHO routers, which if you need their advice for port forwarding, you likely aren't running a SonicWall, pfSense, or anything corporate above these SMB routers.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways. 

I must have missed the memo where Cisco sold Linksys to Belkin?

Note to others: Cisco sold Linksys to Belkin 4 years ago, March 2013.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways.

That's funny because it's true but presumably Hikvision is releasing a network hardening guide because it wants to build trust with larger / enterprise buyers who care about cybersecurity. Featuring a Linksys router with port forwarding instructions is unlikely to do that.

I must have missed the memo where Cisco sold Linksys to Belkin?

Don't worry, Jon, I missed that one too. But maybe because I don't follow the SOHO market much anymore.

Installed my first Hikvision, I started getting random invalid login attempts at all hours of the day and night in the first week! Now half the cameras stopped working. Ugh, why did I bother. 

That's strange, out of the hundreds of Hikvision products we have installed, none have been hacked to my knowledge and have only ever had a few RMAs. 

However, I have had quite a few Dahua devices get hacked, so I can sympathize somewhat.

But, neither brand has been unreliable. We've had maybe 20 RMAs in the history of using Dahua and Hikvision products since 2010.

To stay on topic though, if you followed this "hardening guide", you should expect a "knock at the door" very soon. 

I started getting random invalid login attempts at all hours of the day and night in the first week

Did you port forward it or? Typically such invalid login attempts come from devices being exposed to the public Internet, which faces numerous bots and scripts continuously probing / attacking devices.

Related, a popular article from last year: "The Inevitability of Being Hacked. We built a fake web toaster, and it was compromised in an hour."
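The "random invalid login attempts" described above are what an Internet-exposed camera or NVR typically sees from scanning bots. The following is an added example, not code from IPVM, Hikvision or any commenter: it parses a small set of constructed authentication log lines (the line format is invented for this example and is not Hikvision's real log format) and flags source addresses that produce a burst of failed logins inside a short window, separating LAN sources from everything else. The documentation-range addresses 203.0.113.x and 198.51.100.x stand in for public ones.

```python
"""Flag brute-force style failed logins against a camera/NVR.

Added example, not from the original post. The log format, sample lines,
thresholds and the LAN ranges used for classification are all assumptions
made for this demonstration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst from one outside address, a single stray
# failure from a second outside address, and one failure from the LAN.
SAMPLE_LOG = """\
2017-06-05 02:14:01 LOGIN_FAIL user=admin src=203.0.113.45
2017-06-05 02:14:03 LOGIN_FAIL user=admin src=203.0.113.45
2017-06-05 02:14:04 LOGIN_FAIL user=root src=203.0.113.45
2017-06-05 02:14:06 LOGIN_FAIL user=admin src=203.0.113.45
2017-06-05 02:14:09 LOGIN_FAIL user=service src=203.0.113.45
2017-06-05 02:20:00 LOGIN_FAIL user=admin src=198.51.100.7
2017-06-05 08:00:00 LOGIN_FAIL user=admin src=192.168.1.20
2017-06-05 08:00:05 LOGIN_OK user=admin src=192.168.1.20
"""

# Assumed line layout: "<timestamp> <EVENT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# RFC 1918 ranges treated as "inside the LAN". Using explicit networks rather
# than ipaddress.is_private matters here, because Python also classifies the
# documentation ranges (203.0.113.0/24 etc.) as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def parse_log(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"],
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
        })
    return events


def find_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Return {src: details} for sources with >= threshold failures in any window.

    details holds the largest number of failures seen inside one window,
    the usernames tried in that window, and whether the source is outside the LAN.
    """
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["src"]].append(e)

    findings = {}
    for src, items in fails.items():
        items.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(items)):          # sliding window over sorted times
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "users": sorted({i["user"] for i in items[start:end + 1]}),
                    "public": not is_lan(src),
                }
        if best:
            findings[str(src)] = best
    return findings


def public_failure_sources(events):
    """Distinct non-LAN addresses that produced at least one failed login."""
    return sorted({str(e["src"]) for e in events
                   if e["event"] == "LOGIN_FAIL" and not is_lan(e["src"])})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, d in find_bruteforce(evs).items():
        print(f"{src}: {d['count']} failures, users={d['users']}, public={d['public']}")
```

Any non-LAN address in the output is, by itself, evidence that the device is reachable from the Internet; the burst detection separates ordinary mistyped passwords from automated guessing.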

I have it straight facing on the WAN with a public IP. Probably not the best way, but it's the only device there and if I was going to open up all the ports needed anyway, I didn't see a need for a router. Guess I'll need to put it behind one and see if it helps. Not sure if I'm getting notification of false logins or if they're using some kind of backdoor, being that the system is recognizing a failed login attempt.

A router may not mitigate the issue if the same port required for the stream is the same one that authentication requires, or if a hack can be made on the streaming port. Where a router might help is if it has the capability of permitting incoming traffic only from a specified source IP, and whatever needs to connect to the camera (like an NVR) is from a known source IP.

I was going to comment on the main article, that my guess is that Hik is recommending to use port forwarding vs. simply putting the device behind the modem with all ports open. However, this is a very rare case, as usually there are other devices on the network requiring the use of a router. In your case, yes I would recommend a router as standard business practice. Most ISPs will provide a modem/router combo, which IMHO I hate and would rather use a Belkin or Linksys any day.

One benefit of using port forwarding vs. simply hanging the device off the modem is that any "undocumented" port, such as discovery, ONVIF, telnet, SSH, etc., is then not accessible if you didn't forward the port.  If it is on the modem, then everything is accessible from the Internet.

 

I typically recommend using port forwarding if VPN or other technologies can not be used, and then to forward only the minimum ports and devices.  Only forward the NVR and not each camera.  Ports you don't need for remote access, don't forward.

The biggest thing in this article that jumps out at me is that they are not recommending P2P.  P2P was going to be the end-all, be-all answer in the easy setup nirvana but now I guess they see the inevitable hacks and distrust for them as a reason to go away from it.  Anyway, that was my take on it.  And oh yeah, using an older SOHO router was just funny, like they told someone to make a hardening guide with the stuff he could find in the basement.
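The advice in the preceding comments (forward only the NVR rather than each camera, forward only the ports remote access needs, leave telnet/SSH/discovery unforwarded, and restrict incoming traffic to a known source IP where the router supports it) can be turned into an audit of a router's forwarding table. The following is an added example, not code from IPVM, Hikvision or any commenter: the rule format, the hosts, and the "needed ports" set (80 from the thread, plus an assumed application port 8000 used purely as an example value) are constructed for the demonstration, and an operator would substitute the ports their own NVR and client actually use.

```python
"""Audit router port-forwarding rules against the thread's recommendations.

Added example, not Hikvision's or IPVM's code. Rule layout, addresses and the
needed-ports set are assumptions for this demonstration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Forward:
    ext_port: Optional[int]      # None means "DMZ host": every port forwarded
    proto: str                   # "tcp", "udp" or "any"
    dest: str                    # internal host the rule points at
    dest_port: Optional[int]
    src: str = "any"             # "any" or a CIDR of permitted remote sources


# Services that remote viewing does not need but devices commonly listen on:
# 22/tcp SSH, 23/tcp telnet, 3702/udp WS-Discovery (used for ONVIF discovery).
UNNEEDED_SERVICES = {
    (22, "tcp"): "ssh",
    (23, "tcp"): "telnet",
    (3702, "udp"): "ws-discovery",
}


def audit(rules, nvr, cameras, needed_ports):
    """Return a list of (severity, rule, reason) findings for a rule set."""
    findings = []
    for r in rules:
        if r.ext_port is None:
            findings.append(("critical", r, "DMZ host: every port reachable from the Internet"))
            continue
        if r.dest in cameras:
            findings.append(("high", r, "forwards to a camera; forward only the NVR"))
        elif r.dest != nvr:
            findings.append(("high", r, "forwards to a host not in the inventory"))
        svc = UNNEEDED_SERVICES.get((r.dest_port, r.proto))
        if svc:
            findings.append(("high", r, f"exposes {svc}, not needed for remote viewing"))
        elif (r.dest_port, r.proto) not in needed_ports:
            findings.append(("medium", r, "port is not in the needed-ports list"))
        if r.src == "any":
            findings.append(("medium", r, "no source-IP restriction on the forward"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 2, 'medium': 3}."""
    return Counter(sev for sev, _, _ in findings)


def hardened_rules(nvr, needed_ports, allowed_src):
    """Minimal rule set: the NVR only, the needed ports only, one allowed source."""
    ipaddress.ip_network(allowed_src)    # raises ValueError if not a valid CIDR
    return [Forward(p, proto, nvr, p, allowed_src) for p, proto in sorted(needed_ports)]


# Constructed inventory and an example of a weak forwarding table.
NVR = "192.168.1.10"
CAMERAS = {"192.168.1.21", "192.168.1.22"}
NEEDED = {(80, "tcp"), (8000, "tcp")}           # assumed example ports
WEAK_RULES = [
    Forward(80, "tcp", NVR, 80),                 # needed port, but open to any source
    Forward(23, "tcp", NVR, 23),                 # telnet exposed to the Internet
    Forward(8080, "tcp", "192.168.1.21", 80),    # a camera forwarded directly
    Forward(None, "any", "192.168.1.22", None),  # a camera placed as DMZ host
]

if __name__ == "__main__":
    for sev, rule, reason in audit(WEAK_RULES, NVR, CAMERAS, NEEDED):
        print(f"[{sev}] {rule.dest}:{rule.dest_port}/{rule.proto} <- {rule.src}: {reason}")
    print("hardened:", hardened_rules(NVR, NEEDED, "198.51.100.0/24"))
```

Running the weak table through the audit produces one critical finding (the DMZ host), two high ones (telnet, the camera forward) and three medium ones (no source restriction on each ordinary forward). The hardened set the last function emits, which the same audit passes cleanly, is exactly what the commenter describes: only the NVR, only the ports needed, from one known source.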

now I guess they see the inevitable hacks and distrust for them as a reason to go away from it

I do not know if that was the case. We raised our concerns about the hardening guide to Hikvision prior to publication but no response.

Btw, Hikvision did update the guide yesterday, June 8th, after we contacted them but the port forwarding section still remains.

Here's the 1.1 April 2017 version and the 1.2 June 2017 version for those looking to compare.

One thing that clearly is new, post IPVM's notification to Hikvision, is a warning section about using port forwarding that follows the Linksys screencap / instructions that remains:

As the excerpt shows, they are still clearly recommending port forwarding for Internet access generally and in their 'hardening' guide.

I took a brief look at their entire hardening guide and I think if you did every single step in there, it would be pretty secure. I would have added that one should change port 80 to something else and should have put more of an emphasis on only opening the ports needed for the DVR (to avoid the risk of someone DMZ'ing).

People want to see their cameras remotely. So from a practical standpoint, are you alluding that Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device? Or how/what else should they have mentioned instead? Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

"I would think port forwarding is a more secure setup than any P2P setup?? Or nay?"

Why do you think port forwarding more secure?

 

People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device?

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

That depends what you think of the security / precautions / readiness / proficiency of your P2P / cloud provider.

There is one clear benefit. When a vulnerability is found in a P2P or cloud service, it is fixed once and patched for all users. When a vulnerability is found in a remote unmanaged device that uses port forwarding, the vulnerability will, as a matter of practice, exist for many years in most devices since firmware upgrades of individual users lag, to say the least.

P2P is the worst protocol to have been introduced in IP camera systems, regarding security. It's purposefully designed to punch through safety/control measures. Some may say ONVIF is worse, but I digress. :D

NOTICE: This comment has been moved to its own discussion: P2P Is The Worst Protocol To Have Been Introduced In IP Camera Systems, Regarding Security

Trust us for all of your cyber security needs.

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Understand, I just think you have to blend practicality in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical. I mean if you really want to truly harden your system you can include these instructions: "You see that network cable that is connected to the back of your device, unplug it!"

I too am a little confused why they didn't mention P2P though. To me this would be the most practical situation. We still however do not get the full remote management features through P2P like we do with normal port forwarding. It's also "slower" than port forwarding.

in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical.

Sure, so if someone does not care about cybersecurity and just wants to see video remotely, letting them know it's possible to use port forwarding is perfectly reasonable (with appropriate warning about risks).

But it's strange to put port forwarding as 'standard configuration' inside of a hardening guide. Many people who are serious about cyber security are going to see and conclude negatively about Hikvision (i.e., a company with that many past problems who then goes and recommends port forwarding Linksys routers in a hardening guide either lacks skill or seriousness in cyber security).
