Hikvision Hardening Guide Recommends Port Forwarding

By: John Honovich, Published on Jun 09, 2017

Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below:

In this note, we examine the risks in this approach and Hikvision's commitment to network security.


Hardening **********

********* **** ** ****** vulnerabilities *** ******** *** security ** *******. ********* guides *** ******* ** IT *** ******* ** video ************ ** ***** seek ***** ** ******* security ** *** ******* they ******. *** *******, here *******'* ***** ** ****** Cisco *** ******* ******* ************** ********* *****.

Port ********** *****

**** ********** ***** ***** ports ********* ** *** public ********. ***** **** makes ** **** *** the **** ** *** remote ****** ** ***** devices, ** **** ****** attackers / ******* ** probe / ****** ***** devices. ** ***** *** vulnerabilities *** *** ****** (e.g.,*********'* ****** ********, *** **** ***** of ******* *********, ***., whatever *** ************* ** exposed ***** **** ****, next ****, ***.), **** forwarding ***** ** **** to ******* ****. ******, Hikvision ******* ****,******* ************* ***** **** service**** **** **** *********** depends ** **** **********.

**** ********** ** * cheaper / ****** *********** to ***** * *** (e.g., *** **** ** *** ** VPN ***** **********) *** **** ********** is *** * *** to '******' * ****** or * *******. ** is *** ***** *** a ************ ** ******* how ** *** **** forwarding *** ******* ** recommend ** ** ** a ******** ************* ** hardening.

HikConnect ***?

*************, *********'* ********* ***** did *** **********-*******, ***** *** / cloud *******, ***** ********** *** need *** **** ********** and ** * ******* they *** ********* ** a *********** ** ***** DDNS ********.

*******, ***-******* ******** ****** Hikvision ****** ** * user's ******** ******* / LAN, ***** ****** *** own *** ** **** given *********'* ************* ***** record *** ******* ********** ownership.

Cisco *** ****** ****?

********* ********* ** **** their ************* ***********, ********* hiring ****** *** ******** ****** *****. *******, ***** *** Rapid7 *** ****** *** recommending **** ********** ** a '******** *************' ** 'hardening'.

** *** ***** ****, it ** **** ** blame ***** *** ****** since **** ** *** parties **** **** **** clear **** **** *** providing ** ********* ****** ***** releases.

Featuring ******* *******?

*******, *** ****** ** Linksys ******* ** *********'* hardening ******* ** ********.

******* ******* ***, ** their *** ******, ******** to **** *** *** users. *** ******* *******, like *********,**** *** ***** *** ongoing ******** ******.

******* ** ***, ** Hikvision ** ********* ***** are ******* ***** ********* their ******* / ********, port ********** ******* ******* is *** * **** way ** ** ****.

Comments (18)

I must have missed the memo where Cisco sold Linksys to Belkin? I was going to comment that most Linksys gear was now labeled Cisco, hence the Hikvision connection (a reach, I know), but even that is now bunked. 

My only guess is the Linksys is sort of a de facto standard for SOHO routers, which if you need their advice for port forwarding, you likely aren't running a Sonicwall, pFsense, or anything corporate above these SMB routers. 

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways. 

I must have missed the memo where Cisco sold Linksys to Belkin?

Note to others: Cisco sold Linksys to Belkin 4 years ago, March 2013.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways.

That's funny because it's true but presumably Hikvision is releasing a network hardening guide because it wants to build trust with larger / enterprise buyers who care about cybersecurity. Featuring a Linksys router with port forwarding instructions is unlikely to do that.

I must have missed the memo where Cisco sold Linksys to Belkin?

Don't worry, Jon, I missed that one too. But maybe because I don't follow the SOHO market much anymore.

Installed my first Hikvision, I started getting random invalid login attempts at all hours of the day and night in the first week! Now half the cameras stopped working. Ugh, why did I bother. 

That's strange, out of the hundreds of Hikvision products we have installed, none have been hacked to my knowledge and have only ever had a few RMAs. 

However, I have had quite a few Dahua devices get hacked, so I can sympathize somewhat.

But, neither brand has been unreliable. We've had maybe 20 RMAs in the history of using Dahua and Hikvision products since 2010.

To stay on topic though, if you followed this "hardening guide", you should expect a "knock at the door" very soon. 

I started getting random invalid login attempts at all hours of the day and night in the first week

Did you port forward it or? Typically such invalid login attempts come from devices being exposed to the public Internet, which faces numerous bots and scripts continuously probing / attacking devices.

Related, a popular article from last year: "The Inevitability of Being Hacked. We built a fake web toaster, and it was compromised in an hour."

I have it straight facing on the WAN with a public IP. Probably not the best way, but it's the only device there and if I was going to open up all the ports needed anyway, I didn't see a need for a router. Guess I'll need to put it behind one and see if it helps. Not sure if I'm getting notification of false logins that they're using some kind of backdoor being that the system is recognizing a failed login attempt.

A router may not mitigate the issue if the same port required for the stream is the same one that authentication requires, or if a hack can be made on the streaming port. Where a router might help is if it has the capability of permitting incoming traffic only from a specified source IP, and whatever needs to connect to the camera (like an NVR) is from a known source IP.

I was going to comment on the main article, that my guess is that Hik is recommending to use port forwarding vs. simply putting the device behind the modem with all ports open. However, this is a very rare case, as usually there are other devices on the network requiring the use of a router. In your case, yes I would recommend a router as standard business practice. Most ISPs will provide a modem/router combo, which IMHO I hate and would rather use a Belkin or Linksys any day.

One benefit of using port forwarding vs. simply hanging the device off the modem is that any "undocumented" port, such as discovery, ONVIF, telnet, SSH, etc., is then not accessible if you didn't forward the port.  If it is on the modem, then everything is accessible from the Internet.


I typically recommend using port forwarding if VPN or other technologies can not be used, and then to forward only the minimum ports and devices.  Only forward the NVR and not each camera.  Ports you don't need for remote access, don't forward.

The biggest thing in this article that jumps out at me is that they are not recommending P2P.  P2P was going to be the end-all, be-all answer in the easy setup nirvana but now I guess they see the inevitable hacks and distrust for them as a reason to go away from it.  Anyway, that was my take on it.  And oh yeah, using an older SOHO router was just funny, like they told someone to make a hardening guide with the stuff he could find in the basement.
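The advice in the three comments above (permit incoming traffic only from a known source IP, forward only the ports remote access needs and only to the NVR, and keep "undocumented" ports such as discovery, ONVIF, telnet and SSH off the Internet) amounts to a checklist that a router's forwarding table can be audited against. The following is an added example, not code from IPVM, Hikvision or any router vendor: it models forwarding rules as small records and reports which ones violate that checklist. The rule table, device roles, IP addresses and the port numbers in the sample data are constructed for illustration.

```python
"""
Audit a SOHO router's port-forwarding table against the least-exposure
rules from the thread: forward only the NVR, only the ports remote viewing
needs, keep management/discovery ports off the Internet, and restrict each
rule to a known source IP where the router supports it.

Added example: the rule table, device roles and addresses below are
constructed sample data, not taken from any Hikvision guide or real router.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Services the thread calls "undocumented" ports; remote viewing never needs them.
# 22/23 are the well-known SSH/telnet ports; 3702 is WS-Discovery, which ONVIF
# device discovery uses.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3702: "ws-discovery (ONVIF)"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class ForwardRule:
    name: str
    proto: str                    # "tcp" or "udp"
    external_port: Optional[int]  # None = DMZ host: the router forwards every port
    internal_host: str
    internal_port: Optional[int]
    source: Optional[str] = None  # allowed remote source, e.g. "203.0.113.10/32"; None = anyone


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    message: str


def _unrestricted(source: Optional[str]) -> bool:
    """True when the rule accepts traffic from the whole Internet."""
    if source is None:
        return True
    # A malformed source (e.g. a bad prefix length) raises here rather than
    # being silently treated as a restriction.
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules: List[ForwardRule], devices: Dict[str, str]) -> List[Finding]:
    """devices maps internal IP -> role ("nvr" or "camera"). Returns findings, most severe first."""
    findings: List[Finding] = []
    for r in rules:
        if r.external_port is None:
            findings.append(Finding("critical", r.name,
                f"DMZ host {r.internal_host}: every port, management ports included, is reachable from the Internet"))
        role = devices.get(r.internal_host, "unknown device")
        if role != "nvr":
            findings.append(Finding("high", r.name,
                f"forwards to a {role} ({r.internal_host}); forward only the NVR, not each camera"))
        port = r.internal_port if r.internal_port is not None else r.external_port
        if port in MANAGEMENT_PORTS:
            findings.append(Finding("high", r.name,
                f"exposes {MANAGEMENT_PORTS[port]} (port {port}), which remote viewing does not need"))
        if r.external_port == 80:
            findings.append(Finding("medium", r.name,
                "default HTTP port 80 is exposed; the thread suggests moving it to a non-default external port"))
        if _unrestricted(r.source):
            findings.append(Finding("medium", r.name,
                "no source restriction; limit the rule to the known IP of whatever must connect"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity (all three keys always present)."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: one NVR and two cameras on a 192.168.1.0/24 LAN.
SAMPLE_DEVICES = {"192.168.1.10": "nvr", "192.168.1.21": "camera", "192.168.1.22": "camera"}

SAMPLE_RULES = [
    # The minimal rule the thread recommends: one NVR port, locked to one remote address.
    ForwardRule("nvr-viewing", "tcp", 8000, "192.168.1.10", 8000, "203.0.113.10/32"),
    # NVR web UI on the default HTTP port, open to anyone.
    ForwardRule("nvr-http", "tcp", 80, "192.168.1.10", 80),
    # Telnet forwarded straight to a camera.
    ForwardRule("cam-telnet", "tcp", 23, "192.168.1.21", 23),
    # The "hang it off the modem" equivalent: a camera set as the DMZ host.
    ForwardRule("dmz-camera", "tcp", None, "192.168.1.22", None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, SAMPLE_DEVICES):
        print(f"[{f.severity:8}] {f.rule}: {f.message}")
```

Running the script lists the DMZ rule first, then the camera and telnet exposures, then the two unrestricted rules; only the source-restricted NVR rule passes clean. On a real deployment the rule table would be read from the router's export instead of the constructed list, and the device role map from the NVR's camera inventory.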

now I guess they see the inevitable hacks and distrust for them as a reason to go away from it

I do not know if that was the case. We raised our concerns about the hardening guide to Hikvision prior to publication but no response.

Btw, Hikvision did update the guide yesterday, June 8th, after we contacted them but the port forwarding section still remains.

Here's the 1.1 April 2017 version and the 1.2 June 2017 version for those looking to compare.

One thing that clearly is new, post IPVM's notification to Hikvision, is a warning section about using port forwarding that follows the Linksys screencap / instructions that remains:

As the excerpt shows, they are still clearly recommending port forwarding for Internet access generally and in their 'hardening' guide.

I took a brief look at their entire hardening guide and I think if you did every single step in there it would be pretty secure. I would have added that one should change port 80 to something else and should have put more of an emphasis on only opening the ports needed for the DVR (to avoid the risk of someone DMZ'ing).

People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device? Or how/what else should have they mentioned instead. Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

"I would think port forwarding is a more secure setup than any P2P setup?? Or nay?"

Why do you think port forwarding is more secure?


People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device?

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

That depends what you think of the security / precautions / readiness / proficiency of your P2P / cloud provider.

There is one clear benefit. When a vulnerability is found in a P2P or cloud service, it is fixed once and patched for all users. When a vulnerability is found in a remote unmanaged device that uses port forwarding, the vulnerability will, as a matter of practice exist for many years in most devices since firmware upgrades of individual users lag, to say the least.

P2P is the worst protocol to have been introduced in IP camera systems, regarding security. It's purposefully designed to punch through safety/control measures. Some may say ONVIF is worse, but I digress. :D

NOTICE: This comment has been moved to its own discussion: P2P Is The Worst Protocol To Have Been Introduced In IP Camera Systems, Regarding Security

Trust us for all of your cyber security needs.

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Understand, I just think you have to blend practicality in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical. I mean if you really want to truly harden your system you can include these instructions "You see that network cable that is connected to the back of your device, unplug it!"

I too am a little confused why they didn't mention P2P though. To me this would be the most practical situation. We still however do not get the full remote management features through P2P like we do with normal port forwarding. It's also "slower" than port forwarding.

in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical.

Sure, so if someone does not care about cybersecurity and just wants to see video remotely, letting them know it's possible to use port forwarding is perfectly reasonable (with appropriate warning about risks).

But it's strange to put port forwarding as 'standard configuration' inside of a hardening guide. Many people who are serious about cyber security are going to see and conclude negatively about Hikvision (i.e., a company with that many past problems who then goes and recommends port forwarding Linksys routers in a hardening guide either lacks skill or seriousness in cyber security).
