Hikvision Hardening Guide Recommends Port Forwarding

By: John Honovich, Published on Jun 09, 2017

Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below:

In this note, we examine the risks in this approach and Hikvision's commitment to network security.


[***************]

Hardening **********

********* **** ** ****** vulnerabilities *** ******** *** security ** *******. ********* guides *** ******* ** IT *** ******* ** video ************ ** ***** seek ***** ** ******* security ** *** ******* they ******. *** *******, here *******'* ***** ** ****** Cisco *** ******* ******* ************** ********* *****.

Port ********** *****

**** ********** ***** ***** ports ********* ** *** public ********. ***** **** makes ** **** *** the **** ** *** remote ****** ** ***** devices, ** **** ****** attackers / ******* ** probe / ****** ***** devices. ** ***** *** vulnerabilities *** *** ****** (e.g.,*********'* ****** ********, *** **** ***** of ******* *********, ***., whatever *** ************* ** exposed ***** **** ****, next ****, ***.), **** forwarding ***** ** **** to ******* ****. ******, Hikvision ******* ****,******* ************* ***** **** service**** **** **** *********** depends ** **** **********.

**** ********** ** * cheaper / ****** *********** to ***** * *** (e.g., *** **** ** *** ** VPN ***** **********) *** **** ********** is *** * *** to '******' * ****** or * *******. ** is *** ***** *** a ************ ** ******* how ** *** **** forwarding *** ******* ** recommend ** ** ** a ******** ************* ** hardening.

HikConnect ***?

*************, *********'* ********* ***** did *** **********-*******, ***** *** / cloud *******, ***** ********** *** need *** **** ********** and ** * ******* they *** ********* ** a *********** ** ***** DDNS ********.

*******, ***-******* ******** ****** Hikvision ****** ** * user's ******** ******* / LAN, ***** ****** *** own *** ** **** given *********'* ************* ***** record *** ******* ********** ownership.

Cisco *** ****** ****?

********* ********* ** **** their ************* ***********, ********* hiring ****** *** ******** ****** *****. *******, ***** *** Rapid7 *** ****** *** recommending **** ********** ** a '******** *************' ** 'hardening'.

** *** ***** ****, it ** **** ** blame ***** *** ****** since **** ** *** parties **** **** **** clear **** **** *** providing ** ********* ****** ***** releases.

Featuring ******* *******?

*******, *** ****** ** Linksys ******* ** *********'* hardening ******* ** ********.

******* ******* ***, ** their *** ******, ******** to **** *** *** users. *** ******* *******, like *********,**** *** ***** *** ongoing ******** ******.

******* ** ***, ** Hikvision ** ********* ***** are ******* ***** ********* their ******* / ********, port ********** ******* ******* is *** * **** way ** ** ****.

Comments (18)

I must have missed the memo where Cisco sold Linksys to Belkin? I was going to comment that most Linksys gear was now labeled Cisco, hence the Hikvision connection (a reach, I know), but even that is now bunked. 

My only guess is the Linksys is sort of a de facto standard for SOHO routers, which if you need their advice for port forwarding, you likely aren't running a SonicWall, pfSense, or anything corporate above these SMB routers.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways. 

I must have missed the memo where Cisco sold Linksys to Belkin?

Note to others: Cisco sold Linksys to Belkin 4 years ago, March 2013.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways.

That's funny because it's true but presumably Hikvision is releasing a network hardening guide because it wants to build trust with larger / enterprise buyers who care about cybersecurity. Featuring a Linksys router with port forwarding instructions is unlikely to do that.

I must have missed the memo where Cisco sold Linksys to Belkin?

Don't worry, Jon, I missed that one too. But maybe because I don't follow the SOHO market much anymore.

Installed my first Hikvision, I started getting random invalid login attempts at all hours of the day and night in the first week! Now half the cameras stopped working. Ugh, why did I bother. 

That's strange, out of the hundreds of Hikvision products we have installed, none have been hacked to my knowledge and have only ever had a few RMAs. 

However, I have had quite a few Dahua devices get hacked, so I can sympathize somewhat.

But, neither brand has been unreliable. We've had maybe 20 RMAs in the history of using Dahua and Hikvision products since 2010.

To stay on topic though, if you followed this "hardening guide", you should expect a "knock at the door" very soon. 

I started getting random invalid login attempts at all hours of the day and night in the first week

Did you port forward it or? Typically such invalid login attempts come from devices being exposed to the public Internet, which faces numerous bots and scripts continuously probing / attacking devices.

Related, a popular article from last year: "The Inevitability of Being Hacked. We built a fake web toaster, and it was compromised in an hour."

I have it straight facing on the WAN with a public IP. Probably not the best way, but it's the only device there and if I was going to open up all the ports needed anyway, I didn't see a need for a router. Guess I'll need to put it behind one and see if it helps. Not sure if I'm getting notification of false logins that they're using some kind of backdoor being that the system is recognizing a failed login attempt.

A router may not mitigate the issue if the same port required for the stream is the same one that authentication requires, or if a hack can be made on the streaming port. Where a router might help is if it has the capability of permitting incoming traffic only from a specified source IP, and whatever needs to connect to the camera (like an NVR) is from a known source IP.

I was going to comment on the main article, that my guess is that Hik is recommending to use port forwarding vs. simply putting the device behind the modem with all ports open.  However, this is a very rare case, as usually there are other devices on the network requiring the use of a router.  In your case, yes I would recommend a router as standard business practice.  Most ISPs will provide a modem/router combo, which IMHO I hate and would rather use a Belkin or Linksys any day.

One benefit of using port forwarding vs. simply hanging the device off the modem is that any "undocumented" port, such as discovery, ONVIF, telnet, SSH, etc., is then not accessible if you didn't forward the port.  If it is on the modem, then everything is accessible from the Internet.

I typically recommend using port forwarding if VPN or other technologies can not be used, and then to forward only the minimum ports and devices.  Only forward the NVR and not each camera.  Ports you don't need for remote access, don't forward.

The biggest thing in this article that jumps out at me is that they are not recommending P2P.  P2P was going to be the end-all, be-all answer in the easy setup nirvana but now I guess they see the inevitable hacks and distrust for them as a reason to go away from it.  Anyway, that was my take on it.  And oh yeah, using an older SOHO router was just funny, like they told someone to make a hardening guide with the stuff he could find in the basement.

now I guess they see the inevitable hacks and distrust for them as a reason to go away from it

I do not know if that was the case. We raised our concerns about the hardening guide to Hikvision prior to publication but no response.

Btw, Hikvision did update the guide yesterday, June 8th, after we contacted them but the port forwarding section still remains.

Here's the 1.1 April 2017 version and the 1.2 June 2017 version for those looking to compare.

One thing that clearly is new, post IPVM's notification to Hikvision, is a warning section about using port forwarding that follows the Linksys screencap / instructions that remains:

As the excerpt shows, they are still clearly recommending port forwarding for Internet access generally and in their 'hardening' guide.

I took a brief look at their entire hardening guide and I think if you did every single step on their it would be pretty secure. I would have added that one should change port 80 to something else and should have put more of an emphasis on only opening the ports needed for the DVR (to avoid the risk of someone DMZ'ing).
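The practical advice scattered through the comments above (restrict inbound traffic to a known source IP, forward only the NVR rather than each camera, forward only the ports remote viewing needs and never DMZ the device, keep telnet/SSH/ONVIF discovery off the Internet) can be turned into a simple audit of a router's port-forwarding table. The script below is an added example, not part of the article or of any Hikvision or router vendor material; the forwarding table, device addresses, the assumption that remote viewing needs only HTTPS (443) and RTSP (554) on the NVR, and the `Forward` model are all constructed for illustration.

```python
"""Audit a consumer router's port-forwarding table for the risks raised in the
comments: DMZ / all-ports exposure, per-camera forwards instead of only the NVR,
management ports (telnet, SSH, WS-Discovery used by ONVIF) that remote viewing
does not need, and forwards that accept connections from any source address."""

from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

# Well-known management / discovery ports that should stay inside the LAN.
# Assumption for this example: remote viewing needs only the ports passed in
# as `needed_ports`; everything else forwarded is surplus exposure.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3702: "ws-discovery (onvif)"}


@dataclass(frozen=True)
class Forward:
    """One row of a router's port-forwarding table (constructed model)."""
    name: str
    internal_ip: str
    ports: Tuple[int, ...]            # () means every port, i.e. a DMZ host
    allowed_sources: Tuple[str, ...]  # CIDRs; () means any source on the Internet


def audit_forwards(rules: List[Forward], nvr_ip: str, needed_ports) -> List[Tuple[str, str, str]]:
    """Return (severity, rule name, message) for every risky row.

    nvr_ip: the one recorder that should be the only exposed device.
    needed_ports: the ports remote viewing of that recorder actually requires.
    """
    findings = []
    needed = set(needed_ports)
    for r in rules:
        if not r.ports:
            findings.append(("critical", r.name,
                             "DMZ / all-ports forward exposes every service on the host"))
        if r.internal_ip != nvr_ip:
            findings.append(("high", r.name,
                             f"forwards to {r.internal_ip}, not the NVR; forward only the NVR"))
        for p in r.ports:
            if p in MANAGEMENT_PORTS:
                findings.append(("high", r.name,
                                 f"port {p} ({MANAGEMENT_PORTS[p]}) is a management service, not needed for viewing"))
            elif p not in needed:
                findings.append(("medium", r.name,
                                 f"port {p} is not in the needed set {sorted(needed)}"))
        if not r.allowed_sources:
            findings.append(("medium", r.name,
                             "no source restriction; limit to the known viewer / NVR source IPs"))
        else:
            for cidr in r.allowed_sources:
                if ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(("medium", r.name,
                                     f"source {cidr} matches every address; restriction is ineffective"))
    return findings


def worst_severity(findings) -> str:
    """Highest severity present, or 'none' for a clean table."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed sample table: a "just open it up" setup next to a minimal one.
NVR_IP = "192.168.1.10"
NEEDED_PORTS = (443, 554)
SAMPLE_RULES = [
    Forward("dmz-host", "192.168.1.50", (), ()),                      # camera placed in the DMZ
    Forward("cam-rtsp", "192.168.1.51", (554,), ()),                   # per-camera forward
    Forward("nvr-web", NVR_IP, (80, 443, 23), ()),                     # NVR, but HTTP + telnet, any source
    Forward("nvr-any-src", NVR_IP, (443,), ("0.0.0.0/0",)),            # "restricted" to the whole Internet
    Forward("nvr-minimal", NVR_IP, NEEDED_PORTS, ("203.0.113.10/32",)),  # only the NVR, needed ports, known source
]

if __name__ == "__main__":
    for sev, name, msg in audit_forwards(SAMPLE_RULES, NVR_IP, NEEDED_PORTS):
        print(f"{sev:8} {name:12} {msg}")
```

Running it prints one line per problem; only the `nvr-minimal` row comes back clean, which is the shape of forwarding the commenters describe as acceptable when a VPN is not an option. The source-IP check is the weakest of the four (many SOHO routers cannot express it at all, as the comment above notes), so a table that passes everything except that check is still a candidate for a VPN rather than a finished job.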

People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device? Or how/what else should have they mentioned instead. Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

"I would think port forwarding is a more secure setup than any P2P setup?? Or nay?"

Why do you think port forwarding is more secure?

People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device?

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

That depends what you think of the security / precautions / readiness / proficiency of your P2P / cloud provider.

There is one clear benefit. When a vulnerability is found in a P2P or cloud service, it is fixed once and patched for all users. When a vulnerability is found in a remote unmanaged device that uses port forwarding, the vulnerability will, as a matter of practice exist for many years in most devices since firmware upgrades of individual users lag, to say the least.

P2P is the worst protocol to have been introduced in IP camera systems, regarding security. It's purposefully designed to punch through safety/control measures. Some may say ONVIF is worse, but I digress. :D

NOTICE: This comment has been moved to its own discussion: P2P Is The Worst Protocol To Have Been Introduced In IP Camera Systems, Regarding Security

Trust us for all of your cyber security needs.

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Understand, I just think you have to blend practicality in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical. I mean if you really want to truly harden your system you can include these instructions "You see that network cable that is connected to the back of your device, unplug it!"

I too am a little confused why they didn't mention P2P though. To me this would be the most practical situation. We still however do not get the full remote management features through P2P like we do with normal port forwarding. It's also "slower" than port forwarding.

in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical.

Sure, so if someone does not care about cybersecurity and just wants to see video remotely, letting them know it's possible to use port forwarding is perfectly reasonable (with appropriate warning about risks).

But it's strange to put port forwarding as 'standard configuration' inside of a hardening guide. Many people who are serious about cyber security are going to see and conclude negatively about Hikvision (i.e., a company with that many past problems who then goes and recommends port forwarding Linksys routers in a hardening guide either lacks skill or seriousness in cyber security).
