Are the default external/internal port numbers always the same?
What happens to the assignments if there is more than one camera online?
Hikvision UPnP Hacking Risk
Published Dec 04, 2017 19:11 PM
********* ** ******* *** ***** ****** even *** *** ***** *** *** not *** ** **** ********** *** believed ***** ******* **** '****' ****** firewalls.
*** ******* ** **** ***, **** specifically, *** ********* *** ********** **** UPnP **** *** *****.
** **** ****, ** **** ** the ******** ***** ** *********'* **** practices, ***** **** **** ***** ** reduce ** *** *************** **** **** remain.
********
**** *** **** *** ******, ******** confused *** ********* ***** **** ***** their ********* ** ******* ******. *** most ****** ******** **** ** *** camera ***** ******* '******':
** ***** *****, ******* *** ***** to ******* ********, ** ********* ** an ********** ** ** **** **********:
**** ******* **** ** ***** ***** is **** **** **** *** ***** of ******** ***** ******* ** *** public ********, *** ******** **********'* ************** ** **** *******, **** **** *** ********** ******* access ** ***** *******, ***** ** their **** ****** **** **** **** from ******** ******.
Vulnerability: **** *** *********
** *** ********** ** *** *****-********** discussion ***** ***, ***** ******** ************ time *** ****** ***************, ********* *** enabled **** *** ********* ** *******,** ** *********:
********* ******* ******* **** *** *********, automatically ******** ***** *** ******** ***** to ***** ******* ****** ***** *** May ****, *.*.* ********. **** ** a ************* ** *** *** *** combined **** ************ ********, ** ****** **** ******* ** anyone ****** *** ****** ********. ******** UPnP *** ********* ** *******, *** combining ** **** ** ******-********* ******** set ***** ******* ** *** ******. Attackers **** ********** ****, ******* ** large ******* ** ********* ******* ***** altered ** **** "******" **** ** the ***** ***** ** ***** ******** entirely ** ****** ***** ************* ***** out, ** *** **** * ****** loop.
Failed ** ******* **** ****
*********'* **** ************* ** ***'********* **********'************** ** ******* *** ***** ** UPnP. ******,********* ********* *** ************ ** ******* ****** ** **** behind ***** *******:
*** ************ ******** *********** ********** ******** ******* * ********* ***, Hikvision **** ********, ** *****-***** *** software. ** ****, ******** *** ************** ********* ** ******* ** ** open ** ****** ******, ******** *** risk ** *** ************* ********. ** date, ********* ***** ***** ** *** ******* ** malicious ****************** **** **** *************. [******** *****]
** ******, *** ***** *** ********** reports ** ********* ********, *********** ** many **** ** *********'* **** ****** and ***** ******* ** *********** ***** risks.
UPnP ******* ******** *.*.* *** *******
** ********* ***** ** *.*.*, **** was ******* ** *******, **** *** camera's *** ********* ******* ***** ***** being ********* *** ****, ****, *** "Server ****" (*******/******* ****).
*******, ***** *** **** ***** ***** only ***** *****, **** ******** ******** UPnP ** * ******, **** ***** were ******** *********: *** ***** ***** as **** ** **** *** ****, described ** "*************" *** "****************."
* ********* ******** [**** ** ****** available] ********* ***** ***** ** **** for ***** (***-*******) ******* *** **** View, *** **** **** ** ***** possible *** ***-*******/***** **** **** ***** ports *** ******.
UPnP ******** ** ******* ** *.*
***, ** ******** ******** *.*.* *** later, **** *** **** ******** ** default:
**** ** ******** ** *******. ***-******* platform ***** ****** **** **** ****** is ***** *** ******* **** **** camera ** ******* **** ***-******* ********. Upgrading ***** *** ****** *** **** configuration.
***** ******* ** *** **** **** manually ****** ** ** *** ******'* web ********* ** **** ******** **** it ** **** ****** ** ***-******* (see *****).
Not ******** ** *******
**** **** ***** **** ** ****** off ** *******, ** ************* **** ********* ********. **** ***** that ** ***** ******** **** * version ***** **** *.*, ****** *** the **** ******** ** ********* ******* older **** * *** ******, **** will ***** ** ******* ****** ***** manually ******** **.
Enabled ** ***-*******
*** ****** *** ** ***** **** is ******* ** **** ***-*******, ***** directs ***** ** ****** '**** *******' which **** **** (** ***** ** the *** *** *****):
******* ***-******* ***** ***** ***** *******, Hikvision ******** **** ***** *** ****** configuration.
UPnP = ******** ****
******* **** ********* *** **** ********** process *** ** ****** ** ** default ** **** ******* ******** ** ISPs, ***** *** ****** *** ** aware ***** ******* *** **** ********* to *** ******** *** *********** ********** to ****** (************ ******** *******). *******, **** ***** *** *** aware **** *** ******* **** ********** on *** *** ** ***** ** what ******** *** *******, ** *** all ***** *** ********** ** *** camera's *** *********.
Future ***************
********** ******* ********* ** *** ******** eventually *** ******, **** *** **** true ***** *** ******** ****** ***** popularity **+ ***** ***. ********* ***** hacks *** ******, *** ******* ** create *******, ** ** *** **** of ******** ****** ***** ** ***** *******, ***** ***** *** ***** *** less ******, *** ***** ***** **** or *********** ** *****. ** ********** seeing ******* ******* ********** ********* ******* escalate, ** **** **** *** * very ***** *** **** ********* ****** when ******* **** **** *** ********* enabled, *** ****** ********* ********* **** require ****** ****** **** *******.
Comments (22)
U
Undisclosed #1
Dec 04, 2017
Ethan Ace
Dec 04, 2017Defaults are always the same (80/554/8000). If there's more than one camera online, the port numbers are incremented, so camera 2 would use port 81, camera 3 uses port 82, etc., etc.
Sean Nelson
Dec 04, 2017Despite Hik-Connect being their cloud service, Hikvision requires open ports for remote configuration.
This is not true for Hik-Connect. They just suggest using UPNP to automatically port forward to make a quicker connection then relying solely on the P2P cloud service. You can click the Skip Icon and the cloud service still works fine. Matter of fact, I wish they would just simply remove the UPNP step, its confusing and UPNP works less than half the time on routers.
An even more annoying feature with the new updated Hik Connect is when the app "senses" there is a poor network connection. It suggests that you "map the ports" to make a quicker connection. This is basically turning on UPNP. I hope they remove that feature because I can just hear my customers calling right now " My app says I have a poor connection, how do I map my ports?"
Ethan Ace
Dec 04, 2017This is not true for Hik-Connect. They just suggest using UPNP to automatically port forward to make a quicker connection then relying solely on the P2P cloud service. You can click the Skip Icon and the cloud service still works fine.
So if you skip it, you can configure camera or recorder settings how? Via the app? iVMS? Other? How do I remotely connect to configure a VMD zone without port forwarding, for example?
If this is true I'd like to test it and correct.
U
Undisclosed #2
Dec 05, 2017Sean is right!
You configure settings locally
and use Hik-Connect to "connect" :)
Sean Nelson
Dec 05, 2017U can do it thru ivms for sure, all settings are available thru ivms via p2p. Also, there are more and more settings u can set thru the phone app as well with each update. For example, you can block out motion areas in the image when i was using their new doorbell the other day. I assume these features will get pushed to all devices soon. Btw , are u guys going to test the doorbell soon?
Ethan Ace
Dec 05, 2017Camera settings changes fail via cloud in iVMS. I've tried this on multiple cameras at multiple locations, and the Hik-Connect app itself only includes turning notifications on or off.
You can configure recorders through iVMS, but it's ridiculously slow. Over a minute to load settings initially in all our testing, and 10-15 seconds to switch between settings pages.
Sean Nelson
Dec 05, 2017Confirmed, My Bad. I never tried to get to settings with a cam, only a DVR and assumed it would work on cams.
U
Undisclosed #1
Dec 06, 2017Btw , are u guys going to test the doorbell soon?
Excuse me, but it’s a door station;)
Sean Nelson
Dec 06, 2017U
Undisclosed #1
Dec 06, 2017Not seeing any doorbells, just door stations on the u.s. site. Is it available here yet?
U
Undisclosed #2
Dec 06, 2017
Ethan Ace
Dec 06, 2017It's in the product quick guide, but not on the website. The Hikvision branded version is not yet available at ADI, Anixter, Tri-Ed, etc. We plan to test it when it's available from these sources, branded Hikvision.
There are OEM doorbells available for awhile now, though. LTS is selling it, and you can find it online elsewhere, but my concern is that the overseas doorbell part number is different from what is in the quick guide, so I'd rather wait and test the model with local support.
U
Undisclosed #2
Dec 06, 2017@Ethan,
Can you please do Hik-Connect DVR test for open ports
scan DVR from outside for open ports
before and after connection
Thanks
U
Undisclosed #1
Dec 05, 2017I wish they would just simply remove the UPNP step, its confusing and UPNP works less than half the time on routers.
I guess were lucky that it doesn’t work so well. Every Cloud has a silver lining.
DS
David Shepherd
Dec 06, 2017I remember hearing about the security issues with UPnP 10 years ago, it surprises me that its still included on new devices...
DR
Dennis Ruban
Dec 19, 2017UPnP is just a way how residential customers do their DIY projects. If you have qualified installer and commercial project, all those potential holes will be disabled, including UPnP on your router
JH
John Honovich
Dec 19, 2017UPnP is just a way how residential customers do their DIY projects. If you have qualified installer and commercial project
Dennis, and how many installers are qualified in IP networks? We've already discussed this at length here (for others to review) but I'll simply reiterate 2 points:
- Lots of installers are not qualified in IP networks.
- Hikvision's auto UPnP tactic is quite uncommon among video surveillance manufacturers so it is not something that most would expect would happen.
DR
Dennis Ruban
Dec 19, 2017And, as I stated before, don't go to a not qualified installer. When you go to a car shop, would you expect techs to be qualified so you'll stay alive driving your car after tire change?
JH
John Honovich
Dec 19, 2017don't go to a not qualified installer.
1. Hikvision does not restrict sales to 'qualified' installers.
2. How is an end user supposed to figure out if an installer is qualified in networking? Keeping in mind that they the end user is no an expert in this field.
To be clear, I agree aspirationally that installers should be qualified, manufacturers should strive to limit their partners to qualified installers and end users should be able to choose qualified installers, but in reality, that's hard to achieve.
JH
John Honovich
Apr 05, 2018Good example of people still being impacted by the Hikvision UPnP problem: IPCamTalk Hikvision vulnerability detected by Rogers, user realizes UPnP is enabled and his old vulnerable Hikvision cameras are exposed to the public Internet.
bm
bashis mcw
Apr 05, 2018You can't simply rely that UPnP has be disabled in the IPC/router/(or whatever) and no ports has been forwarded, you will need to check actively by your self.
You can do that in different ways, one is to have your own box outside and do portscan of all 65535 ports towards your external IP, or secondly check with
https://www.zoomeye.org/searchResult?q=<IP address>
https://www.shodan.io/host/<IP address>
To many times I've seen UPnP active in one way or another, even it's disabled in Web GUI.
Note: zoomeye.org seems to be most accurate in my tests.