NMAPing IP Cameras
Author: Ethan Ace, Published on Mar 05, 2015
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.
Related Reports on ONVIF
Axis Releases First New Access Controller In 5 Years (A1601)
on Jun 15, 2018
It has been 5 years since Axis 2013 entry in the physical access control market, with the A1001 (IPVM test).
Now, Axis has released its second...
H.265 / HEVC Codec Tutorial
on Jun 07, 2018
H.265 support has improved significantly in 2018, with H.265 camera/VMS compatibility increased compared to only a year ago, and more manufacturers...
S2 Access Control / 'Unified Security Management' Profile
on May 08, 2018
In our 13th access control company profile, we examine S2 Security's Netbox platform:
Unified Security Management Platform positioning
Core...
Vivotek 12MP Fisheye Camera Tested (FE9391-EV)
on May 08, 2018
Next in our 12MP fisheye camera evaluation, we bought and tested Vivotek's latest generation FE9391-EV, a new model claiming improved smart IR...
Last Chance - May 2018 Camera Course
on May 03, 2018
This is the last chance to register as the course starts next week.
This is the only independent surveillance camera course, based on in-depth...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits
on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly.
We have summarized exploits by date and by manufacturer,...
Axis Launches ~$100 HD Camera
on Apr 11, 2018
Chinese manufacturers, led by Hikvision, have come to dominate the low end of the Western market, driven by ~$100 cameras.
While Axis has...
Hanwha Mega ISC West Product Releases
on Apr 05, 2018
While overall new product releases have been slowing over the past few years, Hanwha is releasing a slew of 6 new offerings for ISC West,...
VMS New Developments Spring 2018 (Avigilon, Exacqvision, Genetec, Hikvision, Milestone, Network Optix)
on Apr 04, 2018
What's new with VMS software? In this report, we examine new features and releases for Spring 2018 to track different areas of potential...
ADI W-Box Dropping Hikvision (Tested)
on Mar 05, 2018
The next generation of ADI's W-Box (ADI's competition against their manufacturing partners) is here.
And unlike the previous generation, which was...
Most Recent Industry Reports
July 2018 IP Networking Course
on Jun 16, 2018
The last chance to save $50 on registration is this Thursday, June 21st. Register now and save.
This is the only networking course designed...
The Dumb Ones: PSA's Bozeman On Cybersecurity
on Jun 15, 2018
The smart ones are the hundred people who flew to Denver and spent $500+ on a 1.5-day conference featuring Dahua as a 'cyber responsible partner',...
Amazon Ring Launches $10 Monthly Professional Alarm Monitoring
on Jun 15, 2018
Amazon's Ring has announced an alarm system with 24/7 professional alarm monitoring for $10 per month, a fraction of the $30+ per month traditional...
Axis Releases First New Access Controller In 5 Years (A1601)
on Jun 15, 2018
It has been 5 years since Axis 2013 entry in the physical access control market, with the A1001 (IPVM test).
Now, Axis has released its second...
Hikvision 12MP Fisheye Camera Tested (DS-2CD63C2F-IV)
on Jun 14, 2018
Hikvision's DS-2CD63C2F-IV is their flagship panoramic camera, with a 12MP imager, 15m integrated IR, smart codec, and more. We tested the 63C2 in...
Four Major Outdoor Camera Install Problems
on Jun 14, 2018
Over 140 integrators told us the top four camera installation mistakes that lead to unexpected problems and failures. Their comments often...
Security Sales Course Summer 2018
on Jun 14, 2018
Based on member's interest, IPVM is offering a security sales course this summer.
Register Now - IPVM Security Sales Course Summer...
China Public Video Surveillance Guide: From Skynet to Sharp Eyes
on Jun 14, 2018
China is expanding its video surveillance network to achieve “100%” nationwide coverage by 2020, including facial recognition capabilities and a...
IPVM For PR / Marketing People
on Jun 13, 2018
This post helps PR and Marketing people understand and productively work with IPVM (as much as possible given our independent, often critical,...
Avigilon H4 Multi-Sensor Adds 32MP, H.265, Analytics
on Jun 13, 2018
Avigilon has announced the H4 Multisensor, the successor to their repositionable multi imager line, adding features like H.265, integrated IR,...
The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.
Comments (10)
Eric Taylor
This is a great article. Thank you.
Create New Topic
Pat Villerot
This is a great article. I was not aware of this tool. Thank you for posting.
Create New Topic
Steve Mitchell
This article does a great service, thanks.
One thing that's been nagging at me in these various Hikvision discussions recently.. I get the feeling many people here are thinking about Hikvision cameras and what vulnerabilities may be present. Maybe because when they hear Hikvision they think "camera."
In Hikvision's statement from last year they do admit some vulnerabilities in their cameras. They talk about the default password, and telnet being available, and released new camera firmware at that time to disable telnet and enforce better password policy. In the same statement they talk about their DVR firmware--also discussing default passwords, telnet, and password policy. (I'm talking about this statement: https://ipvm-uploads.s3.amazonaws.com/uploads/8341/3f4f/HikvisionOutlinesUpdatesToSurveillanceProducts.pdf )
Of course, default passwords, weak passwords, and telnet (because it exposes passwords in the clear) could all be used to gain user or admin level access to a device. But in some cases that vulnerability may be of limited risk due to the additional need to elevate ones permissions in order to further exploit the device/network. I.e, "you can log in and change the resolution of my camera, big deal."
But the other discussions surrounding actual Hikvision exploits talk about their DVRs in particular and the RTSP buffer overflow issue (wired article: http://www.wired.com/2014/04/hikvision/ , SecurityWeek article: http://www.securityweek.com/multiple-vulnerabilities-found-hikvision-dvr-devices ). The DVRs appear to be running a linux (/dev/watchdog). And the exploits are shown to provide "full control" of the device.
I am just pointing this out because I've always felt that DVRs/NVRs are the real high risk components in a surveillance network. They tend to be more powerful devices, already hold all the video (if protecting video is your concern), tend to run a fuller linux (or Windows) command set if not running a full commodity OS and thus are at greater risk of rootkit, require more open protocol implementations for interoperability and integration, and may be based on a commodity hardware platform rather than the more exotic SoCs used in many cameras.
DVRs are big juicy targets, and are harder to protect than cameras. I suspect that's why Hikivision is in the doghouse today.
Create New Topic
Luke Maslen
Hi John, thank you for your very helpful article. For those cameras which do not offer ways to disable unnecssary ports, do you think adding rules to the firewall, to block ports on the cameras and NVR's, would be an adequate solution? Thank you.
Create New Topic
Ray Bernard
John, this is a great article. I would add one warning to it. If you run an Nmap scan on a network with older IP cameras, say cameras made before 2010, it is possible that some cameras would go offline. This wouldn't happen with Axis, Bosch, Panasonic or Sony cameras for example, but it could with popular low-cost competors. I've written about this twice in my Convergence Q&A column, as the experiences with this were classified as "incidents". In one case, relayed to me by a consulting colleague of mine, over 100 network cameras were taken offline when an IT tech did an Nmap scan. This was a deployment done in 2004. They were not PoE cameras. People had to be sent out to the camera locations to manually recycle their power. Not a fun day. I wrote about it again a couple of years later when a Nessus scan took an entire network of IP cameras offline, and it required more than just power cycling to get them back on (I don't know the technical details).
Because in each of these cases it was a practice the IT departments to periodically scan all devices on their network, ths was taken into account by adding the IP addresses of the cameras to the Do Not Scan list.
Performing both an Nmap scan and a Nessus scan - whether or not the cameras will be connected to a larger corporate network - should be a standard test before finalizing any network camera deployment.
I have had integrator techs tell me that they don't need to do that, because their cameras are on a physically independent network. However, you have to anticipate that the isolated network status could change in the future. Additionally, for deployments with older cameras that are vulnerable in this way, you have to remember that this is a security vulnerability, becasue attackers gaining access to the video network don't need a password or special skills to take the network down. They can just run the default scan.
I believe that two manufacturers involved in these incidents have since upgraded the firmware for their cameras to eliminate this vulnerabilty or fixed it in a replacement model. But it is common for deployed cameras not to get their firmware upgraded once everything is working well.
Standalone video networks still need to have securty measures in place, regardless of the age of the cameras, so that traffic from non-approved devices (such as an attacker's laptop) can't flood the network.
Create New Topic
Undisclosed Integrator #2
So I've been NMAPping the guest wifi here at Starbucks... still hasn't found anything, including my phone or the guy's laptop at the next table, but it's only 5% into the SYN scan. Neat tool, very inclusive. I've been using Advanced IP Scanner (from www.radmin.com) for a long time and will probably stick to that for finding stray network devices, like when my managed switch doesn't show up on the DHCP server, but this is definitely getting added to my toolbox for those times soemthing stonger is needed.
Create New Topic
Marc Pichaud
Very Usefull article.
Let's add that with some vendors, rtsp ports by default (factory settings) don't require credentials....so .... you can first sniff the network, get the IPs and then access video without passwords with Vlc. IF you can see the security from inside, then a physical introduction becomes very easy.. yahoo!
Create New Topic