Topic # 192345 7-Mar-2016 16:05

I do some voluntary IT work for a club and they are getting security cameras installed. The installers want port forwards added to the Spark 2wire ADSL modem/router as follows:

"When setting up a NVR/DVR for Remote Access you will need to forward the below ports to the NVR/DVR:

Minimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP

When setting up an IP Camera for direct Remote Access you will need to forward the below ports to the camera:

Minimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP"

Does any of this pose any security risk for the club's network?


  Reply # 1507572 7-Mar-2016 16:14
10 people support this post

Yes. Never under any circumstances set port forwards to an NVR or DVR unless you're locking it down to specific IP range(s).

 

If the company who installed the cameras thinks this is a good idea I'd find a new security company because they are cowboys.


  Reply # 1507579 7-Mar-2016 16:17

Want a simple example of why it's a bad idea? http://www.welivesecurity.com/2014/04/03/surveillance-cameras-hijacked-to-mine-bitcoin-while-watching-you/

 

Yes this issue is fixed, and the issue isn't something specific to Hikvision (who are a good brand) as there are plenty of other brands of cameras and NVRs that have been hacked in recent times. It's simply security 101.

 

If you want remote access to hardware inside a network then a VPN is the only secure way to access it.

 

 


  Reply # 1507584 7-Mar-2016 16:27

As sbiddle mentioned, if you really want remote access to your NVR or DVR, make sure that the firewall rules lock it down to the specific IP that will be accessing it from outside the internal network.





Do whatever you want to do man.

  


  Reply # 1507585 7-Mar-2016 16:27
3 people support this post

https://www.shodan.io/

 

Never expose cameras to external networks. Even if this company says "it's ok". It's not.

 

If you really need access, create a VPN inside your network, access that and then the cameras. But never expose the cameras.






  Reply # 1507586 7-Mar-2016 16:29
One person supports this post

Port forwards to a web server of unknown quality on embedded hardware that no one will ever bother updating with newer versions, if the vendor even bothers to fix them, with minimal protection against having the password brute-forced and the login done in cleartext?

Yeah, not a good idea.

If you must do this, then lock down the source IPs to the ones that it needs to be accessed from; don't allow access to the whole thing from the entire internet, or you will end up on shodan.io with the world watching your cameras. You should have a VPN to the network to access it, which will need a router or appliance that supports it, and stuff installed on the phone/tablet/PC of anyone wanting to view it. A consumer router will probably not allow incoming VPN connections.

Depending on what exploits are available on the NVRs, if they can get a shell on it then it can be used to start attacking the rest of the network. If, because of people's lack of desire to install a VPN on their phones etc. to monitor it, that isn't possible, then it should be put on its own separate VLAN, which a real computer security place will be able to tell you how to do, but a consumer router will not cut it for that either.

Viewing the cameras should be done over a VPN only. Otherwise assume the cameras are an always-on broadcast to the internet of what is happening at the place.

Any "security" installer that suggests port forwarding for the entire internet as being secure probably says BS like "They would need to know your IP address" and "It's too hard to find". They are not looking for you, they are looking for exploitable computers on the internet, and an NVR is a very exploitable computer because of the age of the software and that no hardening goes into their configuration.

 

 





Richard rich.ms


  Reply # 1507597 7-Mar-2016 16:42

As above. Terrible idea.





Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.





  Reply # 1507773 7-Mar-2016 21:57

Thanks very much for your expertise, guys. I had nothing to do with this exercise and got a surprise being asked to set up the porting. This is not what I have expertise in and I knew you guys had warned of the security issues hence my query.

 

But I fully understand what you are saying and I will advise the club manager of the situation. I certainly don't want any part in the implementation as it stands. 

 

Thanks once again.

 

 



  Reply # 1507800 7-Mar-2016 22:23

My first option is always a VPN for remote access for CCTV. The problem is that many, many small businesses simply don't have the kit to get a VPN into the network. Yes, a Mikrotik is cheap, but by the time someone has gone and configured it and all the clients it can easily turn into a $700-$1000 job.

What we have set up for our customers that have a CCTV solution but whose network we don't run is a VPN connection back to a router in our network, and then they are NAT'd out a specific IP. The port forwarding on the routers is configured for this single IP address and whitelisting is also implemented on the NVRs. Seems to work really well. Certainly not ideal but it's pretty damn close I reckon.

Of course this also goes with not doing silly things like using 'admin' or 'user' as your usernames, and having a strong password.
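As an added example (not code from any poster, vendor or router in this thread), a small audit over a router's port-forward table that applies the advice given above: the installer's ports (8000, 8200, 554, 80) forwarded from any source are flagged, a source range wider than an assumed /24 is not treated as a real whitelist, and cleartext ports get a note even when whitelisted. The rule format and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Ports the installer asked to have forwarded (from the request quoted in this thread).
NVR_PORTS = {("tcp", 8000), ("udp", 8000), ("tcp", 8200), ("udp", 8200),
             ("tcp", 554), ("udp", 554), ("tcp", 80)}
# Ports whose logins/streams travel in cleartext: worth a note even when whitelisted.
CLEARTEXT_PORTS = {80, 554}
# Assumption: a genuine per-site whitelist is a /24 or tighter.
MAX_WHITELIST_PREFIX = 24

@dataclass
class Forward:
    """One port-forward rule (hypothetical format, not any router's export)."""
    proto: str      # "tcp" or "udp"
    ext_port: int   # port on the router's WAN side
    dst: str        # internal host the traffic is sent to
    dst_port: int   # port on that host
    src: str        # permitted source, e.g. "203.0.113.7/32" or "0.0.0.0/0"

def audit(forwards):
    """Return (rule, severity, finding) for every NVR/camera forward needing attention."""
    findings = []
    for f in forwards:
        if (f.proto.lower(), f.dst_port) not in NVR_PORTS:
            continue  # not one of the NVR/camera ports discussed here
        net = ipaddress.ip_network(f.src, strict=False)
        if net.prefixlen == 0:
            findings.append((f, "HIGH", "open to the whole internet; restrict the source or use a VPN"))
        elif net.prefixlen < MAX_WHITELIST_PREFIX:
            findings.append((f, "MEDIUM", f"source /{net.prefixlen} is too wide to count as a whitelist"))
        elif f.dst_port in CLEARTEXT_PORTS:
            findings.append((f, "LOW", "whitelisted, but this port carries cleartext logins/streams"))
    return findings

# Constructed sample table: the installer's request as asked for, plus the single-source-IP variant.
SAMPLE = [
    Forward("tcp", 8000, "192.168.1.50", 8000, "0.0.0.0/0"),
    Forward("udp", 554, "192.168.1.50", 554, "0.0.0.0/0"),
    Forward("tcp", 80, "192.168.1.50", 80, "0.0.0.0/0"),
    Forward("tcp", 8000, "192.168.1.50", 8000, "203.0.113.7/32"),   # acceptable
    Forward("tcp", 80, "192.168.1.50", 80, "203.0.113.7/32"),       # whitelisted but cleartext
    Forward("tcp", 554, "192.168.1.50", 554, "198.51.100.0/16"),    # "whitelist" far too wide
    Forward("tcp", 443, "192.168.1.20", 443, "0.0.0.0/0"),          # unrelated host, ignored
]

if __name__ == "__main__":
    for rule, sev, msg in audit(SAMPLE):
        print(f"{sev:6} {rule.proto}/{rule.dst_port} -> {rule.dst} from {rule.src}: {msg}")
```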



  Reply # 1507834 8-Mar-2016 00:39

Can you name the security company that suggested this and we can point them to this thread?







  Reply # 1507862 8-Mar-2016 08:13

Well, I am one of the bad guys that just used port forwarding; however, after reading this and having a think about it I have updated the network this morning to use a VPN to access the cameras :)


  Reply # 1507868 8-Mar-2016 08:25

One other thing to be aware of is many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed a large number of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install, who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past, including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.



  Reply # 1507872 8-Mar-2016 08:40

sbiddle:

One other thing to be aware of is many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed a large number of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install, who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past, including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.

Yes, I did find an issue with the camera make I am using: if you deleted the admin account from the user list it would not show; however, the admin account would still work if you used the username "admin" with no password.

If you have the user "admin" with a password, however, it works correctly.





  Reply # 1507909 8-Mar-2016 09:15

Zeon:

Can you name the security company that suggested this and we can point them to this thread?

Prefer not to at this stage but the option to point them here is always on!


xpd

Chief Trash Bandit
8764 posts

Uber Geek
+1 received by user: 1277

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 1507917 8-Mar-2016 09:28
One person supports this post

If a VPN isn't an option, then a different way is to use TeamViewer.... not exactly FPS friendly, but it's an option.......





XPD / Gavin / DemiseNZ
For Free Games, Geekiness and Reviews, visit: Home Of The Overrated Raccoons
Battlenet : XPD#11535    Origin/Steam/Epic/Uplay : xpdnz
Sea of Thieves Down Under


  Reply # 1507921 8-Mar-2016 09:32

Agree with the above about not doing port forwarding.

 

But I was wondering what the opinion is on systems where the camera is registered to a service (ezviz for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPnP? More secure/same/less secure?

