Geekzone: technology news, blogs, forums

linw
#192345 7-Mar-2016 16:05

I do some voluntary IT work for a club and they are getting security cameras installed. The installers want port forwards added to the Spark 2wire ADSL modem/router as follows:

"When setting up a NVR/DVR for Remote Access you will need to forward the below ports to the NVR/DVR:

Minimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP

When setting up an IP Camera for direct Remote Access you will need to forward the below ports to the camera:

Minimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP"

Does any of this pose any security risk for the club's network?

sbiddle
#1507572 7-Mar-2016 16:14

Yes. Never under any circumstances set port forwards to a NVR or DVR unless you're locking it down to specific IP range(s).

If the company who installed the cameras thinks this is a good idea I'd find a new security company because they are cowboys.

sbiddle
#1507579 7-Mar-2016 16:17

Want a simple example of why it's a bad idea? http://www.welivesecurity.com/2014/04/03/surveillance-cameras-hijacked-to-mine-bitcoin-while-watching-you/

Yes, this issue is fixed, and the issue isn't something specific to Hikvision (who are a good brand), as there are plenty of other brands of cameras and NVRs that have been hacked in recent times. It's simply security 101.

If you want remote access to hardware inside a network, then a VPN is the only secure way to access it.

billgates
#1507584 7-Mar-2016 16:27

As sbiddle mentioned, if you really want remote access to your NVR or DVR, make sure that the firewall rules lock it down to the specific IP that will be accessing it from outside the internal network.

freitasm
#1507585 7-Mar-2016 16:27

https://www.shodan.io/

Never expose cameras to external networks. Even if this company says "it's ok". It's not.

If you really need access, create a VPN inside your network, access that and then the cameras. But never expose the cameras.

richms
#1507586 7-Mar-2016 16:29

Port forwards to an unknown-quality web server on embedded hardware that no one will ever bother updating with newer versions, if they even bother to fix them, with minimal protection against having the password brute-forced and the login done in cleartext?

Yeah, not a good idea.

If you must do this, then lock down the source IPs to the ones that it needs to be accessed from, don't allow access to the whole thing from the entire internet, or you will end up on shodan.io with the world watching your cameras. You should have a VPN to the network to access it, which will need a router or appliance that supports it, and stuff installed on the phone/tablet/PC of anyone wanting to view it. A consumer router will probably not allow incoming VPN connections.

Depending on what exploits are available on the NVRs, if they can get a shell on it then it can be used to start attacking the rest of the network. If, because of people's lack of desire to install a VPN on their phones etc. to monitor it, that isn't an option, then it should be put on its own separate VLAN, which a real computer security place will be able to tell you how to do, but a consumer router will not cut it for that either.

Viewing the cameras should be done over a VPN only. Otherwise assume the cameras are an always-on broadcast to the internet of what is happening at the place.

Any "security" installer that suggests port forwarding for the entire internet as being secure probably says bs like "They would need to know your IP address" and "It's too hard to find" - they are not looking for you, they are looking for exploitable computers on the internet, and an NVR is a very exploitable computer because of the age of the software and that no hardening goes into their configuration.
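As an added example (not code from the thread or from any of the posters), this Python script generates the source-restricted iptables forward that sbiddle and richms describe, using the installer's NVR port list from the first post, and audits an existing iptables-save dump for forwards left open to the whole internet. The WAN interface name, the NVR's LAN address and the 203.0.113.0/24 allowlist are constructed values, and the script refuses to emit a 0.0.0.0/0 rule at all.

```python
import ipaddress
import re

# Constructed values (not from the thread): WAN interface, NVR LAN
# address and the installer's "optimum" NVR port list from the first post.
WAN_IF = "ppp0"
NVR_IP = "192.168.1.50"
NVR_PORTS = [(8000, "tcp"), (8000, "udp"), (554, "tcp"), (554, "udp"), (80, "tcp")]


def build_rules(allowed_sources, nvr_ip=NVR_IP, wan_if=WAN_IF, ports=NVR_PORTS):
    """Return iptables commands that DNAT `ports` to `nvr_ip` from `allowed_sources` only."""
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    if not nets:
        raise ValueError("at least one allowed source range is required")
    for net in nets:
        # 0.0.0.0/0 (or anything near it) is the whole-internet forward the
        # thread warns about; refuse to emit it rather than open the NVR.
        if net.version != 4 or net.prefixlen < 8:
            raise ValueError(f"{net} is effectively the whole internet; use a VPN instead")
    rules = []
    for net in nets:
        for port, proto in ports:
            # DNAT only packets from an allowed source, then let them through FORWARD.
            rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} -s {net} "
                         f"--dport {port} -j DNAT --to-destination {nvr_ip}:{port}")
            rules.append(f"iptables -A FORWARD -i {wan_if} -p {proto} -s {net} -d {nvr_ip} "
                         f"--dport {port} -j ACCEPT")
    # Everything else from the WAN aimed at the NVR is logged and dropped, so an
    # internet-wide scan sees nothing and the attempt shows up in the router log.
    rules.append(f"iptables -A FORWARD -i {wan_if} -d {nvr_ip} -j LOG --log-prefix 'NVR-DROP '")
    rules.append(f"iptables -A FORWARD -i {wan_if} -d {nvr_ip} -j DROP")
    return rules


DNAT_RE = re.compile(r"-A PREROUTING .*?-p (\w+) .*?--dport (\d+) .*?-j DNAT")


def unrestricted_forwards(saved_rules):
    """Audit iptables-save style lines; return (port, proto) of DNAT rules open to any source."""
    open_ports = []
    for line in saved_rules:
        m = DNAT_RE.search(line)
        # iptables-save omits "-s" entirely when the rule matches every source.
        if m and (" -s " not in line or " -s 0.0.0.0/0 " in line):
            open_ports.append((int(m.group(2)), m.group(1)))
    return open_ports
```

Run `unrestricted_forwards` over the PREROUTING lines of `iptables-save -t nat` on a Linux router to find the forwards that should be replaced by the generated rules or, better, by a VPN.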

Lias
#1507597 7-Mar-2016 16:42

As above. Terrible idea.

linw
#1507773 7-Mar-2016 21:57

Thanks very much for your expertise, guys. I had nothing to do with this exercise and got a surprise being asked to set up the porting. This is not what I have expertise in and I knew you guys had warned of the security issues hence my query.

But I fully understand what you are saying and I will advise the club manager of the situation. I certainly don't want any part in the implementation as it stands.

Thanks once again.

chevrolux
#1507800 7-Mar-2016 22:23

My first option is always a VPN for remote access for CCTV. The problem is that for many, many small businesses they simply don't have the kit to get a VPN into the network - yes, a Mikrotik is cheap, but by the time someone has gone and configured it and all the clients it can easily turn into a $700-$1000 job.

What we have set up for our customers that have a CCTV solution but we don't run their network is a VPN connection back to a router in our network, and then they are NAT'd out a specific IP. The port forwarding on the routers is configured for this single IP address and whitelisting is also implemented on the NVRs. Seems to work really well. Certainly not ideal but it's pretty damn close I reckon.

Of course this also goes with not doing silly things like using 'admin' or 'user' as your usernames, and using a strong password.

Zeon
#1507834 8-Mar-2016 00:39

Can you name the security company that suggested this and we can point them to this thread?

tripp
#1507862 8-Mar-2016 08:13

Well, I am one of the bad guys that just used port forwarding; however, after reading this and having a think about it I have updated the network this morning to use a VPN to access the cameras :)

sbiddle
#1507868 8-Mar-2016 08:25

One other thing to be aware of is many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed large numbers of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install, who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past, including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.

tripp
#1507872 8-Mar-2016 08:40

sbiddle:

One other thing to be aware of is many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed large numbers of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install, who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past, including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.

Yes, I did find an issue with the camera make I am using: if you deleted the admin account from the user list it would not show; however, the admin account would still work if you used the username "admin" with no password.

If you have the user "admin" with a password, however, it works correctly.

linw
#1507909 8-Mar-2016 09:15

Zeon:

Can you name the security company that suggested this and we can point them to this thread?

Prefer not to at this stage but the option to point them here is always on!

xpd
#1507917 8-Mar-2016 09:28

If a VPN isn't an option, then a different way is to use TeamViewer... not exactly FPS friendly, but it's an option.

xontech
#1507921 8-Mar-2016 09:32

Agree with the above about not doing port forwarding.

But I was wondering what is the opinion on systems where the camera is registered to a service (ezviz for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPnP? More secure/same/less secure?