Geekzone: technology news, blogs, forums


1906 posts

Uber Geek
+1 received by user: 373

Subscriber

Topic # 192345 7-Mar-2016 16:05

I do some voluntary IT work for a club and they are getting security cameras installed. The installers want port forwards added to the Spark 2wire ADSL modem/router as follows:

"When setting up a NVR/DVR for Remote Access you will need to forward the below ports to the NVR/DVR:

Minimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP

When setting up an IP Camera for direct Remote Access you will need to forward the below ports to the camera:

Minimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP"

Does any of this pose any security risk for the club's network?


26936 posts

Uber Geek
+1 received by user: 6379

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1507572 7-Mar-2016 16:14
10 people support this post

Yes. Never under any circumstances set port forwards to a NVR or DVR unless you're locking it down to specific IP range(s).

If the company who installed the cameras thinks this is a good idea I'd find a new security company because they are cowboys.


26936 posts

Uber Geek
+1 received by user: 6379

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1507579 7-Mar-2016 16:17

Want a simple example of why it's a bad idea? http://www.welivesecurity.com/2014/04/03/surveillance-cameras-hijacked-to-mine-bitcoin-while-watching-you/

Yes this issue is fixed, and the issue isn't something specific to Hikvision (who are a good brand) as there are plenty of other brands of cameras and NVRs that have been hacked in recent times. It's simply security 101.

If you want remote access to hardware inside a network then a VPN is the only secure way to access it.


3829 posts

Uber Geek
+1 received by user: 234

Trusted

  Reply # 1507584 7-Mar-2016 16:27

As sbiddle mentioned, if you really want remote access to your NVR or DVR, make sure that the firewall rules lock it down to the specific IP that will be accessing it from outside the internal network.

Do whatever you want to do man.

BDFL - Memuneh
61192 posts

Uber Geek
+1 received by user: 11974

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1507585 7-Mar-2016 16:27
3 people support this post

https://www.shodan.io/

Never expose cameras to external networks. Even if this company says "it's ok". It's not.

If you really need access, create a VPN inside your network, access that and then the cameras. But never expose the cameras.





21389 posts

Uber Geek
+1 received by user: 4336

Trusted
Subscriber

  Reply # 1507586 7-Mar-2016 16:29
One person supports this post

Port forwards to an unknown-quality webserver on embedded hardware that no one will ever bother updating with newer versions, if they even bother to fix them, with minimal protection against having the password brute-forced and the login done in cleartext?

Yeah, not a good idea.

If you must do this, then lock down the source IPs to the ones that it needs to be accessed from, don't allow access to the whole thing from the entire internet, or you will end up on shodan.io with the world watching your cameras. You should have a VPN to the network to access it, which will need a router or appliance that supports it, and stuff installed on the phone/tablet/PC of anyone wanting to view it. A consumer router will probably not allow incoming VPN connections.

Depending on what exploits are available on the NVRs, if they can get a shell on it then it can be used to start attacking the rest of the network. If because of people's lack of desire to install a VPN on their phones etc. to monitor it, then it should be put on its own separate VLAN, which a real computer security place will be able to tell you how to do, but a consumer router will not cut it for that either.

Viewing the cameras should be done over a VPN only. Otherwise assume the cameras are an always-on broadcast to the internet of what is happening at the place.

Any "security" installer that suggests port forwarding for the entire internet as being secure probably says bs like "They would need to know your IP address" and "It's too hard to find" - they are not looking for you, they are looking for exploitable computers on the internet, and an NVR is a very exploitable computer because of the age of the software and that no hardening goes into their configuration.





Richard rich.ms

3292 posts

Uber Geek
+1 received by user: 1793

Trusted
Lifetime subscriber

  Reply # 1507597 7-Mar-2016 16:42

As above. Terrible idea.





Information wants to be free. The Net interprets censorship as damage and routes around it.




1906 posts

Uber Geek
+1 received by user: 373

Subscriber

  Reply # 1507773 7-Mar-2016 21:57

Thanks very much for your expertise, guys. I had nothing to do with this exercise and got a surprise being asked to set up the porting. This is not what I have expertise in and I knew you guys had warned of the security issues, hence my query.

But I fully understand what you are saying and I will advise the club manager of the situation. I certainly don't want any part in the implementation as it stands.

Thanks once again.


3559 posts

Uber Geek
+1 received by user: 1304

Subscriber

  Reply # 1507800 7-Mar-2016 22:23

My first option is always a VPN for remote access for CCTV. The problem is that for many, many small businesses they simply don't have the kit to get a VPN into the network - yes a Mikrotik is cheap but by the time someone has gone and configured it and all the clients it can easily turn into a $700-$1000 job.

What we have set up for our customers that have a CCTV solution but we don't run their network is a VPN connection back to a router in our network and then they are NAT'd out a specific IP. The port forwarding on the routers is configured for this single IP address and also whitelisting is implemented on the NVRs. Seems to work really well. Certainly not ideal but it's pretty damn close I reckon.

Of course this also goes with not doing silly things like using 'admin' or 'user' as your usernames, and a strong password.


3404 posts

Uber Geek
+1 received by user: 399

Trusted

  Reply # 1507834 8-Mar-2016 00:39

Can you name the security company that suggested this and we can point them to this thread?






3001 posts

Uber Geek
+1 received by user: 754

Trusted
Lifetime subscriber

  Reply # 1507862 8-Mar-2016 08:13

Well I am one of the bad guys that just used port forwarding, however after reading this and having a think about it I have updated the network this morning to use a VPN to access the cameras :)


26936 posts

Uber Geek
+1 received by user: 6379

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1507868 8-Mar-2016 08:25

One other thing to be aware of is many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed a large number of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.
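The advice in this thread from sbiddle, richms and the 3559-post reply (restrict any NVR forward to specific source IP ranges or a single NAT'd address, never open it to the whole internet, and watch for UPnP mappings the device opens by itself) can be checked mechanically against a router's forward table. What follows is an added example, not code from the thread or from any router or camera vendor: a small Python audit that models a port-forward table using the ports from the installer's list, flags every entry reachable from the entire internet or from a range outside the allowlist, flags UPnP-created mappings, and emits the iptables commands a Linux router would need to permit those ports only from an allowlisted address. The NVR address 192.168.1.50, the allowlisted address 203.0.113.10, the interface name eth0 and the sample rule table are all constructed assumptions.

```python
"""Audit a router's inbound port-forward table for a CCTV NVR.

Added example, not from the Geekzone thread or any vendor. The NVR address,
the allowlisted monitoring address, the WAN interface name and the sample
rule table below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the installer asked to be forwarded (from the thread): device port,
# the extra camera port, RTSP and the web UI. Only the web port is TCP-only.
NVR_PORTS = {8000: "device", 8200: "device-alt", 554: "rtsp", 80: "web"}
TCP_ONLY = {"web"}


@dataclass(frozen=True)
class Forward:
    """One inbound NAT rule as a consumer router would list it."""
    proto: str                 # "tcp" or "udp"
    ext_port: int
    dest_ip: str
    dest_port: int
    source: str = "0.0.0.0/0"  # permitted source range; default is the whole internet
    origin: str = "manual"     # "manual" or "upnp" (mapping the device opened itself)


def audit(rules, allowed_sources):
    """Return (rule, finding) pairs for every forward that breaks the policy:
    forwards must be manual and restricted to a range inside the allowlist."""
    allowed = [ip_network(s) for s in allowed_sources]
    findings = []
    for rule in rules:
        src = ip_network(rule.source)
        if rule.origin == "upnp":
            findings.append((rule, "UPnP-created mapping: disable UPnP on router and NVR"))
        elif src.prefixlen == 0:
            findings.append((rule, "open to the entire internet"))
        elif not any(src.subnet_of(net) for net in allowed):
            findings.append((rule, f"source {rule.source} is not in the allowlist"))
    return findings


def iptables_rules(nvr_ip, allowed_sources, wan_if="eth0", ports=NVR_PORTS):
    """Emit iptables commands that DNAT the NVR ports only from allowlisted
    sources and drop everything else the WAN sends towards the NVR.
    (Assumed Linux router with a single WAN interface; adjust names to fit.)"""
    lines = []
    for port, name in sorted(ports.items()):
        protos = ("tcp",) if name in TCP_ONLY else ("tcp", "udp")
        for proto in protos:
            for src in allowed_sources:
                lines.append(
                    f"iptables -t nat -A PREROUTING -i {wan_if} -s {src} -p {proto} "
                    f"--dport {port} -j DNAT --to-destination {nvr_ip}:{port}")
                lines.append(
                    f"iptables -A FORWARD -i {wan_if} -s {src} -d {nvr_ip} -p {proto} "
                    f"--dport {port} -j ACCEPT")
    # Final catch-all: nothing else from the WAN may reach the NVR.
    lines.append(f"iptables -A FORWARD -i {wan_if} -d {nvr_ip} -j DROP")
    return lines


# Constructed sample data.
NVR_IP = "192.168.1.50"
ALLOWED = ["203.0.113.10/32"]   # e.g. the fixed address a monitoring VPN NATs out of

# What the installer asked for: every port open to the world, plus one mapping
# the NVR created itself via UPnP and one from a range not on the allowlist.
INSTALLER_REQUEST = [
    Forward("tcp", 8000, NVR_IP, 8000),
    Forward("udp", 8000, NVR_IP, 8000),
    Forward("tcp", 554, NVR_IP, 554),
    Forward("udp", 554, NVR_IP, 554),
    Forward("tcp", 80, NVR_IP, 80),
    Forward("tcp", 8200, NVR_IP, 8200, origin="upnp"),
    Forward("tcp", 554, NVR_IP, 554, source="198.51.100.0/24"),
]

# The same manual forwards restricted to the allowlisted address only.
HARDENED = [
    Forward(r.proto, r.ext_port, r.dest_ip, r.dest_port, source=ALLOWED[0])
    for r in INSTALLER_REQUEST if r.origin == "manual"
]

if __name__ == "__main__":
    for rule, finding in audit(INSTALLER_REQUEST, ALLOWED):
        print(f"{rule.proto}/{rule.ext_port} -> {rule.dest_ip}:{rule.dest_port} "
              f"from {rule.source}: {finding}")
    print("hardened table findings:", audit(HARDENED, ALLOWED))
    print("\n".join(iptables_rules(NVR_IP, ALLOWED)))
```

The audit only checks where a forward can be reached from; a forward restricted to one address still exposes the NVR's unpatched web, RTSP and device services to whoever holds that address, which is why the thread keeps a VPN as the first choice and source restriction plus NVR-side whitelisting as the fallback.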

 

 

 

 

 

 


3001 posts

Uber Geek
+1 received by user: 754

Trusted
Lifetime subscriber

  Reply # 1507872 8-Mar-2016 08:40

sbiddle:

One other thing to be aware of is many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed a large number of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.

Yes I did find an issue with the camera make I am using: if you deleted the admin account from the user list it would not show, however the admin account would still work if you used the username "admin" with no password.

If you have the user "admin" with a password, however, it works correctly.




1906 posts

Uber Geek
+1 received by user: 373

Subscriber

  Reply # 1507909 8-Mar-2016 09:15

Zeon:

Can you name the security company that suggested this and we can point them to this thread?

Prefer not to at this stage but the option to point them here is always on!


xpd

Chief Trash Bandit
8910 posts

Uber Geek
+1 received by user: 1318

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 1507917 8-Mar-2016 09:28
One person supports this post

If a VPN isn't an option, then a different way is to use Teamviewer.... not exactly FPS friendly, but it's an option.......

XPD / Gavin / DemiseNZ

For Free Games, Geekiness and Reviews, visit:

Home Of The Overrated Raccoons

Battlenet : XPD#11535    Origin/Steam/Epic/Uplay : xpdnz


240 posts

Master Geek
+1 received by user: 51


  Reply # 1507921 8-Mar-2016 09:32

Agree with the above about not doing port forwarding.

But I was wondering what the opinion is on systems where the camera is registered to a service (ezviz for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPnP? More secure/same/less secure?

