Geekzone: technology news, blogs, forums
2177 posts, Uber Geek, Subscriber
#192345 7-Mar-2016 16:05

I do some voluntary IT work for a club and they are getting security cameras installed. The installers want port forwards added to the Spark 2wire ADSL modem/router as follows:

"When setting up an NVR/DVR for Remote Access you will need to forward the below ports to the NVR/DVR:

Minimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP

When setting up an IP Camera for direct Remote Access you will need to forward the below ports to the camera:

Minimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP

Optimum Requirements:
Device Port 8000 TCP/UDP
8200 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP"

Does any of this pose any security risk for the club's network?


29017 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Lifetime subscriber
#1507572 7-Mar-2016 16:14

Yes. Never under any circumstances set port forwards to an NVR or DVR unless you're locking it down to specific IP range(s).

If the company who installed the cameras thinks this is a good idea I'd find a new security company, because they are cowboys.


29017 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Lifetime subscriber
#1507579 7-Mar-2016 16:17

Want a simple example of why it's a bad idea? http://www.welivesecurity.com/2014/04/03/surveillance-cameras-hijacked-to-mine-bitcoin-while-watching-you/

Yes, this issue is fixed, and the issue isn't something specific to Hikvision (who are a good brand), as there are plenty of other brands of cameras and NVRs that have been hacked in recent times. It's simply security 101.

If you want remote access to hardware inside a network then a VPN is the only secure way to access it.

4193 posts, Uber Geek, Trusted
#1507584 7-Mar-2016 16:27

As sbiddle mentioned, if you really want remote access to your NVR or DVR, make sure that the firewall rules lock it down to the specific IP that will be accessing it from outside the internal network.






BDFL - Memuneh, 67429 posts, Uber Geek, Administrator, Trusted, Geekzone, Lifetime subscriber
#1507585 7-Mar-2016 16:27

https://www.shodan.io/

 

Never expose cameras to external networks. Even if this company says "it's ok". It's not.

 

If you really need access, create a VPN inside your network, access that and then the cameras. But never expose the cameras.





 

 



23374 posts, Uber Geek, Trusted, Subscriber
#1507586 7-Mar-2016 16:29

Port forwards to a web server of unknown quality on embedded hardware that no one will ever bother updating with newer versions, if they even bother to fix them, with minimal protection against having the password brute-forced and the login done in cleartext?

Yeah, not a good idea.

If you must do this, then lock down the source IPs to the ones that it needs to be accessed from; don't allow access to the whole thing from the entire internet, or you will end up on shodan.io with the world watching your cameras. You should have a VPN to the network to access it, which will need a router or appliance that supports it, and stuff installed on the phone/tablet/PC of anyone wanting to view it. A consumer router will probably not allow incoming VPN connections.

Depending on what exploits are available on the NVRs, if they can get a shell on it then it can be used to start attacking the rest of the network. If, because of people's lack of desire to install a VPN on their phones etc. to monitor it, you go without one, then it should be put on its own separate VLAN, which a real computer security place will be able to tell you how to do, but a consumer router will not cut it for that either.

Viewing the cameras should be done over a VPN only. Otherwise assume the cameras are an always-on broadcast to the internet of what is happening at the place.

Any "security" installer that suggests port forwarding for the entire internet as being secure probably says BS like "They would need to know your IP address" and "It's too hard to find". They are not looking for you, they are looking for exploitable computers on the internet, and an NVR is a very exploitable computer because of the age of the software and the fact that no hardening goes into their configuration.

 

 








2177 posts, Uber Geek, Subscriber
#1507773 7-Mar-2016 21:57

Thanks very much for your expertise, guys. I had nothing to do with this exercise and got a surprise being asked to set up the porting. This is not what I have expertise in and I knew you guys had warned of the security issues hence my query.

 

But I fully understand what you are saying and I will advise the club manager of the situation. I certainly don't want any part in the implementation as it stands. 

 

Thanks once again.

 

 


 
 
 
 


4542 posts, Uber Geek, Trusted
#1507800 7-Mar-2016 22:23

My first option is always a VPN for remote access for CCTV. The problem is that many, many small businesses simply don't have the kit to get a VPN into the network. Yes, a Mikrotik is cheap, but by the time someone has gone and configured it and all the clients it can easily turn into a $700-$1000 job.

What we have set up for our customers that have a CCTV solution but where we don't run their network is a VPN connection back to a router in our network, and then they are NAT'd out a specific IP. The port forwarding on the routers is configured for this single IP address and whitelisting is also implemented on the NVRs. Seems to work really well. Certainly not ideal, but it's pretty damn close I reckon.

Of course this also goes with not doing silly things like using 'admin' or 'user' as your usernames, and using a strong password.
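Several posters above (sbiddle, Kyanar, richms and the post just above) make the same point: if a forward must exist, it must match only the source addresses that are allowed to use it, and the cleartext services in the installer's list need calling out. The script below is an added example written for this thread, not any poster's code or the installer's. REQUEST is the installer's NVR list from the opening post; the NVR address 192.168.1.50, the allowed office address 203.0.113.10 and the WAN interface name ppp0 are hypothetical placeholders, and the nftables output assumes a Linux router standing in for the 2wire, with the nat and filter tables already created.

```python
"""Audit a requested set of CCTV port forwards and emit source-restricted rules.

Added example for this thread, not code from any poster. REQUEST is the
installer's NVR list from the opening post; NVR, ALLOWED_SOURCES and the
WAN interface name are hypothetical placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, replace

ANY = "0.0.0.0/0"

# Services that carry logins or video in cleartext when reached directly.
CLEARTEXT = {
    80: "HTTP web UI, login and session cookies in cleartext",
    554: "RTSP, credentials and stream in cleartext",
}
_LINE = re.compile(
    r"^(?:(?P<name>.+?)\s+)?(?P<port>\d+)\s+(?P<protos>TCP/UDP|TCP|UDP)$", re.I
)

REQUEST = """\
Minimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP
Optimum Requirements:
Device Port 8000 TCP/UDP
RTSP Port 554 TCP/UDP
Web Port 80 TCP
"""
NVR = "192.168.1.50"                 # hypothetical NVR address
ALLOWED_SOURCES = ["203.0.113.10"]   # hypothetical: the one address allowed in


@dataclass(frozen=True)
class Forward:
    name: str
    port: int
    proto: str          # "tcp" or "udp"
    dest: str           # internal host the rule points at
    source: str = ANY   # external network allowed to match, as CIDR


def parse_request(text: str, dest: str) -> list[Forward]:
    """'Device Port 8000 TCP/UDP' -> one Forward per protocol, open to
    the whole internet, which is exactly what the installer asked for."""
    out: list[Forward] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # headings such as 'Minimum Requirements:'
        name = m["name"] or f"Port {m['port']}"
        for proto in m["protos"].lower().split("/"):
            fwd = Forward(name, int(m["port"]), proto, dest)
            if fwd not in out:  # the list repeats the same ports twice
                out.append(fwd)
    return out


def audit(forwards: list[Forward]) -> list[str]:
    """One finding per thing a reviewer should push back on."""
    findings = []
    for f in forwards:
        if ipaddress.ip_network(f.source).prefixlen == 0:
            findings.append(f"{f.name} {f.port}/{f.proto}: reachable from any internet address")
        if f.port in CLEARTEXT:
            findings.append(f"{f.name} {f.port}/{f.proto}: {CLEARTEXT[f.port]}")
    return findings


def restrict(forwards: list[Forward], allowed_sources: list[str]) -> list[Forward]:
    """One rule per (forward, allowed source); a bare address becomes a /32."""
    nets = [str(ipaddress.ip_network(s)) for s in allowed_sources]
    return [replace(f, source=n) for f in forwards for n in nets]


def render_nftables(forwards: list[Forward], wan_if: str = "ppp0") -> list[str]:
    """nft rules for a Linux router (assumed in place of the 2wire): a DNAT
    in nat/prerouting plus an accept in filter/forward, both keyed on the
    permitted source. Assumes those tables and chains already exist."""
    lines = []
    for f in forwards:
        match = f'iifname "{wan_if}" ip saddr {f.source} {f.proto} dport {f.port}'
        lines.append(f"add rule ip nat prerouting {match} dnat to {f.dest}")
        lines.append(f"add rule ip filter forward ip saddr {f.source} ip daddr {f.dest} "
                     f"{f.proto} dport {f.port} ct state new accept")
    return lines


if __name__ == "__main__":
    requested = parse_request(REQUEST, NVR)
    for line in audit(requested):
        print("FINDING:", line)
    print("\nRules with a source restriction instead:")
    print("\n".join(render_nftables(restrict(requested, ALLOWED_SOURCES))))
```

Run as-is it reports every requested forward as open to the whole internet and flags 80/tcp and 554/tcp+udp as cleartext, then prints the restricted rule set. Note that restricting the source removes the "anyone on the internet" finding but not the cleartext ones: a single allowed address still sends the NVR login across the ISP path in the clear, which is the remaining argument for the VPN.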


3592 posts, Uber Geek, Trusted
#1507834 8-Mar-2016 00:39

Can you name the security company that suggested this and we can point them to this thread?







3509 posts, Uber Geek, Trusted, Lifetime subscriber
#1507862 8-Mar-2016 08:13

Well, I am one of the bad guys that just used port forwarding. However, after reading this and having a think about it I have updated the network this morning to use a VPN to access the cameras :)

29017 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Lifetime subscriber
#1507868 8-Mar-2016 08:25

One other thing to be aware of is that many cameras and NVRs have UPnP active, which opens your network up anyway.

There were stories in Stuff and the NZ Herald about a year or two ago about a Russian (from memory) site that had links to tens of thousands of open CCTV networks around the world, including hundreds of them that were in NZ. Images could be viewed and showed a large number of venues such as bars and private homes. The vast majority in NZ were all using Hikvision gear and no doubt installed by idiots such as the security company involved in this install, who quite frankly shouldn't be allowed to install CCTV gear.

There have been many backdoors into Hikvision gear in the past, including backdoor passwords, and on many brands of equipment you'll be able to view ONVIF streams direct from a camera without needing a password. As most of these systems will probably never have any maintenance performed to upgrade firmware, if they're configured insecurely from day one the problems will likely never be fixed.
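The UPnP point above is worth checking rather than assuming: a camera or NVR with UPnP enabled can ask the gateway to open the very same ports the installer wanted forwarded by hand, and the mapping will not show up in the router's port-forward page. The script below is an added example for this thread, not any poster's code. It speaks only the standard UPnP IGD protocol (SSDP M-SEARCH, the device description XML, then the WANIPConnection or WANPPPConnection GetGenericPortMappingEntry and DeletePortMapping actions over SOAP), walks the gateway's mapping table and flags entries that land on the ports from the installer's list. SAMPLE_REPLY is a constructed response, not a capture from a real device, and the 192.168.1.50 address in it is hypothetical.

```python
"""Enumerate (and optionally delete) UPnP IGD port mappings on the gateway.

Added example for this thread, not any poster's code. Standard UPnP IGD
protocol only: SSDP discovery, device description, then SOAP actions on
the WAN*Connection service. SAMPLE_REPLY is constructed, not captured.
"""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
# ADSL gateways often expose the PPP variant instead of WANIPConnection.
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"
CAMERA_PORTS = {80, 554, 8000, 8200}   # the ports from the installer's list


def parse_location(ssdp_response: str):
    """LOCATION header of an SSDP reply, or None if absent."""
    m = re.search(r"^LOCATION:\s*(\S+)", ssdp_response, re.I | re.M)
    return m.group(1) if m else None


def discover(timeout: float = 2.0):
    """Send one SSDP M-SEARCH; return the first IGD's description URL."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 1\r\nST: {IGD_ST}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_location(data.decode(errors="replace"))


def find_wan_service(location: str):
    """Fetch the device description; return (controlURL, serviceType)."""
    with urllib.request.urlopen(location, timeout=5) as r:
        root = ET.fromstring(r.read())
    for svc in root.iter(DEV_NS + "service"):
        stype = svc.findtext(DEV_NS + "serviceType")
        if stype in WAN_SERVICES:
            return urljoin(location, svc.findtext(DEV_NS + "controlURL")), stype
    raise RuntimeError("gateway advertises no WAN*Connection service")


def soap(url: str, service: str, action: str, args: dict) -> bytes:
    """POST one SOAP action to the control URL and return the raw reply."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    env = ('<?xml version="1.0"?><s:Envelope '
           'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
           's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
           f'<u:{action} xmlns:u="{service}">{body}</u:{action}></s:Body></s:Envelope>')
    req = urllib.request.Request(url, env.encode(), {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service}#{action}"'})
    with urllib.request.urlopen(req, timeout=5) as r:
        return r.read()


def parse_mapping(reply: bytes) -> dict:
    """Flatten one GetGenericPortMappingEntryResponse into {field: value}."""
    fields = {}
    for el in ET.fromstring(reply).iter():
        tag = el.tag.split("}")[-1]
        if tag.startswith("New"):           # NewExternalPort -> ExternalPort
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def list_mappings(url: str, service: str, limit: int = 500) -> list:
    """Walk the table by index; an index past the end gets SOAP fault 713,
    which urllib surfaces as an HTTPError, so that ends the walk."""
    out = []
    for i in range(limit):
        try:
            reply = soap(url, service, "GetGenericPortMappingEntry",
                         {"NewPortMappingIndex": str(i)})
        except urllib.error.HTTPError:
            break
        out.append(parse_mapping(reply))
    return out


def camera_exposures(mappings: list) -> list:
    """Mappings whose external or internal port is a camera/NVR service."""
    return [m for m in mappings
            if int(m["ExternalPort"]) in CAMERA_PORTS
            or int(m["InternalPort"]) in CAMERA_PORTS]


def delete_mapping(url: str, service: str, m: dict) -> None:
    """Remove one mapping; the gateway keys it on (remote host, port, proto)."""
    soap(url, service, "DeletePortMapping",
         {"NewRemoteHost": m["RemoteHost"], "NewExternalPort": m["ExternalPort"],
          "NewProtocol": m["Protocol"]})


# Constructed reply in the shape a gateway returns for one table entry.
SAMPLE_REPLY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8000</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>8000</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>NVR</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    loc = discover()
    if loc is None:
        print("no UPnP gateway answered (UPnP is off, or nothing is listening)")
    else:
        url, service = find_wan_service(loc)
        for m in camera_exposures(list_mappings(url, service)):
            print(f"{m['Protocol']} {m['ExternalPort']} -> {m['InternalClient']}:"
                  f"{m['InternalPort']} ({m['PortMappingDescription']})")
```

Run it from a machine on the club LAN. No answer to the M-SEARCH is the result you want; any line printed is a camera or NVR port the gateway has opened on its own, and delete_mapping() will close it, though the device will usually re-request it on its next refresh, so the durable fix is turning UPnP off on the gateway.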

3509 posts, Uber Geek, Trusted, Lifetime subscriber
#1507872 8-Mar-2016 08:40

sbiddle: "One other thing to be aware of is that many cameras and NVRs have UPnP active, which opens your network up anyway." [rest of the post quoted in full; see the post above]
Yes, I did find an issue with the camera make I am using: if you deleted the admin account from the user list it would not show, however the admin account would still work if you used the username "admin" with no password.

If you have the user "admin" with a password, however, it works correctly.




2177 posts, Uber Geek, Subscriber
#1507909 8-Mar-2016 09:15

Zeon: "Can you name the security company that suggested this and we can point them to this thread?"

Prefer not to at this stage, but the option to point them here is always on!


xpd, Budget Gamer, 10599 posts, Uber Geek, Mod Emeritus, Trusted, Lifetime subscriber
#1507917 8-Mar-2016 09:28

If a VPN isn't an option, then a different way is to use TeamViewer. Not exactly FPS friendly, but it's an option.







258 posts, Ultimate Geek
#1507921 8-Mar-2016 09:32

Agree with the above about not doing port forwarding.

 

But I was wondering what the opinion is on systems where the camera is registered to a service (ezviz, for example) and you can then remotely view the camera by logging on to the service. No manual port forwarding involved, but perhaps UPnP? More secure, the same, or less secure?

