Hikvision RCE Vulnerability

Mike_Larry

n3wb
Joined
Nov 9, 2022
Messages
23
Reaction score
5
Location
London
> OK -
> That would imply you've customised the HTTP port to 8080 from 80.
> If not - the check will fail.
>
> And it would also imply that the device coincidentally has the same IP address as @bashis used in an example.
> If not - the check will fail.
>
> Suggestion:
> Re-try with the actual values of your device so that you get a real result.

Ok thanks, will try that Alastair.
 

Umut

Getting the hang of it
Joined
Apr 25, 2016
Messages
46
Reaction score
25
This vulnerability has a very limited effect on NVRs and it's not working with the same method used on IP cameras. So bashis's script is not valid for NVRs. Attackers can only use a few commands like reboot or halt on them. Use VPN solutions mentioned on the previous posts and disable UPnP on all your IP cameras, NVR and router. If your router can't be used as VPN server and port forwarding is a must, disable UPnP on all devices and use random ports like 18064, 25329, 50782 etc.
 

Mike_Larry

> This vulnerability has a very limited effect on NVRs and it's not working with the same method used on IP cameras. So bashis's script is not valid for NVRs. Attackers can only use a few commands like reboot or halt on them. Use VPN solutions mentioned on the previous posts and disable UPnP on all your IP cameras, NVR and router. If your router can't be used as VPN server and port forwarding is a must, disable UPnP on all devices and use random ports like 18064, 25329, 50782 etc.

Thanks for the advice Umut. I have 3 cams attached to the NVR with really old firmware. Wanted to know what root access allows someone to do as I've been having issues lately.
Would it allow picking and choosing removal of event notifications, certain items on log etc.?

Also, would it allow removal or tampering of footage during certain times of the day?

Thanks for the help
 

tech_junkie

Pulling my weight
Joined
Sep 2, 2022
Messages
332
Reaction score
238
Location
South Dakota
> Hi guys, was doing a lot of reading in IP Cam Talk and found it really helpful and informative. So thank you guys for all the info you’ve been providing. First post on this site so sorry if I got this wrong.
>
> Living in an estate where there’s a lot of drug dealing and break-ins. Initially had some cheap wireless cams but found out they were being jammed so decided to invest in a Hilook NVR and some wired IP cams.
>
> Recently had an issue with the NVR getting rebooted and cams going offline suddenly. Did some research and found out about the big RCE vulnerability issue that happened last year with Hikvision products. Also read that 1 of the ways hackers find out if the device is vulnerable to this RCE bug is by forcing a reboot with some commands. Read that this hack gives them a “Root Shell Access” to the devices. Have updated the latest firmware which is still old and most likely still vulnerable to the hack.
>
> Just wanted to know what they’re able to do with root shell access to my devices. Can they alter the footage as my cams are on continuous record or something along those lines? I know there’s still issues happening at my place but when looking through the footage can't seem to see anything.
>
> Appreciate your help

You should see if your firmware needs to be updated on your devices:


And, you should update firmware so it's never an issue again.

BTW, if the NVR's firmware is flagged vulnerable at the Hik-Connect server, it will cause the NVR to be rebooted and kicked offline the second you connect to it by the app. If this is happening, you must update its firmware (they call it firmware, but it's actually software stored in EEPROM), which is a simple page in the NVR where you upload the file from a USB thumb drive. Cameras are a similar affair: just log into their web interface and update it by uploading the file in its maintenance/update page.
 

Umut

> Thanks for the advice Umut. I have 3 cams attached to the NVR with really old firmware. Wanted to know what root access allows someone to do as I've been having issues lately.
> Would it allow picking and choosing removal of event notifications, certain items on log etc.?
>
> Also, would it allow removal or tampering of footage during certain times of the day?
>
> Thanks for the help

When someone has root access on your IP camera, he generally uses it for attacking another target using your internet connection. For example: Moobot botnet spreads by exploiting CVE-2021-36260 flaw in Hikvision products. 90-95% of the attackers are not interested in your device settings or record files. You can check NVR logs to find what caused these issues.

Also they can get your camera password if your firmware version is 5.3.X or 5.4.X (There is also another vulnerability for 5.2.X versions. This vulnerability is not valid for 5.2.X). If it's 5.5.0 or higher they can get your camera password as an encoded text. If it's not a complex password, it can be cracked and found. If the camera password is the same as the NVR's, they can log in. So, at least disable UPnP on all your IP cameras, NVR, and router. Use VPN or P2P connection (Hik-Connect) instead of port forwarding. If port forwarding is a must, only use it for the NVR, but don't use common ports like 8000, 8001, 80, 81, 9000, 9001 etc.

Note: There is also another very dangerous vulnerability on old Hikvision IP cameras valid for all firmwares released until 5.4.0 and old Hikvision DVRs/NVRs valid for all firmwares released until 2015-2016. This vulnerability is not publicly available, but it's more dangerous than the latest one.
 

Mike_Larry

Ok thanks for that Umut. Just checked my cam firmware, it's V5.5.84 build 191010. I understand that hackers would want root access to attack higher profile targets, but in my case it’s different: the attackers aren’t pros, they just want to target me and my footage.
So would you be able to tell me if root access allows what I stated in my earlier post?
Been trying to get an answer to this but finding it difficult, been looking online but no luck. Please help
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
14,789
Reaction score
27,448
Location
USA
Root access gives said person access to EVERYTHING on that device and lets them carry out commands the manufacturer didn't intend.

Think about a phone and rooting it (android) or jailbreaking it (iPhone) - that is giving a user root access. People do it intentionally to delete bloatware and other stuff or do things the manufacturer didn't intend. That can be good or bad depending on who has that access. Once that has been done, they can do whatever they want and often times without leaving a trail as they are considered superuser with unparalleled privileges.

The NVR is a Linux unit....

 

Mike_Larry

Ok thanks for that Wittaj. But can I just get clarification on 1 thing - in terms of root privileges on a CCTV system, can someone alter the footage on my continuous record? Basically I've got things happening at my estate, but I'm going through the continuous record (even on 2X speed) but still can't see any activity. No missing times of recording either. Initially the same people were jamming my wireless cam setup but now I've changed to wired.

Could it be the people using root access or just my paranoid brain?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,244
Reaction score
6,096
Location
Scotland
> I'm going through the continuous record (even on 2X speed) but still can't see any activity.

Provided you have the 'inform surveillance system' or similar enabled in the camera event linkage settings, you can use iVMS4200 to show you just the events on the continuous recording timeline.
That's so much quicker than ploughing through a full timeline.
 

wittaj

> Ok thanks for that Wittaj. But can I just get clarification on 1 thing - in terms of root privileges on a CCTV system, can someone alter the footage on my continuous record? Basically I've got things happening at my estate, but I'm going through the continuous record (even on 2X speed) but still can't see any activity. No missing times of recording either. Initially the same people were jamming my wireless cam setup but now I've changed to wired.
>
> Could it be the people using root access or just my paranoid brain?

It could be either LOL. That would mean someone went to the effort to splice out and record no movement over time and put that back in like they do in Hollywood movies LOL.

Or they could have changed the date/time so that when you are looking at it for a certain period, it is actually for a different time/day.
 

Mike_Larry

Oh no. Can that actually be done so easily or are you joking, Wittaj? Can they just remove chunks of footage and insert another day's!?!
 

wittaj

If someone knows what they are doing they can, but it would be easier to just start changing date and time in the NVR itself to times they know there would be no movement.

Try it LOL. Go change the date and time to a day in the past or a day in the future and let it record for an hour and watch what happens...
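
Added example, not part of the forum posts: one way to spot the clock change described above, assuming the recorder's segment list can be exported in the order the segments were written. The record layout, sequence numbers and timestamps below are constructed for illustration and are not a Hikvision format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (write sequence number, start, end) for each recording
# segment, with start/end stamped by the recorder's own clock.
SAMPLE_SEGMENTS = [
    (101, "2022-11-20 21:00:00", "2022-11-20 22:00:00"),
    (102, "2022-11-20 22:00:00", "2022-11-20 23:00:00"),
    (103, "2022-11-18 03:00:00", "2022-11-18 04:00:00"),  # clock set back
    (104, "2022-11-18 04:00:00", "2022-11-18 05:00:00"),
    (105, "2022-11-21 01:00:05", "2022-11-21 02:00:00"),  # clock set forward
]

def clock_anomalies(segments, max_gap=timedelta(minutes=5)):
    """Flag segments whose start does not follow the previous segment's end.

    On continuous recording, segments written one after another should also
    be adjacent in time. A start earlier than the previous end means the
    clock went backwards; a start far later means a jump forward or a gap.
    """
    findings = []
    ordered = sorted(segments)  # order by write sequence, not by timestamp
    for (_, _, prev_end), (seq, start, _) in zip(ordered, ordered[1:]):
        delta = datetime.strptime(start, FMT) - datetime.strptime(prev_end, FMT)
        if delta < timedelta(0):
            findings.append((seq, "backward", delta))
        elif delta > max_gap:
            findings.append((seq, "gap", delta))
    return findings

if __name__ == "__main__":
    for seq, kind, delta in clock_anomalies(SAMPLE_SEGMENTS):
        print(f"segment {seq}: {kind} jump of {delta}")
```
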
 

Mike_Larry

Hi guys. Been going through a stressful time with people targeting my CCTV system.

As I was having issues I decided to completely unplug my system from the internet. But now as I have no remote viewing or notifications am having issues with people trying to tamper with the system physically.

Wanted to know is there any way of remotely accessing my camera feeds and receiving notifications without opening up ports to the internet?

Also understand from reading other posts on this site that you can set up email notifications. I understand to do this I will still need to open up a port for the SMTP setup. But can’t one get hacked via this port as well?

Appreciate all the help you guys have been giving, especially Wittaj, been bugging him a lot lately lol
 

cm.

Getting the hang of it
Joined
Jul 17, 2022
Messages
17
Reaction score
29
Location
AU
Your router/firewall will usually allow all outbound connections so you don't need to set up any port forwarding for those services (e.g. sending an email).

Just set up a VPN on your router and then configure the clients (such as your phone or laptop) to connect.

I'm using Blue Iris and not your NVR, however I can receive push notifications on my iPhone without needing to port forward or be connected to the VPN. If I want to view the cameras, I must connect to my home VPN first.

The key here is that my Blue Iris PC does have internet but has no port forwarding.
 

Mike_Larry

Thanks for that @cm. As I'm very new to this whole networking stuff can I just clarify a couple of things please:

My NVR can't get hacked if I block all inbound traffic to my NVR via my router's firewall?
But by blocking all inbound traffic I will not be able to use apps like HikConnect and remotely access my NVR/cam live feed/playback etc?
With only outbound traffic for my NVR enabled I can receive emails and push notifications?

Thanks
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
13,738
Reaction score
18,507
Location
Evansville, In. USA
> Thanks for that @cm. As I'm very new to this whole networking stuff can I just clarify a couple of things please:
>
> My NVR can't get hacked if I block all inbound traffic to my NVR via my router's firewall?
> But by blocking all inbound traffic I will not be able to use apps like HikConnect and remotely access my NVR/cam live feed/playback etc?
> With only outbound traffic for my NVR enabled I can receive emails and push notifications?
>
> Thanks

You are making this a lot harder than it needs to be.
If you want a secure CCTV system:
1-Don't use Wifi Cameras.
2-Install a VPN on your router as previously suggested, or hire someone to do it.
3-You are just spinning your wheels at this point.
4-Answer to your questions, Yes.
5-I repeat, install a VPN on your router.
 

Mike_Larry

> You are making this a lot harder than it needs to be.
> If you want a secure CCTV system:
> 1-Don't use Wifi Cameras.
> 2-Install a VPN on your router as previously suggested, or hire someone to do it.
> 3-You are just spinning your wheels at this point.
> 4-Answer to your questions, Yes.
> 5-I repeat, install a VPN on your router.

Thanks for the reply @looney2ns. My current router doesn’t support VPN so am currently looking to invest in one that does.

You said the answers to my questions are ‘yes’ but I'm really sorry, I might be just thick lol, can I just get further clarification on them:

1) If I block all inbound traffic to my NVR, the NVR can't get hacked?

2) But that would also mean apps like HikConnect will not work remotely and no access to remote live feed etc?

Apologies if I keep repeating myself, finding it difficult to understand.
 

cm.

Your router/firewall will block unsolicited inbound connections by default. You don't need to change anything.

The VPN allows you to connect remotely to your LAN, i.e. it will be like you are sitting at home on your wifi but actually you can be anywhere across the world. From that point you can open your NVR GUI to look at your cameras.
 

Mike_Larry

> Your router/firewall will block unsolicited inbound connections by default. You don't need to change anything.
>
> The VPN allows you to connect remotely to your LAN, i.e. it will be like you are sitting at home on your wifi but actually you can be anywhere across the world. From that point you can open your NVR GUI to look at your cameras.

Just double checked my router and you're right, all inbound is blocked by default.
But with this current setting I was still able to use HikConnect and access all my cameras/NVR remotely and I was still getting illegal logins from unknown IP addresses, random reboots and NVR settings being changed. Any idea what's going on?
 

wittaj

Because you set up the NVR with UPnP and P2P turned on....
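
Added example, not part of the forum posts: with UPnP enabled, a device on the LAN can ask the router to open inbound ports even though the firewall blocks unsolicited inbound traffic by default. The Python below audits a router's UPnP port-mapping table for entries that point at the NVR or cameras; it assumes the `GetGenericPortMappingEntry` SOAP responses have already been collected from the router, and the sample responses, IP addresses and descriptions are constructed.

```python
import xml.etree.ElementTree as ET

# Ports the thread lists as common ones to avoid when forwarding.
COMMON_PORTS = {80, 81, 8000, 8001, 9000, 9001}

def _sample(ext, proto, internal, client, enabled, desc):
    """Build one constructed GetGenericPortMappingEntryResponse (UPnP IGD)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost/><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )

# Constructed sample data: every address, port and description is made up.
SAMPLE_RESPONSES = [
    _sample(8000, "TCP", 8000, "192.168.1.64", 1, "nvr-sdk"),
    _sample(25329, "TCP", 554, "192.168.1.64", 1, "nvr-rtsp"),
    _sample(51413, "UDP", 51413, "192.168.1.20", 1, "laptop"),
    _sample(80, "TCP", 80, "192.168.1.65", 0, "camera-http"),
]

def parse_mapping(soap_xml):
    """Return the New* fields of one response as a dict, namespace stripped."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def exposed_mappings(responses, device_ips):
    """List enabled mappings that forward internet traffic to device_ips."""
    findings = []
    for body in responses:
        m = parse_mapping(body)
        if m.get("Enabled") != "1" or m.get("InternalClient") not in device_ips:
            continue
        ext = int(m["ExternalPort"])
        findings.append((m["InternalClient"], ext, int(m["InternalPort"]),
                         m["Protocol"], ext in COMMON_PORTS))
    return findings

if __name__ == "__main__":
    for hit in exposed_mappings(SAMPLE_RESPONSES, {"192.168.1.64", "192.168.1.65"}):
        print(hit)  # (device, external port, internal port, protocol, common port?)
```

Any row returned for the NVR or a camera is an inbound path that exists despite the default-deny firewall; disabling UPnP on the router and the devices, as advised in the thread, removes it.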
 