Hikvision vulnerability detected by Rogers

strathglass

strathglass

Getting the hang of it
Mar 12, 2015
100
21
My internet provider (Rogers) sent me an email and left me an automated voice mail of a somewhat threatening nature regarding, and I quote:
In technical terms: A device connected to your Rogers Internet connection is showing signs of an exploitable network device vulnerability.
In simple terms: There are devices connected to your Rogers Internet connection that may be vulnerable to remote unauthorized access. Successful exploitation of these vulnerabilities could lead to a malicious attacker escalating his or her privileges or assuming the identity of an authenticated user and obtain sensitive data.
Click to expand...

They link to a Hikvision page about a vulnerability: link is here.

So my question is: is it safe to follow the firmware upgrade procedure from that link?
Or does the firmware upgrade process have issues or risks?
Is there a better solution?

I have several 3MP Hikvision bullet cameras connected to by Blue Iris PC (They are a couple years old, so surely the firmware is not the latest).
I have port forwarding set up so I can access Blue Iris remotely using by IOS Blue Iris app.
 
Related point...I was wondering if it would be beneficial in any way (including addressing the above issue) if I used a second NIC in the Blue Iris PC and put all cameras on one switch connected to that NIC, so that there was no path from internet to camera?
 
strathglass said:
Related point...I was wondering if it would be beneficial in any way (including addressing the above issue) if I used a second NIC in the Blue Iris PC and put all cameras on one switch connected to that NIC, so that there was no path from internet to camera?
Click to expand...
You are not vulnerable unless you also Port forwarded to cameras.. lots of folks do this accidentally because the older cameras used to come with UPnP enabled and many routers have it enabled by default.... So disable UPnP and all your cameras as well as your router...
 
  • Like
Reactions: Q™
fenderman said:
You are not vulnerable unless you also Port forwarded to cameras.. lots of folks do this accidentally because the older cameras used to come with UPnP enabled and many routers have it enabled by default.... So disable UPnP and all your cameras as well as your router...
Click to expand...
OK thanks for the quick reply ... I checked and indeed you're right: cameras all had UPnP enabled, as did router: I disabled all of them.
Is that all I need to do?
Or should I also upgrade software? (Currently have four of model DS-2CD2032-I: 3 run V5.1.2 build 140116; 1 runs V5.0.2 build 130805.)
 
strathglass said:
OK thanks for the quick reply ... I checked and indeed you're right: cameras all had UPnP enabled, as did router: I disabled all of them.
Is that all I need to do?
Or should I also upgrade software? (Currently have four of model DS-2CD2032-I: 3 run V5.1.2 build 140116; 1 runs V5.0.2 build 130805.)
Click to expand...
Ensure that the router didn't create its own port forwarding rules if it did delete them.....
You really don't have to upgrade the firmware will provide no benefit if the cameras are not exposed to the internet... If you insist on upgrading ensure that you have World region cameras so that you don't have an issue...
 
Yup ... router had a quite a lot of port forwarding rules already! See sample below.
Those rules are now all disabled.Safe now!?!?

41243588701_39d531a2ab_b.jpg
 
  • Like
Reactions: fenderman
A device connected to your Rogers Internet connection is showing signs of an exploitable network device vulnerability.
Click to expand...
On the one hand, it's helpful to you that they are advising you of a situation you may not know about where you might suffer adverse consequences.
On the other hand - the implication is that they are in some way monitoring your traffic - which begs the serious questions:
What does the monitoring consist of, at what level of detail is it done, how is the data handled and stored and protected and shared, and most importantly - what else do they do with the data?
Whilst I'd like to think that the contents of private, sensitive communications are sufficiently obscured as to be unreadable, monitoring such that endpoints and behavioural aspects are being recorded should be worrisome.
Does this aspect get covered in their T&Cs ?
 
  • Like
Reactions: fenderman
@strathglass,
I too am a Rogers customer and have never gotten any warning from them.

What modem/router are you using? or just their Hitron modem?

First thing I did was set my Hitron into bridge mode and let my router to do all the work.

It was unbelievable what they leave open by default on their modem.

EDIT:
Do you have a VPN setup? This will ensure that your connection to BI is secure.
 
Note cross-post with IPVM, Hikvision UPnP Hacking Risk

You can't simply rely that UPnP has be disabled in the IPC/router/(or whatever) and no ports has been forwarded, you will need to check actively by your self.

You can do that in different ways, one is to have your own box outside and do portscan of all 65535 ports towards your external IP, or secondly check with

https://www.zoomeye.org/searchResult?q=<IP address>

https://www.shodan.io/host/<IP address>

To many times I've seen UPnP active in one way or another, even it's disabled in Web GUI.

Note: zoomeye.org seems to be most accurate in my tests.
 
  • Like
Reactions: fenderman and alastairstevenson
  • Like
Reactions: fenderman
alastairstevenson said:
Yes indeed - but the context of my comment was checking for an access vulnerability for a specific (but likely varying) internet IP address, where the user wished to determine if the access configuration was safe.
Click to expand...

80 more days until you can for this specific, but less than 5 days for another similar.
 
  • Like
Reactions: alastairstevenson
strathglass said:
...Or should I also upgrade software? (Currently have four of model DS-2CD2032-I: 3 run V5.1.2 build 140116; 1 runs V5.0.2 build 130805.)
Click to expand...

Mine had 5.1.6 for the longest time on mine. I upgraded them due to what I think was likely a memory leak.. every few months they'd die and require power cycling to restart (unplug PoE & plug back in).
Also, prior to 5.4.5 they are vulnerable to the password hack, which shouldn't be much of an issue now that you've cut off external access.
 
OK, thanks for the replies, ...here is an update.

I ran the full port test at ShieldsUp!! Unfortunately it does not give a report. Despite the results indicating this:
"Solicited TCP Packets: RECEIVED (FAILED)As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection."
...there is in fact no report below. :( So kind of useless.
It did identify 9 ports as closed, the rest as stealth (of the 1056 ports examined).

Zoomeye and Shodan had similar looking results. Seemed interesting! Although not entirely clear Zoomeye reported these results (nothing under the Vulnerability tab):
82/HTTP: Must have got a response - it includes some HTTP code (it includes some Chinese characters and some language checking javascript; one of the Chinese strings translated as "Chinese needs to distinguish Simplified and Traditional").
83/HTTP: same (with what looks like identical HTML code)
8080/HTTP: It detected the Blue Iris server.
Consistent with the above details it reports 3 HTTP services: 2 webcam, 1 unknown.
Product list shows BlueIris and 2 HikVision IP cameras.
Now I am not sure why only two HikVisions are showing since I have 4 ... it might be the way they are networked - two are plugged into a switch that goes to a switch that the Blue Iris sever connects to, so maybe those two aren't being seen outside?
Should/Can I disable the two HikVision cameras from appearing on port 82? Not even sure why they are using that port...I can still login to them locally using their IP (and can connect using the SADP tool).
Actually, all the port forwarding rules on the router related to the 4 HikVision cameras had been turned off, so how can this actually occur? (2 cameras had 3 portforwarding rules each, 1 had 9 and 1 had 15, crazy! that included HTTP rules).
So now I just deleted all those rules in the router and re-tested with no change!!! (I will reset the Rogers Hitron router after I post that to see if it makes a difference.)

I have a Rogers Hitron cable modem (with wifi and router): just that and several switches, no other router.
At my old house the Rogers device was in bridge mode and I used a router running the Shibby Tomato Firmware that was nice ... I used that to only allow specified MAC addresses onto the network, and to not broadcast my SSID.
At the new house the Rogers wifi worked so well I didn't bother with my own router (and the old house router was getting kind of old so would need to be replaced).
Should I go back to bridge mode on the Rogers cable modem and use my own router/wifi? If I do that, it would be a bit of a hassle as now I have to pick a router. And would likely get some kind of mesh wifi (again a hassle to go figure out what is best).
 
strathglass said:
OK, thanks for the replies, ...here is an update.

I have a Rogers Hitron cable modem (with wifi and router): just that and several switches, no other router.
At my old house the Rogers device was in bridge mode and I used a router running the Shibby Tomato Firmware that was nice ... I used that to only allow specified MAC addresses onto the network, and to not broadcast my SSID.
At the new house the Rogers wifi worked so well I didn't bother with my own router (and the old house router was getting kind of old so would need to be replaced).
Should I go back to bridge mode on the Rogers cable modem and use my own router/wifi? If I do that, it would be a bit of a hassle as now I have to pick a router. And would likely get some kind of mesh wifi (again a hassle to go figure out what is best).
Click to expand...

@strathglass,
If your happy with your Hitron, Login to it and turn off uPNP.

What is your old modem? if it can handle the high speed download of your connection, I would bridge Rogers and use the modem.
 
Hmmm...reset the router and Zoomeye still finds those 2 HikVision cameras, yet all port forwarding is off. How does this happen? Maybe it is cached and not really re-running the test?

Also forgot to add: no VPN here. Not sure that is worth the trouble? I don't want to spend more money on hardware...lets save that for more cameras.
 
58chev said:
@strathglass,
If your happy with your Hitron, Login to it and turn off uPNP.
What is your old modem? if it can handle the high speed download of your connection, I would bridge Rogers and use the modem.
Click to expand...

If you will read upstream you will note as per fenderman that UPnP is already turned off.
My old modem does not have great wifi...I would replace it if I decided to bridge my Hitron.
 
You must log in or register to reply here.
Top Bottom