Interesting article about DVRs with "hardcoded" passwords

j4co
Perhaps best to move the NVR and cameras into a VLAN behind a decent firewall to restrict access from outside, and prevent phone-home access.
 

alastairstevenson
Every time we get one of these exposures I imagine an agency operative muttering 'Damn! I need to move on to my next banked exploit.'
This does not say a lot for the vendor assessment procedures of some of the well known names who re-brand this stuff.
Incompetents r'Us.
 

alastairstevenson
The VPN would typically be on the edge of your network, on a security appliance; the router is the usual place, if it supports that facility. If it doesn't, it's easily replaced with one that does.
Then, having established the VPN capability, secure access from outside the network to selected internal parts such as the NVR becomes possible.
 

Defender666
Anyway, if the root password is known I bet you can still change it to something different in the SSH console.
 

alastairstevenson
> Anyway, if the root password is known I bet you can still change it to something different in the SSH console.

Not if the associated UserID/password is 'hardcoded' into the system operating firmware, as opposed to being saved in the flash with other configuration items.
This was what the original article was about - privileged access that could not be removed or changed.
 

ruppmeister
> Not if the associated UserID/password is 'hardcoded' into the system operating firmware, as opposed to being saved in the flash with other configuration items.
> This was what the original article was about - privileged access that could not be removed or changed.

Bingo! That is why it was important to relay this info on the forum here to help others understand the vulnerability of opening a port to their internal network to the Internet. The root username and password are always going to be available on the listed hardware and cannot be removed.
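
One way to express the segmentation suggested in this thread (camera VLAN behind a firewall, no phone-home, NVR reachable only through the VPN) as an nftables ruleset on a Linux-based router. This is an added example, not part of any post above; the interface names, NVR address and ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. All names and values below are assumptions:
define CCTV_IF   = "vlan30"         # VLAN carrying the NVR and cameras
define VPN_IF    = "wg0"            # VPN interface terminated on the router
define NVR       = 192.168.30.10    # hypothetical NVR address
define NVR_PORTS = { 443, 554 }     # assumed web UI and RTSP ports

table inet cctv_isolation {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies belonging to connections that were allowed below.
        ct state established,related accept

        # Only VPN clients may open connections to the NVR.
        iifname $VPN_IF oifname $CCTV_IF ip daddr $NVR tcp dport $NVR_PORTS accept

        # Phone-home: anything a camera or the NVR initiates is logged and dropped.
        iifname $CCTV_IF log prefix "cctv-egress: " counter drop

        # Everything else toward the camera VLAN is dropped, including
        # port-forwarded traffic from the Internet and other LAN segments.
        oifname $CCTV_IF log prefix "cctv-ingress: " counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        ct state established,related accept

        # Let the devices get an address and the time from the router only.
        iifname $CCTV_IF udp dport { 67, 123 } accept

        # No other access from the camera VLAN to the router itself.
        iifname $CCTV_IF log prefix "cctv-to-router: " counter drop
    }
}
```

With no port forward to the camera VLAN, a credential that cannot be changed on the device is reachable only from hosts already on that VLAN or connected through the VPN. The `cctv-egress` log lines show which devices attempt outbound connections.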
 