
Hikvision IP Camera Security

Brent Miller

So after hearing about the latest internet attacks against the internet directory services, I have a few questions regarding my IP camera security. It seems that most of the DDoS attacks were coming from things like internet-based cameras.
I have 3 Hikvision DS-2CD2032-1 cameras using hardwired enet POE cable feeding to a NAS hard drive on my home network. All the default user names and passwords have been changed from their default settings. Is there anything else I should be doing to ensure that my cameras are secure? I do have an ESET internet security program that runs on my computer.
 
Yes. It depends whether you need access to the cameras from the internet or not. If these are just used to record to internal storage and you are not using a viewing app to see the images while away from the location, then you can shut down UPnP and close ports on the cameras to prevent them making themselves available externally. The problem with the attacks you describe is mainly due to a combination of default passwords and also passwords for services that cannot be turned off or changed (telnet and ssh). Hikvision does not suffer from such problems to my knowledge.

Under Advanced Config/Network you can change the default ports used, and whether it uses UPnP to control your local router for port access from the outside. Under NAT you can see whether that port mapping has worked and what the external IP address appears to be. In most cases you do not need Platform access.

Under Security you should disable "anonymous visits" and also untick telnet and ssh under Security Service.

If you *do* need external access for a viewing app, it's still unlikely you need ssh/telnet/anonymous visits, nor do you need platform access unless you are using the Hikvision EZ Viz solution.

In my case, I changed the default ports for external access, so any of those scanning solutions out there will not find it in the usual places.
 
Good stuff from morph.
You can also consider setting up a VPN too if you're concerned about security and remote access is essential - they're very available and easy to set up nowadays.
 
Well. After some further examination I find that despite turning off EzVIZ in the "platform" section on the camera, it still opens a UPnP port of the same on my router (ports 9010 and 9020). This is irritating and a potential security issue. When I disable EzViz I expect the camera to NOT open any ports.

There is also another port opened which seems to be 200 beyond the base of where I reset for the Server port. It's not configurable either, nor can I disable the Server port (I don't use this feature), and neither are the EzViz ports configurable. Anyone else find this? I can see what's opened on my router under the "port connections" menu. They disappear when rebooted, and come back when the camera starts.

EDIT: it gets worse. If you block those EzViz ports at the router, the camera asks for the next incremental port and gets it (9011 and 9021). This is a bit crap given all the IoT security nightmares. The only way around this is to disable UPnP and individually forward the ports at the router ... for every camera. This seems a bit dumb to me.
 
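An added example, not part of the thread or any poster's code: a Python check that reads a router's UPnP mapping listing and reports every forward pointing at a camera address that the owner did not create on purpose, which is the behaviour described in the last post. The listing format is assumed to be the one printed by miniupnpc's `upnpc -l`; the addresses, descriptions, camera subnet and allowlist are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# One mapping line in the assumed `upnpc -l` shape:
#  <index> <proto> <extPort>-><intAddr>:<intPort> '<description>' '<remoteHost>' <lease>
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<addr>[\d.]+):(?P<int>\d+)"
    r"\s+'(?P<desc>[^']*)'"
)

def parse_mappings(listing):
    """Return one dict per port-mapping line; the header and other lines are skipped."""
    out = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            out.append({"proto": m["proto"], "ext": int(m["ext"]),
                        "addr": ip_address(m["addr"]), "int": int(m["int"]),
                        "desc": m["desc"]})
    return out

def unexpected_camera_mappings(listing, camera_net, allowed):
    """Mappings that forward to an address in camera_net and are not in `allowed`.

    allowed: set of (proto, external_port, internal_addr, internal_port) tuples
    for the forwards the owner set up deliberately.
    """
    net = ip_network(camera_net)
    findings = []
    for m in parse_mappings(listing):
        key = (m["proto"], m["ext"], str(m["addr"]), m["int"])
        if m["addr"] in net and key not in allowed:
            findings.append(key)
    return sorted(findings)

# Constructed sample: addresses, descriptions and the 8554 forward are made up;
# 9010/9020 and 9011 are port numbers mentioned in the thread.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8554->192.168.1.64:554   'manual rtsp' '' 0
 1 TCP  9010->192.168.1.64:9010  'cam1' '' 0
 2 TCP  9020->192.168.1.64:9020  'cam1' '' 0
 3 TCP  9011->192.168.1.65:9011  'cam2' '' 0
 4 UDP 51413->192.168.1.20:51413 'desktop app' '' 0
"""

if __name__ == "__main__":
    allowed = {("TCP", 8554, "192.168.1.64", 554)}
    for proto, ext, addr, port in unexpected_camera_mappings(SAMPLE, "192.168.1.64/30", allowed):
        print(f"unexpected: {proto} {ext} -> {addr}:{port}")
```

Run against a fresh listing after each camera reboot, since the thread notes the mappings disappear on reboot and return when the camera starts.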