- Messages
- 5,037
- Points
- 113
HikVision cameras & NVRs can use upnp (universal plug 'n' play) to quickly/easily/automatically configure port mapping/forwarding in your office/home router to facilitate remote access to your HikVision cameras. NB upnp also needs to be enabled in your router (but often is by default).
Unfortunately, this can present a risk of unwanted remote access. The ports that are forwarded are well known AND upnp actually forwards more ports than has up to now been clear (five rather than the three declared below).
HikVision updated their firmware to fix the back door access hack in May 2017 (V5.4.5).
From HikVision firmware version V5.5.0 onwards upnp is disabled by default i.e. if you want to use it, you have to knowingly enable it.
Unfortunately, if you upgrade from a version below V5.5.0, where upnp was on by default, the firmware update does not disable it (it remains at the prior default - set to upnp enabled).
Therefore, potentially, even if you believed you had not intentionally port forwarded your cameras for remote internet access - they may have used upnp and automatically configured your router to port forward and allow external access to the cameras.
At lower firmware releases, prior to V5.4.5 this ability to find cameras combined with the backdoor password left many devices vulnerable - and many were hacked.
So, if you do not wish to enable remote access to your cameras, please disable upnp (screenshot below).
I post this with some trepidation, I know it is going to throw up so many 'What if?' enquiries!
Hik-Connect access will enable upnp and use it to automatically port forward - that's fine if you're using the latest firmware and have thereby prevented the use of the backdoor password to gain control of your password.
However, we have a duty to share with our customers any vulnerabilities we become aware of as soon as possible.
If you are unsure of how your remote access has been configured, please screenshot your settings before disabling upnp (as the port numbers are likely to be different for each camera if you have multiple devices configured for remote access).
Hat tip to IPVM for sharing - Hikvision UPnP Hacking Risk
Unfortunately, this can present a risk of unwanted remote access. The ports that are forwarded are well known AND upnp actually forwards more ports than has up to now been clear (five rather than the three declared below).
HikVision updated their firmware to fix the back door access hack in May 2017 (V5.4.5).
From HikVision firmware version V5.5.0 onwards upnp is disabled by default i.e. if you want to use it, you have to knowingly enable it.
Unfortunately, if you upgrade from a version below V5.5.0, where upnp was on by default, the firmware update does not disable it (it remains at the prior default - set to upnp enabled).
Therefore, potentially, even if you believed you had not intentionally port forwarded your cameras for remote internet access - they may have used upnp and automatically configured your router to port forward and allow external access to the cameras.
At lower firmware releases, prior to V5.4.5 this ability to find cameras combined with the backdoor password left many devices vulnerable - and many were hacked.
So, if you do not wish to enable remote access to your cameras, please disable upnp (screenshot below).
I post this with some trepidation, I know it is going to throw up so many 'What if?' enquiries!
Hik-Connect access will enable upnp and use it to automatically port forward - that's fine if you're using the latest firmware and have thereby prevented the use of the backdoor password to gain control of your password.
However, we have a duty to share with our customers any vulnerabilities we become aware of as soon as possible.
If you are unsure of how your remote access has been configured, please screenshot your settings before disabling upnp (as the port numbers are likely to be different for each camera if you have multiple devices configured for remote access).
Hat tip to IPVM for sharing - Hikvision UPnP Hacking Risk
