Hello everyone,

On Monday we discovered that our DVR had been hacked over the weekend. The attack turned all sixteen cameras black (using color settings) and replaced the title 'CAM 3' with 'HACKED 3', etc., on all sixteen cameras. This resulted in the loss of about 61 hours of footage, but all in all, not that big a deal.

My investigation determined that this was due to the admin user's password being set to the default, 'admin', for the last three years, and that this was bound to happen eventually.

We did the following to fix this:

- changed the Admin user's password and deleted all other users
- moved the DVR to its own public IP address (before it was port-forwarded on our prod network)
- tattled to the FBI

Two days later, it was hacked again. Same thing, all cameras named 'HACKED' and blacked out.
I checked the log and can see that this attack came from another IP address, but did the exact same thing.

Big Green Man wrote:
> Have you gone through IC Realtime's guide to securing your DVR?

I saw that, but I'll look it over again. It's more or less a best practices article, which we are already 60% in compliance with. Probably the best thing we can do is get that thing updated.

John4120 wrote:
> I would start with a malware search on anything (iPhone, local desktop machine) that connects to that DVR and see if anything comes up in that scan. Is there a way to change the username or disable the default admin account? Maybe the vulnerability is right there.

I'll have a look at his phone, but last I've heard there are no iPhone scanners, since Apple insists that there are no viruses. I'll make sure he has third-party apps disabled, which is the best I can do for that.

Error 170 wrote:
> Those things are notorious for lax security. It could be a number of bugs, hardcoded backdoor passwords, etc. The correct answer is to put it behind a firewall and either VPN in to use it, or use whitelisted trusted incoming IPs only.

I was thinking of doing something along these lines as we have a spare SonicWALL we can use. The only issue is that he accesses the device from his iPhone and I can't know what his IP will be at any given time. He also takes trips overseas, so it may not be possible to restrict by IP and make him happy at all. Perhaps I can set up a VPN on the SonicWALL and have him connect to that first.

Rockn wrote:
> Do you have anything on this DVR open to the interwebs? If so, start logging the NAT rule, and if you do NOT need it pointing public, disable the NAT rule.

It is facing the internet so that the CEO can watch it on his phone from home. Originally we had two ports NAT'd to the device as it sat on our production network. After the first attack I moved it to another IP address and off of the network. Unfortunately this also means that it is no longer behind a firewall. That's where we can step in with the second SonicWALL to lock it down to just one port.

PatrickFarrell wrote:
> You don't expose NVRs or cameras to the internet. VPN is the only way to go here. It shouldn't be a hard conversation now as it's no longer hypothetical.
>
> Here is a scarier thought. What else was done that you don't know about? Was firmware changed? Were they able to use the cameras as a jump point to launch attacks against anything else internally?

A VPN is what I am leaning towards at this point. I don't think I can trust this device anymore, and it might not be cost effective to upgrade quite yet.

That scarier thought is exactly what prompted me to move it off of the network. Though the fact that they made it obvious that they were there indicates a lack of ambition with the device. They could have deleted all footage, cleared the logs, added more users, really anything. But they just blacked out the cameras, named them 'HACKED', and rebooted the device.

Toby wells wrote:
> I was intrigued right up to the point you said it was exposed to the internet. Never ever expose devices. VPN is easy, but I wouldn't even want cameras on the production network, as they are often in exposed areas where people could unplug the cable and connect a rogue device to your LAN.

It's an analog system, so there is no risk of the camera leading to LAN access. However, the internet connectivity is a considerable threat. It was deployed about a year before my time here and I never looked into it, but I certainly would like to have known that it had an internet-facing default password.

Error 170 wrote:
> It appears that ICRealtime uses Dahua firmware, which was famous earlier this year for having holes you could drive a truck through. You'll definitely want to put it behind a VPN if the CEO will be traveling internationally.

Dahua, huh? Thanks for the tip, I'll look into it. I'm sure this hasn't been auto-updating, so whatever truck parking garages were discovered are certainly wide open here.

Ngreene wrote:
> Had this happen at two sites as well. Check the log and it will tell you what IP it's connected from. One was Argentina, the other was Minnesota.

Did it happen just recently? I found another post where someone had this a few days ago, with newer hardware and firmware. I'm starting to think this is a new attack against this platform specifically. It happened to my CEO's home system last night as well. Not sure about his attack, but the ones at the office were from Wyoming and Oregon. I suspect this is caused by malware rather than somebody actually looking for DVRs.

Yes, within the past two days. Interestingly enough, at both sites they logged into the DVR using the 88888 account, which IIRC is a local account that cannot be used remotely. Both IPs in the log were outside addresses. One was Argentina and the other was Minnesota. The Minnesota one was a little craftier in the camera name. Instead of saying 'Hacked' it spelled out 'Hacked' 'Update' 'Your' 'Firmware' in the 4 cells across on a 4x4 view. I laughed.

I reset the systems, educated the users on 'call me when you make a decision or buy something', set complex passwords, updated the firmware, changed the 80 and 37777 ports (as they were the only ones they opened) to something up in the range 55000+, and billed them nicely for it.

A couple of things puzzled me about this:

- Besides changing the names on the cameras and adjusting the sliders down to 0, the only other thing they do is change the IP address from a LAN address to a WAN address. Just so I can't connect to it and have to go on-site? Why not just change it to 1.1.1.1? But it would be something just seemingly random. Different both times.
- Why not change passwords or attempt anything else? It's almost like a 'Hey, friendly reminder your DVR is not secure' message, versus a real 'hacked' scenario.

PatrickFarrell wrote:
> It could be just that, someone doing a 'service' and letting you know. Now, how long were your cams compromised by others who didn't bother to change the title?

That's what I was thinking. There is no way to find whose vulnerable DVR is listening on a specific IP address, or I suspect they'd give us a call instead.
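The thread's practical advice is to read the DVR log for the source IP of each login, to treat a local-console-only account (the 88888 account mentioned above) appearing with a remote address as a red flag, and to recognise the tamper pattern that was described (camera titles renamed, picture sliders set to zero, a reboot). The script below is an added example, not code from this thread, IC Realtime or Dahua: it triages a DVR access log against those three points. The log line format, the sample lines, the trusted LAN and VPN ranges, and the account list are all constructed or assumed for the illustration; real DVR logs will need their own parser.

```python
"""Triage a DVR access log for the signs discussed in the thread:
successful logins from outside the LAN/VPN, local-only or default accounts
used over the network, and follow-on config changes by those sessions.
Added example; the log format and sample data are constructed, not a vendor's."""

import ipaddress
import re

# Constructed sample log. Addresses come from the RFC 5737 documentation
# ranges; "console" marks a login at the DVR's own front panel (assumed).
SAMPLE_LOG = """\
2017-08-05 02:14:09 LOGIN user=admin src=203.0.113.45 result=ok
2017-08-05 02:14:31 CONFIG user=admin src=203.0.113.45 item=camera3.title value=HACKED 3
2017-08-05 02:15:02 CONFIG user=admin src=203.0.113.45 item=camera3.brightness value=0
2017-08-05 02:16:00 REBOOT user=admin src=203.0.113.45
2017-08-06 09:00:12 LOGIN user=admin src=192.168.10.22 result=ok
2017-08-06 09:02:40 LOGIN user=admin src=console result=ok
2017-08-07 23:40:51 LOGIN user=88888 src=198.51.100.7 result=ok
2017-08-07 23:41:10 CONFIG user=88888 src=198.51.100.7 item=network.ip value=198.51.100.200
"""

# Where a login may legitimately come from: the office LAN and the VPN
# address pool the thread recommends instead of direct exposure (assumed values).
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                ipaddress.ip_network("10.8.0.0/24")]
# Account names taken from the thread: 'admin' (shipped default) and '88888',
# which a poster describes as usable only at the local console.
DEFAULT_ACCOUNTS = {"admin", "88888"}
LOCAL_ONLY_ACCOUNTS = {"88888"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>[A-Z]+) user=(?P<user>\S+) src=(?P<src>\S+)(?P<rest>.*)$")
ITEM_RE = re.compile(r"\bitem=(\S+)")
VALUE_RE = re.compile(r"\bvalue=(.*)$")   # value may contain spaces ('HACKED 3')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(src):
    """True for the local console or an address inside a trusted network."""
    if src == "console":
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def triage(log_text):
    """Return (line_no, user, src, reason) tuples for events worth a look."""
    findings = []
    suspicious = set()  # (user, src) pairs whose login was flagged
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        user, src, event, rest = rec["user"], rec["src"], rec["event"], rec["rest"]
        if event == "LOGIN" and "result=ok" in rest:
            reasons = []
            if not is_trusted(src):
                reasons.append("successful login from outside trusted networks")
            if user in LOCAL_ONLY_ACCOUNTS and src != "console":
                reasons.append(f"local-only account '{user}' used over the network")
            if user in DEFAULT_ACCOUNTS and not is_trusted(src):
                reasons.append(f"default account '{user}' reachable from the internet")
            if reasons:
                suspicious.add((user, src))
                findings.append((n, user, src, "; ".join(reasons)))
        elif (user, src) in suspicious and event in ("CONFIG", "REBOOT"):
            # Follow-on changes by a flagged session: in the thread the intruder
            # renamed cameras, zeroed the picture, changed the IP and rebooted.
            item = ITEM_RE.search(rest)
            value = VALUE_RE.search(rest)
            detail = event.lower()
            if item:
                detail += f" {item.group(1)} -> {value.group(1) if value else '?'}"
            if value and "HACKED" in value.group(1):
                detail += " (camera title tamper, as reported in the thread)"
            findings.append((n, user, src, detail))
    return findings


def attacker_sources(findings):
    """Source addresses behind flagged activity, for the firewall block list."""
    return {src for _, _, src, _ in findings}


if __name__ == "__main__":
    for line_no, user, src, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {user}@{src}: {reason}")
    print("sources to block:", sorted(attacker_sources(triage(SAMPLE_LOG))))
```

On the constructed sample, the LAN and console logins pass, the two public-address sessions are flagged at login, and every change they make afterwards is listed with them. Once the unit sits behind a VPN as the thread recommends, TRUSTED_NETS is the VPN pool plus the LAN, so any remaining hit on the first rule means the NAT rule was not actually removed.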
But they're doing the internet a favor anyway and alerting the vulnerable operator of the vulnerability the only way they can.

And that's what creeps me out the most. For three years, anyone in the world could have just logged in and watched us work. At least the cameras aren't high enough resolution to see anything sensitive on the computer monitors.

They found you on viralcams or insecams because you had already been hacked. There are groups of people doing exactly what you said as a service. They change the sliders to 'close the window' until you catch on. This turns the camera black on the website it is being broadcast to, though it is still being broadcast. Usually they use the least invasive means of telling you. However, when kids are being shown, they have been known to take more drastic measures more quickly, up to disabling routers and setting off camera alarms repeatedly.

I don't know a parent that would be mad or a prosecutor that would (or even could) do anything. They did you a massive service.