Hikvision Hardening Guide Recommends Port Forwarding

Published Jun 09, 2017 11:18 AM

Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below:

In this note, we examine the risks in this approach and Hikvision's commitment to network security.

Hardening **********

********* **** ** ****** *************** *** increase *** ******** ** *******. ********* guides *** ******* ** ** *** growing ** ***** ************ ** ***** seek ***** ** ******* ******** ** the ******* **** ******. *** *******, here *******'* ***** ** ****** ***** *** Devices ******* ************** ********* *****.

Port ********** *****

**** ********** ***** ***** ***** ********* to *** ****** ********. ***** **** makes ** **** *** *** **** to *** ****** ****** ** ***** devices, ** **** ****** ********* / hackers ** ***** / ****** ***** devices. ** ***** *** *************** *** the ****** (*.*.,*********'* ****** ********, *** **** ***** ** ******* passwords, ***., ******** *** ************* ** exposed ***** **** ****, **** ****, etc.), **** ********** ***** ** **** to ******* ****. ******, ********* ******* this,******* ************* ***** **** *********** **** **** *********** ******* ** port **********.

**** ********** ** * ******* / easier *********** ** ***** * *** (e.g., *** **** ** *** ** *** ***** Statistics) *** **** ********** ** *** a *** ** '******' * ****** or * *******. ** ** *** thing *** * ************ ** ******* how ** *** **** ********** *** another ** ********* ** ** ** a ******** ************* ** *********.

HikConnect ***?

*************, *********'* ********* ***** *** *** mention***-*******, ***** *** / ***** *******, ***** ********** *** **** *** port ********** *** ** * ******* they *** ********* ** * *********** to ***** **** ********.

*******, ***-******* ******** ****** ********* ****** to * ****'* ******** ******* / LAN, ***** ****** *** *** *** of **** ***** *********'* ************* ***** record *** ******* ********** *********.

Cisco *** ****** ****?

********* ********* ** **** ***** ************* seriousness, ********* ****** ****** *** ******** ****** *****. *******, ***** *** ****** *** surely *** ************ **** ********** ** a '******** *************' ** '*********'.

** *** ***** ****, ** ** hard ** ***** ***** *** ****** since **** ** *** ******* **** ever **** ***** **** **** *** providing ** ********* ****** ***** ********.

Featuring ******* *******?

*******, *** ****** ** ******* ******* as *********'* ********* ******* ** ********.

******* ******* ***, ** ***** *** design, ******** ** **** *** *** users. *** ******* *******, **** *********,**** *** ***** *** ******* ******** issues.

******* ** ***, ** ********* ** Hikvision ***** *** ******* ***** ********* their ******* / ********, **** ********** Linksys ******* ** *** * **** way ** ** ****.

Comments (18)
Jon Dillabaugh
Jun 09, 2017
Pro Focus LLC

I must have missed the memo where Cisco sold Linksys to Belkin? I was going to comment that most Linksys gear was now labeled Cisco, hence the Hikvision connection (a reach, I know), but even that is now debunked.

My only guess is that Linksys is sort of a de facto standard for SOHO routers, and if you need their advice for port forwarding, you likely aren't running a SonicWall, pfSense, or anything corporate above these SMB routers.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways.

John Honovich
Jun 09, 2017
IPVM

I must have missed the memo where Cisco sold Linksys to Belkin?

Note to others: Cisco sold Linksys to Belkin 4 years ago, March 2013.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways.

That's funny because it's true but presumably Hikvision is releasing a network hardening guide because it wants to build trust with larger / enterprise buyers who care about cybersecurity. Featuring a Linksys router with port forwarding instructions is unlikely to do that.

Luis Carmona
Jun 09, 2017
Geutebruck USA • IPVMU Certified

I must have missed the memo where Cisco sold Linksys to Belkin?

Don't worry, Jon, I missed that one too. But maybe because I don't follow the SOHO market much anymore.

Undisclosed Integrator #1
Jun 09, 2017

After installing my first Hikvision, I started getting random invalid login attempts at all hours of the day and night in the first week! Now half the cameras have stopped working. Ugh, why did I bother.

Jon Dillabaugh
Jun 09, 2017
Pro Focus LLC

That's strange, out of the hundreds of Hikvision products we have installed, none have been hacked to my knowledge and we have only ever had a few RMAs.

However, I have had quite a few Dahua devices get hacked, so I can sympathize somewhat.

But, neither brand has been unreliable. We've had maybe 20 RMAs in the history of using Dahua and Hikvision products since 2010.

To stay on topic though, if you followed this "hardening guide", you should expect a "knock at the door" very soon.

John Honovich
Jun 09, 2017
IPVM

I started getting random invalid login attempts at all hours of the day and night in the first week

Did you port forward it or? Typically such invalid login attempts come from devices being exposed to the public Internet, which faces numerous bots and scripts continuously probing / attacking devices.

Related, a popular article from last year: "The Inevitability of Being Hacked. We built a fake web toaster, and it was compromised in an hour."
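The probing John describes above shows up in a recorder's log as bursts of failed logins from a handful of Internet sources. This added example (not code from IPVM or Hikvision; the log layout and addresses are constructed samples, not Hikvision's real format) picks out sources that reach a failure threshold inside a sliding time window, while ignoring a trusted viewer address.

```python
"""Flag brute-force style login failures on an Internet-exposed recorder.
The log lines below are constructed samples in a generic syslog-like layout
(assumption for this example, not Hikvision's actual log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) login failed user=(?P<user>\S+) src=(?P<src>[\d.]+)$")

SAMPLE_LOG = """\
2017-06-09T02:14:01 login failed user=admin src=198.51.100.23
2017-06-09T02:14:02 login failed user=admin src=198.51.100.23
2017-06-09T02:14:02 login failed user=root src=198.51.100.23
2017-06-09T02:14:03 login failed user=admin src=198.51.100.23
2017-06-09T02:14:05 login failed user=admin src=198.51.100.23
2017-06-09T03:40:10 login failed user=admin src=203.0.113.7
2017-06-09T11:02:44 login failed user=admin src=192.0.2.55
2017-06-09T11:02:44 login failed user=admin src=192.0.2.55
2017-06-09T11:02:45 login failed user=admin src=192.0.2.55
2017-06-09T11:02:45 login failed user=admin src=192.0.2.55
2017-06-09T11:02:46 login failed user=admin src=192.0.2.55
"""

def parse(text):
    """Yield (timestamp, user, src) for each well-formed failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def suspicious_sources(text, threshold=5, window=timedelta(minutes=1), trusted=()):
    """Return {src: total_failures} for sources not in `trusted` that reach
    `threshold` failures within any sliding `window`; one-off typos are ignored."""
    by_src = defaultdict(list)
    for ts, _user, src in parse(text):
        if src not in trusted:
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits
```

A legitimate viewer that mistypes a password once (203.0.113.7 above) never reaches the threshold, so the alert list is only the sources hammering the device.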

Undisclosed Integrator #1
Jun 09, 2017

I have it straight facing on the WAN with a public IP. Probably not the best way, but it's the only device there and if I was going to open up all the ports needed anyway, I didn't see a need for a router. Guess I'll need to put it behind one and see if it helps. Not sure if I'm getting notification of false logins or if they're using some kind of backdoor, being that the system is recognizing a failed login attempt.

Luis Carmona
Jun 09, 2017
Geutebruck USA • IPVMU Certified

A router may not mitigate the issue if the same port required for the stream is the same one that authentication requires, or if a hack can be made on the streaming port. Where a router might help is if it has the capability of permitting incoming traffic only from a specified source IP, and whatever needs to connect to the camera (like an NVR) is from a known source IP.

Undisclosed Manufacturer #2
Jun 09, 2017

I was going to comment on the main article, that my guess is that Hik is recommending to use port forwarding vs. simply putting the device behind the modem with all ports open. However, this is a very rare case, as usually there are other devices on the network requiring the use of a router. In your case, yes I would recommend a router as standard business practice. Most ISPs will provide a modem/router combo, which IMHO I hate and would rather use a Belkin or Linksys any day.

One benefit of using port forwarding vs. simply hanging the device off the modem is that any "undocumented" port, such as discovery, ONVIF, telnet, SSH, etc., is then not accessible if you didn't forward the port. If it is on the modem, then everything is accessible from the Internet.

I typically recommend using port forwarding if VPN or other technologies cannot be used, and then to forward only the minimum ports and devices. Only forward the NVR and not each camera. Ports you don't need for remote access, don't forward.
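The two recommendations above (Luis: only accept from a known source IP; the manufacturer: forward only the NVR and only the ports remote viewing needs) can be checked mechanically against a router's forwarding table. This is an added example, not IPVM's or Hikvision's code; the rule table, LAN inventory, "needed" port set and the 203.0.113.7 viewer address are constructed assumptions.

```python
"""Audit a SOHO router's port-forwarding table against the thread's advice:
forward only the NVR (never individual cameras), only the ports remote viewing
needs, and restrict the source IP where the router supports it.  The rule table
and device inventory below are constructed sample data, not from a real router."""
from dataclasses import dataclass

# Ports a typical NVR needs for remote viewing (assumption for this example).
NEEDED_PORTS = {8000, 554}          # client/SDK port, RTSP
# Management/discovery services the thread says should never face the Internet.
RISKY_PORTS = {23: "telnet", 22: "ssh", 3702: "ws-discovery"}

@dataclass
class Forward:
    ext_port: int
    int_ip: str
    int_port: int
    src: str = "any"    # "any": the router accepts this forward from every Internet host

# Constructed inventory: which LAN host is the NVR and which are cameras.
INVENTORY = {"192.168.1.10": "nvr", "192.168.1.21": "camera", "192.168.1.22": "camera"}

def audit(rules, inventory=INVENTORY, allowed_src=None):
    """Return (rule, finding) tuples; an empty list means the table follows the
    minimum-exposure guidance.  allowed_src is the known viewer IP, if any."""
    findings = []
    for r in rules:
        role = inventory.get(r.int_ip, "unknown")
        if role != "nvr":
            findings.append((r, f"forwards to {role} {r.int_ip}; forward only the NVR"))
        if r.int_port in RISKY_PORTS:
            findings.append((r, f"exposes {RISKY_PORTS[r.int_port]} (port {r.int_port})"))
        elif r.int_port not in NEEDED_PORTS:
            findings.append((r, f"port {r.int_port} is not needed for remote viewing"))
        if r.src == "any" and allowed_src:
            findings.append((r, f"accepts from any source; restrict to {allowed_src}"))
    return findings

# Constructed 'before' table: DMZ-style, cameras and a management port exposed.
WEAK = [Forward(8000, "192.168.1.10", 8000), Forward(23, "192.168.1.10", 23),
        Forward(8001, "192.168.1.21", 8000), Forward(80, "192.168.1.22", 80)]
# Constructed 'after' table: NVR only, needed ports only, known viewer source.
HARDENED = [Forward(8000, "192.168.1.10", 8000, "203.0.113.7"),
            Forward(554, "192.168.1.10", 554, "203.0.113.7")]

if __name__ == "__main__":
    for name, table in (("weak", WEAK), ("hardened", HARDENED)):
        for rule, why in audit(table, allowed_src="203.0.113.7"):
            print(f"{name}: ext {rule.ext_port} -> {rule.int_ip}:{rule.int_port}: {why}")
```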

Undisclosed Distributor #3
Jun 09, 2017

The biggest thing in this article that jumps out at me is that they are not recommending P2P. P2P was going to be the end-all, be-all answer in the easy setup nirvana but now I guess they see the inevitable hacks and distrust for them as a reason to go away from it. Anyway, that was my take on it. And oh yeah, using an older SOHO router was just funny, like they told someone to make a hardening guide with the stuff he could find in the basement.

John Honovich
Jun 09, 2017
IPVM

now I guess they see the inevitable hacks and distrust for them as a reason to go away from it

I do not know if that was the case. We raised our concerns about the hardening guide to Hikvision prior to publication but no response.

Btw, Hikvision did update the guide yesterday, June 8th, after we contacted them but the port forwarding section still remains.

Here's the 1.1 April 2017 version and the 1.2 June 2017 version for those looking to compare.

One thing that clearly is new, post IPVM's notification to Hikvision, is a warning section about using port forwarding that follows the Linksys screencap / instructions that remains:

As the excerpt shows, they are still clearly recommending port forwarding for Internet access generally and in their 'hardening' guide.

Avatar
Sean Nelson
Jun 09, 2017
Nelly's Security

I took a brief look at their entire hardening guide and I think if you did every single step in there, it would be pretty secure. I would have added that one should change port 80 to something else and should have put more of an emphasis on only opening the ports needed for the DVR (to avoid the risk of someone DMZ'ing).

People want to see their cameras remotely. So from a practical standpoint, are you alluding that Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device? Or how/what else should they have mentioned instead? Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

Undisclosed #4
Jun 09, 2017

"I would think port forwarding is a more secure setup than any P2P setup?? Or nay?"

Why do you think port forwarding is more secure?

John Honovich
Jun 09, 2017
IPVM

People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device?

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

That depends what you think of the security / precautions / readiness / proficiency of your P2P / cloud provider.

There is one clear benefit. When a vulnerability is found in a P2P or cloud service, it is fixed once and patched for all users. When a vulnerability is found in a remote unmanaged device that uses port forwarding, the vulnerability will, as a matter of practice, exist for many years in most devices since firmware upgrades of individual users lag, to say the least.

Undisclosed #5
Jan 04, 2019

P2P is the worst protocol to have been introduced in IP camera systems, regarding security. It's purposefully designed to punch through safety/control measures. Some may say ONVIF is worse, but I digress. :D

NOTICE: This comment has been moved to its own discussion: P2P Is The Worst Protocol To Have Been Introduced In IP Camera Systems, Regarding Security

Michael Gonzalez
Jun 09, 2017
Confidential

Trust us for all of your cyber security needs.

Sean Nelson
Jun 09, 2017
Nelly's Security

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Understand, I just think you have to blend practicality in with your instructions to your customer, and I think telling the millions of Hikvision customers, whether they are advanced or not, to set up a VPN is not at all practical. I mean if you really want to truly harden your system you can include these instructions: "You see that network cable that is connected to the back of your device? Unplug it!"

I too am a little confused why they didn't mention P2P though. To me this would be the most practical situation. We still however do not get the full remote management features through P2P like we do with normal port forwarding. It's also "slower" than port forwarding.

John Honovich
Jun 09, 2017
IPVM

in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to setup a VPN is not at all practical.

Sure, so if someone does not care about cybersecurity and just wants to see video remotely, letting them know it's possible to use port forwarding is perfectly reasonable (with appropriate warning about risks).

But it's strange to put port forwarding as 'standard configuration' inside of a hardening guide. Many people who are serious about cyber security are going to see and conclude negatively about Hikvision (i.e., a company with that many past problems who then goes and recommends port forwarding Linksys routers in a hardening guide either lacks skill or seriousness in cyber security).
