Hikvision Vulnerability
  • Been following this on IPCamTalk.com for the last couple weeks. It's worth a read. If you have a gray market camera (Amazon.com) do some reading before you try to update your firmware. You will probably brick it. I did :(
    Do some reading before updating your firmware on your cam you bought at an authorized reseller. Most of the time it needs to be done incrementally. If you feel the need to do so.
    https://threatpost.com/hikvision-patches-backdoor-in-ip-cameras/125522/
  • Surely, there's got to be someone that specializes in unbricking cameras. I have two that I'd like to fix.
  • This is unfortunately a problem with grey-market products, particularly from Dahua and Hikvision: if you try to upgrade the firmware you run the risk of bricking the camera, probably permanently.

    Thanks for the tip about upgrading incrementally, I hadn't heard of that.

    To avoid any kind of camera security issues, the ultimate solution is to put cameras onto their own separate LAN without Internet access.
  • Ben...

    Thanks for the discussion! I was recently thinking about isolating my cameras from the internet.

    As an alternative to setting up a separate LAN for cameras, would creating a VLAN on a single network for my cameras be a reasonable alternative? Any drawbacks or downsides?

    Thanks!
  • Yes, a VLAN would work just as well. The only downsides (mostly minor) are:

    - You need switches that specifically support VLAN functionality, which are more expensive than standard unmanaged switches.

    - The setup is a little more complex, as it involves configuring the switches.

    - With multiple VLANs running through the same physical switch, traffic on one VLAN can negatively impact the speed on the other VLANs.
  • Thanks again, Ben…

    Yesterday, after weighing several configuration options, I ended up following your blog post up above about setting up two LANs on my Mac Mini, using a TB ethernet adapter for the 2nd LAN.

    I had to first set up all of my cams to static IP addresses, and I already had a TB to ethernet adapter. It all worked out great and I am glad my cams are no longer potentially visible to the outside world. I should have done this years ago.

    One small “downside” is I can no longer view camera video on my laptop via WiFi using a view-only copy of SecuritySpy.

    Is there a way to do that, even remotely over the internet, similar to how I can view my cameras with iOS SecuritySpy? Thanks!
  • Great to hear the setup went well.

    Your laptop on WiFi is now on a different LAN to the cameras, so can't access them directly. Instead, SecuritySpy on your laptop can connect to SecuritySpy on your Mac mini in order to obtain the streams - please see SecuritySpy as Remote Viewing Software.

    Note that depending on the number of cameras and their resolutions and frame rates, this can significantly increase the processing load on the server. To minimise this, you may want to set reasonably low frame rates that the client will request (under Preferences > Cameras > Device).
  • Thanks again, Ben.

    To keep things simple, and because this is how I'll likely use a 2nd instance of SecuritySpy on my laptop, I'm focusing on my local WiFi network.

    For background... my Mac Mini camera server is running well and works fine with iOS SecuritySpy (as it has for years). In the Web panel, the "Advertise this server via Bonjour" checkbox is checked.

    The SecuritySpy instance running on my laptop (which ran locally via WiFi when my cameras were previously on a single LAN) seems to have a problem finding the MacMini via Bonjour.

    If I go to the Cameras Panel and try to "Add All Cameras From SecuritySpy Server..." I get a dialog box where I can add the server, but clicking the dropdown to the right of the entry box reveals "No Servers Found via Bonjour." Any thoughts on what I might be doing wrong? Thanks!
  • Check the IP address that the MacBook has when connected to WiFi (under System Preferences > Network), and compare it to the Mac's Ethernet address on the main LAN (not the camera LAN). Are these on the same subnet (i.e. first three numbers the same)?

    If so, then it could simply be a Bonjour issue for some reason. In this case, make sure your Mac mini has a manual/static IP address on your main LAN, and give this address to SecuritySpy on your MacBook when setting up the cameras there. (This option seems the most likely, since you mention that the MacBook was able to connect to the cameras previously.)

    If not, then your WiFi access point is actually acting as a router, and your WiFi network is a separate network. The best solution in this case is to set your WiFi access point to "bridge mode", and then everything should work.
