CBX 0 Posted April 15, 2014 Many of you will likely know of the current security issue involving openssl and an exploit that potentially permits hackers to sniff bits of memory from your server - or IP camera in this case. I did a test on my 5.10 cameras to see if they are vulnerable, and the version of openssl appears to be 1.0.0a which is so old it was before the vulnerability was accidentally introduced. Testing didn't show the exploit to work which is good news user@rl70:/tmp$ ./hb-test.py -p 443 -f dump 192.168.0.201 [+] Connecting... [+] Sending ClientHello for TLSv1.0 [+] Waiting for Server Hello... [+] Reveiced ServerHello for TLSv1.0 [+] Sending heartbeat request... [-] Unexpected EOF (header) Though of course if the openssl version is 1.0.0a that has other issues Share this post Link to post Share on other sites
Securame 0 Posted April 15, 2014 I did a test on my 5.10 cameras to see if they are vulnerable, and the version of openssl appears to be 1.0.0a which is so old it was before the vulnerability was accidentally introduced. LOL... You really do enjoy playing with the guts of your Hikvision products Share this post Link to post Share on other sites
CBX 0 Posted April 15, 2014 I did a test on my 5.10 cameras to see if they are vulnerable, and the version of openssl appears to be 1.0.0a which is so old it was before the vulnerability was accidentally introduced. LOL... You really do enjoy playing with the guts of your Hikvision products Well it could be quite serious if you are exposing your camera web interface to the Internet! Share this post Link to post Share on other sites
CBX 0 Posted April 15, 2014 I'm not sure how the private keys are generated, or if they are hardcoded anyway. Might look into this at some point. EDIT: Actually a quick look shows the server private key is the same for my 2 cameras (bad) # md5sum servkey.pem 49a000398957d3029ba1c15872c0eed5 servkey.pem This isn't very good practice. I suppose you could generate your own but most people aren't going to do that (nor be aware of the need). As to whether it's important depends on whether hackers can exploit it, and what the ramifications are if they do. Probably more risk to corperations (e.g. theft, corp espianage etc). Share this post Link to post Share on other sites
JoeyJoey 0 Posted April 15, 2014 The Hikvision NVR products have been known to have security issues long before this new issue. Share this post Link to post Share on other sites
buellwinkle 0 Posted April 15, 2014 Actually Hikvision USA recently admitted to this vulnerability in their cameras but said they fixed it in late 2013. They claim their exposure is limited to cameras exposed to the internet with default passwords. Even then, my guess is you would have to expose the telnet port, not just RTSP or HTTP ports. Share this post Link to post Share on other sites
qrcctv 0 Posted April 15, 2014 I do not think that Hikvision is any more vulnerable than most other guys out there. Specially all those cheap Chinese OEM brands. (Some of which probably don't use SSL at all!) Share this post Link to post Share on other sites
CBX 0 Posted April 15, 2014 If they can get into the web interface with admin rights, a hacker can do what they want, as a) the system software can be changed b) port numbers can be reconfigured. They can even brick the camera if they feel like it. But as I say, the SSL vulnerability (private server key in this case not Heartbleed) relies on sniffing data which is hard in most situations. Still doesn't mean server keys shouldn't be generated for each camera though (the public cert is!). Share this post Link to post Share on other sites
JoeyJoey 0 Posted April 16, 2014 This is the article I think is interesting. http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html Share this post Link to post Share on other sites
spork947 0 Posted April 20, 2014 Even after changing ports, admin, password etc wouldn't a cam be fairly easy to get into without ssl? Also is the video stream encrypted even if the cam has ssl? I sent a question to wrightwood about this and they had a response from buellwinkle and it seems that only a vpn is really secure. Actually pptp seems to be broken now as well and only open vpn is solid. While I realize no internet connected cam is completely secure without a hard shut off I want to minimize risks. Ipcam and tinycam viewer would not work with the ssl login on my hikvsion however my acti cams worked fine. Managing a vpn or having to log on manually from my mobile phone seems needlessly complicated. The dropcam has ssl all the way through. Why is there not more concern over security from the software and hardware makers for ip cams? I want to avoid something like this happening ... in my home CUx8_JNNKsM Share this post Link to post Share on other sites
