Jump to content

Recommended Posts

Many of you will likely know of the current security issue involving openssl and an exploit that potentially permits hackers to sniff bits of memory from your server - or IP camera in this case.

 

I did a test on my 5.10 cameras to see if they are vulnerable, and the version of openssl appears to be 1.0.0a which is so old it was before the vulnerability was accidentally introduced.

 

Testing didn't show the exploit to work which is good news

 

user@rl70:/tmp$ ./hb-test.py -p 443 -f dump 192.168.0.201
[+] Connecting...
[+] Sending ClientHello for TLSv1.0
[+] Waiting for Server Hello...
[+] Reveiced ServerHello for TLSv1.0
[+] Sending heartbeat request...
[-] Unexpected EOF (header)

 

Though of course if the openssl version is 1.0.0a that has other issues

Share this post


Link to post
Share on other sites

I did a test on my 5.10 cameras to see if they are vulnerable, and the version of openssl appears to be 1.0.0a which is so old it was before the vulnerability was accidentally introduced.

 

LOL... You really do enjoy playing with the guts of your Hikvision products

Share this post


Link to post
Share on other sites
I did a test on my 5.10 cameras to see if they are vulnerable, and the version of openssl appears to be 1.0.0a which is so old it was before the vulnerability was accidentally introduced.

 

LOL... You really do enjoy playing with the guts of your Hikvision products

 

Well it could be quite serious if you are exposing your camera web interface to the Internet!

Share this post


Link to post
Share on other sites

I'm not sure how the private keys are generated, or if they are hardcoded anyway. Might look into this at some point.

 

EDIT:

 

Actually a quick look shows the server private key is the same for my 2 cameras (bad)

 

# md5sum servkey.pem
49a000398957d3029ba1c15872c0eed5  servkey.pem

 

This isn't very good practice. I suppose you could generate your own but most people aren't going to do that (nor be aware of the need).

 

As to whether it's important depends on whether hackers can exploit it, and what the ramifications are if they do. Probably more risk to corperations (e.g. theft, corp espianage etc).

Share this post


Link to post
Share on other sites

Actually Hikvision USA recently admitted to this vulnerability in their cameras but said they fixed it in late 2013. They claim their exposure is limited to cameras exposed to the internet with default passwords. Even then, my guess is you would have to expose the telnet port, not just RTSP or HTTP ports.

Share this post


Link to post
Share on other sites

I do not think that Hikvision is any more vulnerable than most other guys out there.

 

Specially all those cheap Chinese OEM brands.

 

(Some of which probably don't use SSL at all!)

Share this post


Link to post
Share on other sites

If they can get into the web interface with admin rights, a hacker can do what they want, as a) the system software can be changed b) port numbers can be reconfigured. They can even brick the camera if they feel like it.

 

But as I say, the SSL vulnerability (private server key in this case not Heartbleed) relies on sniffing data which is hard in most situations. Still doesn't mean server keys shouldn't be generated for each camera though (the public cert is!).

Share this post


Link to post
Share on other sites

Even after changing ports, admin, password etc wouldn't a cam be fairly easy to get into without ssl? Also is the video stream encrypted even if the cam has ssl? I sent a question to wrightwood about this and they had a response from buellwinkle and it seems that only a vpn is really secure. Actually pptp seems to be broken now as well and only open vpn is solid. While I realize no internet connected cam is completely secure without a hard shut off I want to minimize risks. Ipcam and tinycam viewer would not work with the ssl login on my hikvsion however my acti cams worked fine. Managing a vpn or having to log on manually from my mobile phone seems needlessly complicated. The dropcam has ssl all the way through. Why is there not more concern over security from the software and hardware makers for ip cams?

 

I want to avoid something like this happening ... in my home

 

CUx8_JNNKsM

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×