Showing posts with label BAN Hikvision. Show all posts

Sunday, January 15, 2023

Network Video Recorder cum Network Switch

Network Video Recorder "Built-in" Network Switch 

The introduction of a Network Video Recorder (NVR) with a built-in network switch confused a good portion of the professional market. It very much seemed to be geared towards a side of the market that was completely unfamiliar with how an IP camera system is set up and installed. Not a lot has changed since their original release dates. Most installers still scratch their heads at the thought of using them, but the fact remains that there is an audience. For those who aren't looking to teach themselves the way of "proper IP installation," these easy-to-adopt NVRs are very appealing. Having said that, it's equally important to understand what you're getting yourself into with a built-in switch.

Cost Comparison

There are two ways to look at cost, but we're going to start with your initial purchase for getting this system up and running.  There's no way to conceal the fact that purchasing an NVR with a built in switch is going to be cheaper.  A standard NVR purchased together with a dedicated PoE switch will probably cost you about 25% more than the alternative.  Because of the somewhat basic nature of network switches, you probably won't notice any difference in performance between the two options.  It really comes down to quality in this case, and you're just going to pay more money for the more proven brands; your built in switches are generally built by an unnamed Chinese manufacturer.

The other way to look at cost is to look towards the future. Network switches are just as imperfect as everything else. The most common occurrence is that a network port burns out and is no longer able to be used. If your warranty has expired, you're now in a position where you're going to need to start spending money to get to a solution. Depending on how much that damaged switch affects your system, you're left with a couple of options. In the case of a dedicated switch, you can replace the switch entirely or you can purchase another smaller switch as an add-on to make up for the malfunctioning port(s). These can be purchased for as little as $50. An NVR with a built-in switch is not going to have such an easy time. You can try using a dedicated switch as an add-on, but you're now just setting up your system via the alternate method. If you still have a demand for the same type of "camera hardwired to NVR" setup and your NVR is out of warranty, you'll now find yourself needing to replace the entire NVR instead of the much cheaper network switch.

Cable Runs

A built in switch is going to require that you run your cable the same way you would with an analog system.  In this scenario, you're going to be running a cable for each camera all the way back to the NVR to create your hardwired connection. Your cable length is limited, in this case, to the standard 328 feet.

A dedicated switch can potentially have some major advantages here. Thinking that a dedicated switch needs to be placed anywhere near your NVR or router would be a mistake.  It makes the most sense to place your switch as close to the biggest cluster of cameras as possible.  This can make for a lot of short cable runs from IP cameras to switch.  From there, it's just a matter of running a single cable from that switch back to your router.  The end result is that you simultaneously put all of your IP cameras on your network by running that one cable.

This is a rough example of what an installation might look like with a dedicated switch.  Of course your own personal hardware situation might be different, but you should get the concept we're going for.  Installing your IP camera system like this will also double the potential distance you can run your cable.  In addition to your cable length being able to be run as far as 328 feet from cameras to switch, you can also run up to another 328 feet from switch to router.  You can revert back to cost as much as you want, but a dedicated switch is going to give you more capabilities and versatility for your money than a built in PoE switch will.

Reliability

This is mostly a matter of opinion and how much you trust individual manufacturers to begin with. Dedicated switches are usually going to be found with a name brand printed on them. You've heard of certain brands like Linksys, Netgear, and D-Link because they have an established reputation. It's not hard to go online and find out how well these companies are performing. The internet will contain a plethora of reviews and discussions related to these companies' products. This is all to say that transparency is much easier to find with big brands; the general public doesn't let them keep any secrets. This makes selecting and purchasing a product a very straightforward and simple task; it just takes a bit of research.

There are those among us who are completely against the idea of owning anything that's "unbranded" under the pretense that they believe it's all junk and lacks in longevity. The fact remains that a good number of the unbranded devices that people have come to feel uncomfortable with are actually performing, and in some cases outperforming, a lot of the big brand names. If something like this bothers you, you're going to have a hard time feeling comfortable with an NVR that has a built-in switch. The lower costs of these switches make them attractive, but getting past the uncertainty of knowing whether or not they're going to perform as needed is not as simple. Researching an NVR with a built-in switch can gain you a general public opinion, but those opinions don't usually cover things like speed tests or information regarding longevity of the product. This is one of those things you'll likely just have to try for yourself in order to know for sure.

All in all, you have good options for both dedicated switches and built in switches. Doing a little bit of homework/research into the product you’re considering should shed enough light on the subject where you can feel confident with your decision either way.

Compatibility

A dedicated switch, no matter who it may be manufactured by, is compatible with any IP camera from any manufacturer across the board; no questions about it. A built-in switch relies on information it receives from the NVR to determine compatibility. This can quickly turn into a problem absent any solution. If you hardwire your IP camera to the built-in switch on your NVR and you find that the camera isn't being detected, you're almost guaranteed to be the owner of an NVR and IP cameras that are probably never going to play nicely with each other, and likely not at all. There is seldom anything you can do to fix a problem like this. On rare occasions, there's a setting that needs to be toggled somewhere, but don't plan on being this lucky.

You can still have compatibility issues with a dedicated switch, but those problems are usually limited to specific features and not the complete inability to bring up the camera whatsoever. For example, a HikVision IP camera cannot be accessed by a Dahua NVR if you attach that camera to a built-in switch on the NVR. However, if you connect that same camera to a dedicated switch, you'll very easily be able to add that camera to the NVR's device list, but you'll be missing the motion detection feature without a lot of tampering. We should mention again that any compatibility issues you encounter with a dedicated switch aren't caused by the switch, but by the manufacturers of the cameras and recorders. We do not promote HikVision or Dahua, as both have "High" level vulnerabilities. Neither brand participates in ONVIF committees, and neither has access to new ONVIF software. See the media statement below.


Friday, October 1, 2021

MINIMIZE VULNERABILITIES IN YOUR IP SECURITY CAMERA


A security consultant can act as an adviser for a building owner, occupant or property developer in relation to the design and incorporation of the security solutions. Clients typically require security consultants to advise on potential security threats and potential breaches, and to create contingency protocols to safeguard their organisation or assets. Every security consultant should guide their customers about camera vulnerabilities.

Internet Protocol (IP) cameras are an important component of state-of-the-art video surveillance systems. Unlike analog closed-circuit cameras, IP security cameras, which send and receive data through a computer network and the Internet, offer businesses a number of benefits. These benefits include the ability to monitor and control their video surveillance system remotely and a significant cost savings by allowing cloud storage of video files. However, like any device that is plugged into the Internet, without proper attention to cybersecurity, the same IP security cameras you have installed to improve security in your business may, in fact, be making it more vulnerable to physical and network attacks.

What are Hackers Looking For?

Hackers look for vulnerabilities to exploit, usually for malicious purposes. There are plenty of reasons why hackers might want to break into your IP security camera surveillance system, including some that promise potentially huge rewards:

·        They may be planning a burglary or a physical attack on your building or its occupants. If they can break into your network cameras, they can observe your physical security practices, including when guards come and go and where there are opportunities to enter the building. Once they know where and when to break in, your entire facility and all of its occupants are at risk.

·        They may want to take advantage of your business computing resources, such as your network’s processing power, for the purpose of stealing large data sets or more recently, mining cryptocurrencies.

·        To steal high-value trade secrets to sell to your competitors on the black market.

·        To steal personal information for the purposes of conducting phishing attacks to obtain credit card and banking information from individuals.

·        To install malware, such as keyloggers, to capture passwords as they are entered or ransomware that takes your system hostage until you pay the hacker to release it.

Are Your IP Security Cameras Vulnerable?

The short answer is yes. All security cameras are vulnerable to hacking. The unfortunate reality is that in today’s cybersecurity environment, the question is not whether your system will be hacked but when, which makes ongoing and proactive cybersecurity measures a must.

Hackers can break into your video surveillance system in a variety of ways. In addition to hacking the cameras themselves, they can get into your network through:

·        The computer operating system you use (e.g. Microsoft Windows, Linux, etc.)

·        The software your system uses, including digital video recording (DVR), network video recording (NVR), or video management system (VMS) software

·        Any firewall ports you may be using to access the system controls

Given these additional entry points, the security of your IP cameras depends not only on the cameras you use but also on the network technology and configuration of your system. In general, the relative security the system provides depends on how access is configured:

Most Secure — The safest system uses the local network equipped with a network firewall and virtual private network (VPN) software for access. With this type of system, the only way to get through the firewall is through a secure, encrypted connection.

An alternative to this would be to use a cloud-managed IP security camera. With this type of system, rather than opening the firewall and relying on a password to gain access to the camera on a local network, cloud-managed IP cameras are configured to communicate with a secured server in the cloud over an encrypted connection, and users gain access by linking up their devices with those servers. Cloud-managed devices offer a good alternative to locally networked systems because most cloud services monitor their servers continuously.

Least Secure — The least secure type of IP security camera is used in conjunction with a system that relies on port forwarding (as proposed by China-based OEMs) for access, which allows users to access the camera through a network firewall with nothing other than a password. With this type of system, the only thing keeping a hacker out is the strength of the password used.

How to Protect Your IP Security Cameras

One of the most important things you can do to protect your IP security cameras is to know what you have and whether there are any known vulnerabilities. The CVE Security Vulnerabilities Database is a great place to start. This site tracks the vulnerabilities of all kinds of Internet of Things (IoT) devices and is searchable by the vendor (manufacturer), product and version, specific vulnerabilities and their severity. When checked regularly, this information can help you identify and address new issues with your IP security cameras so that you can address them more quickly.

A comprehensive set of cybersecurity best practices can go a long way to improving the security of your IP security cameras and your video surveillance system as a whole:

·        Contain and compartmentalize your internal networks. Creating separate networks for your video surveillance system and your information systems not only saves on bandwidth, but also minimizes risk should any part of your system be compromised.

·        If you are not already using a firewall, implement one as soon as possible.

·        Use a unique, long, and non-obvious password for each camera. This is critical if you are allowing access with a port forwarding system. If your system employs a VPN, however, having a single strong password for all cameras will suffice.

·        Change all passwords every 90 days at a minimum.

·        Enable two- or multi-factor authentication for your system, which requires the user to provide another piece(s) of information unique to the user, such as a code sent via text or phone, secret questions, etc. This is critically important if you are using a port forwarding system.

·        Develop and document cybersecurity guidelines and provide cybersecurity training to all employees who will have access to your video surveillance system.

·        Establish a cybersecurity incident response team so that you can swiftly and effectively respond to any breaches.

·        Stay on top of the operating system and software updates and apply them promptly when they come out.

·        If you use a cloud-based system, make sure you use a trusted provider.

·        Stay up-to-date with the latest cybersecurity standards.
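As an added example (not part of the original post), the sketch below audits a camera inventory against a router's port-forward table and the office subnets, flagging the two configuration risks described above: cameras reachable through port forwarding and cameras that share a network with information systems. All addresses, camera names and the rule format are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from any real site).
CAMERAS = {"192.168.1.64": "lobby-cam", "10.20.0.11": "dock-cam",
           "10.20.0.12": "gate-cam", "10.20.0.13": "roof-cam"}
OFFICE_NETS = ["192.168.1.0/24"]          # subnets carrying information systems
# Router port-forward table: (wan_port, lan_ip, lan_port)
FORWARDS = [(8080, "10.20.0.11", 80),     # camera web UI exposed
            (51820, "10.20.0.1", 51820),  # VPN endpoint, not a camera
            (8443, "192.168.1.64", 443),  # camera web UI exposed
            (554, "10.20.0.12", 554)]     # camera video stream exposed
WEB_PORTS = {80, 443}                     # HTTP(S) management interface


def audit(cameras, office_nets, forwards):
    """Return a list of (camera, issue, detail) findings."""
    by_addr = {ipaddress.ip_address(ip): name for ip, name in cameras.items()}
    nets = [ipaddress.ip_network(n) for n in office_nets]
    findings = []
    # Segmentation check: a camera must not sit inside an office subnet.
    for addr, name in sorted(by_addr.items(), key=lambda kv: kv[1]):
        for net in nets:
            if addr in net:
                findings.append((name, "NOT_SEGMENTED",
                                 f"{addr} shares {net} with office systems"))
    # Exposure check: any forward that lands on a camera is a finding;
    # a forward to its web interface leaves only the password in the way.
    for wan_port, lan_ip, lan_port in forwards:
        name = by_addr.get(ipaddress.ip_address(lan_ip))
        if name is None:
            continue
        issue = "WEB_UI_FORWARDED" if lan_port in WEB_PORTS else "SERVICE_FORWARDED"
        findings.append((name, issue, f"WAN port {wan_port} -> {lan_ip}:{lan_port}"))
    return findings


def clean_cameras(cameras, findings):
    """Names of cameras with no findings at all."""
    flagged = {name for name, _, _ in findings}
    return sorted(n for n in cameras.values() if n not in flagged)


if __name__ == "__main__":
    results = audit(CAMERAS, OFFICE_NETS, FORWARDS)
    for name, issue, detail in results:
        print(f"{issue:18} {name:10} {detail}")
    print("no findings:", clean_cameras(CAMERAS, results))
```
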

 

Cybersecurity concerns are a long-standing issue for Hikvision, e.g., it was federally banned by the US government under the 2019 NDAA, and the US government is planning to ban FCC authorizations for Hikvision, so this admission comes at a critical time for the company.

The researcher describes that only access to the http(s) server port (typically 80/443) is needed. No username or password is needed, nor do any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself. This is the worst Hikvision vulnerability since Hikvision's backdoor was discovered in 2017, where Hikvision included a magic (ostensibly secret) string that allowed anyone with that string to perform admin operations, without having the device's admin credentials.

The attack can be executed via HTTP (port 80) or HTTPS (port 443). Once a camera has been compromised, the attacker can use it as a starting point to explore the rest of a victim’s network. Past attacks on connected cameras have also sought to enlist the devices into botnet armies capable of launching massive DDoS (distributed denial of service) attacks or spam campaigns.

This vulnerability is about as serious as they come, rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).

IPVM estimates that 100+ million devices globally are impacted by this vulnerability, making it, by far, the biggest vulnerability to ever hit video surveillance. The combination of its critical nature (9.8 / "zero-click unauthenticated remote code execution") and Hikvision's massive market size makes this risk unprecedented.

For background, back in 2016, Hikvision said they manufactured "more than 55M cameras" and the annual output has grown substantially since. Hikvision has therefore shipped a few hundred million cameras and tens of millions of recorders during the time frame the vulnerability covers.

The end-users who buy these cameras are responsible for the data/video footage they generate. They are, in other words, the data custodians who process the data and are in control of the video footage, which is required to be kept private by law (under the GDPR). Secret access to video footage on these devices is impossible without the consent of the end-user.

Dahua is another on the ban list. Watch the video above: https://youtu.be/MtkeaoS3jBc

Keeping Up with Cybersecurity Threats Can be Daunting

Hackers are relentless in their attacks and there is not a single industry today that is immune to them. Almost half of all cybercrimes are committed against small businesses, and it has been predicted that a business will fall victim to a ransomware attack every 14 seconds by 2019.

If you need help with your video surveillance system, SSA Integrate can help. Our security experts stay on top of the technology and all the best practices in cybersecurity so you don’t have to. We give importance to our customers' data security.

If you are installing a new video surveillance system, we can help you select the right technology to meet your needs and ensure it is properly configured to provide the top level security you expect. We can also look at your current system to identify and eliminate any vulnerabilities and provide the monitoring and updates you need to keep your system secure. Whether you need five cameras or 500, SSA Integrate can help. Contact us today to learn more.

Ref:

https://www.forbes.com/sites/leemathews/2021/09/22/widely-used-hikvision-security-cameras-vulnerable-to-remote-hijacking/?sh=138e83062f31

https://ipvm.com/reports/hikvision-36260

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260

https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html