Hikvision IP cameras are popular because of the feature set they offer for the price. Attackers love to target popular devices.
For many reasons, you should not expose your IP camera to the internet using port forwarding, or allow it to access the internet at all. It should be reachable only on your local network; expose only your NVR to the internet, and make sure you have a good NVR that will protect you against attacks.
- Over the past few years, there have been a few documented security flaws in the cameras. It is not clear whether they have been fixed, and there may also be undocumented flaws.
- Hikvision cameras are known to “phone home” to China, probably just for DDNS purposes, but the capability is there.
- By isolating your IP camera, you don’t need to worry about firmware updates for security purposes.
- If you block access to NTP servers (time servers), the camera’s clock will drift. You will have to log in to each camera monthly to reset the clock.
- Cameras will not be able to send you emails.
- You won’t be able to access the cameras remotely.
Each disadvantage can be worked around, but the complexity starts to rise.
- Set up a Raspberry Pi as an NTP server (http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html), or set up an NTP server on your PC using NetTime (http://www.timesynctool.com/). Some ASUS routers running Merlin firmware can also be configured as an NTP server (https://github.com/RMerl/asuswrt-merlin/wiki/Setting-up-an-NTP-Server-for-your-local-lan).
- Allow access only to an email server.
- Set up a VPN to gain remote access.
There are many methods for isolating the devices. The simplest one I found is to use my router’s parental controls to filter on each camera’s MAC address and deny it internet access 24/7.
This is for an Asus RT-AC66U router running Merlin 378.54_2 firmware. Confirm that the rule is set to DENY at all times, and check this table for each camera.
As always, test your router’s incoming port blocking using GRC Shields Up (https://www.grc.com/default.htm).
Be sure to scan at least the following incoming ports:
- 80 (HTTP port)
- 554 (RTSP port)
- 443 (HTTPS port)
- 8000 (server port)
To confirm the camera can’t access the internet, try to do a time sync with an NTP server you know works. It should fail.
If you pass these tests, then your cameras should be isolated.
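An alternative to the parental-control filter above, for the same Merlin firmware, is a firewall script that drops WAN-bound traffic from each camera’s MAC address while still allowing the email-server workaround, and logs every blocked attempt so phone-home behaviour shows up in the router’s syslog. This is an added example, not code from the original post or from the asuswrt-merlin project; the script path, the `br0` bridge name, the camera MACs and the mail server address are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Constructed example: MAC-based WAN block for cameras on asuswrt-merlin.
# Assumed placement: /jffs/scripts/firewall-start (user script run after the
# firewall is rebuilt). MACs and the mail server address are placeholders.
LAN_IF="br0"                                        # assumed LAN bridge name
CAMERA_MACS="00:11:22:33:44:55 00:11:22:33:44:56"   # constructed camera MACs
MAIL_SERVER="198.51.100.25"                         # placeholder (TEST-NET-2)
MAIL_PORT="587"                                     # SMTP submission
CHAIN="CAM_ISOLATE"

# Shared chain: the one permitted WAN destination (the email server), then log
# and drop everything else. Logged hits are how you spot phone-home attempts.
# The local NTP server workaround needs no rule: LAN-to-LAN traffic stays on
# the bridge and never enters FORWARD.
chain_rules() {
    printf 'iptables -N %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    printf 'iptables -A %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$CHAIN" "$MAIL_SERVER" "$MAIL_PORT"
    printf 'iptables -A %s -m limit --limit 6/min -j LOG --log-prefix "%s: "\n' \
        "$CHAIN" "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# Per camera: send anything leaving the LAN bridge from that MAC into the chain.
# Delete first so re-running firewall-start does not stack duplicate jumps.
camera_rules() {
    rule="FORWARD -i $LAN_IF ! -o $LAN_IF -m mac --mac-source $1 -j $CHAIN"
    printf 'iptables -D %s 2>/dev/null\n' "$rule"
    printf 'iptables -I %s\n' "$rule"
}

all_rules() {
    chain_rules
    for mac in $CAMERA_MACS; do camera_rules "$mac"; done
}

# Print the rules by default; apply them only when CAM_APPLY=1 (on the router).
if [ "${CAM_APPLY:-0}" = "1" ]; then
    all_rules | sh
else
    all_rules
fi
```

Run it without `CAM_APPLY` first to review the generated rules; the NTP sync test from the camera’s web UI should still fail afterwards, and each failed attempt appears in syslog with the `CAM_ISOLATE:` prefix.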