At my work we use a security system that I put together myself, from the NVR to the wiring for the cameras. I installed everything in the beginning of 2020 and used HIKVISION DS-2CD2185FWD-I 4K Cameras. At the time they were really well priced, really well built and just had great image quality. I installed about 30 of them and called it a day. Unfortunately now I want to expand and add another 20 cameras but it seems HIKVISION has garnered a pretty crappy reputation for security.
I don’t really feel comfortable installing these cameras anymore in my workplace and alongside buying 20 new cameras, would like to replace the 30 I already have. Has anyone else been through this? It’s really hard to find an alternative for anything under $400 a camera, which is ridiculous, and I don’t really know the reputation of the other brands.
I already read through Wendell’s writeup on these cameras and how to mitigate their security issues but I still don’t feel comfortable having them up as I am not confident in my ability to secure them properly. My NVR has internet access so I can connect to it remotely when I am away from work, and that alone makes me nervous about these cameras.
I’ll take any help and insight I can get, thank you.
So while I personally wouldn’t place a Hikvision camera on my trusted LAN it doesn’t mean they don’t have a use, especially at their price point. If you’re looking at replacing 20 4k cameras you’re talking $3000 ballpark(?). Rather than replacing the cameras have you considered VLANing them off on their subnet without internet access (or a dedicated unmanaged switch)? If the cameras don’t have internet access and your NVR isn’t forwarding traffic, then there really isn’t any means for exploitation. Might require a new switch and NVR but can’t imagine it costing more than replacing all the cameras.
You really can’t beat the Hikvision’s price to image quality ratio. That’s their entire point. You are likely to pick them because they are cheap and they are cheap because they are subsidized by the communist party’s surveillance ambitions.
The alternative is paying for more. Ubiquiti used to sell good CCTV cameras but there have been shenanigans previously and you may be locked in. I’ve heard people recommend CCTVs from Axis Communications, but I haven’t tried them.
Right now my NVR and my cameras are on a completely different LAN than all my other traffic. They exist behind my SonicWall in a different IP space. The cameras are all connected via dumb PoE switches to my NVR directly. I suppose I can cordon off the entire section that my cameras are on and isolate them completely. My NVR has 2 ethernet ports, one can be cameras with no internet access, and the other can be the NVR’s access to my already completely isolated LAN and WAN connections. Would that be sufficient?
Kind of crazy that we can live in a world where that’s just something we have to accept. I remember Wendell saying something about how the Government is doing a buyback program on blacklisted Chinese hardware, but there’s nothing I can find online about it. I would be tempted to take part in that if I could find a suitable replacement camera for $250-350 a camera. But for now I can’t find the buyback program, or a replacement camera system.
Yup. As long as the cameras can’t phone home there is almost no risk. I’d go one step further and say make sure there is no internet gateway IP on the camera’s subnet. And if your NVR is PC based, configure the firewall to only allow incoming traffic for required ports on the camera NIC.
Alright, sounds good. I will probably end up buying more Hikvision cameras and just do that. I guess security doesn’t matter as long as they’re completely isolated, and they’re so darn cheap for the quality. Less than 50% of the competition, it’s insane.
I have the same attitude as President Reagan for everything on my network: trust, but verify.
My Hikvisions are on their own separate VLAN, isolated from the Internet. They can’t talk to anything except the surveillance NAS and if they try to, it gets logged for future analysis. You’ll go mad trying to follow everyone’s advice on what is good or bad, because often those opinions conflict. Listen to everyone, assess the risk and then make appropriate restrictions.
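The "log it and review it" setup described in the last post, as an added example that is not code from any poster in this thread: a Python script that reads firewall log lines and reports every flow from a camera to anything other than the recorder. The camera subnet 192.168.50.0/24, the recorder address 192.168.50.10, the `CAMLOG` prefix and the sample lines (netfilter LOG key=value style) are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout (not from the thread): camera VLAN and its one allowed peer.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
RECORDER = ipaddress.ip_address("192.168.50.10")

# Constructed sample lines in netfilter LOG key=value style.
SAMPLE_LOG = """\
Jan 10 02:14:01 fw kernel: CAMLOG IN=eth2 OUT= SRC=192.168.50.21 DST=192.168.50.10 PROTO=TCP SPT=41000 DPT=554
Jan 10 02:14:07 fw kernel: CAMLOG IN=eth2 OUT=eth0 SRC=192.168.50.21 DST=203.0.113.7 PROTO=UDP SPT=40211 DPT=123
Jan 10 02:14:09 fw kernel: CAMLOG IN=eth2 OUT=eth0 SRC=192.168.50.21 DST=203.0.113.7 PROTO=UDP SPT=40212 DPT=123
Jan 10 02:15:30 fw kernel: CAMLOG IN=eth2 OUT= SRC=192.168.50.34 DST=192.168.50.21 PROTO=TCP SPT=50122 DPT=80
Jan 10 02:16:02 fw kernel: CAMLOG IN=eth1 OUT=eth0 SRC=192.168.1.15 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443
Jan 10 02:16:40 fw kernel: truncated SRC=192.168.50.40 DST=
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def find_violations(log_text):
    """Return {camera_ip: {(kind, dst, proto, port): count}} for disallowed flows."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line: skip rather than guess
        if src not in CAMERA_NET or src == RECORDER:
            continue  # only traffic originating from a camera is of interest
        if dst == RECORDER:
            continue  # the single permitted destination
        # "lateral" = camera talking to another host on its own subnet
        kind = "lateral" if dst in CAMERA_NET else "off-subnet"
        key = (kind, str(dst), f.get("PROTO", "?"), f.get("DPT", "-"))
        hits[str(src)][key] += 1
    return {cam: dict(flows) for cam, flows in hits.items()}


if __name__ == "__main__":
    for cam, flows in sorted(find_violations(SAMPLE_LOG).items()):
        for (kind, dst, proto, port), n in sorted(flows.items()):
            print(f"{cam} -> {dst} {proto}/{port} [{kind}] x{n}")
```

Traffic between two hosts on the same layer-2 segment never crosses the router, so "lateral" entries only appear if the logging device sits in that path.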