Subscriber Discussion

Do You Honestly Think Hikvision And Dahua Is A Threat To National Security?

Sean Nelson
Aug 22, 2018
Nelly's Security

one question:

Do you honestly think Hikvision and Dahua is a threat to national security?

NOTICE: This comment was moved from an existing discussion: Opposing The Hikvision / Dahua Ban

(1)
JH
John Honovich
Aug 22, 2018
IPVM

It is a good question so I made it its own topic.

Yes, they are a threat to US national security.

Think of it this way: The People's Republic of China (PRC aka 'China', aka the China Communist Party) is the new Soviet Union and Xi Jinping is the new Stalin. I don't like arguing by analogy but I am making an exception here to paint a picture of the overall risk and the developing situation.

The PRC is an authoritarian, repressive government committed to stopping democracy. They are exporting that anti-democratic model, both to enhance their influence and to 

Combine that with their mercantilist trade policies, state-sanctioned IP theft and cyberespionage, it makes for an enemy of the USA.

The conception of China as a developing country that is simply happy to sell things cheap used to be true (Deng Xiaoping "hide our capacities and bide our time", etc.) but no longer.

The second part is where video surveillance is going. The cloud is inevitable (whether it is things like HikConnect or Hikvision AI cloud), like the rest of the industry, cloud is becoming more and more central (even if not for storage then for remote access, management, analytics, etc.). The old conception of simply locking your video surveillance behind a brick wall is becoming obsolete.

Net/net, both the political environment and the technological state of the art are changing, in ways that make the PRC more dangerous to the United States and video surveillance more of a risk.

(15)
(2)
(1)
UM
Undisclosed Manufacturer #2
Aug 22, 2018

Genuine questions, John, not leading or promoting an agenda - do you believe Hikvision surveillance /hardware/ is specifically a "threat to [U.S.] national security"?

Or is it more that /any/ product that comes from China by a corporation primarily or significantly under the influence of the Chinese government is a threat? Or that the current hardware perhaps isn't a threat, but future software / cloud initiatives that could provide access to sensitive data is?

Are U.S. companies that source a significant percentage of their hardware components from Chinese companies also a threat to national security? Are Foxconn manufacturing plants in the U.S. a threat to national security, for example? (Foxconn may not be reported as owned directly by the Chinese government, but unquestionably they have a direct relationship.)

Let's pretend Foxconn purchased Hikvision outright. Would they still be the same level of threat? What if, say, Amazon did?

Would you say that private entities purchasing Hikvision or Dahua hardware are in effect harming U.S. national security? 

Would you feel the same if a surveillance company was based in Saudi Arabia, also, like China, criticized by some for anti-democratic practices?

(1)
(1)
JH
John Honovich
Aug 23, 2018
IPVM

#2, thanks for the thoughtful questions. Responses:

Or is it more that /any/ product that comes from China by a corporation primarily or significantly under the influence of the Chinese government is a threat?

Anything that China can control is a risk. Given Hikvision's massive scale and direct control by the Chinese government, it is the highest risk.

Or that the current hardware perhaps isn't a threat, but future software / cloud initiatives that could provide access to sensitive data is?

Both, but the risk clearly increases as cloud becomes more central to video surveillance hardware. Once you let third parties have internal access into your network (e.g., HikConnect) you better trust them.

Are U.S. companies that source a significant percentage of their hardware components from Chinese companies also a threat to national security?

Yes, depends on the component, but Huawei Hisilicon is a good example given that it provides core networking software for many cameras and other IoT devices.

(Foxconn may not be reported as owned directly by the Chinese government, but unquestionably they have a direct relationship.)

Foxconn is a Taiwanese company. You may be familiar with Taiwan as the democratic country China periodically muses about invading.

Let's pretend Foxconn purchased Hikvision outright.

While we are at it, let's pretend I become VP of marketing for Hikvision. Both are never happening.

(5)
(1)
(1)
Sean Nelson
Aug 23, 2018
Nelly's Security

All good points but mostly irrelevant to the question. If the question was "what are some of the worst things about Chinese politics?" then I think your answer would be a good one.

(1)
(6)
(1)
(1)
Ross Vander Klok
Aug 27, 2018
IPVMU Certified

All the points were very relevant to the question.  Not one of them discussed or mentioned Chinese politics.  Trying to ignore the points by misstating that they aren't relevant and then trying to imply they are an attack on Chinese politics is again ignoring the valid points that have been laid out numerous times.

(2)
(1)
(1)
UI
Undisclosed Integrator #1
Aug 22, 2018

Yes. Both HikVision and Dahua are potential threats to national security. That being said, most IoT devices could also be considered threats to national security and many other CCTV manufacturers do not have secure code either. HikVision/Dahua/Uniview/etc. are under more scrutiny considering their country of origin.

(6)
David Delepine
Aug 22, 2018
Brivo • IPVMU Certified

I believe they could be, and if they are not already they could be leveraged by foreign entities and other bad actors to some nefarious end. Whether it be espionage, botnet, hack, ransomware, etc.

When lives could be at stake, or for entities that could lose millions of dollars or more in a cyber attack... saving 20% or so on your camera system just doesn’t seem worth it.

(4)
U
Undisclosed #3
Aug 23, 2018

No, I don't see them as a threat. If they are a threat, then all products coming from China are a threat.

If you think that products coming from authoritarian repressive governments are a threat to national security you should also ban companies with links to Russia - why not ban ISS  and Axxon soft if we are at it?

This can go on and on, finding reasons to disqualify foreign manufacturers is easy, but it does not mean that a Hikvision camera is more of a threat than any other connected device.

(2)
(5)
(1)
U
Undisclosed #4
Aug 23, 2018

this was my reply to Sean's question (directed at me) that generated this string:

"personally, I do not.

instead, I think the move has more to do with posturing and positioning by the US in an over-arching effort to level the playing field vis-à-vis tariffs on internationally traded products."

I've stated my opinion on why this is happening, but you have not.  Rather, you have just given a pretty well-reasoned position on why the ban on hikua devices is dumb.

If you think it is dumb - then why did it happen?

Sean's position in the previous string that it was a lobbying effort by other camera manufacturers in the industry has been soundly debunked by John here (from the original string):

"check the US House lobbying disclosure database (where the amendment was added). 5 records for Hikvision lobbying, none for Axis Communications nor Avigilon, for example." 

 

 

U
Undisclosed #3
Aug 23, 2018

in reply to:

instead, I think the move has more to do with posturing and positioning by the US in an over-arching effort to level the playing field vis-à-vis tariffs on internationally traded products."

I agree, but I believe there are tariffs also in Japan, very few outside manufacturers succeed there and the market is dominated by Panasonic - why not ban Japanese cameras? And while we are at it, let's also ban Axis, Briefcam and Milestone (owned by the Japanese).

If it is an effort to level the playing field, why were Uniview, Tiandy, Kedacom and other manufacturers mentioned?

Crying over security threat while allowing other Chinese manufacturers to be imported and installed doesn't make sense. In my eyes, it also doesn't make sense to cry over Taiwanese / Korean prices being too high (e.g. today's report about Synology), if you don't want Chinese products and Chinese quality -> pay up.

 

There are plenty of options out there, don't want China, buy Korean or Taiwanese or Swedish or American, but don't wave the security issue flag only for 2 manufacturers.

(2)
Sean Nelson
Aug 23, 2018
Nelly's Security

I've stated my opinion on why this is happening, but you have not. Rather, you have just given a pretty well-reasoned position on why the ban on hikua devices is dumb.

If you think it is dumb - then why did it happen?

Are you saying I haven't given my opinion on why this hasn't happened? Because it's pretty clear that I did in the previous post with clearly laid out bullet points as to why, please see my Godlike Knowledge here

Matter of fact you alluded to it here:

Sean's position in the previous string that it was a lobbying effort by other camera manufacturers in the industry has been soundly debunked by John here (from the original string):

I will admit that my theory may be wrong but given my previous bullet points, I don't see any other theory making sense. I don't see a way that 2 manufacturers get named out of nowhere into a bill such as this while other Chinese manufacturers that are far worse cyber security offenders get off the hook. Some biased entity had to have informed Congress to get these 2 particular names on the bill, correct?? As far as lobbying, I won't admit that I am a lobbying expert, but I think we can both agree there are far more ways to lobby than leaving a money trail. Also, it would be unlikely that a specific manufacturer would leave a money trail in a direct action against another manufacturer. More than likely they would have done it thru a 3rd party group of some sort. This was a well orchestrated team effort.

I will also admit that if the competing manufacturers did lobby for this bill because they are disallowed from selling to Chinese Govt jobs, then I don't blame them honestly. It is unfair that China is doing that.

(3)
(1)
(1)
JH
John Honovich
Aug 23, 2018
IPVM

I dont see a way that 2 manufacturers get named out of nowhere into a bill such as this while other Chinese manufactures that are far worse cyber security offenders get off the hook.

Sean, it is pretty simple. Those 2 companies are massive, have major international marketing and direct presence in the US. All the other Chinese manufacturers are literally a fraction of the size / impact. Ergo, the US government would be aware and focused on those two.

More than likely they would have done it thru a 3rd party group of some sort. This was a well orchestrated team effort.

Lol, are you not the guy who complains about conspiracy theories on IPVM? ;)

(4)
(1)
BP
Bas Poiesz
Aug 23, 2018

Ok, they're massive and make up most of the Chinese market.

What sense is it making a bill against two names?
Even if this crushes both brands, don't you think UNV Tiandy and who knows what Chinese brand will fill the space?

Apparently there is a market for a quality camera at this pricepoint.

At best, in a few years a new bill will be needed. We could create a poll to vote who we suspect it will be.

Or the logical thing could be done: create parameters that can be measured against any company. If they meet the requirement: let them sell. If not, let them work on meeting the requirements.

 

(4)
Sean Nelson
Aug 23, 2018
Nelly's Security

Lol, are you not the guy who complains about conspiracy theories on IPVM? ;)

That there are only a handful of IPVM members and all the undisclosed posters are IPVM employees to give the impression that there are thousands of members?

It has not been proven otherwise! I do appreciate the efforts that you guys give us handful of members though. It's quite flattering.

(1)
(1)
(7)
Hal Bennick
Aug 23, 2018
Trafficware, a CUBIC Company

That there are only a handful of IPVM members and all the undisclosed posters are IPVM employees to give the impression that there are thousands of members?

So, then how is IPVM paying the bills? FYI, I've been posting undisclosed for the past two years due to an outside obligation, and I'm not an IPVM employee.

(1)
Sean Nelson
Aug 23, 2018
Nelly's Security

Well, I guess we can start counting on 2 hands.

BTW, I hope you know I'm kidding.

(1)
(1)
(1)
(2)
U
Undisclosed #4
Aug 23, 2018

"Also, it would be unlikely that a specific manufacturer would leave a money trail in a direct action against another manufacturer. More than likely they would have done it thru a 3rd party group of some sort. This was a well orchestrated team effort."

yeah - it's the hikhaters that are conspiracy nuts.

"All seem infected that the infected spy - as all seems yellow to the jaundiced eye." - Alexander Pope (not an IPVM member)

(2)
(2)
Hal Bennick
Aug 23, 2018
Trafficware, a CUBIC Company

Yes, I do.  Hikvision to a greater degree than Dahua.

(2)
(1)
MM
Michael Miller
Aug 23, 2018

How many unpatched Hikvision and Dahua devices are still out in the wild? Once that is dealt with then can we talk about the Chinese Government owning Hikvision? I think the answer is 100% yes they are a threat to national security.

(6)
(1)
BP
Bas Poiesz
Aug 23, 2018

How many of these devices would not be harmed had the network met higher standards?

Put the horse in front of the wagon, not behind it.

(1)
(2)
MM
Michael Miller
Aug 23, 2018

So you think uncle Jimmy who ordered his cameras from (insert name of 100+ online stores selling Hikvision/OEM/gray market version) knows how to secure a network? 

(1)
BP
Bas Poiesz
Aug 23, 2018

Nope I don't.

That's my biggest complaint with Hik and many other manufacturers, their product is too readily available (I can buy Axis online with just typing Axis and hitting google shopping).

While Hik created Ezviz and HiLook, their market separation is pretty bad.
Then again, that's what you get in the modern day free trade economy.

The only way to cure it is not aiming at the producer of the product. Once you beat them out of the way the next company in line will take over.

 

 

(1)
UM
Undisclosed Manufacturer #22
Nov 23, 2018

Sure there will be other Chinese manufacturers trying to step in but without the support, or in the Hik scenario ownership, by the Chinese government their impact would not be anywhere near as substantial as they simply could not afford it. Hik is heavily if not completely relying on Government money and that in itself is wrong as it creates an unequal playing field. What other company would see their Government buy shares to prop up the dwindling share price...

This also brings us back to the question why Hik is doing so little to secure their firmware and address all their leaks. Going back to blaming the network side is sticking your head in the sand and pretending everything is OK. If you target markets where people have zero understanding of network security (Uncle Jimmy) you should at least make an effort to produce and supply 'safe' devices. Fighting the symptoms is one thing but would it not be better to find a cure for the source of the 'infection'?

Sure I understand that you are relying heavily on Hik for your turnover and are therefore fighting their corner but it is very hard to come up with valid arguments after all that has been discussed, disclosed and reported here on IPVM.

 

 

 

(1)
U
Undisclosed #5
Aug 23, 2018

What about tech companies serving the security space taking large investments from Chinese Companies... Does anyone feel those companies are a threat to national security?

(1)
UI
Undisclosed Integrator #6
Aug 23, 2018

I don’t think they are a specific threat, but I think we should use the same caution they do.

Sometimes I wonder if we should be so trusting of our allies!  It’s far more difficult to predict how technology can be weaponized.

 

U
Undisclosed #7
Aug 23, 2018

Yes, 100%. If Xi Jinping walked through the front door of his company, Hikvision, and demanded they weaponize a firmware release for their products they would have no choice but to comply or face imprisonment. The same is probably still true if Chen Xongnian demanded the same thing. Could they really tell a member of the PRC no?

(2)
JH
John Honovich
Aug 23, 2018
IPVM

The same is probably still true if Chen Xongnian demanded the same thing. Could they really tell a member of the PRC no?

Chen Xongnian, Hikvision's Chairman and Communist Party Secretary, is a member of the PRC government.

That is a key part of the Hikvision problem - the direct connection / control from the Chinese government.

(1)
BP
Bas Poiesz
Aug 23, 2018

Let me surprise you and just for this thread agree that Hik's ownership is enough of an issue to make it a national security threat. Let's close the book in Hik right there.

Why is Dahua a security risk if ownership is what makes the Hik problem?
For all you know they have zero government influence and just suck at cybersecurity.

How does that make them different from other Chinese companies?

If cybersecurity is the main issue: more companies should be banned and more ways of measuring should be set in place, otherwise it's just a witch hunt of the biggest players. Once they're gone, you hunt the new biggest. Hunt sleep eat repeat.

If ownership is the main issue: Dahua has been gutted due to Hik's reputation

(1)
JH
John Honovich
Aug 23, 2018
IPVM

For all you know they have zero government influence and just suck at cybersecurity.

I think we both know Dahua 'sucks' at cybersecurity...

As for government influence, they won $700+ million in Chinese government contracts last year in just one province - the one with the concentration camps of a reported million prisoners. To that end, and in an authoritarian country like China, Dahua has government influence.

(3)
BP
Bas Poiesz
Aug 23, 2018

Influence and ownership are not the same, not at all.

So back to my question:
What is the reason of the ban, is it security or ownership?

(1)
(3)
UI
Undisclosed Integrator #16
Aug 27, 2018

Embrace the power of "either, and."

I for one avoid whenever possible web-enabled 'smart' products where engineering control resides in the PRC, and advise my company to do the same.

It's not merely a matter of ownership, or even security per se, it is a matter of a completely different conceptualization of what constitutes ethicality, privacy, and propriety.

Government reflects culture, not the other way around.

There is much to be admired in Chinese culture, and quite a lot to be concerned about as well. Their positions on rights and freedoms drive their decisions on ethics, and in many cases are at odds with American values.

(2)
BP
Bas Poiesz
Aug 27, 2018

So how does banning a few brands that generate sales today, solve the problems you mention long term?

Or do we just revisit it in a few years and vote which big names to kill now?

U
Undisclosed #7
Aug 30, 2018

Influence and ownership are not the same, not at all.

I disagree. When the communist government provides Dahua with Billions, with a big fat B, in contracts, the amount of influence they have over the company is significant. If the communist government would threaten to pull those contracts and never provide them again what would Dahua do to get them back?

(1)
Thomas Lienhard
Aug 23, 2018

An installer I know installed a DVR in a Restaurant / Bar north of Boston. Several months later the restaurant received a notice from Comcast "Notice of Action under the Digital Millennium Copyright Act" claiming copyright violation, from the "device" at the IP address referenced in the letter... He was shocked to learn, on further inspection, the IP address referenced was the HikVision DVR! It was being used to BITTORRENT stream "Rick and Morty Season 3" episodes illegally back to an unknown number of viewers. While this is somewhat entertaining, and arguably season 2 is way better, the password was new, and secure, but the DVR was exploited easily by some (kid?) to watch cartoons... In a more sophisticated attack, the same breach could be used to shut a critical system down or otherwise infiltrate the network for other surreptitious activity. So, yes, until they permanently deal with this issue, it will continue to pose a risk. I actually hung that letter in my office to show clients that we will never install it.

(8)
(2)
BP
Bas Poiesz
Aug 23, 2018

Hi Thomas

Can you talk me through the measures that were taken to ensure network integrity and safety?

Or was the device just connected to the internet to the point where the customer could see images on his smartphone.....

(1)
Thomas Lienhard
Aug 23, 2018

Jonathan, I cannot.  I wasn't involved in the sale or install of this product. They are not a client of mine.  I do know that the installer has networking knowledge but what steps he took to segregate the DVR from the network or other network devices is unknown.

BP
Bas Poiesz
Aug 23, 2018

Fair enough. But it's not fair to put all blame on the installed product without full knowledge. For all you know port 80 was used for the web login.

For some installers network knowledge is knowing a UTP connector from coax and being able to log in to a modem and set the port forwarding.

You may feel I am biased, but blaming a brand in this way is no different from blaming an intruder system for being crap when the installer projected badly and left the security code on 1234.

Thomas Lienhard
Aug 23, 2018

I see two issues here: 1. The changed password was not effective and 2. the breach was easily gained with relatively simple methods. I totally agree with you with regards to using a common port for this type of traffic. So now, curious, I took another look at the letter... the IP address begins with 24.147.XXX.XX, hardly a 192.168.XXX schema, so maybe the attempt was made? I cannot say.

 

 

 

(1)
BP
Bas Poiesz
Aug 23, 2018

To put this into perspective, have a look at a video like this one:
Printer Hack

There are dozens of hacks like this, for printers, lamps, any connected device almost.
I simply chose this one as I have a HP laptop with docking and screen.

The network of the building I am in ensures it's safe, like the printer from the video would be safe in our building.

Ergo, it's not about the brand, it's about how you use it.

MM
Michael Miller
Aug 23, 2018

So just so we are clear. Is this the manufacturer's responsibility to fix the back door access, installer or DIY user?

(1)
BP
Bas Poiesz
Aug 23, 2018

Fair question. When we are all connecting just about everything we have to internet, how we do so should be re-evaluated.

When it comes to connecting a security device, like an intruder alarm or video surveillance, demanding a skill set from the installer would make sense.

 

When we talk about a printer we feel the risk is low, even though what can be done is quite harmful. It can be installed by any end user.

When we talk about a security product, I feel installing by a professional should be mandatory.

It's a stretch but I can buy virtually any part for my car online. In order to drive it on public roads it needs to be checked and approved.

For products that pertain to improve security, a ruleset like this would greatly improve the industry and its quality.

UM
Undisclosed Manufacturer #22
Nov 23, 2018

Jonathan have you been to China?

U
Undisclosed #8
Aug 23, 2018

Nope, they are not a threat.

It's like the argument against guns. Guns don't kill people, people using guns kill people, the gun is just a passive object.

Hikvision and Dahua cameras are not a threat to national security. The national security threat is those who are promoting, selling and installing them. Anyone who sells or installs Hikvision cameras to government-related sites should face treason charges.

(5)
(1)
(5)
UI
Undisclosed Integrator #16
Aug 27, 2018

"It's like the argument against guns. Guns don't kill people, people using guns kill people, the gun is just a passive object."

False equivalency.

Web-enabled and connected "smart" devices are orders of magnitude different in character from "passive" objects.

IP devices are active devices which can be made to perform tasks without their putative owners' permission or knowledge, even when supposedly secured to current best practices.

 

U
Undisclosed #8
Aug 27, 2018

IP devices are active devices which can be made to perform tasks without their putative owners' permission or knowledge, even when supposedly secured to current best practices.

Yes, but they don't install themselves, and they don't just jump into the hands of users. In the security industry these devices primarily flow through the hands of integrators and distributors. Those integrators and distributors are guilty (and perhaps ignorant) of the risks they are enabling by offering these devices.

 

(1)
MM
Michael Miller
Aug 27, 2018

Yes, but they don't install themselves, and they don't just jump into the hands of users. In the security industry these devices primarily flow through the hands of integrators and distributors. Those integrators and distributors are guilty (and perhaps ignorant) of the risks they are enabling by offering these devices.

ANYONE can purchase Hikvision or Dahua, they do not limit their official product let alone gray market products. OEMs also sell directly to end users. Amazon link

(2)
Sean Nelson
Aug 23, 2018
Nelly's Security

No they are not threats.

The 2 companies' main objective is to sell cameras, the end. These companies were not built with the purposes of spying on Americans or to initiate an all out cyberwar. They were built to sell quality cameras at a decent price.

Could they be used to spy on Americans or initiate all out cyberwar? I acknowledge that they can. But let's address this. It is often spoken how authoritative the Chinese govt is. Given this fact, ANY Chinese company can be summoned by the Chinese govt to be used as acts of war. Do you think that anyone is going to say NO to the Chinese govt when asked to do a duty for their country? With this idea, any Chinese company is just as much a threat as Hikvision and Dahua.

Dahua and Hikvision are diving into AI, Facial Recognition, etc. And unfortunately, the Chinese Govt is using this in an improper way. So should they completely stop developing this type of product just because it's being perverted? Just because it is being misused in China, what if it can be used to deter a crime in the USA? Anyone or anything can be perverted beyond reasonable use. Not to get too political but this reminds me of the Gun debate and extremists wanting to ban guns. Guns can be used for good and bad, but just because they can be used for bad does not mean we should completely ban them so they can't be used for good. Same idea here. It's unfortunate that Dahua and Hikvision are being criticized for this as it compares to gun manufacturers being criticized as well.


 

(2)
(9)
(1)
TM
Thomas Marino
Aug 27, 2018

Hi Sean,

I have personally been lectured in various association meetings and university classrooms, including the FBI's InfraGard association... that China's global objective is to strengthen its military by building its economy... and one of China's primary tactics in building its economy is through the use of "economic espionage". China has a proven track record of this. Therefore, I find it prudent to assume that there is a reasonable risk to US businesses and government agencies in deploying IP security and surveillance devices manufactured by a Chinese government owned entity.

(4)
QD
Quan DANG
Aug 27, 2018

YES! Definitely!

Backdoor chip was found on McDouglas rocket control board OEM by Chinese company.

Phones made by Chinese have chip and software to report on users' activities and can turn on the phone camera and microphone any time.

Intentional backdoor holes were found in Huawei core network routers and switches.

... and thousands more cases.

Are you still waiting for incidents to happen to believe in the threats?

Come to Asian countries to hear more horrible real stories, should you need more evidence to convince yourselves!

 

(3)
U
Undisclosed #9
Aug 27, 2018
(1)
RH
Roni Herzel
Aug 27, 2018

They are a threat to the USA economy. With cyber threats the agencies can deal, with loss of jobs, they can’t.

U
Undisclosed #10
Aug 27, 2018

Well there is still un-patched Cisco eq. out there. Are cameras a bigger threat? Embracing the "cloud" with little regard for security is a much bigger problem.

UM
Undisclosed Manufacturer #11
Aug 27, 2018

The companies may not be a threat but their products provide a vector that is a serious threat to national security if China's spooks and spies choose to take advantage of those vectors. Hard to believe they wouldn't.

The difficult question to answer with certainty is whether their product vulnerabilities are intentional. If they are intentional then yes, the companies are also a threat to national security. If the company's operations office reveals information about locations of installed devices, the targeting of high value intelligence/infrastructure assets is made magnitudes easier. 

In the interest of national security, one has to assume the worst case scenario until proven otherwise. Every government in the world has been nefariously seeking intelligence about other countries for centuries. That's not going to change. 

(4)
U
Undisclosed #12
Aug 27, 2018

This is one of the most cogent remarks on this thread. Taking out my personal beliefs of cyber issues with Hik/Dahua I would highly encourage both sides of this argument to take a couple of the Threat Intelligence seminars available on both the East and West coast. Infiltrating manufacturers is directly out of the playbook for the top 15 threat actors of the world.

If you don’t think this is happening on a regular basis then you are seriously uninformed I am sorry. And no, lol. I am not a conspiracy nut. I used to think the same way until I got introduced to some individuals in the intel community. Then I realized that in the physical security world, where most of us operate in- we are operating on the very very bottom of a threat pyramid with no clue what’s going on above us. It’s very eye opening. 

 

NOTICE: This comment has been moved to its own discussion: Infiltrating Manufacturer’S Is Directly Out Of The Playbook For The Top 15 Threat Actors Of The World.

(2)
UI
Undisclosed Integrator #16
Aug 27, 2018

Well said!

UM
Undisclosed Manufacturer #13
Aug 27, 2018

Backdoors hidden in Chinese made equipment - nothing new.

https://www.bleepingcomputer.com/news/security/hidden-backdoor-found-in-chinese-made-equipment-nothing-new-move-along/

 

Discussion on backdoors found in chip hardware, even those used by military.  Many links to sources, etc.

https://www.schneier.com/blog/archives/2012/05/backdoor_found.html

(1)
(1)
U
Undisclosed #14
Aug 27, 2018

Yes.  In fact, China and Taiwan being the manufacturer of a very large percentage of our electronics market is a threat to national security.

(1)
JH
John Honovich
Aug 27, 2018
IPVM

Note: Taiwan is the democratic country China periodically muses about invading. Related, not impacted by the ban.

U
Undisclosed #14
Aug 27, 2018

Yes, independent for now.  But what is the US realistically going to do if mainland China decides to take Taiwan over?  My bet is nothing that would allow Taiwan to remain independent.  And that means Taiwan could become unavailable at some point in the future to manufacture certain items (chips mostly) essential for US defense systems.  It is a different sort of risk but it exists nonetheless.

UI
Undisclosed Integrator #16
Aug 27, 2018

At which point it'd be good to have helped seed the development of manufacturing and design resources in countries under less threat, so that in the event of a PRC takeover of Taiwan that door can be slammed with minimal impact.

If you want more of something, subsidize it. Or at least patronize it.

If you want less of something, stop sending it money.

RS
Robert Shih
Aug 27, 2018
Independent

Hikvision is most certainly a looming potential threat by virtue of their ownership alone.

Dahua, being a privately owned company, is merely a threat by incompetence and negligence. Something that can be cured with cybersecurity regulations they can be forced to abide by.

The two are not equal.

(1)
U
Undisclosed #15
Aug 27, 2018

Yes: I think Hikvision and Dahua are a threat to national security.

(1)
U
Undisclosed #9
Aug 27, 2018

Question 

Which one is a bigger threat to national security:

Windows operating system or HIK/Dahua?

(1)
Avatar
Sean Nelson
Aug 27, 2018
Nelly's Security

That's a tough one

(1)
(5)
UI
Undisclosed Integrator #16
Aug 27, 2018

"Do You Honestly Think Hikvision And Dahua Is A Threat To National Security?"

Without question. Same with Huawei, et al.

UM
Undisclosed Manufacturer #11
Aug 27, 2018

Diplomacy is about as sickening as marketing (in many cases, not all). When are you selling your soul to the devil? Where does one draw the line?

Then again, not sure on the content of the meetings related to that handshake so need to be careful about jumping to conclusions. 

The post in this thread implicitly suggests, "money is worth more than security." The visual is somewhat compelling to that point.

The reality of the content of that engagement is unlisted and the connotations may be quite different than what's inferred. 

Pictures are worth a lot but can be misconstrued to the nth degree. 

Ever hug a prisoner? Post it on social media? Why did that engagement happen? Lots of possibilities. 

UI
Undisclosed Integrator #16
Aug 27, 2018

Very relevant article, from Real Clear Defense:

The Problem With China's Powerful Air Force

It's a philosophical issue at its base.

(1)
UI
Undisclosed Integrator #17
Aug 27, 2018

They are about as much of a threat as us Canadians.

(2)
(3)
UM
Undisclosed Manufacturer #18
Aug 27, 2018

I believe they certainly are a threat but have not been proven or caught red-handed yet. Still, if I wonder that I may be shot by a gangster if I visit the bad side of town at night, I probably avoid that neighborhood....I may get out alive, but...

Cyber Security is the most important concern that faces the US so it's certainly better to avoid those vulnerabilities if possible.

Something to ponder...Why has Hikvision (under Chinese Government control) been so aggressive about owning the CCTV market in the US?

I know every company wants more business but when you consign product and subsidize earnings through support of the Chinese government, it becomes an anti-trust issue along with the obvious security concerns.   

(3)
(1)
UI
Undisclosed Integrator #19
Aug 28, 2018

I'm curious to hear if people think Hikvision and Dahua pose threats to national security because of a perceived covert surveillance operation or simply as a generic electronic threat?

I find it amusing how folks will rail against Hik/Dahua while blithely posting from their ostensibly Chinese-manufactured computer/smartphone...

(2)
Avatar
Thomas Lienhard
Aug 28, 2018

#19 Well, I didn't have to boil my IC Mem with acid to get the contents out of my iPhone because there aren't 500 websites and 14 year olds on YouTube describing how to do it like Hik. Do you have that little sliding camera cover on your laptop too?

Hik hacking is WAY TOO EASY and WAY TOO WELL DOCUMENTED for this to be 1. accidental or 2. unable to be simply rectified.

(2)
U
Undisclosed #20
Nov 20, 2018

Hikhua, a threat to national security? Is there any scenario in the Marvel Universe where you'd envision Hikhua ordering an attack on US infrastructure etc?

You all mean CHINA is the threat to national security and Hikhua can easily be used by CHINA to perform an attack, right?

Does China have the resources to hack Axis, Panasonic, XYZ? If you believe they do (as I do), then it should be assumed they can use those platforms to stage an attack as well, right?

Every IPVM article I've read about this omits the fact that Hikhua has about as much choice to snub Xi as BMW did when they were volun-told to support Hitler's war efforts using slave labor.

The US government is playing games with this Hikhua mess. If they are a threat to national security, they need to have sanctions, embargoes, force all Hikhua employees to register as foreign agents, and initiate a HUUUUGE buy-back for anyone using these systems- full stop. You can't say something can destroy our nation/economy and effectively do nothing about it. I just left a secure facility for lunch and went to a taco joint across the street. Guess what system they are using? How many of these systems are deployed outside of secure facilities across the globe that can track and identify US assets and employees? If Hikhua is a threat to national security, we need to start acting like it and stop using ill-thought excuses like "cyber security" when China clearly doesn't need Hikhua's help to hack anyone.

The US government uses TEMPEST certified equipment for processing information that is "critical to national security". It is assumed that any other system is or will be compromised.

Also, poor security in Hikhua cameras helps our security services as well. Our teams could just as easily compromise Hikhua gear. All security services love IP cams and IOT.

(1)
(3)
U
Undisclosed #4
Nov 20, 2018

"The US government uses TEMPEST certified equipment for processing information that is 'critical to national security'. It is assumed that any other system is or will be compromised."

Does that assumption contain the presumption that TEMPEST certified equipment cannot be hacked by foreign actors?

UI
Undisclosed Integrator #21
Nov 20, 2018

There's a lot to digest here.

"Hikhua, a threat to national security?"

Yes, that is the topic.

"Is there any scenario in the Marvel Universe where you'd envision Hikhua ordering an attack on US infrastructure etc?"

No.  I can envision Hik's grandparent ordering the CETC/CETHIK parent to order Hik to do it.  See your "volun-told" statement.

"You all mean CHINA is the threat to national security and Hikhua can easily be used by CHINA to perform an attack, right?"

Bingo.  Now you're getting it.

"Does China have the resources to hack Axis, Panasonic, XYZ?"

Undoubtedly.  So does North Korea.  I don't buy cameras from them either.

"If you believe they do (as I do), then it should be assumed they can use those platforms to stage an attack as well, right?"

I'm seeing where you're going with this.  Mind blown.  Do you believe those brands are likely to volunteer the capability because their grandparent (China) said so?

"Every IPVM article I've read about this omits the fact that Hikhua has about as much choice to snub Xi as BMW did when they were volun-told to support Hitler's war efforts using slave labor."

Actually, no.  This is exactly the point IPVM has been trying to make.  The PRC has tremendous influence over Hikvision in particular.  The PRC is the source of financial subsidization, executive management, and steers Hikvision.  If someone asked me if a spaceship could land on my house I would ask what the pilot is doing not the spaceship.

"The US government is playing games with this Hikhua mess. If they are a threat to national security, they need to have sanctions, embargoes, force all Hikhua employees to register as foreign agents, and initiate a HUUUUGE buy-back for anyone using these systems- full stop."

Agreed.  Would you be interested in signing my petition?

"You can't say something can destroy our nation/economy and effectively do nothing about it."

Tariffs + export control + ban from government property + US Commerce Dept debating sanctions = doing nothing.  Got it.  Just sign the petition already.

"I just left a secure facility for lunch and went to a taco joint across the street."

Tell me more...  Was it beef, pork or chicken?  Soft taco or hard?  Inquiring minds want to know.

"Guess what system they are using?"

Don't spoil the surprise!

"How many of these systems are deployed outside of secure facilities across the globe that can track and identify US assets and employees?"

X=systems deployed outside secure facilities across globe

If X=>0, execute RIPOUT, else "Congratulations"

No, I don't code.

"If Hikhua is a threat to national security, we need to start acting like it and stop using ill-thought excuses like 'cyber security' when China clearly doesn't need Hikhua's help to hack anyone."

Please, just sign the petition.  I have other things to do.

"The US government uses TEMPEST certified equipment for processing information that is 'critical to national security'."

Cool name.  Is this the Marvel Universe character you mentioned in the beginning?  Not sure where this is going but I've read this far...

"It is assumed that any other system is or will be compromised."

So TEMPEST is impossible to compromise.  Are you sure this is not the DC comics character?

"Also, poor security in Hikhua cameras helps our security services as well."

You've really got to get this train going in one direction here.

"Our teams could just as easily compromise Hikhua gear."

Welcome to the club.  There are a lot of members.

"All security services love IP cams and IOT."

Indeed.

(1)
U
Undisclosed #7
Nov 21, 2018

"Hikhua has about as much choice to snub Xi as BMW did when they were volun-told to support Hitler's war efforts using slave labor."

That is EXACTLY WHY they are a threat to national security.

(2)