Subscriber Discussion

Hikvision - Is It True Hikvision Has A Backdoor To The Chinese Government?

BC
Bede Cammock-Elliott
Aug 11, 2016

Do Hikvision cameras communicate images or information to an outside source or is this an urban myth? Pretty sure this question will have been asked previously on here, so apologies in advance!

JH
John Honovich
Aug 11, 2016
IPVM

Backdoor and 'communicate images or information to an outside source' are different things.

The Chinese government absolutely has Hikvision's source code because Hikvision is the Chinese government, reporting into CETHIK, which reports into CETC, which is the Chinese's government information technology division.

Backdoor typically means a way to access a device without authentication. Given the Chinese government knows the source code, I would think it is reasonable that they know a away to access Hikvision devices without authentication.

As a point of comparison, there was a vulnerability impacting ~6 years of Axis cameras that some have debated was actually a backdoor. Either way, the point is if you know a device's source code (and its closed), the chances are high that you know a way to backdoor in.

As for communicating images or information to an outside source, typically Hikvision cameras come preloaded with Ezviz / HikConnect software which is designed as a home / SMB cloud offering, not for government access. Could it be accessed by the government if they so wanted? I assume so.

Overall, though, I see Hikvision's focus as primarily economic expansion, not cyberwar.

(1)
U
Undisclosed #1
Aug 12, 2016
IPVMU Certified

I would think it is reasonable that they know a away to access Hikvision devices without authentication.

Do you think it reasonable that every manufacturer knows a way to access their own devices without authentication?

(1)
(1)
JH
John Honovich
Aug 12, 2016
IPVM

I don't know about every, but I think in general yes. They either have one that they officially put in but is not publicly disclosed (e.g., the Pelco one that was recently closed) or they know the code well enough to know how to get in.

(3)
(2)
UM
Undisclosed Manufacturer #2
Aug 12, 2016

I've been working as a software developer in this industry for 20 years and never been asked to add a backdoor into any product. I find it very unlikely that a reputable western camera, VMS, or access control manufacturer these days would deliberately add a secret back door into a product. No advantage in doing so whatsoever, and once discovered it would be indistinguishable from a security flaw as far as customers are concerned.

Having said that, unintentional back doors are not uncommon. Universal username/passwords have been discovered hard coded into some cameras, but I suspect this was caused by the software developers being sloppy, rather than by a management decision to put them there. And I recently encountered a camera where the username and password literally did nothing and anyone could gain access to the rtsp stream - couldn't believe it.

(1)
(1)
JH
John Honovich
Aug 12, 2016
IPVM

I find it very unlikely that a reputable western camera, VMS, or access control manufacturer these days would deliberately add a secret back door into a product. [Emphasis IPVM]

To be clear, these backdoors were generally added years ago. For example, the Pelco one recently removed was ~10 year old.

Yes, I don't think many are being added today, but many exist from years ago.

UM
Undisclosed Manufacturer #2
Aug 12, 2016

20 years ago when I just started, I recall having a discussion about the possibility of adding a back door account, but it never happened. But I did get the impression from the conversation that it was not an uncommon practice at the time. No one cared about security back then and developers weren't really trained to deal with it.

5 years later all that changed. I am surprised that even 10 years ago a company would do something like this.

(1)
Avatar
Brian Karas
Aug 12, 2016
IPVM

I don't think the conversations usually go along the lines of "Let's discuss adding a backdoor at the next engineering meeting", I think it is often more like "The software is not stable yet, we need to make sure we can still get under the hood in case something goes wrong", or "we'll enable SSH for now during development". And then those backdoors never get removed in the production code.

(2)
MC
Marty Calhoun
Aug 12, 2016
IPVMU Certified

Of course manufacturers have legit ways to get into devices other than the advertised means.

NEWSFLASH: Access Control manufacturers and many others have "back door" code built in as well

BUT this is often misconstrued as meaning that HIKVISION (and others) are accessing cameras across the globe to "peek" on activities.

(3)
U
Undisclosed #1
Aug 12, 2016
IPVMU Certified

"Of course manufacturers have legit ways to get into devices other than the advertised means."

(1)
JH
John Honovich
Aug 12, 2016
IPVM

misconstrued as meaning that HIKVISION (and others) are accessing cameras across the globe to "peek" on activities.

I agree with this. I don't think Hikvision is 'peeking' in on cameras.

Of course manufacturers have legit ways to get into devices other than the advertised means.

I don't agree with this. This certainly used to be accepted thinking but as information security risks have increased and understanding has improved, this is now more generally seen as a danger.

If the manufacturer has 'unadvertised' means to access their products in production, it means that those means could (and likely would) be leaked, creating a security risk.

I started a new discussion: Should Manufacturers Be Able To Access Your Products Without Your Credentials?

DW
David Westberry
Aug 12, 2016
IPVMU Certified

With Hik's connection it would not be shocking to a lot of people. As far as I know there isn't any proof that there is any malicious code in their equipment.

Somewhat related though, I recently watched a great series on the Viceland channel called Cyberwar. The particular episode is called Hacked by China. I highly recommend anyone interested in cyber security check it out. If you do get to watch it, keep Hikvision and the surveillance market in mind. What an easy market to distribute and deploy hundreds of thousands/millions of network devices and get them in your enemies infrastructure and networks. Great conspiracy theory fuel.

https://www.viceland.com/en_us/show/cyberwar

(2)
UD
Undisclosed Distributor #4
Aug 15, 2016

They're at power plants, military installations, water filtration facilities, court houses, everywhere... They're a very insecure node into your network, it's amazing what American laziness and "frugal mindedness" can achieve...

(2)
UI
Undisclosed Integrator #3
Aug 19, 2016

Realistically the same could be said about Microsoft, Apple or Facebook they all have the ability. We just have to believe who we think will and won't do it. But then again who thought the NSA were doing what they did. Probably the best is to trust no one.

UI
Undisclosed Integrator #3
Aug 15, 2016

There goes the old Reds Under the Bed paranoia again.

I don't know what Americans are worried about. When Mr Trump gets in he'll fix all that.

(1)
(1)
(2)
BK
Birger Kollstrand
Aug 15, 2016

THe only case that I know of where a government has tampered with code is this:

http://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html

:-)

I'm pretty sure any agency that can willl try to do soemthing similar if they can target interesting "customers". No need to be naive about that.

(1)
(1)
UM
Undisclosed Manufacturer #2
Aug 15, 2016

I think that might be just the tip of the iceberg.

Bruce Schneier has been a respected and credible figure in encryption for decades. This is what he has to say:

Bruce Schneier: NSA Surveillance and What To Do About It

Here he talks a lot about the cooperation between the public and private sectors on surveillance. Watch at least the first 4 minutes, and then ask yourself - if this is what the US government is doing, what would the Chinese government be doing?

(1)
UD
Undisclosed Distributor #4
Aug 15, 2016

I do know for a fact the manufacturer can generate a master password for any device they've manufactured. You don't need a backdoor when you have the password. This is 100%, ask your manufacturer, if they're one of the big two, if they can generate the master password for your device. Just pretend you've locked yourself out...

(1)
(1)
Avatar
Ethan Ace
Aug 15, 2016
UM
Undisclosed Manufacturer #6
Aug 18, 2016

Moved my comment to the poll discussion, so removed it from here. Nothing to see .. move along ..

UM
Undisclosed Manufacturer #5
Aug 15, 2016

It would be naive to not consider the possibility that the Chinese Government has not put a backdoor in these cameras. Not to peek at the images, but to gain access to the network. Stealing, and reverse engineering, technology is something the Chinese do on a regular basis. There is no denying that fact.

U
Undisclosed #1
Aug 15, 2016
IPVMU Certified

Stealing, and reverse engineering, technology is something the Chinese do on a regular basis.

Though in this case no technology theft is required and all engineering is forward.

(1)
UM
Undisclosed Manufacturer #2
Aug 15, 2016

IMO:

1) Security manufactures do not add universal passwords to their products, not these days.

2) Yes, master passwords could be generated for devices if you supply the manufactures with a unique serial number/hardware ID. But this is not in the same category as (1), and I don't think it is a bad idea.

3) Yes, apparently governments have put pressure on private companies to place eavesdropping capabilities into their products. But I doubt governments would bother with camera/access/alarm manufactures - I think it would be too hard to keep it a secret.

Actually, to come to think of it, private companies "eavesdrop" on customers even without pressure from the government. They collect the data and sell it...

(2)
UD
Undisclosed Distributor #4
Aug 15, 2016

2) That information can be gleaned remotely and still used nefariously... I can't believe we're allowing insecure chinese electronics in our government facilities REGARDLESS. The Koreans don't allow this to happen...

UM
Undisclosed Manufacturer #2
Aug 15, 2016

You may be right, I haven't really thought about it. I have never worked for a company that has used this method. But in any case, it is nowhere near as bad as (1).

(1)
UD
Undisclosed Distributor #4
Aug 15, 2016

Agreed

BC
Bede Cammock-Elliott
Aug 15, 2016

Hikvision can not be compared to other camera manufacturers. Hikvision are owned by the Chinese Government with a less than stellar human rights record. Communist Governments as a general rule suppress opposition by means fair or foul.

While Hikvision gear potentially is or may be used to 'spy' within China, there is no reason why it isn't or couldn't be used for nefarious purposes against competitors of Chinese companies or Governments.

I would install it with extreme caution. May be inexpensive, but it carries a high degree of downstream risk. Buyer beware!

(4)
(2)
Avatar
Christopher Freeman
Nov 12, 2018
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions