Hikvision NA CEO Declares IPVM "The Most Outrageous Behavior I Have Seen In My 27 Years In The Global Security Industry."

IPVM

If you thought that the most outrageous behavior would be to ship tens of millions of cameras with a magic string backdoor so easy a 5 year old could exploit it, you would be wrong, according to Hikvision NA CEO Jeffrey He.

The truly most outrageous behavior, according to Hikvision, was IPVM releasing an 84 second video demonstrating how their backdoor worked, embedded below:

Jeffrey He declared:

I must point out that there are misperceptions about Hikvision. These misperceptions were intentionally spurred by a single source which misleads our community on the real risks we are all facing. That third party is here to distract from combatting criminal and terrorist activities which should be the main focus of the security industry. Even worse, that third party provided step-by-step video tutorials on how to hack vital security equipment on the end-user premises. This is the most outrageous behavior I have seen in my 27 years in the global security industry. [emphasis added]

Jeffrey is embarrassed, it is understandable. What can he say? Another 'coding error' by 1 'bad' engineer out of their claimed 10,000 'engineers'?

It is much easier to place blame on others than to fix their underlying engineering problems or, worse, their ownership and control by the Chinese government.

Why the video?

To show Hikvision backdoor's insertion was no 'coding error.'
To show how severe the risk was of the backdoor, given its ease of exploit.
To leverage the instructions that were already distributed globally to hackers and researchers.
To educate our industry about these problems in an extremely quick, visual manner.

The fact that the video was only 84 seconds shows how badly and simple to exploit the backdoor is.

If Hikvision wants to complain that they are the victims of outrageous behavior, fine by us. It will, though, keep it in public conscious and do nothing to solve Hikvision's actual problems.

Reactions:

(21)

(1)

Robert Shih

Independent

What Hikvision is really saying:

You MFers! If you kept quiet about this we coulda fixed everything at our own pace without anyone knowing or complaining about this! For all we know, it's YOUR fault people are exploiting this now!

Reactions:

(16)

(12)

Undisclosed #3

IPVMU Certified

In reply to Robert Shih

Shih said He said?

Reactions:

(4)

Undisclosed End User #1

This is the most outrageous behavior I have seen in my 27 years in the global security industry.

Mr. He has led a sheltered life and needs to stop engaging IPVM aka The Blogger.

Reactions:

(11)

Undisclosed End User #1

That third party is here to distract from combatting criminal and terrorist activities which should be the main focus of the security industry.

So tired of reading these type of statements from politicians, Hollywood and executives that are designed to get sheeple to nod their heads yes without thought. IPVM has taught me tons and has never distracted me.

Reactions:

(15)

(3)

Undisclosed #2

In reply to Undisclosed End User #1

agreed - this is one of the weakest and unsupported positions He puts forth in that article. Nobody is buying that straw man and He shouldn't be trying to sell it.

Though what choice does He have?

...and it looks like the new PRC puppet Davis was fed the party line right out of the gate - as he states the same basic content that He did.

Reactions:

(4)

John Honovich

In reply to Undisclosed End User #1

IPVM

With Hikvision's claims of combatting criminal and terrorist activities, it is surprising they have time for posts like:

Oct 27: Friday Fun Video: Mate From Down Under (Kangaroo on Camera)
Oct 20: Caught on Camera: Three Bears Break Into Colorado Pizza Shop
Oct 13: Adoption by Forever Family Caught on Hikvision Security Camera
Oct 5: Holmes Security and Hikvision Secure Southern Living Idea Home
Sep 5: Hikvision Pizza Cam Improves Restaurant Efficiency
Aug 31: More Than 4 Million Views of ‘Floating’ Bird, Caught on Hikvision Camera

Insecure products made by an authoritarian state present criminal and terrorist risks in their own right.

Reactions:

(5)

(3)

Kyle Folger

In reply to Undisclosed End User #1

IPVMU Certified

The main focus of the security industry is manufacturing and releasing devices that are actually secure. You take a risk putting any device on the network from any manufacturer, however, it's apparent over the past few years that some manufacturers are riskier than others. It becomes even more important to make sure those that are installing these devices are aware of the risks involved.

And there is really no distraction, cameras don't stop or prevent criminal and terrorist activity especially since many systems aren't monitored live. They are often used as tools to gather data after an incident or after an incident has started to take place. With that being said, if the "security devices" in place are hacked, there won't be data to retrieve when it's needed.

Reactions:

(8)

Joseph Marotta

IPVMU Certified

Well, good thing Jeffrey He isn't Japanese or else he might have to commit Seppuku (harakiri)!

Reactions:

(3)

(4)

Undisclosed #3

IPVMU Certified

That third party is here to distract from combatting criminal and terrorist activities which should be the main focus of the security industry.

Brian*: Bad news Sir, Interpol is getting ready to move in on another ISIS terrorist cell.
Head Honchovich: I see... What do we have left in the unreleased exploits vault?
Brian: We’re down to 5 Dahua hacks, a couple of Vivoteks and that last Hik hack... And bashis is taking a personal day today, so...
Head Honchovich: Again? Whatever... Prepare to release the Magic String Video! That’ll keep ‘em busy for a while, eh?

*Either

Reactions:

(2)

(30)

Undisclosed Integrator #4

Whose your daddy now, huh! That’s right, that’s Mr. Blogger to you.

Today it’s an 84 second clip, tomorrow it will be 83 seconds. Take that!

Reactions:

(1)

(4)

Jay Hobdy

IPVMU Certified

I am just glad we are a Dahua house...

Sh*$ never mind.....

Reactions:

(1)

(14)

Shannon Davis

IPVMU Certified

I would be interested in knowing exactly what his "27 Years" of experience in the Global Security industry really is. Or uh yeah maybe we don't want to know :)

Reactions:

(1)

(3)

Undisclosed #5

In reply to Shannon Davis

Let me guess: "management".

Reactions:

(2)

Greg Cortina

In reply to Shannon Davis

The HIKVISION CEO was the product manager for the Bosch D6600 receiver and associated products enabling the system to be UL2050 certified using AES encryption.

I believe he knows networks quite well from an engineering level.

Reactions:

(3)

Undisclosed #5

By being a product manager? Can you elaborate about his technical expertise? Just because I've seen quite enough of people claiming "expertise" on a subject and never having coded a single line in their entire life, or just generally being absolutely worthless in the implementation but taking all the credit for it because that's what suits generally do.

Google yields two github accounts of Jeffrey He and neither are him, I think, and quickly scouring I didn't see any concrete technical merits from this person. I tried to find references to "Bosch D6600 receiver" but didn't see his name mentioned anywhere regarding that thing. Even his LinkedIn profile has only endorsements about "Product Marketing", "Business Development" and "Product Management". If he had done anything technically significant, it would be listed also, unless everyone hates them. But maybe I'm just being unfair since it's a different part of Internet.

Can you elaborate, please? Where did you get that information? Because I would love to hear of an exec being actually competent.

Reactions:

(1)

Greg Cortina

In reply to Undisclosed #5

Well, when I worked with him at BOSCH he sure seemed like a smart dude but I didn’t check his credentials.

I currently work with several Executives with engineering degrees and multiple patents but instead of naming those, I’ll give you a couple of others.

Pierre Racz - Genetec, ask him who wrote the first code for their access control.

Elon Musk....need I say more?

Please, refute those.

Reactions:

(1)

John Honovich

IPVM

I deleted the whole sub-thread about Elon Musk.

Talking about Hikvision's execs credentials or IPVM credentials is fair game but the Elon Musk debate is sidetracking this topic. Feel free to start a new thread if anyone wants about Elon Musk and execs credentials in general.

Reactions:

(4)

Undisclosed #3

IPVMU Certified

I deleted the whole sub-thread about Elon Musk.

Great. Now he is going to think I’m full of it :)

Reactions:

Larry Tracy

Greg

You and I both know Jeffery designed the Radionics D 6600 receiver as well as the Surgard receivers designed prior to the Radionics unit. Jeffery started as a engineer in this industry with definite hands on experience and has worked his way up by sheer hard work and determination. But since the people on this blog loves to condemn people, I can attest to this as the former President of Radionics and Jeffery worked for me very successfully on this project and others.

Now I wouldn't expect him to be doing design work on NVR's at a company the size of Hikvision.

He also managed Interlogix in China along with numerous other companies.

Jeffery is a very honest smart humble CEO that has done a excellent job guiding Hikvision North America into one of the industry's largest players. Very few people could have done this.

Reactions:

(2)

John Honovich

IPVM

In reply to Larry Tracy

Larry, thanks for sharing!

excellent job guiding Hikvision North America into one of the industry's largest players

What do you think about Jeffrey's handling of cybersecurity and related criticisms? Why?

Is the Jeffrey who now engages in public ad hominem attacks the same as the one who worked for you?

Reactions:

(3)

Greg Cortina

In reply to Larry Tracy

Larry, what you missed was this section being derailed by a poster stating that Executives lack the technical coding knowledge to fully understand these issues. Because Jeffrey is a President, he lacked the skill set. I referenced Elon Musk and Pierre Racz as executives with engineering and it went way off track so John removed that section.

I didn't have Jeffrey's CV on hand. Since you have been an executive in the manufacturing side, your engineering background and patents for technology in use today would not qualify you according to the other poster. Ahhh...but I digress.

Reactions:

Undisclosed #5

•Oct 31, 2017

Cut the crap. It was derailed by you sidestepping my inquiry about Jeffrey's experience. While being a bit snarky, I said I know technically competent execs myself too.

Thanks, Larry, for actually answering my question.

It also matters a lot when and what one has been involved with: experience with hardware simply does not translate to cybersecurity, nor does 90s IT experience translate to useful in-depth knowledge of modern hardware nor software environments.

Reactions:

(2)

(1)

Undisclosed Manufacturer #6

Hikvision CEO believes people will think the back doors were a mistake in coding because he is the CEO.

Few points maybe worth consideration.

Call any major US facility in DC and ask them how many times per day they get hacked by China. 8 years ago, it was only at 30,000 attempts per month. Now it is estimated to be in 1000s per week or day per US building.

Ask top ranking people in DOD why they don't buy Chinese cameras. Why they have labs to look for backdoors and Trojans to separate networks.

How many times has China been caught with backdoors in hardware, SW, cameras??????

What would be an easy way for a country to see what goes on in other countries would be to have thousands and thousands of "EYES" everywhere.

NSA has known about Chinese backdoors for years, cameras, SW, hardware.

Well maybe most of the people in the US will be gullible and believe the Hikvision CEO

In regards to 27 years in security were they to protect security.

Reactions:

(1)

Marty Calhoun

IPVMU Certified

You guys are really cynical in putting Jeffery down and just slamming his credentials in general. Do you know the man? Have any of you (besides John) ever met him? Or spoken to him? I have had that opportunity and Jeffery is a kind, soft spoken, gentleman that does not deserve to be lambasted just because he has a differing opinion. If you have something negative to say about Jeffery he has a habit of making himself available at every Major trade show so show up there and say it to his face.

Reactions:

(3)

(1)

(6)

(3)

Greg Cortina

In reply to Marty Calhoun

You guys? Read it all Marty. I have worked with and spent plenty of time with Jeffrey. I said he’s a smart guy and that I know from personal experience.

Why do I have to argue with you even when I defend a HIK employee? ;)

Reactions:

(1)

(2)

Marty Calhoun

IPVMU Certified

I did not aim that at you personally, it is the habits of people that dont know the man that I have issues with, I appreciate you are honest and thank you for calling me out.

Reactions:

(1)

Undisclosed Manufacturer #10

Chinese billionaires and CEOs keep disappearing in ‘state-sanctioned abductions’

I said he’s a smart guy and that I know from personal experience.

I'm sure he's smart. Smart enough to know which side his freedom is buttered on.

Reactions:

(1)

(2)

Undisclosed Integrator #12

•Oct 31, 2017

In reply to Undisclosed Manufacturer #10

Wow, based on the linked article working as a CEO in China seems like working for the mafia. Things are good... until they’re very bad.

Reactions:

(4)

(1)

Undisclosed #5

In reply to Marty Calhoun

Let me just sum the above up:

A) "I believe he knows networks quite well"
B) "Can you elaborate?"
A) "He seemed smart, but tell me why Musk wouldn't be smart?"
B) "He is but couldn't do what he wants to get done"
A) "So you are saying everyone is a failure!"

Sorry, we lost Jeffrey a while ago already. I still crave to know if there's anything else to him than being a "nice guy" like people in his position usually are expected to be. But I don't expect an answer anymore.

Reactions:

(1)

John Honovich

In reply to Marty Calhoun

IPVM

Have any of you (besides John) ever met him? Or spoken to him? I have had that opportunity and Jeffery is a kind, soft spoken, gentleman

I agree with that assessment, at least historically and as a description of his fundamental personality.

That said, the last 2 years, as Hikvision has become the center of industry attention, he has changed (not just his attacks on IPVM, his screed against Genetec, etc.).

At some level, I genuinely feel bad for Jeffrey. He's caught between Hikvision management, who views him as weak, and criticisms for things he cannot control, e.g., Hikvision's Chinese government ownership. And his personality / background is poorly suited to public debate.

Marty, I am genuinely curious. Knowing Jeffrey, how do you think he should handle all this?

Reactions:

(3)

Larry Tracy

Who said Hikvision management views Jeffery as weak?

Reactions:

John Honovich

IPVM

In reply to Larry Tracy

Who said Hikvision management views Jeffery as weak?

Various IPVM sources over the years, common theme, even before the cybersecurity issue became so big.

To clarify, by weak, I mean 'soft', i.e., that Hikvision HQ does not like that Jeffrey is so 'soft spoken' as Marty put it or 'humble' as you put it.

It is pretty clear that Hikvision HQ is driving this 'get tough' approach to Hikvision critics. I am skeptical that it would work regardless of the messenger but Jeffery is especially the wrong personality for this tactic. For example, this 'most outrageous' quote. What does it accomplish? It lets us bring even more attention to the severity of the backdoor and increases the perception that Hikvision is trying to deflect blame by criticizing critics of their problems.

Reactions:

Undisclosed Manufacturer #7

Guys he is Chinese representing a Chinese State controlled manufacturer, what else was he going to say? No matter what his credentials are or even his actual thoughts on the matter. What He comes out with would be carefully orchestrated and most likely put upon the gentleman. One thing is sure, he will never speak his own mind in public, you don't do that in China. The newly permanently elected members of the Communist Party would get mighty upset if he did I suppose which would not be good for his career.

For anyone out there to think that any representative of Hik would ever openly admit to any wrong doing by Hik, causing millions of 'security' devices to be not fit for purpose, is simply outrageous...

Hik and it's employees will keep distracting from the real issue(s) by blaming others like He did at the top.

Reactions:

(5)

(1)

(2)

Undisclosed #8

•Oct 28, 2017

Thats awesome and hilarious... I'm biting my tongue right now!!

Reactions:

Undisclosed Integrator #9

IPVM, thank you for doing the world a service. This is the only way manufacturers will pick up their game.

Reactions:

(3)

(1)

Walter Holm

Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker

IPVMU Certified

FYI, Hikvision is not the only one that has or did have this problem:

I treat all cameras as hackable. I use specific network hardware for a reason.

Reactions:

Undisclosed Manufacturer #14

•Nov 01, 2017

In reply to Walter Holm

While that video was fun to watch, they used consumer cameras for their hacks. Really... Dlink cameras... Not the same class. Just like when we hear about another wifi camera oem with tons of vulnerabilities.

Reactions:

Undisclosed Manufacturer #10

•Nov 01, 2017

In reply to Undisclosed Manufacturer #14

Note that "professional level" camera IQInvision was also hacked in that video, and some notable big names like Axis and others have also been cited here for their own vulnerabilities. While at the very least you can say Dahua and Hikvision win the awards for most egregiously negligent makers concerning cyber security, consider some VMS makers took a long time to encrypt their logins and some major brands still don't store video in authenticated video files but instead as common video format clips like AVI, shows how still behind the times the security industry as a whole still is.

Reactions:

(2)

Undisclosed #5

•Nov 01, 2017

In reply to Undisclosed Manufacturer #10

Concerning VMSs, since there are diligent Manufacturers around, does Milestone encrypt logins in-transit? Some years ago (3-4 I think), I was Wiresharking and I think I noticed the password being sent in the clear when using simple authentication (not AD).

Reactions:

(2)

John Day

LMN Software Corp

Nice guy or not... shipping security devices with a hard coded back door is the outrageous part (and I suspect HIK is not alone in this).

And now we've found out that Mr. He is technically competent enough to KNOW that hard coded backdoors are a threat to a security installation.

Everything else he (and Marty?) says on this topic are simply an attempt to re-direct blame or obfuscate the issue.

Reactions:

(5)

David Coughlin

Protection One / ADT

I'm a huge fan of IPVM and, I think it's a great source for information.

That noted and in my humble opinion, IPVM has focused enough (if not too much) on Hikvision and it's faults, the influence of the Chinese government, and even the likelihood of intentional weaknesses of its security. There are many other topics that can be pursued. For example, information on network switches that are ideal for the security industry would be helpful. A study/comparison on high-end storage solutions would also be good.

At a certain point, bashing Hikvision (even for good reason) starts making IPVM look less independent than it claims. One thought is, take Hikvision out of IPVM completely including the Camera Finder and other tools.

Again, just my opinion.

Reactions:

(3)

(1)

John Honovich

In reply to David Coughlin

IPVM

One thought is, take Hikvision out of IPVM completely including the Camera Finder and other tools.

David, we strive to cover the market objectively. Removing any manufacturer, simply because they criticized us or we criticized them, would degrade IPVM's quality. It is not going to happen.

There are many other topics that can be pursued. For example, information on network switches that are ideal for the security industry would be helpful.

We just released - Favorite Network Switches 2017. As for storage, comparisons on that are really hard since the systems are so expensive and takes so much time to evaluate. I can guarantee that no amount of reduction of Hikvision or Axis or Avigilon coverage is going to result in us doing in-depth testing of storage.

That noted and in my humble opinion, IPVM has focused enough (if not too much) on Hikvision and it's faults

Reasonable people can certainly disagree on what to focus on. However, overall reader interest in Hikvision is still quite high. We are a publication, not a consulting service, so we aim to cover areas that the largest number of members care about.

If there are issues with accuracy, absolutely want to address them. If there are other topics you would like us to cover, happy to take suggestions. Let us know.

Reactions:

(1)

David Coughlin

Protection One / ADT

John,

Thanks for the quick reply...especially if you're at the IVPM HQ! :)

Regarding, removing a manufacturer "simply because they criticize us or we criticize them, would degrade IPVM's quality," I agree that this action shouldn't be taken lightly and not for the reason of a disagreement. However, if Hikvision is a danger to the security industry and end users in general (and I believe it is due to its security vulnerabilities and for its Communist government ownership structure), at some point, IPVM and others have to ask the question of whether it's right to continue promoting the brand by giving it attention and a platform.

Reactions:

John Honovich

In reply to David Coughlin

IPVM

IPVM and others have to ask the question of whether it's right to continue promoting the brand by giving it attention and a platform.

I think Hikvision would love it if we stopped saying anything about them and removed all references to them form IPVM. Seriously. That is what they want. With their money and overall media control, they do not need IPVM to validate them, they just want the criticism to stop (and they can't buy us out).

I also do not think removing them from IPVM is good for the industry nor for IPVM.

The best route is to continue to fairly cover them, to say positive things when there are positive things to say about Hikvision and to say negative things as appropriate. As an example, even Hikvision's management repeatedly and begrudgingly admits our tests are fair.

I appreciate the feedback and I do agree that, despite the ongoing Hikvision saga, IPVM definitely needs to ensure covering a variety of other items for the membership. Thanks!

Reactions:

David Coughlin

Protection One / ADT

Thanks again John. A related tangent is that I believe much of the social strife in the U.S. today results from people not being able to disagree with a person's opinion yet still respecting the individual. While I disagree, I certainly respect your views and support IPVM.

Reactions:

(1)

Edouard Sonnenschein

Apple, Microsoft, Google and others pay for this service. IPVM is providing it for free.

System hacks have been around since the inception of software. Every major manufacturer has had to deal with the fact that their software is a target. The major players all pay whitehats to identify these holes so they can be fixed.

The video and information IPVM posted online is similar to what the software giants had to deal with in the past. Since they did not want the bad press, it was initially easier to blame the whitehats identifying the issues then to admin the programming was flawed.

It seems that Hikvision has to learn this lesson.

Hack Apple, get paid -- by Apple
In a first for Apple, the company will pay up to $200,000 to researchers who find security problems in its systems.

Software giant Microsoft has revealed it is paying a hacker over $100,000 (£62,760) to find holes in its products.

Google will pay you $1,000 to hack some of Android’s most popular apps.

Hikvision need to take responsibility for its product. Since denial has been the normal response, publications such as IPVM, have taken on the issues and are notifying the end users of the flaws that they may encounter, and the security risks the product brings to their organizations.

Identify and posting the backdoor hack of the Hikvision product does increase the public's knowledge of the issues and will be used by blackhats to attack the existing systems. But its Hivision's responsibility to correct these issues. Blaming the end-users for lack of security and publications for posting flaws is counterproductive to all parties, including the manufacturer.

Here is the reality of capitalism a free market and freedom of speech. If the product is at a good price point, it works as advertised and fills a need it will likely succeed.

If the product has issues, consumer groups, consumers and competitors will take every opportunity to identify the flaws.

After so many years of denial and spin, Hikvision is feeling the market forces bearing down. Fixing the issues with the code is the easy part of the equation, fixing the market perception as a solid quality product is their long, very hard road.

Reactions:

(3)

(2)

David Coughlin

In reply to Edouard Sonnenschein

Protection One / ADT

Ed,

At first, I disagreed with your post. But, I changed it to agree. You present an idea of what "should be done."

My hesitation is that there are great differences between the companies (Apple, Google, and Microsoft). The most influential issue to your point that they should be taking responsibility for their product is, that Hikvision is owned by a totalitarian Communist government. They are far removed from the ideals of capitalism, free market, and free speech. It is also arguable that their product has any "flaws" that, by definition, are unintentional. The coded backdoors and other vulnerabilities should be viewed in light of the massive effort by the Chinese government in cyber-attacks against not only the United States but many other countries.

While I value IPVM, I don't agree that they are doing the service for "free" but, it would be nice if Hikvision saw value in identifying weaknesses as do the companies you mentioned...but they don't value this service and, they likely don't see the vulnerabilities as weaknesses. If you believe that Hik is owned by the Chineses government and, the Chinese government actively attacks the U.S. cyber defense structure (and there is ample evidence to support both beliefs), then you could conclude that the Chinese government is in a defacto state of war using these attacks and products such as Hik that it owns. Therefore, nothing that Hik executives say should be believed. It is nieve to think that any senior executives in Chinese companies understand or value the idea of free markets. As with any company, Hik's ultimate interests is to pursue and increase the interests of its owners, the Peoples Republic of China.

Reactions:

Edouard Sonnenschein

In reply to David Coughlin

David,

I agree with your statement.

The fact that the product is owned by a Communist government and its "ultimate interests is to pursue and increase the interests of its owners, the Peoples Republic of China"

The issue is this is more of a government, and less of a company. Its interest are not necessarily inline with a free market.

My point is for their product to survive long term the will need to adapt their mindset to the capitalist free market mentality or ultimately fail.

"they should be taking responsibility for their product is, that Hikvision is owned by a totalitarian Communist government. They are far removed from the ideals of capitalism, free market, and free speech."

The concern is the market share penetration before the free world realizes the vulnerability it leaves behind. Currently low cost and high margins are driving this product but its a classic case of penny wise, pound foolish.

Just as an FYI, I am responsible for a nationwide transportation system. Hikvision is not on my approved vendor list, nor do I see them being added anytime in the near future. Currently our network is part of the National Cybersecurity Protection System. (NCPS) is an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing. The NCPS capabilities, operationally known as the EINSTEIN program, are one of a number of tools and capabilities that assist in federal network defense. These capabilities provide a technological foundation that enables the Department of Homeland Security (DHS) to secure and defend the federal civilian government’s information technology infrastructure against advanced cyber threats. NCPS advances DHS’s responsibilities as delineated in the Comprehensive National Cybersecurity Initiative (CNCI).

Reactions:

(1)

Undisclosed Manufacturer #11