Hikvision Opens Security Industry First Source Code Transparency Center


#1, thanks for sharing. We are looking into the details of this. The idea sounds good, trying to understand how it is implemented and what restrictions or issues might exist. We will need at least a few days to research. Thanks again.

U1, I find this an interesting and positive move by Hikvision.

Only one question: how can you know that the firmware binaries are actually built from the reviewed source code? Can that be verified somehow?


Bashis, seriously?

You are a famous "hacker" asking this?

I am not a programmer, so I do not know.

I can only assume once you have source code you can compile binary

upload them back to the camera and see if it will take it

I am sure you have much better idea

I can get you in touch with HIK :) 


Did you notice this in the URL you shared?

A staffer will then work with individuals to schedule an appointment to visit the center, located here at the company’s U.S.-based headquarters, as well as provide the required nondisclosure agreement for signature.

Don't think they will pass out all source code.

And you can go to their controlled test environment and look for yourself at the thousands upon thousands of lines of code for all of what, an hour?  Certainly more than enough time to evaluate some version of some code.  C'mon, they're just getting an early jump on April Fool's Day.


I was joking

Ahhh, the dilemma of being unable to read joking tones/sarcasm through electronic messaging strikes again!

Hikvision NA has now emailed this to dealers:

Jeffery’s letter today invites “government agencies in the United States and Canada to review the source code for a wide array of select IP cameras and NVRs sold by Hikvision.”

While I don’t personally know bashis, I think I’m secure in assuming he doesn’t work for any US or Canadian gov agencies. I could be wrong. 

JD, good point. That raises interesting questions. Can the government agency appoint an external expert like bashis as their representative? Does the representative have to physically go to California? How long does that reviewer get to spend?

For now, I would read it exactly as written. A member of a NA gov agency can visit in person. I don’t think that leaves much interpretation. 

If we do read it as written (which I think is fair), it is an extremely limited offer, to the point of not being very practical, agree/disagree?

I absolutely agree, and more to the point, it’s their intention to restrict who has access to their source code, IMO rightfully so. This isn’t “hey everyone come check out our source code so you can steal it”. It’s lets put these politicians and agencies at ease that we aren’t putting spyware in our cameras. 

 It’s lets put these politicians and agencies at ease that we aren’t putting spyware in our cameras.

So JD, you think this is mostly a real effort at cybersecurity or mostly a marketing move?

I would say it is a marketing move on the surface. Who knows though? Maybe some really insightful NSA/FBI/CIA savant takes them up on their offer and finds a hidden gem in there that leads to better security? Long shot, but that’s what it would take to make this anything but a shrewd marketing/political move. Remember, this is in response to the Congressional hearings from a few weeks ago, where the Hikvision name was drug thru mud. This is Jeffery calling their bluff. “Ok then, come take a look!”

JD, good analysis!

Question: How do you think this compares to the Chinese government's access to Hikvision's source code?

All I can do is guess that they have unfettered access to anything they want, regardless of ownership status, to anything inside China. 

I have a feeling that Canada and the USA have a lot of "hackers" on payroll to examine and change code :)

This is more hollow cyber security commitment from Hikvision, all appearance and no substance.

Hikvision, and their defenders, will point to this as "proof" that the company is secure and open, embraces cyber security, etc.

I see a number of issues with this:

It is only available to governments? They do not even welcome or allow cyber security researchers?

The average government organization does not have any cyber security developers on staff that could properly audit source code for embedded devices (particularly at the level of smaller cities and similar entities that Hikvision has been able to attract).

You have to make a request and then spend money to go out to CA (though Hikvision would probably agree to pick up the tab for larger potential customers). This is disruptive and would put most researchers at a disadvantage, unless they are allowed to bring in multiple laptops, have unfettered internet access, etc.

No mention of what happens when a vulnerability is found. Do people have to sign an NDA preventing them from any form of responsible disclosure of discovered vulnerabilities? Does Hikvision think they will be able to just silently patch things and not make customers aware of newly discovered vulnerabilities (and this WILL happen if they allow any competent people in to review the code)?

What form of checksumming can be done by the customers to ensure the code they run in production is exactly the same as what was reviewed?

Who is really going to go for this anyway? Anyone who distrusts their code already is unlikely to go out to CA and spend several days doing Hikvision's QA work for them. 

I do give Hikvision credit, this is a clever way to continue to claim they take cyber security seriously without actually doing much heavy lifting.

Some of the naysayers are funny. Hikvision is allowing the US govt to view their source code and you are "skeptical"? We keep hearing that Hikvision is so shady and they hide this and that and blah blah blah! Now here is Hikvision saying "Hey US govt, you think we are spying on you? Here is our damn source code, have at it and show us where we are spying on you! Donald, here, look!!!"

At any rate, it's been 12 days and I am awaiting the week-long IPVM headline on this article. I find it funny that we have to wait several days for something like this to make a headline but the critical headlines are put up on a weekly basis in 0 seconds flat. IPVM could have even designed several hack maps within this time frame.

I do have to make a suggestion for the headline. "Hikvision openly invites the US Govt unadulterated access to their source code, proving they are the industry leader in cyber security"  I know it's a long headline but it gets the point across..........

How could you even twist this story? This is 100% positive no doubt about it! Boom Shocka Locka!

With bated breath I will continue to wait.....

This is 100% positive no doubt about it! Boom Shocka Locka!

Sean, it's definitely pumped up the loyalists like yourself! It's clearly a good marketing move, everything else aside.

I do think there are a lot of open questions and reasons to be skeptical. The reason we have not published yet is that I am hoping to see what other details come out that either eliminate that skepticism or verify.

Sean, a number of them are posted immediately above, e.g., how can you be certain it is the same code that is used in production? How can you reasonably find a backdoor sitting in their office with them sitting next to you (finding a backdoor is not like inspecting a piece of fruit)? What can you do even if you do, given the NDA they require? etc. Serious question: does that not raise any legitimate concerns for you?

From my standpoint, it appears they are being as transparent as possible without being too open in giving away trade secrets. Seems like a typical move any Silicon Valley business would do when working with the govt.

To solve the issue of skepticism, the USA govt's IT guy that has this appt scheduled should go ahead and buy a camera from the interweb and bring it to them at the appt. The IT guy should say "I want to take a look at the source code of this specific camera" and see how they handle their response.

The fact remains though, if Hikvision's business plan is to infiltrate America via cyber warfare, then they sure did make themselves really vulnerable with this move.

This is a humble and transparent move by Hikvision which is exactly what they needed to do.

Honestly, this is the first day I heard about this. I can't believe I missed the discussion topic.

The IT guy should say "I want to take a look at the source code of this specific camera" and see how they handle their response.

You are not going to send an 'IT guy' to do this. The type of work to find backdoors is highly specialized, like the IT equivalent of being a neurosurgeon. This is part of the problem of the approach of requiring a person to go there.

Also, even if you can find someone and you send them to California, it could take days if not weeks to find a backdoor. How practical is that?

it appears they are being as transparent as possible without being too open in giving away trade secrets

Ok, how about this. Make an exception to the NDA that any backdoors or vulnerabilities found are excluded from the NDA and will be publicly reported in 90 days. Would you agree that would make it a stronger, truer move by Hikvision?

This is part of the problem of the approach of requiring a person to go there.

Also, even if you can find someone and you send them to California, it could take days if not weeks to find a backdoor. How practical is that?

Heck, we could over-analyze and nitpick every positive thing Hikvision does and try to find the slightest bit of negative and over-emphasize it and turn it into a conspiracy theory or propaganda. But the fact remains, this is another positive move in the right direction. For gosh sakes they are allowing the US govt to view their source code. You obviously understand they aren't going to open up their source code to anyone sitting in their living room. I don't know what else you want them to do.

Ok, how about this. Make an exception to the NDA that any backdoors or vulnerabilities found are excluded from the NDA and will be publicly reported in 90 days. Would you agree that would make it a stronger, truer move by Hikvision?

This is a weak question and I hope you don't build on it for assumptive purposes. Here is why: First, I'm gonna assume the NDA is used for trade secret purposes; this is actually what they allude to in the article. Secondly, if the US Govt did find an intentional backdoor in Hikvision's products, I don't think they are going to keep their mouth shut just because they signed an NDA. Thirdly, if the US Govt did find an unintentional vulnerability, and Hikvision did not follow up with a firmware fix, don't you think that will put Hikvision on the US Govt's radar even more?

if the US Govt did find an intentional backdoor in Hikvision's products, I don't think they are going to keep their mouth shut just because they signed an NDA.

The person signing the NDA is likely to be personally liable. If Hikvision wants to be 'transparent' and that's literally in the title of their announcement, be transparent about what the NDA includes or does not.

Thirdly, if the US Govt did find an unintentional vulnerability, and Hikvision did not follow up with a firmware fix, don't you think that will put Hikvision on the US Govt's radar even more?

How will they know? It's one person, under an NDA. Does the NDA allow US government divisions to share such information?

If this is obvious that Hikvision is going to allow the US government to talk publicly and to share intel across organizations, they might as well tout it publicly. Marketing win, no?

To the extent they are not, and they are not, these are reasonable concerns.

The person signing the NDA is likely to be personally liable

I'm not an expert on law but I'm gonna assume NDAs get thrown out the window if there is a risk to the public.

If Hikvision wants to be 'transparent' and that's literally in the title of their announcement, be transparent about what the NDA includes or does not.

I don't think they are trying to prove anything to people like you. I think they are trying to prove something to the US govt, which is really the only people who need to see the NDA.

How will they know? It's one person, under an NDA. Does the NDA allow US government divisions to share such information?

It doesn't say one person, it says "enables government agencies". You didn't really answer my logical question.

I'm not an expert on law but I'm gonna assume NDAs get thrown out the window if there is a risk to the public.

Never heard of that. Also, even if this theoretically existed, the NDA holder would have to prove 'risk to the public' and to do that, one needs to go to court.

The reasons why NDAs and non-competes work so well is that large companies like Hikvision have deep pockets to fund litigation and individual people, like 'IT guys' do not.

John you are smarter than this. The US Govt could care less about the legal ramifications about reporting a cyber risk.

Sean, you should read more about NDAs.

https://en.wikipedia.org/wiki/Non-disclosure_agreement

NDA is simply: Keep your mouth shut and no writing, regardless of what you see or learn, or we sue you and you will be in 'big' trouble.

So you are saying that if the US Govt finds a backdoor in Hikvision's code that could be harmful to the public, that they have to keep their mouth shut because they may be sued?

Can you link the Wikipedia article to this law please?

Sean, the 'US Govt' does not operate like a monolith. The US government consists of myriad departments, divisions and entities across the federal, state and local level. So the NDA is not going to be with the 'US Govt', it's going to be with the specific person who is involved (who could be one guy at one agency). That's just how NDAs work, it's not unique to Hikvision.

That person would be party to the NDA, not the 'US Govt'.

NDA is the abbreviation for: Non Disclosure Agreement

Sean, you are amazing, dude. You don't know what an NDA is and you think you can sign a contract and simply break that w/o any consequences?

If so, why even sign an NDA in that case?

Bashis, I respect and concur with all your knowledge on coding but please don't try to sound smart on a subject of which you have no knowledge, which is American law.

I know what an NDA is. Here in America, contracts are not always legally binding, especially when there is potential harm to individuals.

I admit to not being an expert either but this stuff is taught in entry-level college courses.

If we can allow common sense to prevail in this situation, then one can see that the US govt has the upper hand. If Hik did say they were going to sue someone or some dept for disclosing an intentional backdoor, then the US govt can simply say "you are banned from the USA".

You guys are missing the fact that Hik made themselves vulnerable here on purpose.

Sean,

I have all respect to your opinions.

I'm not trying to be 'smart', and I'm fully aware that contracts have clauses that allow breaking them in certain conditions (at least they should have).

However, an NDA isn't something you play around with in any easy way, and you can be in deep sh1t if you break this, in one way or another.

Moreover, if the NDA has no meaning in the US, why insist on signing that piece of toilet paper then?

As I have previously said, I find Hik's initiative positive, but I sure do have my doubts how it would work in practice, and if that would apply to Hik (even if they offer this of their own free will to continue US business), the same should apply for other manufacturers as well.

I'm pretty sure that Hik isn't the only one who is controlled/owned by a government.

My humble opinions.

I know what an NDA is. Here in America, contracts are not always legally binding, especially when there is potential harm to individuals.

Whether or not a contract is legally binding is a matter for a court to decide. And that means you need to be willing to pay $50,000 to $100,000 or so to find that out. This is why, 'here in America', NDAs are such useful tools for corporations to use against individuals.

You guys are missing the fact that Hik made themselves vulnerable here on purpose.

Hikvision gets to choose who can come, when they can come, how long they can stay, what they get to see and what they can say about it publicly - that's still very protected. I absolutely concur with you that it's a good marketing move but that it makes them 'vulnerable' is far more debatable.

Sean,

I also like the move that Hik is trying to be more 'open', but how can you be sure that the source code (several hundreds of thousands of lines) you have just reviewed (or tried to review) inside their premises is the actual code you have loaded into your IPC/DVR/NVR/Whatever?

I don't see the reality here...


What would be your suggestion?

Probably not the best ones, but instantly thinking of:

In Hik office: Try to verify source code, compile source code on the spot, do MD5 checksum on all binaries, take this out and publish the results openly.

In Hik Cam/DVR/NVR/Whatever: Do MD5 checksum of all binaries, export all results, verify against openly published MD5.

However, to be fair, this should then apply to all manufacturers and not only to Hik, no?

Would this be realistic?

Yes,

Also, can you please explain this to the IPVM team :)

I have a feeling they do not understand.

I don't see it as realistic here, to be extremely honest.

Why?

1) Too many different products and FW versions, it would be a full-time assignment

2) It should apply to all manufacturers, not only Hik.

Bashis,

Here we do not talk about all manufacturers

We talk about HIK:)

HIK is Center of the World

U1,

All manufacturers are in the center for me. You need to treat all with the same attention (maybe in different timings), big/small/CN/US/TW/SE... whatever.

If not, you are stuck... at one spot, and you will miss the points/goals/whatever.

Bashis I have idea,

need your opinion

Let's say HIK publishes MD5 inside the Camera GUI

Let's say HIK then has 5-10 different firmware with MD5

USA government reserves the right to check at any time

so Hik provide binary and they check against MD5

Will it work?

Bashis I have idea,

EHLO

need your opinion

200 OK

Let's say HIK publishes MD5 inside the Camera GUI

No publish, needs to be generated on the fly

Let's say HIK then has 5-10 different firmware with MD5

Please check again: http://www.hikvision.com/en/download_89.html

USA government reserves the right to check at any time

Why only US? Is the US their only customer?

so Hik provide binary and they check against MD5

Let's ask Hik to provide the FW encryption to Montecrypto, your task, ok?

Will it work?

What do you think?
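Bashis' two-sided MD5 proposal above (hash the binaries compiled from the reviewed source, publish the list, then hash what the camera actually runs and compare) and U1's "publish the MD5 in the camera GUI" variant can be made concrete with a small manifest-and-verify script. The script below is an added example, not code from IPVM, Hikvision or any poster; file names and contents are constructed stand-ins, the device side hashes the files it actually has rather than a stored table (bashis' "generated on the fly" point), and SHA-256 is computed alongside MD5 because MD5 collisions are practical and a checker relying on MD5 alone could be fooled.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed stand-ins for the files of a firmware image (hypothetical names,
# not real Hikvision paths): what a reviewer gets by compiling the audited
# source on site. In practice these would be read from the build output tree.
REVIEWED_BUILD: Dict[str, bytes] = {
    "bin/camera_app": b"\x7fELF main application (constructed sample)",
    "bin/webd": b"\x7fELF web daemon (constructed sample)",
    "lib/libtls.so": b"\x7fELF TLS library (constructed sample)",
}

# Constructed stand-in for what the camera exports when asked to hash its own
# filesystem: one binary silently differs, and one file the reviewed tree
# never contained is present.
DEVICE_FILES: Dict[str, bytes] = {
    "bin/camera_app": b"\x7fELF main application (constructed sample)",
    "bin/webd": b"\x7fELF web daemon (constructed sample) + extra code",
    "lib/libtls.so": b"\x7fELF TLS library (constructed sample)",
    "bin/debug_shell": b"\x7fELF debug shell (constructed sample)",
}

ALGORITHMS = ("md5", "sha256")


def hash_tree(files: Dict[str, bytes],
              algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, Dict[str, str]]:
    """Hash every file with every algorithm: {path: {alg: hexdigest}}."""
    return {path: {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}
            for path, data in files.items()}


def manifest_to_text(manifest: Dict[str, Dict[str, str]]) -> str:
    """Serialise as 'alg  hexdigest  path' lines, sorted so the published text
    is itself reproducible and can be diffed between reviewers."""
    lines = [f"{alg}  {digest}  {path}"
             for path in sorted(manifest)
             for alg, digest in sorted(manifest[path].items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Inverse of manifest_to_text; ignores blank lines and '#' comments."""
    manifest: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alg, digest, path = line.split(None, 2)
        manifest.setdefault(path, {})[alg] = digest
    return manifest


def verify(published: Dict[str, Dict[str, str]],
           device: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Compare the device's digests against the published ones. A file counts
    as matched only if every published algorithm agrees; a single disagreement
    (e.g. an MD5 collision that SHA-256 exposes) is a mismatch. Files on the
    device that the reviewed build never produced are reported separately."""
    result: Dict[str, List[str]] = {"matched": [], "mismatched": [],
                                    "missing_on_device": [], "unexpected_on_device": []}
    for path, digests in published.items():
        if path not in device:
            result["missing_on_device"].append(path)
        elif all(device[path].get(alg) == d for alg, d in digests.items()):
            result["matched"].append(path)
        else:
            result["mismatched"].append(path)
    result["unexpected_on_device"] = list(set(device) - set(published))
    for key in result:
        result[key].sort()
    return result


def run_demo() -> Dict[str, List[str]]:
    """Reviewer side publishes a manifest; device side generates its own on the
    fly; the two texts are compared exactly as a customer would do it."""
    published_text = manifest_to_text(hash_tree(REVIEWED_BUILD))
    device_text = manifest_to_text(hash_tree(DEVICE_FILES))
    return verify(parse_manifest(published_text), parse_manifest(device_text))


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

This only closes the gap between reviewed source and shipped binary if the build is reproducible; otherwise the reviewer's hashes will differ from the vendor's for innocent reasons such as embedded timestamps.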

Ok

What if the government supplies a few lines of encrypted code to generate MD5 on the fly? (to be added to the cam binary)

What would be your suggestion?

Put it out on the internet for all to review. Open Source - hey It worked for Linux.

There's nothing special that any other manufacturer is going to learn, other than that paying workers $1 an hour to manufacture cameras is a solid business plan.

"Put it out on the internet for all to review"

I hope you are joking

Windows has a lot more problems than HIK

Can I get the source to analyse? :)

"Put it out on the internet for all to review"

I hope you are joking

Windows has a lot more problems than HIK

I think you must be joking if you think Windows is open source...

Here is what it boils down to:

Hikvision just openly invited the US govt to come into their facility and view their source code.

The US Govt is not stupid.

Hikvision knows this.

If Hikvision tried to pull a "fast one" on the US Govt when this "testing" is going on, this will just make the US govt even more suspicious.

Hikvision had humility and made themselves vulnerable for a reason. Great move by Hikvision

Sean is not interested in genuinely discussing the issues involved, he's focused on justifying his Hikvision money train.

If Hikvision is genuine about this, they can incorporate feedback to make the program stronger.

John is not interested in posting this article because it affects his financial obligation to negatively report on Hikvision and ultimately negates his business plan.

"If Hikvision is genuine about this, they can incorporate feedback to make the program stronger."

Feedback to whom?

Hikvision just openly invited the US govt to come into their facility and view their source code.

The US Govt is not stupid.

I choose my right to keep silent...

I also like the move that Hik is trying to be more 'open', but how can you be sure that the source code (several hundreds of thousands of lines) you have just reviewed (or tried to review) inside their premises is the actual code you have loaded into your IPC/DVR/NVR/Whatever?

Curious, even if you had the authentic production code in front of you, on premises, do you think you could really suss out a subtle backdoor?

I’m thinking of the string format Axis hack, if it was intentional, could you easily see it?

I think it may give a false sense of security.

For instance, imagine you are given 10,000 lines of code; could you really predict the output from the input in any reasonable amount of time?

Simple answer is: No

My observation: to understand the issues with these source code statements by this company, you would understand better if you are a software developer and/or a digital electronics designer. Disclosing the source code is interesting, but code could have deliberate software/hardware security vulnerabilities, for example ones that would allow injecting updated code into already deployed systems. This is only one example. Another example: you also need to examine the microcode in the silicon. The source code is NOWHERE NEAR enough. The list goes on.

So the answer is "no they are not happy now."

Are you happy? That should be your main concern, right?

From David Fitches:

Looks like HikVision are taking BIG steps to try and recover the reputational damage done by their recent spate of security flaws/"back doors" which have been aired on MANY sites (this one included).

For those who don't want to click the link:

HikVision are opening a Source Code Transparency Centre where, with an appointment and signature on an NDA, Government agencies and interested parties can review the source code for HikVision products.

The model they're using seems aimed at providing access to their NVR and Camera source code, whilst still protecting their Intellectual Property - and I personally think it's a bold move which should be applauded.

As anyone who knows anything about Open Source will tell you, one of its strengths has been the fact that anyone can review the source code to a project and thus it is almost impossible to have hidden back doors in open source software. It also means that anyone can examine the code for flaws and vulnerabilities. End result: you get code which is as safe and secure as the community can collectively make it.

So while not making their source code 'open source' - by opening this centre, and thus their code, to review by others, HikVision obviously hope to prove that their code is as safe and secure as they can make it, and thus their PRODUCTS are safe and secure for use by others, and NOT open to state paid actors to penetrate at will.

I think HikVision deserve credit for this. Time will tell if the reputation payoff is what they hope it will be!

David had posted this in a new thread. I've copied it here so all discussion is in one place.

David, thanks for the feedback! Very interesting comparison to open source. On your point here:

As anyone who knows anything about Open Source will tell you, one of its strengths has been the fact that anyone can review the source code to a project and thus it is almost impossible to have hidden back doors in open source software....

So while not making their source code 'open source' - by opening this centre, and thus their code, to review by others,

What Hikvision is doing is only superficially similar to open source. The key to open source is that anyone can see it, anyone can examine it at great length, anyone can publicly call out problems. With Hikvision's approach, only people who are approved by Hikvision's sales team, who physically go to their office, who dedicate days or weeks to being in their office and who promise to never publicly disclose any problems, get to go. It's a great marketing move but it's nothing like real open source and the benefits you get of true transparency and openness.

Agreed - There is little substitute for real Open Source - but to protect their IP, there is only so far they can go.

It would be interesting to learn the actual TERMS of the NDA. If it's that they can't disclose the CODE, or they can't comment - even generally - on their findings...

Update: Hikvision corporate has provided IPVM a response to questions raised in this thread. I am doing a final follow up to verify some information and I expect a post by early next week at the latest.

Even if you examine the source code, it does not mean there are not deliberate back doors in the camera. For example, there are multiple levels of source code in a camera. Are they including the source code for the SOC (microcode)? Would also need to include code for the design of (all) the silicon chips too. And my 1st question would be, does the camera use an OS (Operating System) and what is it? To make sure there are no backdoors in the camera, the task is too complex. I have already shown there are several levels that would need validation. The above does not include code (at any level) that creates a deliberate security vulnerability. It would be foolish to think that source code disclosure is of much value.