How And When We Sell And Don't Sell Hikvision

[IPVM note: This comment originally came from the Hikvision hacking legal disclaimer article and is being re-posted here to highlight and encourage more discussion.]

As a business, we survive on cash flow. Many of our SMB customers are in the same position as we are. They need to optimize cash flow. Last week we finished a $20,000 project. Our competitor who was selling Axis cameras and Exacq came in at $36,000. We used Hikvision NVRs and cameras on their small business campus. This customer needed a cost-effective solution that worked to monitor potential workers' compensation problems. They did not have the money to spend on a higher-end solution. They understood the potential issues with installing Hikvision and accepted the risk. Their IT team put in a SonicWall in front of each recorder at each building. They are not concerned about cyber security as they feel they have nothing of value to protect on their network. To customers with this attitude, I have no problem selling Hikvision. They sign our agreement and assume the risk. To them, mitigating a potential lawsuit from a fake workers' compensation request is more important than protecting their data. Does this attitude make me a non-professional for installing this equipment? No, we sold the customers what they wanted/could afford and covered ourselves the best we could by securing their network with their IT team and our contract. We installed the system with the same care and professionalism we would at the State Department, DOD or any of the power plants or nuclear facilities we provide service for. With licenses in 13 states, we are far from truck slammers looking to sell cheap cameras.

On the other end of the spectrum, when we have a customer who has PCI compliance at stake, we will not connect the Hikvision cameras to the internet, or we install something else.

There's a huge market that cannot afford Milestone, Axis, Avigilon, etc. They also cannot afford not to have video surveillance. Who am I to deny these small businesses access to surveillance systems? If I sell it to them, I can make sure it's installed properly and cameras are positioned properly.

Would I recommend a high-security facility install Hikvision cameras? No. Would I install Hikvision if they paid me? Yes. In situations where cyber security is critical, we provide multiple quotes. We let the customers know the advantages and disadvantages of each system and let them choose; if they decide to have us install Hikvision, then that is what we will install. Part of our agreement states that we recommended a more advanced security system and the subscriber rejected it. If they contract us to install Hikvision and they want the system on their network, it's up to them to provide that network security. We are not a network security firm and do not advertise ourselves as such.

All of that being said, as a company we have made the decision to reduce our Hikvision offerings and move in a different direction. When we first started selling Hikvision there weren't many alternatives to Hikvision in the US through legitimate distributors. We will continue to sell their cameras, but not their recorders. We will reevaluate this decision as more information comes to us. We need more quality lower-cost offerings like Dahua, Hikvision and Digital Watchdog.


Undisclosed, thanks for sharing. I think that is a pragmatic approach. Certainly being clear about the upsides and downsides / risks is important.

There are definitely a lot of dealers who either do not or simply do not share such risks with their customers. That is what I think is particularly inappropriate and dangerous for both integrator and customer.

What were the differences in features and image quality between your solution and your competitor's?

We offered better image quality (4MP with true WDR), better camera positioning (thanks to the camera calculator), more storage (12TB vs 3TB), and better redundancy. We installed 3 NVRs, one at each building, rather than using their unreliable VPN (3 different WANs) to stream cameras back to a server. My competitor's system would not have met this customer's expectations: 1MP cameras from Axis with no IR and no WDR.

They received 4 bids; we were not the lowest. One of the bids was half of what ours was and one was slightly less. One was for the 36k.

They told me what sold them was my professionalism/industry knowledge (thanks IPVM) and the awesome looking quote that included IPVM camera calculations. I did those calculations on my iPad (day of new website update) as I walked around the property and showed them what I came up with when we got back to the main office. Buying an iPad Pro and the pencil has been a great investment. The other guys put their hands in the air and told them to close one eye and that would show them what they could expect to see.

They told me what sold them was my professionalism/industry knowledge (thanks IPVM) and the awesome looking quote that included IPVM camera calculations.

See, IPVM is helping Hikvision :)

Seriously though, 1, glad to hear it helped you!

The other guys put their hands in the air and told them to close one eye and that would show them what they could expect to see.

And for night views just close the other one.

"one of the bids was half of what ours was...."

Must have been Longse......?

It was TVI equipment from an independent electrical contractor who works for them regularly.

Meant more as a joke, but thanks. :)

Sorry, but I'm calling bullshit.

This integrator is not warning people about the potential risks of using Hikvision in a competitive bid situation like the one described. "Hey, this system might hurt you" is not part of their sales pitch.

And "they have nothing of value on their network"? They said that? They're not storing employee records? No accounting? Let me guess - you didn't ask these follow-up questions.

Bullshit. Just admit that you sell a product that you're not proud of - whether because it's somewhat vulnerable or because its purpose is to unbalance the market - but let's be honest with each other and move on.

I was thinking the same thing. I call BS too. You must be wording it in a much less explanative way to your customer than how you described to us.

Also, if you are telling them Hik has a high security risk while the others don't, you sure are putting a lot of risk on yourself, in my opinion.

BTW, I'm a believer that the other manufacturers can be hacked just as easily as Hikvision. I think you're foolish if you think otherwise.

As a person who does penetration testing regularly on cameras, you are incorrect, sir.

But it is more of a scale from 1-10, with 10 being the most secure, with Hik being a 3-5, and their clones being 1 to 2 points under that. There are a few that are way more secure but cost 2-3 times more.

Eddie, do you think that it's mainly the effort and money that vendor has spent on their security implementation that makes it more secure; or could some part it be the fact that systems that are more readily available, (due to their lower price), are targeted proportionally more, and therefore more exploits have been shared/discovered than others?

Dallmeier, for instance, is seemingly a very responsible vendor, and I don't see any current exploits for them; therefore I expect they might score high on the Perry Security Scale :)

But how many people are trying to hack Dallmeier?

I don't want to go into "hacking" techniques here as it would cause more of a stir than needed. Plus I don't deal with EU-only cams, I just deal with ones in the USA.

But they would get a 2, as their firmware/update files are executable .sh files with the image/.bin file copied and pasted into them.

Executable bash files are a big no-no: not only do I get a copy of your camera OS/firmware, now I know where to look, as the executable tells me where changes are made and how and what's used to do so. So much free information cuts down on the time to break into it.

Not to mention that Linux is a hacker's choice tool and a .sh file is just going to make it that much easier (after they stop laughing, of course) to do what they please.

It would be a disservice to go into any more detail about a manufacturer's software without their permission, or give away free trade secrets on how to crack network cameras, here in this thread.

I don't want to go into "hacking" techniques...

Nor do you need to.

What I was wondering was,

do you think that it's mainly the effort and money that vendor has spent on their security implementation that makes it more secure; or could some part it be the fact that systems that are more readily available, (due to their lower price), are targeted proportionally more, and therefore more exploits have been shared/discovered than others?

I asked the question here a little over a year ago about something like this: how much effort do manufacturers put into securing their software? Only one person replied and pretty much confirmed what I suspected: the more "budget" the camera is, the less money is spent on development all the way around. Just like other posts and comments here about quality control and reliability of hardware components in cheaper cameras versus those in more expensive cameras, I'm of the belief it's no different for the other major component of the camera... the software.

That's a hard question to answer. Sometimes it's about what someone can afford to poke around in at home, so the cheaper ones get exploited. Other times it's a pride thing, and when someone puts out "we have the most secure devices out there, you are not going to crack them," it's like covering yourself in bacon and running through a dog park at the busiest hour trying to avoid getting caught. Someone is going to do it just to prove they can and then post it on YouTube to rub it in your face.

It really comes down to support. If you have active support updating and patching your software, then it's "less likely" that you are going to crack it.

The general rule is the more convenient something is, the less secure it tends to be. The main issues I see with security cameras today in the security area are P2P, mobile apps/3rd party servers, and piss-poor software management/development.

I agree, there are more Hik products out there by far than anything else, installed in both low-security networks and high-security networks, which just means there are a number more opportunities for hackers to get in, but I don't necessarily think it's a more hackable product than others.

I would argue this: "Sure, Hikvision has been hacked, but let me tell you this: that Windows server that you are putting that so-called 'more secure' software on, I can promise you Windows PCs/servers are hacked a whole heck of a lot more than Hikvision recorders. In that case, it may make better sense to use a standalone Hikvision recorder."

I'm too lazy to look, but I'm sure Windows has a clause of some sort that says they are not responsible for being hacked either. Should we stop using Windows? When you get as giant as Hik and Windows, you have to come up with every conceivable way of not getting sued.

I'm too lazy to look, but I'm sure Windows has a clause of some sort that says they are not responsible for being hacked either. Should we stop using Windows?

Here is the Windows 10 EULA. Check it; there are no exceptions or warnings about not taking responsibility for hacks or cyber security risks.

Indeed, the EULA includes this positive affirmation from Milestone:

Malware protection. Microsoft cares about protecting your device from malware. The software will turn on malware protection if other protection is not installed or has expired. To do so, other antimalware software will be disabled or may have to be removed.

That's quite different than Hikvision. Also, recall, no other video surveillance manufacturer has been found to have any clause like Hikvision's.

Check it; there are no exceptions or warnings about not taking responsibility for hacks or cyber security risks.

This only means Microsoft judges there to be zero liability from not including the clause.

Using its absence as an indication that MS crap is less hackable or that its masters are more ethical than Hik is unfounded.

I submit that there have been more exploits uncovered in MS products than all others in the world COMBINED. Some of them existed for YEARS before being remediated.

Where are all the awards?

Using its absence as an indication that MS crap is less hackable

That's a strawman argument. I've never stated nor implied that MS was more or less hackable.

A member claimed this:

I'm too lazy to look, but I'm sure Windows has a clause of some sort that says they are not responsible for being hacked either.

And I was able to refute that specific claim.

This only means Microsoft judges there to be zero liability from not including the clause

If you have facts to support that, show them. But you can't make such a specific assertion, with such a strong statement, about an entity whose internals you know so little about.

That's a strawman argument. I've never stated nor implied that MS was more or less hackable.

Then on that point we agree.

If you have facts to support that, show them. But you can't make such a specific assertion, with such a strong statement, about an entity whose internals you know so little about.

My strong statement was:

This only means Microsoft judges there to be zero liability from not including the clause

I make this statement based on the absence of them ever being found liable. Surely, if anyone could be sued for loss of data, privacy etc. for hacking, it would be Microsoft, no? Yet, I don't see a case. Maybe I'm missing it.

I do see them being sued. In 2003, for instance, a well-filed claim seeking class action status was heralded as the beginning of the end for Microsoft's free pass on security, from the NY Times:

Trial lawyers have watched with increasing interest in recent months as malicious computer viruses and worms — all exploiting security flaws in Microsoft software — have crashed computers and networks around the world. It is only a matter of time, they said, before the class-action suits against Microsoft start dropping.

Yet, I don't see the class-action suits dropping in the 13 years since, let alone a successful judgement.

It's hard to prove a negative here; maybe there are some cases that show that Microsoft has good reason to be concerned.

Finally, their public statement on the lawsuit was this:

"This complaint misses the point," the Microsoft statement added. "The problems caused by viruses and other security attacks are the result of criminal acts by the people who write viruses."

Does that sound like someone taking responsibility?

Well, as much as I despise Bill Gates and MS, they do release security updates as fast as they can find and fix them. And as long as they make an effort, it comes down to intent. They don't intend to be negligent; plus, if you download and install any extra software (like Firefox) and your system becomes vulnerable, it's not their problem, because you are licensed to use their software and modify it.

This is entirely different from network cam OS/firmware, where you are not allowed to modify the code other than as the manufacturer allows (updates, upgrades).

You are for the most part locked out of the camera other than what you are allowed to use. If the vulnerabilities come from the parts you can't change, then it could be argued in court that it is on the manufacturer. But if they make an effort to try and stay on top of vulnerabilities and patch them, then it becomes harder to win that case.

I agree. I guess your choice of system will never be on the customer's network, and the Hikvision would?

How is it that just because it's Hikvision the chances of a successful attack increase? Would that not be your networking abilities instead of the camera manufacturer?

Would that not be your networking abilities instead of the camera manufacturer?

With any computer, it is certainly a combination of the two.

How is it that just because it's Hikvision the chances of a successful attack increase?

Even if the chance of a successful attack is exactly the same, the consequences for the integrator and user are worse with Hikvision because not only will you suffer the harm of the attack itself, you will take the blame much harder (e.g., "So you deployed cameras with a poor cyber track record, an explicit disclaimer of responsibility, made by the Chinese government?").

That's why I think #1's approach is sensible to at least make risks clear up front. If the buyer knows that and you've documented it, it's on them if they want to do it.

Knowing U1, I think the person is being honest here. Whether you agree with his approach or not is certainly a fair question but I do not think he is doing this as a marketing trick or BS.

We sell primarily Hik and Dahua. We try our best to get either a secure VLAN or a separate network entirely. Sometimes, clients, for whatever reason, don't take network security as seriously as we do. They have their own IT depts that decide where the cameras land on the network and the restrictions to access them. We don't always get to call the shots.

When possible, we like to control the entire camera network from WAN to Cam. (That's my new slogan! /kidding) That way, we can ensure (to the best of our abilities) that the network is secure.

This is a bit of a side note: I was in Mexico recently, and there is a boom of Hikvision cameras there. Places I have gone to for years that didn't have any camera systems now have Hikvision cameras. I saw no less than 10 new systems in place that were Hikvision and were 4-16 camera systems where there hadn't been a camera system before. Also, I think they are doing some private label for Steren, which is an electronics store. Anyone else seen this?

Aaron, from talking with dealers recently, it feels like the majority of them sell Hikvision at least some of the time.

That's not totally shocking considering they have been the fastest rising brand for the past two years (e.g., Top Manufacturers Gaining 2015, Top Manufacturers Gaining 2014) and they probably have equal or more salespeople in North America than any other video surveillance manufacturer now.