Subscriber Discussion

Replace All Hikvision Products: How We Choose To Handle The Hikvision Backdoor

Mark Jones
Jan 17, 2018

Here is how we just (today) chose to handle it.

Replace all Hikvision products.  

Fortunately, we don't have that many in the field.  

NOTICE: This comment was moved from an existing discussion: Hikvision Backdoor Confirmed

John Honovich
Jan 17, 2018
IPVM

Mark, did your company eat the cost then or?

Mark Jones
Jan 17, 2018

We did.  These situations were costing us money: truck rolls and tech time.  

At the end of the day, it is about value.  

Undisclosed Manufacturer #1
Jan 17, 2018

Fair play to you sir!

Mark Jones
Jan 17, 2018

I will continue to use their Turbo Cad products, but I cannot use the IP.  There are too many holes.

Undisclosed #2
Jan 17, 2018
IPVMU Certified

Here is how we just (today) chose to handle it.

Replace all Hikvision products.

Can I have them?  (for research)

Mark Jones
Jan 17, 2018

I will find some use for them.  Sorry.

Undisclosed #2
Jan 17, 2018
IPVMU Certified
Undisclosed Integrator #3
Jan 24, 2018

What will you do about the HIK/DMP cameras?

Mark Jones
Jan 24, 2018

I have not given that a lot of thought yet, but it is a fair question.  We only very recently decided we would no longer install their IP cameras. One option is to convert the analog to IP using a more secure device.  

Oddly enough, we have one that asked for it today, so it is timely. They really like the integrated platform approach. 

We are DMP through and through.  It is our lead horse.  We have a 25-year relationship with them so it is not going anywhere.

The first order of business will be to speak to them and ask them their intentions given that we don't use Hikvision IP cameras.  I do know they have their own software in their DMP routers (it is proprietary) and I think they have it in their rebranded cameras but I am not sure about that.  I also know DMP provides the server to route the signals to customers' devices.  There are several questions to be answered. 

The smaller businesses and residential work is what is at stake.  To the larger corporations we simply won't recommend HKV, and we will tell them why, provided they don't already know. The smalls don't have an IT department.  Most don't even remember the password on their router.  They don't know how much bandwidth they have or many other details.  They just know what they want.  

We will have to work out the details with DMP for the smaller installs.  That is the best answer I have today, but if we are not comfortable that there is adequate security, it will not be supported here.  

It is not like we don't know how; we do.  My point earlier was and is that our larger corp clients don't give us a voice, and they are the majority of our work.

Personally, I would prefer a cellular option. That would eliminate a ton of issues. 

Sorry, I didn't mean to write a novel.

Mark Jones
Jan 25, 2018

A follow-up from DMP:

The HIK cameras are running a proprietary firmware built just for us (DMP) that VPNs directly back to our video servers. So they are secure and they can’t go anywhere else. We have done a lot of testing and pen testing on the SecureCom Video... we have the ability to push additional firmware to the cameras and plug any holes if we ever need to. 

At this time we feel pretty good about where we are... but we remain vigilant and ever watchful. 

Another follow-up conversation with Tech Support is as follows:

Mark Jones, thanks for the question. Mark Hillenburg is spot on. The difference between traditional Hikvision cameras and ours is that our cameras have custom firmware that doesn't require punching holes in a customer's firewall (UPnP). Not only do we not require it, we've explicitly disabled it in our firmware. Since our cameras create an encrypted VPN tunnel back to our servers, the camera is never exposed to the Internet directly.

I hope this answers some of the questions in the room.  Thanks,

Damith Jayasinghe
Jan 24, 2018

Yeah, best answer I have heard.

Dennis Ruban
Jan 24, 2018

Proper network design would protect your customer. Instead of replacing the equipment I'd better invest in some network training for technicians.

We discussed it here so many times: Router, dedicated network for IoT devices, VPN for the remote users, firewall rules to prevent IoT from communicating to Internet.

I assume that you replaced Hik with something in the same price category and this decision is not a risk mitigation at all.

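One concrete form of the design Dennis lists (dedicated camera network, VPN for remote users, no camera egress to the Internet), as an added example that is not from this discussion or from any vendor: an nftables ruleset for the site router. The interface names, subnets, VMS address and VPN port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the discussion). Cameras live on their own VLAN;
# only the VMS may reach them, and they may reach nothing but the router.
# Interface names, subnets and addresses below are assumptions.
flush ruleset

define cam_if   = "vlan20"          # camera VLAN (assumed)
define lan_if   = "vlan10"          # office LAN (assumed)
define wan_if   = "eth0"            # uplink (assumed)
define wg_if    = "wg0"             # WireGuard VPN for remote viewers (assumed)
define cam_net  = 192.168.20.0/24   # camera subnet (assumed)
define vms_host = 192.168.10.50     # NVR/VMS that pulls RTSP (assumed)

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The VMS may open RTSP/HTTP(S) sessions to cameras; nothing else may.
        iifname $lan_if ip saddr $vms_host oifname $cam_if ip daddr $cam_net \
            tcp dport { 80, 443, 554 } accept

        # Remote viewers arrive over the VPN and talk to the VMS only.
        iifname $wg_if oifname $lan_if ip daddr $vms_host tcp dport 443 accept

        # Policy drop already blocks camera-initiated traffic to the LAN, the
        # VPN and the Internet; this rule just logs attempts so they are seen.
        iifname $cam_if oifname { $lan_if, $wg_if, $wan_if } \
            log prefix "cam-egress-drop " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Cameras may use the router only for DHCP and NTP.
        iifname $cam_if udp dport { 67, 123 } accept

        # Router administration from the office LAN only.
        iifname $lan_if tcp dport { 22, 443 } accept

        # VPN endpoint for remote users (WireGuard port is an assumption).
        iifname $wan_if udp dport 51820 accept
    }
}
```

Check it with `nft -c -f <file>` before loading; any "cam-egress-drop" entries in the kernel log afterwards are cameras trying to phone out, which is exactly the behaviour the design is meant to contain.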
Ben Lucier
Jan 24, 2018
pofp.com

Proper network design would protect your customer. Instead of replacing the equipment I'd better invest in some network training for technicians.

I was saying the same thing yesterday in a different thread (the Axis trust post) and I agree. There's lots of talk about Hik being insecure, but I can't find any example where our customers are exposed to Hik's flaws with a proper design. I think a lot of security pros find this challenging though since they're not network designers.

Mark Jones
Jan 24, 2018

Network design will only take you so far.  

Some customers just do not want you to alter their networks.  It is their property at the end of the day.  The responsibility to mitigate the risk is mine.

Dennis Ruban
Jan 24, 2018

Go to a car mechanic and tell him how to do his job. It's your car, not his. Same thing with a builder: you pay for the house, who cares about all the codes and his experience, it's your property at the end of the day.

Oh, don't forget your family doctor. He's waiting for advice. It's your body.

Mark Jones
Jan 24, 2018

Respectfully, your point is lost in hyperbole.  

We work in a large number of Financial Institutions.  They have rigid rules about their networks. In most cases, they are written around Federal guidelines.  The security vendor is the very last person that will have a voice in their network.  In some cases, we are not even allowed to connect our PCs to a networked device.  We must program it, then connect it.  If we go back for service, we have to disconnect it from their network, service it, then reconnect.  

Some may see it as arrogance on their part, but at the end of the day, it is their network.  I can make all of the suggestions I want. 

And yes, it is my body. 

Dennis Ruban
Jan 24, 2018

If we're talking about such strict policies, those organizations definitely have network security specialists (full-time or contractors, doesn't matter) and IDS/IPS devices, firewall policies, firmware update policies, periodic pentests from outside and inside the network, etc.

So, even if you wanted to mess with Hikvision, you wouldn't be able to. It's all about network management, not particular IoT vulnerabilities.

Dennis Ruban
Jan 24, 2018

And yes, I understand that we have to blame Hik here (IPVM) and I'm playing the role of devil's advocate.

Campbell Chang
Jan 25, 2018

To be fair, if a large financial institution has a policy that would enable access to the vulnerabilities on the cameras, then they've probably got some much larger issues in their IT department.

John Honovich
Jan 25, 2018
IPVM

To be fair, if a large financial institution has a policy that would enable access to the vulnerabilities on the cameras, then they've probably got some much larger issues in their IT department.

The 'just do it right' and then you don't need to worry about anything else tactic is quite risky. The reality is lots of things can go wrong, especially in complex, ever expanding and changing systems. So you want to minimize the risks that you add to the system. If an element has a bad track record (let's leave Hikvision out here and pick Foscam, e.g.), the right choice is to eliminate such risks. Agree/disagree?

Campbell Chang
Jan 29, 2018

If an element has a bad track record (let's leave Hikvision out here and pick Foscam, e.g.), the right choice is to eliminate such risks. Agree/disagree?

Depends on the SA in this regard.  I know plenty who are confident enough in their own abilities and their own infrastructure that they're not super concerned about it.

I also know a few who won't go anywhere near them.

Horses for courses I guess.

Will Van Wickler
Jan 24, 2018

If you are trying to get rid of some Hik cameras I would love to play with them!

Undisclosed #2
Jan 24, 2018
IPVMU Certified

Dibs ;)

Luis Carmona
Jan 28, 2018
Geutebruck USA • IPVMU Certified

I wonder if there might be a market for 3rd party firmware on Hik or other cameras. I have heard of a market for "white boxed" network switches and your choice of 3rd party firmware you could put on them. Think of the popular Tomato firmware developed for Linksys 54G routers that added all kinds of features beyond the factory firmware. It might be a way to "salvage" the situation.
