Subscriber Discussion

Request For IPVM To Create A Hikvision Honeypot...

Undisclosed #1
Sep 16, 2016
IPVMU Certified

Would it be possible for IPVM to create a quarantined network, consisting of a typical mix of Hikvision equipment; a couple cameras, a recorder, maybe a PC running iVMS, and let them do their thing for a couple of weeks?

All the while logging all outbound network requests outside of the subdomain.

Or has someone already done this?

Michael Miller
Sep 16, 2016

We just partnered with a cyber security expert and will be doing this in house. Looking forward to seeing the results.

Undisclosed Manufacturer #2
Sep 16, 2016

I don't think it is so simple. If the camera doesn't detect DNS, gateway, and other indicators of Internet access, it could stay a sleeper. Or maybe only wakes up when using their DDNS or cloud service...

Best bet would be to run on an actual camera that is connected to the internet, but on a DMZ and then log traffic and analyze.

Undisclosed #1
Sep 16, 2016
IPVMU Certified

"Best bet would be to run on an actual camera that is connected to the internet, but on a DMZ and then log traffic and analyze."

Why connect it to the internet?

It can't tell whether it is connected to the internet or not without trying to connect, and if it can't connect it may repeatedly try a variety of IPs.

And the tries are easily detected. Once you determine the outbound ports, you would open them one at a time to observe the activity.
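The logging step discussed above, as an added example that is not part of any poster's message: it summarizes blocked outbound attempts from a quarantined lab subnet by protocol and destination port. The subnet, the log lines (constructed, in the style of Linux netfilter LOG output) and the busiest-first ordering are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the quarantined lab subnet; traffic to anything else is "outbound".
LAB_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed sample: gateway drop-log lines in the style of netfilter LOG output.
SAMPLE_LOG = """\
Sep 16 10:00:01 gw kernel: CAM-OUT IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.5 PROTO=UDP SPT=40000 DPT=123
Sep 16 10:00:02 gw kernel: CAM-OUT IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=8000
Sep 16 10:00:05 gw kernel: CAM-OUT IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=198.51.100.8 PROTO=TCP SPT=40113 DPT=8000
Sep 16 10:00:09 gw kernel: CAM-OUT IN=eth1 OUT=eth1 SRC=192.168.50.10 DST=192.168.50.20 PROTO=TCP SPT=40114 DPT=554
Sep 16 10:01:00 gw kernel: CAM-OUT IN=eth1 OUT=eth0 SRC=192.168.50.20 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=8000
garbage line without fields
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def outbound_attempts(log_text, lab_net=LAB_NET):
    """Group blocked attempts leaving lab_net by (protocol, destination port)."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "destinations": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            key = (f["PROTO"], int(f.get("DPT", 0)))  # ICMP lines carry no DPT
        except (KeyError, ValueError):
            continue  # not a packet log line, or malformed
        if src not in lab_net or dst in lab_net:
            continue  # keep only lab device -> outside the lab
        entry = summary[key]
        entry["count"] += 1
        entry["sources"].add(str(src))
        entry["destinations"].add(str(dst))
    return dict(summary)

def ports_by_activity(summary):
    """Order (proto, port) pairs busiest first, e.g. as the order to open them."""
    return sorted(summary, key=lambda k: (-summary[k]["count"], k))

if __name__ == "__main__":
    report = outbound_attempts(SAMPLE_LOG)
    for proto, port in ports_by_activity(report):
        e = report[(proto, port)]
        print(proto, port, e["count"], sorted(e["sources"]), sorted(e["destinations"]))
```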

Marty Calhoun
Sep 16, 2016
IPVMU Certified

I say go for it and only use the best cyber security firm you can find. Use two different companies even, one East Coast, one in South America.

Spend unlimited amounts of cash and hours and hours of productive time.

A report that reflects HIKVISION in a positive manner would never be published.

The witch hunt continues.....

Undisclosed #1
Sep 16, 2016
IPVMU Certified

Actually Marty, I think it's unlikely one would be found. But at least we should do a simple test like this, no? Do it on other brands as well.

You're right, only if something was found would it be newsworthy. That's because there are many ways to beat a simple trap like this, so it doesn't mean the device is clean, necessarily.

Undisclosed Integrator #3
Sep 17, 2016

There have been many positive articles about Hikvision here over the past couple years.

Undisclosed #1
Sep 17, 2016
IPVMU Certified

"There have been many positive articles about Hikvision here over the past couple years."

Yes, maybe even more than Avigilon. ;)

Undisclosed Manufacturer #5
Sep 18, 2016

More than Arecont Vision even? :)

Marty Calhoun
Sep 17, 2016
IPVMU Certified

I agree there have been several indeed, I was referring to information developed from the hiring of a 'cyber-security' firm. Sorry I was not more specific.

Undisclosed Integrator #4
Sep 17, 2016

Laptop with i7, 4k Screen, 4gb of vram and 16gb ram.

When at the office use laptop screen and 3 external monitors with a docking hub. I would never switch back to a tower at this point as I like to bring my files with me without working through the cloud but obviously it is nice to have extra monitors for power usage.

Undisclosed #1
Sep 17, 2016
IPVMU Certified
John Honovich
Sep 17, 2016
IPVM

I am not opposed to doing something like this. And, more generally, I think it would be useful for IPVM to fund penetration testing of major brands, not just Hikvision, but Dahua, Axis, Avigilon, etc., etc.

That said, while many members emphasize the cyber security side heavily with Hikvision, I want to reiterate that my belief continues to be the biggest threat from Hikvision is economic, i.e., how it uses its government funding for international sales and expansion.

Jon Dillabaugh
Sep 19, 2016
Pro Focus LLC

While I see value in the testing, I think a "no-harm-found" result could lead to integrators letting down their guard.

My point is this; as a security professional, you should NEVER let your guard down. You shouldn't trust Hikvision, Dahua, Axis, or any other brand to wander your networks. They should ALL be kept at bay.

If we all took this approach, these results wouldn't really matter much, other than to confirm my approach, if a fault was found. Otherwise, they would tend to allow less professional installers some slack in their slacking.

Undisclosed End User #6
Sep 28, 2016

I've been asked to put Hikvision through a similar battery of tests, before deploying a bunch of them.

We've got sniffers and anue's and stealth watch and this and that and other things.

So I'll do it in the next year.

However, like John said, I don't think we'll find anything.

You can bet your britches that Axis, Sony, et al, already have labs set up trying as hard as they can to pin some tinfoil on Hikvision.

John Honovich
Sep 28, 2016
IPVM

"You can bet your britches that Axis, Sony, et al, already have labs set up trying as hard as they can to pin some tinfoil on Hikvision."

I can see why you would think that but I don't think that's the case. On the one hand, I think many (but certainly not all manufacturers and less than most believe) do extensive testing on their competitors but it is super rare to find a manufacturer who uses that for competitive purposes. For example, we would likely hear directly (as it is in the interest of rivals to promote it) or indirectly as manufacturers communicate it to their dealers, some who would share with us. However, we rarely hear about anything like that.

Undisclosed #1
Sep 28, 2016
IPVMU Certified