Subscriber Discussion

The Big Hack: How China Used A Tiny Chip To Infiltrate U.S. Companies

MM
Michael Miller
Oct 04, 2018

Interesting read.  Do the Hikvision supporters still think the Chinese government wouldn't use Hikvision as an attack vector?

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

BP
Bas Poiesz
Oct 04, 2018

Interesting read Michael, and I am still reading!

Some would consider me a Hik supporter so let me offer my view.

If 'China' wants to infiltrate countries worldwide, I am sure they can. If the US wants to do so, I am sure they can.
There are numerous stories about the likes of NSA listening in, not just inside the USA borders. Please don't get me wrong, I am not trying to deflect.

It's real on both sides of the line that cyber warfare is happening.

To think that they need a camera/NVR from Hikvision (Or Dahua for that matter) to reach that goal is silly in my opinion, and the article you supplied proves the point:
there are far better ways to get into interesting networks and locations.

JH
John Honovich
Oct 04, 2018
IPVM

Some would consider me a Hik supporter so let me offer my view....

there are far better ways to get into interesting networks and locations.

They inserted a backdoor chip into a video compression server. And your response is that it would be 'silly' to use camera/NVR from Hikvision?

BP
Bas Poiesz
Oct 04, 2018

Yep, that's my answer.

Hik and Dahua have a significant footprint, but in most government use (also before the ban) Genetec, Milestone, Bosch, Axis, Avigilon etc. have the real big footprint.

If you want mass access, waiting for someone to buy a CCTV product from your brand is not the quickest way.

In the Bloomberg article at the explanation of how it was done, at point 2:


The microchips were inserted at Chinese factories that supplied Supermicro, one of the world’s biggest sellers of server motherboards.

Every single business needs servers of some sort. Get into these and you get a lot further a lot quicker than waiting for them to upgrade their camera system.

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places.


This article is not proving Hikvision or Dahua are the trojan horses China puts its money on. For all you know the debatable Prism runs on hardware with this chip. No camera needed.

U
Undisclosed #1
Oct 04, 2018

If you want mass access, waiting for someone to buy a CCTV product from your brand is not the quickest way.

Why do you assume that they would only target servers or only target Supermicro? Why do you assume they want mass access instead of all access?

The chips outlined in the article are tiny, and presumably so cheap as to be almost free. Once you are at that point, putting them in as many devices as possible would be one logical approach. For a government-controlled manufacturer like Hikvision, I would be very worried about something like this being present in the camera.

It is also possible that this chip, or the same effective components of it, exists in SoCs from companies like HiSilicon, also a Chinese government favorite. Hikvision, Dahua, and many other companies use HiSilicon chips in their cameras and other devices.

Every single business needs servers of some sort. Get into these and you get a lot further a lot quicker than waiting for them to upgrade their camera system.

I disagree strongly with this. I know of many businesses, even larger ones, that have the vast majority of their servers "in the cloud". Or, they have the servers in remote data centers. That makes it much harder for a malicious server to access data traversing the local LAN. However, all of these businesses have lots of surveillance cameras installed. The cameras are at each building, much closer to local networks and other data that remote servers, or servers hosted and controlled by 3rd parties, would not have access to.

BP
Bas Poiesz
Oct 04, 2018

Why do you assume that they would only target servers or only target Supermicro?

I don't assume that they want mass access or all access. Just stating a camera to get in there is not the fastest route.

I disagree strongly with this. I know of many businesses, even larger ones, that have the vast majority of their servers "in the cloud".

That may be true, but not all businesses are in the Cloud. And what hardware is being run at this cloud?


I am not debating that this is happening. And no matter how you feel about Hik/Dahua, you cannot debate that the USA is undertaking similar activities with the earlier mentioned Prism, building very debatable detention camps or suggestions to build walls. It's happening on both sides.

My point is that in order to get intel, there are better ways to do it.

UM
Undisclosed Manufacturer #3
Oct 04, 2018

Geez, open the eyes. When you're a government seeking to control or bring down another government (or protect your own government from an antagonist government), there is no, "better way," there is only, "every way possible," and see what we can learn. 

This is not a path of least resistance scenario. This is a scenario where they'll knock on every door in America until someone opens the door and lets them in for a cup of coffee. I mean tea. And then proceed to steal all their furniture while you answer the phone in the kitchen. 

BP
Bas Poiesz
Oct 04, 2018

My eyes are open, don't worry.

Please read the above links about Prism and the things happening at the south USA border.

Look at it objectively, because if the stars and stripes would be replaced by any Asian flag you would be fuming.

UM
Undisclosed Manufacturer #3
Oct 04, 2018

I'm confused by the comment. Not sure what last sentence has to do with anything. 

The premise of your comment is that "there are better ways" than camera vulnerabilities to get to inside data/information/intelligence. 

My only point is they'll use any vector available to get to data/information/intelligence. That doesn't make a "less better way" to invade any less significant in the big picture. A vulnerability is a vulnerability when the threat is universal. 

Prism (et al) are the US intelligence community doing the same in reverse. I would suggest that their fundamental purpose is to protect America rather than to bring down China (I can only hope that I'm right).

Alternately, I am disgusted with use and storage of my personal data and information. I have nothing to hide but I fundamentally believe it's wrong. Likewise, if I had bad intentions against America, as an American, I'm happy someone is trying to stop it.

I guess the choice is, do nothing and hope you don't get nuked or do something nefarious to try to prevent it. It's the battle of risk versus tolerance. In this environment I believe the risk is very high and all vectors should be considered dangerous. 

BP
Bas Poiesz
Oct 05, 2018

I understand that’s how you feel about Prism. As a non American, it sends chills down my spine. It’s very intrusive and basically kills any form of privacy. 

That’s what I meant with the last comment. I read some responses and just wonder if respondents would feel the same if their way of doing it was looked at through another set of eyes.

I very much dislike the re-education camps and the fact that there is no privacy in China. But I am equally disgusted at the way little children are kept from their parents and detained like criminals and with prism and programs like that.

It's OK to point it out when it's happening far away but once it happens on USA soil it's good and needed.

I just don't see how that adds up.

UM
Undisclosed Manufacturer #6
Oct 05, 2018

Interesting story and another one that should be food for thought for those that are assisting the Chinese Government with spreading potential 'hazardous' kit around the world at an alarming rate.

I bet we are only still scratching the surface here and many more similar cases will be discovered.

Hard to believe that there are still people here defending what the Chinese are doing.

If you sell Hik you support the Chinese Government, if you buy Hik you support the Chinese Government...and all their actions.

Based on the many past and current revelations I do not understand how western folk can get up in the morning and get to their jobs at this or any other Chinese state owned company.


U
Undisclosed #1
Oct 04, 2018

The rough summary is that the Chinese government developed a tiny chip that acted as a hardware backdoor, then inserted this chip into Supermicro motherboards being manufactured at contract facilities in China.

Based on the way the chip worked, and where it was inserted into the signal paths on the motherboards, it could hack the OS from within and "phone home" for further instructions.

You would not find this chip, or code to control it, in any source code review. You could even set up a special source code review center for government employees and let them look at ALL of your code, and even if the code was perfectly secure, this tiny hardware chip would still allow compromise of the system.

Software design and point of origin is an important part of making network devices as secure as possible. However, as always, physical access wins. If you can't trust the hardware, all the way back to the point of manufacture, you can't trust the device, no matter what firmware is on it.

This tiny chip would easily fit within the design of any IoT device, like surveillance or access control equipment. The designer of the hardware would not even know it was there, unless they did a total tear-down and analysis of the equipment built by the contract manufacturer (this is rarely done, if it performs to spec, there is no reason to do this). The hardware company could even claim "we put no backdoors in our products", and they would be right, since the back door was put there by the Chinese government without their awareness or participation.

"Made In China" is rapidly becoming synonymous with "Can't Be Trusted Under Any Circumstances".

U
Undisclosed #2
Oct 04, 2018
IPVMU Certified

There is no need to add any tiny stealth chip to the main board of any network camera already using a HiSilicon (or other Chinese SOC).

You just use the SOC.  It's just a matter of microcode.

Discussed here...

UI
Undisclosed Integrator #4
Oct 04, 2018

Hik, Avigilon, Axis, you name it, they all travel on network equipment that is assembled in China.  I am not as worried about the cameras as I am the actual network equipment.  Our company has always installed our customers' cameras on completely isolated networks, even down to a completely unique ISP circuit.  Hik today, Axis tomorrow, it is a network device traveling on a network switch and as long as that switch is on a sensitive network then I still believe that is the biggest threat.

We received a contract to do a small regional financial firm and their CIO was insistent on setting up their numerous branch offices with cameras but specifically did not want them connected to any WAN link.  If they want to review video, they walk into the equipment room and check it and burn it to a DVD.  After all is said and done, that is probably the safest thing you can do.  If E.T. can't phone home then you are safer than any brand can claim to be.

MM
Michael Miller
Oct 04, 2018

Curious, do most of your customers not want any remote access to their systems?

UI
Undisclosed Integrator #4
Oct 04, 2018

It depends on the client.  We are honest with them and inform them that regardless of which brand they want or the costs of the systems, they are all currently insecure or will become so at some point.  Some don't mind the risks, others can't afford it.

U
Undisclosed #5
Oct 04, 2018

this is 100% correct.

microchips on motherboards?  yeah... right.

please.

this is misdirection.

In 1994 Kevin Mitnick broke into Tsutomu Shimomura's computer in San Diego from an apartment in Raleigh, NC.  Something he had been doing to others for more than a decade.

Except this guy happened to be a research scientist - working with the NSA on computational physics at the kernel level.

2 months later, Mitnick was tracked down in NC and busted.

woops.

microchips.

lol. 

UM
Undisclosed Manufacturer #3
Oct 05, 2018

Just curious what you mean by:

"microchips on motherboards? yeah... right.

please. this is misdirection"

It seems you suggest everything is traceable if you know the (very few) right people. Is that what you're getting at?

U
Undisclosed #5
Oct 05, 2018

no...

I am making fun of those that think:

1.  that this even occurred (if you search, you will find that every principal party in this story denies it ever happened).

From the WSJ (linked in last sentence)

"Editor’s note: This story has been updated with additional reporting on the views of U.S. officials about the Bloomberg Businessweek report. One official who previously had conveyed confidence in the report later expressed uncertainty. The story also includes additional denials from Apple and Amazon."

2.  that surreptitiously implanting microchips on motherboards is the pinnacle of spy craft in 2018. 

U
Undisclosed #2
Oct 05, 2018
IPVMU Certified

i love that story

FJ
Fredrik Johansson
Oct 05, 2018

Well sure, it's not good what they are doing.

But I wouldn't bash China too much, this is going on all over the world.
Especially from the USA and NSA.

They have backdoors in RSA encryption, hacked television to spy, inserted backdoors in Microsoft installations, backdoors in Cisco routers. They even spied on Merkel and her private conversations.

I could continue for ages...

China does this, USA does this, Russia does this..


I'm not trying to defend anyone, just saying that this is more common than you might think.

BP
Bas Poiesz
Oct 05, 2018

A question to the IPVM team.

On the FAQ I read:

  • We have over 10,000 PRO Members from 100+ countries.

For non US citizens this news about China is disturbing. But how about some investigative journalism on what is happening on US soil?

There is a lot that deserves attention in your own backyard.

Not trying to deflect or pull a straw man, more calling out the men in the glass house.

U
Undisclosed #5
Oct 05, 2018

"Not trying to deflect.."

closing statements that start with 'Not trying to deflect' are usually read by others as:

'my argument above is weak - and even I am aware of this." 

BP
Bas Poiesz
Oct 05, 2018

Well this is your chance to stand out and actually give an answer to my point. I’m all ears

U
Undisclosed #5
Oct 05, 2018

your deflection point was not clear to me...

Are you asking why IPVM isn't more like The Guardian?

and to be clear, you asked your question of the IPVM team and I am not a member of that team.

I just dislike weak arguments.

U
Undisclosed #5
Oct 05, 2018

you see what I did there?

strong close vs weak close.

BP
Bas Poiesz
Oct 05, 2018

All I see is zero answers and more of what you complain others do. Answer the question or don’t reply. This is useless

U
Undisclosed #5
Oct 05, 2018

your most powerful close yet.

excellent work!  ;)

BP
Bas Poiesz
Oct 05, 2018

Good to see you are so happy with yourself, must be great for you.

Great informative rebuttal

JH
John Honovich
Oct 05, 2018
IPVM

I / IPVM am happy to discuss. As I emailed you earlier, I recommend you comment on this on the main post so others can see and respond as well.

U
Undisclosed #2
Oct 05, 2018
IPVMU Certified

I / IPVM am happy to discuss.

Is IPVM actually an eponymous pronominal acronym?

U
Undisclosed #5
Oct 05, 2018

an eponymous pronominal initialism you mean?

example:  "HUD in the US"

HUD (Housing and Urban Development) is an acronym because it's said like a word.

US is an initialism because it is not said as a word, but as a string of initials.

ASIS is actually an initialism as well - which is how people in that group say it.  Everyone else on the planet uses ASIS as an acronym and say it as a spoken word (with varying short and long A sounds depending on who is speaking the name).

U
Undisclosed #2
Oct 06, 2018
IPVMU Certified

thanks, I wasn’t aware.  

All this time I’ve been saying /ip/vim/.

U
Undisclosed #5
Oct 07, 2018

some dickhead pointed this out to me a few years ago when I made the same mistake.

I didn't believe him so I looked it up - and found out he was right.

I have been waiting years to be that same dickhead... so thanks!  ;)

JH
John Honovich
Oct 05, 2018
IPVM

We have now published our post here: China Hacks Video Servers Causing Uproar.

This is a good discussion, so we will keep this and our post. Thanks.
