Hikvision 'Privilege-Escalating' Security Vulnerability, Actually a Backdoor

Published Mar 13, 2017 18:00 PM

Hikvision has disclosed a new security vulnerability that affects 200+ of their IP cameras over the past few years.

In this note, we examine the vulnerability, share results of the new firmware's changes and its potential impact.

Update - this 'privilege-escalating' vulnerability has turned out to be Hikvision's IP camera backdoor.

Vulnerability ********

*********'* ***** *************-********** ************* **************:

**** * ******** ******* **** ** used ** ****** *** ** ******* with ********** ******** ******** ********, ** may ***** ********* ** ****** ** unauthorized ********* ********** **** ********* ** acquire ** ****** **** *** ****** information.

200+ ******** ********

**** *** ** ******* *** ********, most ******** **** *.* ******** ***** started ******** ** ****. ***** ** the **** **** *** ******:

IPVM Image

***** *** ****** ********, ** *** tens ** ********, ** ***** ******* deployed ****** *** ***** ** ** covers **** ** *********'* ** *******.

What **** '********* **********' ****?

**** ** ******* ** **** ***** of * '********* **********' ** *********. *** *******, ** a ****** ** ****'* '*********' ** 'escalated' ** *****, **** ** ********** harmless, ***** ** ***** ******* ******* having **** ***********. *******, ** ** anonymous *************** ****** ***** ** '*********' to *****, **** ***** ** ********* serious ** **** ****** *** ***** access *** ****** ***** **** ******* of **. ********* *** ******** ******* on *** '********* **********' *****.

Firmware ******* ******* - ****** *******

*** *** ******** (*.*.*) *** **** removes **** ************* *** ** **** entirely ******* ******, *********'* **** *******. The ********* ***** ***** *** ** upgraded ********* ****** ** ****** ****** for ******:

IPVM Image

** *** ***** ***** *** **** using ******, **** **** ** ****** between ********** ** ** ** *** patching **** *************.

Grey ****** ******* ******

* *********** ****** ** ********* ******* are ****** ** *** **** ******, and ****** ** ********, ****** *********** risk. **** ** *** ** *** fact *** ******* ** ***** ******* often ******* *** ******** ******* ******** in *** ******, ** ********* *** firmware ** ****** ** '*****' ****, or *********** ***** **** ** ****** to * ******* ******** **.

No ***** ** '********' *****

***** ** ** ***** ** *** 'backdoor' ***** **** *** ************* ** *********** ***** *** *** ************ ** ***** ** ********** ***** ****. *** ******** ** 'montecrypto', *** ********* ** ************ ******** *********. ******** ****"***** ** * ******** ** **** popular ********* ******** **** ***** ** possible ** **** **** ***** ****** to *** ******" *** **** "*** can ******** ******** ***** ********** **** anonymous *** ****** ** *****." ** claims **** *** ******** ** ******** to ********* *** ***** ** **** firmware *******. *******, ** *** ******** no ***** ** **** ********. ** or **** **** *******, ** **** update *** ******.

UPDATE: ***** ** ******** **** **********

********* ***************** ** ************ **** ********** ** ****** ****** via ********* ** ******* ** *** next *** *****:

IPVM Image

UPDATE: ******** *********

***:********* ******** *********

Comments (67)
UM
Undisclosed Manufacturer #1
Mar 15, 2017

Is this a "retread" of old news or does Hik have (almost) weekly exploits discovered?

Avatar
Brian Karas
Mar 15, 2017
IPVM

If you are referring to the Hikvision Defaulted Devices Getting Hacked report/news, this is very different.

Hikvision sent this notice out March 12th, as a separate notification from their March 2nd notice about the DVRs getting hacked.

This vulnerability is related to their IP cameras (there are no reports yet of this affecting DVR/NVR units, but without better details from Hikvision those units cannot be totally ruled out). Also, this could be more severe if the privilege escalation vulnerability is exploitable as an anonymous user.

In short, this is a new discovery.

 

(8)
U
Undisclosed #2
Mar 15, 2017

I am sure Genetec is skipping down the hallways of HQ while they read this.

(2)
(1)
(5)
UI
Undisclosed Integrator #3
Mar 15, 2017

Doubt it.  I have a feeling there are more than a few Hikvision cameras being recorded into Genetec equipment.  Genetec charging more to license in a Hikvision camera does not equal a complete disconnect of all Hikvision cameras.

Keep in mind, Hikvision and Genetec are not direct competitors.  Genetec is simply charging a fee to cover additional support costs pertaining to Hikvision cameras and splashing a warning for the uneducated on potential vulnerabilities.

(1)
(2)
(1)
U
Undisclosed #2
Mar 16, 2017

Why would I keep in mind your 'feeling' and 'doubt' regarding warnings splashing the potentially uneducated?

I eagerly await Genetec's disclosure(s) of what they may have found. Perhaps we can learn more.

(2)
U
Undisclosed #6
Mar 16, 2017

You'll be waiting for a long time. Genetec has nothing on Hikvision, its all speculation.

(2)
(2)
Avatar
Jon Dillabaugh
Mar 16, 2017
Pro Focus LLC

I think Genetec has their hands full with their own D.C. exploit scandal. 

(1)
(3)
(3)
(1)
Avatar
Brian Karas
Mar 16, 2017
IPVM

Jon -

Not sure if you saw our report on that: Genetec Comments on Washington DC MPD Hack ?

It looks like the Genetec VMS was not exploited, but the most likely cause was a Windows exploit. The MPD was using Genetec appliances, so maybe you could argue that Genetec should have enforced better security for the windows side, but their specific software does not appear to be the entry point.

This most recent Hikvision exploit, from the information they have chosen to provide, reads much more like a vulnerability issue that Hikvision is directly responsible for.

(3)
Avatar
Jon Dillabaugh
Mar 16, 2017
Pro Focus LLC

So Hikvision relies on Linux, Genetec relies on Windows. That is their respective choices. 

My point was that Genetec doesn't require new passwords, or any password, on major, admin level accounts, let alone strong, complex passwords. 

So forgive me if I find all of the Genetec fanboys calling out Hikvision security when their own product is quite possibly the worst out of box security one could imagine. 

(3)
(3)
(3)
Avatar
Sean Nelson
Mar 16, 2017
Nelly's Security
I agree. For them to allow entry without a password is bananas. I dont hate Genetec either, its a fine product, just still waiting on the base of their claim to denounce Hikvision. Hik has gotten hammered for weak security details and this isnt considered weak?
(2)
(2)
(1)
Avatar
Brian Karas
Mar 16, 2017
IPVM

Jon -

There is an important distinction between the two product types/approaches.

In the case of Genetec's NVR appliance, the unit is more like a pre-loaded server. Yes, Genetec sells it, and ships it with a certain default configuration, but the user/installer has full permissions and ability to correct issues like default passwords, updates that have not been installed, etc. 

In the case of Hikvision's cameras, the user/installer has no access to the underlying software or security settings. As you can see from my Hikvision Firmware Decrypted post, there is a root user hardcoded in at least some Hikvision firmware (it is probably in all firmware images, but we know for sure it is at least in this one). There are also services, like SSH, running that the user/installer has no control over. Hikvision ultimately gives you relatively limited control over what you can do to secure the device, and in this recent exploit example they are not even telling users what part of the product is vulnerable, which prevents users from assessing the situation and/or implementing other fixes if the cannot upgrade the firmware.

From an 'out of the box' perspective, Genetec has no or default passwords, Hikvision has an exploit that is most likely immune to strong passwords or unique passwords. 

Additionally, Genetec DID issue recommendations that if followed would have likely prevented the MPD incident. Hikvision forces you to set a strong password, but still leaves a hole open that attackers can use to exploit the device.

 

(3)
(3)
U
Undisclosed #7
Mar 19, 2017

Forget just Genetec - what VMS's ship with passwords already applied to the System Administrator account?

Though I certainly haven't installed them all, I have never encountered a VMS that doesn't have a blank PW for the admin account.

Ethan would know - he tests everything... :)

Avatar
Ethan Ace
Mar 19, 2017

Exacq and Avigilon, for two. Milestone uses Windows credentials by default. Genetec and FLIR are blank. I think NX/DW asks for a password during install, if I remember correctly.

For the record, though, I'd agree with Karas' assessment of why software passwords are less of a vulnerability than OS level issues.

(1)
(2)
U
Undisclosed #7
Mar 19, 2017

I voted his comment as Informative - so I agree as well.

But what about all the other VMS's on the market?

Do most have a password already associated with the System Administrator account?

...or do most, not?

MC
Marty Calhoun
Mar 17, 2017
IPVMU Certified

Brain-

You stated 'most recent exploit'...I missed which product was 100% definitively exploited?

(2)
Avatar
Jon Dillabaugh
Mar 17, 2017
Pro Focus LLC

He is speaking about the one they patched before it was publicly known about. 

(1)
(1)
Avatar
Brian Karas
Mar 17, 2017
IPVM

Marty -

It was not a single product, it was hundreds.  See the post above, the firmware updates Hikvision issued for the privilege escalation vulnerability they described in their own release notes affected a wide number of cameras.

 

(3)
MC
Marty Calhoun
Mar 17, 2017
IPVMU Certified

My point was 'could' and 'it's possible' seem to me to insinuate a warning of sorts and not some 'admission of guilt' to be prosecuted for. Have you ever seen documentation included with a product indicating a recall or change that was discovered after the product was released?

Are you offended by that or would it be considered 'honest business practice' to inform buyers there 'could' be an issue if proper security measures are not taken on the buyers part. At some point in the sale it becomes the buyers obligation to understand what 'liability' they may be facing if they do not exercise 'prudent and well known industry standard security practices' after the sale. Hikvision has no control over the Ethernet network you place a product on. I strongly doubt it is hundreds and think it would be closer to hundreds of thousands, that is why has taken the measure to PROACTIVELY announce a POSSIBLE problem.

Please let me know how this effort on HIKVISION'S part to inform of  a problem that "could happen" be considered anything other than an ordinary notice to its dealers. I find it impossible to consider that ALL other manufacturers at one point or another have not been down this same road.

(1)
(3)
U
Undisclosed #4
Mar 15, 2017

Does Hikvision know how to party, or what?

(1)
(8)
UM
Undisclosed Manufacturer #5
Mar 16, 2017

They (Hik) clearly have 'security' very low down the list of priorities. There is no excuse for this taking their massive R&D budget in to consideration. It's all about pumping out great amounts of product whether or not it comes with 'shaky' firmware. They simply don't care and why would they, most of the SI's installing their kit don't seem to care either...it's an endless cycle it seems

(9)
(2)
MC
Marty Calhoun
Mar 17, 2017
IPVMU Certified

UD #5   What CONCRETE information are you working with that would give you the assumption HIKVISION considers CYBER-SECURITY to be 'low on a list of priorities'? What makes you think any company would knowingly 'Pump out great amounts of product' that would be 'shaky'? 

"Simply dont care and why would they"? Are you kidding? My name an relationship is at the top of the page, I am not hiding behind undisclosed. I think who ever you work for better hope they are working half as hard as HIKVISION is to be the leader in the industry and deal with baseless negative comments with little or no merit and many technical assumptions that are incorrect. Who is letting politics get in the way of being rational?

Of course Politics aside because that has no bearing on anything, really.

(7)
(1)
UM
Undisclosed Manufacturer #5
Mar 17, 2017

Take off the blinkers please. Hik is drawing the attention to themselves, no matter how hard you defend them and or love them. If they work that hard than they better go back to the drawing board and start spending time there where it matters. It's great to see that between Jon and yourself they have loyal followers no matter what. Your arguments sound personal and nearly emotional, I'm not sure why. It's all about good housekeeping and getting your priorities right and imo Hik is lacking in those departments.

(4)
(1)
MC
Marty Calhoun
Mar 18, 2017
IPVMU Certified

Thank you for your consideration but I can assure you I am not a "follower" of anyone or one that makes decisions without considering the merits. My 'arguments' should not be considered personal as I and many others have a differing opinion on the Chinese in general. Perhaps you should consider taking a moment and remembering that everyone in the world does not operate on United States values and concerns. There are other cultures in the world that are respectful and hardworking and deserve compliment. As for their 'priorities', well I would bet a nickel that they do care and just may be following a path least understood by Americans. Dont be confused I am a US citizen and 100% believe in our county and its culture, but there are others, I have an open mind.

(2)
JH
John Honovich
Mar 18, 2017
IPVM

Dont be confused I am a US citizen and 100% believe in our county and its culture

And that's why you sell Hikvision China government manufactured cameras to the US military. Marty, how did your US military customers respond to you disclosing this most recent security vulnerability to them?

(3)
(2)
(1)
MC
Marty Calhoun
Mar 19, 2017
IPVMU Certified

Hard working, middle class Chinese HIKVISION employees manufacturer cameras. I would be surprised to see someone from Chinese government manufacturing cameras. I understand your concern but I believe you are singling out HIKVISION as a entity that is traded as a public company as being some sort of monster that it is not. Why are you not singling out the Germans? It is certainly possible that machinery and technology in those"factories" are made by them. That is what makes the cameras possible, we would have no discussion without it. HIKVISION products are made in world class electronic device manufacturing facilities, not some dark back room or warehouse. John- As I have requested on several occasions before Please provide the concrete proof- not innuendos- that HIKVISION has EVER put any software into any device that would be used for a purpose other than what the device is made for? Can you do that? Can the "wizard" that has found back doors and so forth do that? Where is the proof? You have stated in the past that IPVM gets much of its information from reputable, knowledgeable sources, produce that evidence? Anyone can make broad, unsubstantiated claims in cheap attempts to 'slay the dragon' but when the rubber hits the road what FACTUAL INFORMATION do you really have ?

As to what I sell and to who, that is done in an honest and professional way. I have never deceived or attempted to deceive anyone nor will I.I believe that all of my customers are buying on Quality, they have manufacturer # 2 and #3's equipment, they choose # 1, I make no apologies. I am concerned that we Americans cannot see that the world is truly a global economy and the way America does business or manufacturers devices is not the only way. There are other societies in this world that may have found a better way and can produce IP Video cameras in a way that allows them to sell on the US market at what we consider 'inexpensive'. Inexpensive to Americans is mostly confused with 'cheap', two completely different things. Race to the Bottom, NOT, also as I have stated before "someone is laughing all the way to the bank. One should stop and consider that the Germans, the French and the Chinese are of a culture different that ours, that in itself does not make them 'aliens' or un-trustworthy. Why are you attempting to confuse or insight public outrage against HIKVISION simply because that culture allows the government to own 'x' amount of every business. They also own the land and the buildings, so what? Their society is not our society, they are of a different culture. How does this in itself make them the bad guy? They make quality products, they sell them for a very reasonable price point.

John, IPVM is your forum, you have every right to announce as you may, you feelings and beliefs that are differing from my own but please for the sake of honesty and to clarify the claims, produce the absolute, concrete proof that HIKVISION rolled off the production line a camera, an NVR or a paper clip that is made for nefarious purposes and I will be the first one out.

(4)
(4)
(2)
(3)
U
Undisclosed #6
Mar 19, 2017

Nailed it.

(1)
RS
Robert Shih
Mar 19, 2017
Independent

Funny how you are so quick to give China a pass when you yourself are not Chinese and you know nothing of the culture and the government there from firsthand or familial account. I mean even MY agent in China acknowledges the totalitarian nature of China with her annoyance at the Chinese Firewall and how it complicates their general operations. Even our government gets constantly scrutinized around the world for spreading our influence when we don't even have state run businesses.

Let's be clear, John has backed up his claim thoroughly with sources for Hikvision's origin story, financial ownership shares, and LITERALLY THEIR LEADERSHIP SWEARING ALLEGIANCE AND LOYALTY TO THE PARTY AND ITS VALUES IN THEIR OWN WORDS! My mother LIVED through Mao's Cultural Revolution only to have the male figures in her family stripped from her! Let's not forget multiple verified incidents where we have caught them SPYING and hacking against us and our businesses like Google (and then pressuring them to cooperate in surveilling their own citizens). That and the blatant currency value manipulation.

There is NO shortage of evidence for dishonesty from the Chinese government and their officials, what makes you think that John Honovich can wring an admission of guilt from Hikvision? Hell, let's not forget how easily the Russians have been playing our administration. This isn't about whether or not there can ever be confirmed proof that people like you would be satisfied with. This is about the fact that if this is true despite your protestations and it is used against us, it'll be too late as is. In the global realm of national interests, you are helping the enemy win.

(1)
(2)
Avatar
Sean Nelson
Mar 19, 2017
Nelly's Security

Im confused by your statement. Im not sure if you condone the Chinese or not and/or condone Hikvision or whatever your motive was for that post. Im confused because i dont see how carrying Dahua would be any better or worse.

(2)
(1)
(1)
RS
Robert Shih
Mar 19, 2017
Independent

One is a state-owned company whose management subscribes to the party doctrine of a non-ally nation's single party dictatoryship whole-heartedly, the other is a private company. There is no equivalency between the two in these aspects, stop trying to create one by "failing to see" how one is better or worse than the other in the theater of a national security risks.

U
Undisclosed #6
Mar 19, 2017

You do know the Chinese govt owns Dahua as well dont you?

This brings me back to a point i have stated before. Dahua is also partly owned by the chinese government. Do you not think that the Chinese government has just as much control over Dahua as they do Hikvision. Isnt Dahua just as much as a cybersecurity "threat" as Hikvision. History shows maybe even more.

IMO, its silly to claim that Hik is an insecure product due to its Chinese govt ownership on one hand and on the other hand claim that Dahua is a much safer alternative just because they are only partly owned. Whats worse is Dahua does not have a great cybersecurity track record to strengthen this claim either.

 

(1)
(1)
(4)
JH
John Honovich
Mar 19, 2017
IPVM

You do know the Chinese govt owns Dahua as well dont you?

That's factually wrong. Share evidence to back your claim.

From our investigation of Dahua, here are the differences:

  • Hikvision was founded by the government, Dahua not.
  • Hikvision controlling shareholder is the government, Dahua not.
  • Hikvision Chairman is communist party secretary, Dahua not.

I am no 'fan' of Dahua but I think it is unfair to say that the Chinese govt owns Dahua. I do recognize you and JD have touted a China owned investment group with a meager 1.84% of Dahua but that's a nothing compared to the 3 bullet points above for Hikvision.

(1)
(1)
MC
Marty Calhoun
Mar 20, 2017
IPVMU Certified

He is spitting out whatever he can think of because he has no rational evidence that would convince a mouse of HIKVISION's complicity in intelligence gathering. I said HIKVISION not, who owns stock in the company, (even if that really mattered).

MC
Marty Calhoun
Mar 20, 2017
IPVMU Certified

Mr. Shih- Can you produce the concrete absolute evidence that HIKVISION has produced or directly been responsible for the production of any imaging device or recorder that has been used for a purpose un-intended? Do you hold that evidence? Show your hand while you have the stage. Spying, the government, human rights those are all valid concerns but have absolutely ZERO to do with Jeffery He or HIKVISION and the IP Video industry. Russians, the leadership, etc are feeble attempts to cloud the point of the discussion. The accusation has been made that HIKVISION has done a 'down and dirty' on the American public and quite simply that is "Un-proven" Un-substantiated" and they, like it or lump it are being un-fairly accused and associated with past grievances. Why are you not attacking BOSCH since they are held as a German corporation and the atrocities committed by HITLER? Hell that happened in our Lifetime instead of attempting to rope in the Mao revolution. What happened to the Kitchen sink, you have made those same tired and wild claims on anything  except definitive proof of HIKVISION's guilt. I will stand up for anyone that I feel is being treated in a manner I have the experience and knowledge to know otherwise. You and others are attempting to create scare tactics that are at the very least unfounded. "Helping the enemy win", that is a foolish, childish statement, there is no enemy, we owe these people 20 trillion dollars that we have "borrowed' on our good faith and you claim they are the enemy? Where would the United States be without their money? How about answering that if you want to avoid the subject of proving complicity of Hikvision. Every civilized country on the Planet has good and bad, I am not condoning the dark side of China but I will defend a company that has not knowingly committed these alleged acts of intelligence gathering. I am sure that Jeffery has concerns as he is a professional leading a large organization from barely nothing to where it is today, like it or hate it they are # 1. and I believe any person roping all of these sentiments together creates confusion, not solutions.

 

(1)
U
Undisclosed #7
Mar 20, 2017

Back before we could 'prove' the earth was round, it was still round.

Marty, your position is numbingly obtuse.  Your 'show me the historical evidence' is a strawman that you just can't see beyond.

You can continue to ignore any of the many concerns that others have with this particular manufacturer and feel as good as you want to about it... but stating that everyone else's concerns are idiotic because a potential 0 day has not arrived is purposefully turning a blind eye to at least the potential whether you admit this to yourself or not.

Note:  I am posting Undisclosed (I'm skerred) and I will ignore anything further you have to say on the subject of this manufacturer.

(1)
JH
John Honovich
Mar 19, 2017
IPVM

Marty, you avoided the question, so I will repeat:

Marty, how did your US military customers respond to you disclosing this most recent security vulnerability to them?

As for your Chinese government rebuttal:

Hard working, middle class Chinese HIKVISION employees manufacturer cameras. I would be surprised to see someone from Chinese government manufacturing cameras.

Hikvision is run by Chairman Chen Zongnian who is a Communist Party secretary and makes the decisions. The people who physically manufacturer or sell cameras are simply following orders from the Party (i.e. Government) leadership.

My point is simple, selling network products to the US government from a company owned by the Chinese government should be an absolute non-starter, since it is inherently risky since the geopolitical relations of the two and the Chinese government's overall track record of cyberattacks against the US government and US corporations.

(5)
(1)
Avatar
Sean Nelson
Mar 20, 2017
Nelly's Security

Disclaimer: I dont think Hikvision or Dahua for that matter has any ill will to harm the USA with cyber warfare either now or in the future, but this is aimed at the people who do think such. I personally think both companies are great.

Your question: 
"That's factually wrong. Share evidence to back your claim."

Your answer:
"I do recognize you and JD have touted a China owned investment group with a meager 1.84% of Dahua"

I also recognize your point, Hikvision is "WAY" more owned by China than Dahua is. But what you and some others are effectively doing is justifying that its okay to accept the "lesser evil". I think its cray cray to tout that your chinese products are any more secure than Hikvisions. If you truely wanted to "not support the enemy" then be a patriot and boycott all Chinese networkable products altogether

The easiest way for me to explain this is in analogies:

- if you make a deal with the mafia (China Govt), no matter how small the deal is, one day the Godfather will calleth to return the favor.
(this proves my point that if the Chinese govt wanted Dahua to initiate cyber warfare on anyone, they would HAVE to do it.)

2 guys. one guy tells a bunch of small little lies, does some small time robberies, doesnt ruin peoples lives but causes some major inconvenience. Never asks for forgiveness, never feels bad about it. The other guy commits several murders, never asks for forgiveness, never feels bad about it. They both die one day, arent they both going to hell? 
(Bad analogy I know, but it makes my case that if you truely believe that China is the enemy of any sort, how can you justify that your doing any less "bad" by doing business with a company that has a small percentage of ownership compared to a company that is owned by a larger percentage. China owned is china owned. P.S., this was just an analogy to prove a point, dont get all religous on me. P.S.S., Im also not saying anyone is going to hell for buying from any one company either!

Would you do business with any company that was 1.84% owned by a state ran North Korea investment group? Same question on Iran.

- Would you do business that you know for a fact has small ties with the mafia? Same question on Isis.

All Im saying is, I think its silly when someone touts how their Chinese made product they sell or represent is any safer than another Chinese made product. If we were in war with China, dont you think China could commission any of their companies to use their products against us, whether they were state owned or not. Its not like any Chinese company is going to say "No" to the Chinese Government.

Which brings me again to my point. If you truely think China is the enemy or significant threat or whatever, then why wouldnt you boycott all Chinese made network-able products? 

(1)
(1)
(2)
RS
Robert Shih
Mar 20, 2017
Independent

Again with the false equivalency. I'm an anti-theist, but I still don't go around saying that Christianity is, by its core definition, the philosophy of warmongers like Islam is since I know the difference in source material. Even though technically they all revere the same Abrahamic God, the message is different by nature of the prophet vs. the son of God. Islam charges its believers with spreading influence through claiming the lands they live in for Allah, Christianity is pacifist by nature due to one very important proverb as well as Jesus' overall nature.

There is a vast difference between being MADE by a what is in essence Chinese government entity as opposed to by a private business with less than 2% ownership by that government. This is in addition to the fact that Dahua does not implement a Hisilicon based chipset for the majority of its product line, unlike Hikvision. Hell, Dahua can't even give good pricing on its Hisilicon based NVR to the point where it's able to give better offers on its Intel based NVR.

(1)
(2)
JH
John Honovich
Mar 20, 2017
IPVM

I also recognize your point, Hikvision is "WAY" more owned by China than Dahua is.

Sean, you've significantly misinterpreted my point. It is not about the 'amount' of ownership at all.

It is about the type of ownership (Hikvision's controlling shareholder is the Chinese government, Dahua is not), the level of political controller (Hikvision's chairman is a Chinese government employee, Dahua not), and the origin of the company (Hikvision was founded directly from the government, Dahua was not).

We can certainly disagree on the significance or the meaning of things but please refrain from brushing aside the facts.

(1)
U
Undisclosed #6
Mar 20, 2017

"It is about the type of ownership"

I agree with your point about the "type" of ownership, your right, the facts are their, but your still "justifying the lesser evil". 

"There is a vast difference between being MADE by a what is in essence Chinese government entity as opposed to by a private business with less than 2% ownership by that government."

I agree, but you are also "justifying the lesser evil."

You are basically saying, "I am not okay with 100% ownership but Im perfectly fine with flirting around with 2%"

If you dont think so, then I guess thats where I respectfully wholeheartedly disagree.

JH
John Honovich
Mar 20, 2017
IPVM

You are basically saying, "I am not okay with 100% ownership but Im perfectly fine with flirting around with 2%"

2% 'ownership' is not ownership. It is a passive investment. A 2% owner has no input or control into a company.

If you cannot understand the difference between a 'controlling shareholder' and a 2% shareholder, than you fundamentally do not understand investing and corporate management.

Avatar
Sean Nelson
Mar 20, 2017
Nelly's Security

"2% 'ownership' is not ownership. It is a passive investment. A 2% owner has no input or control into a company."

Are you familiar enough with Chinese Securities and Exchange laws to back this statement up? Not saying you arent but just wondering out of curiosity.

All Im saying is, if the Chinese govt ordered Dahua to initiate a cyber warfare attack on the USA, do you really think they are going to say "No"

I dont think so. They cant get away with stuff like that like we can here in the USA.

Again, if you are so concerned about the Chinese warfare threat, then why not just boycott all Chinese made products so we can choke out their economy?

RS
Robert Shih
Mar 20, 2017
Independent

Okay, the ownership level determines the control threshold and how easily said devices can be made to have a backdoor on the hardware level. Dahua isn't obligated to put in a hardware level backdoor for the Chinese government and can deny them access or simply not have the option in the first place. This is opposed to what Hik could easily do with being controlled by Chinese governmental interests in the first place, allowing them to use all Hisilicon chips and quietly implement effective backdoors that are not reported to anyone else.

This isn't about financial repercussions of funding the Chinese government through an x% ownership, but the hacking and surveillance capabilities of a state owned technology company with international product dispersion. This isn't an equivalency or a scaled threat from option A to option B. Option B (Dahua) simply won't invest itself to allow the Chinese government the capability to access their devices at the drop of a dime for the sake of their loyalty to the government being that it's a private company.

Avatar
Sean Nelson
Mar 20, 2017
Nelly's Security

"Dahua isn't obligated to put in a hardware level backdoor for the Chinese government and can deny them access or simply not have the option in the first place"

Too easy: So your saying your customers should feel more comfortable selling Dahua products when it was recently discovered that Dahua did indeed have a blatant backdoor on the products. 

BTW, im not dissing on you or Dahua, I think your a great guy and I think Dahua is a great product. I just think its silly that you are touting that Dahua is a more secure option than Hikvision. No way man.

Also, you know more about China than I do obviously. But dont you think Dahua WOULD be obligated to put a backdoor on their products if the Chinese govt told them to. I mean can you really protest against the govt in China like you can in the USA?

RS
Robert Shih
Mar 20, 2017
Independent

Here's a clue as to my ethical standing: I STILL don't sell for the GSA and don't sell to military. Even though my product isn't AS bad, I'm not pushing for selling it to my government till I at least have it comply with significant transformation by being assembled in the USA first. I respect my laws and I desire that my government not be compromised by foreign product.

As far as whether or not Dahua can avoid complying with the Chinese government, I believe they can by taking it public and drawing scrutiny and international criticism. Google set a dangerous precedent for refusing to provide information on China's own citizens to the government. Basically it's hard to build something with that kind of scope when everyone knows you are. That's why it is harder to solicit or coerce Dahua into the course of action which Hikvision would take part in easily.

Avatar
Sean Nelson
Mar 20, 2017
Nelly's Security

"Even though my product isn't AS bad, I'm not pushing for selling it to my government till I at least have it comply with significant transformation by being assembled in the USA first. I respect my laws and I desire that my government not be compromised by foreign product."

By this statement I sense your a bit skeptical of the product that you sell and whether its a secure product or not. But your fine with selling it to American integrators who will be installing it for small businesses and end users, just not military? 

At any rate, I respect your opinion and Im not looking to go back and forth. You share similar thoughts with several other people on here as well. I just dont understand it is all. Which is fine, we agree to disagree.

U
Undisclosed #10
Apr 26, 2017
IPVMU Certified

As far as whether or not Dahua can avoid complying with the Chinese government, I believe they can by taking it public and drawing scrutiny and international criticism. 

Can you cite any instance of a Chinese national corporation standing up to the Communist party by refusing to provide information?

In any industry. Ever.

 

 

UM
Undisclosed Manufacturer #11
Apr 26, 2017

Worked out alright for this guy....

See, the kind and benevolent Chinese military stopped their country drive just to let him cross the street.

UE
Undisclosed End User #9
Apr 26, 2017

That guy, on the pic, was a guy walking home after been in shop for food (you see the bags), don't know why he staid in the front of tanks like that - but guess he got bit pissed, tanks tried to drive around him, but he resisted and blocked - until the tanks drove over him.

Quite big news around the world back then...

UM
Undisclosed Manufacturer #1
Mar 20, 2017

"I dont think Hikvision or Dahua for that matter has any ill will to harm the USA with cyber warfare either now or in the future"

http://www.dailystar.co.uk/news/latest-news/598422/china-war-warning-us-army-bases-missiles-taiwan

 

(2)
MC
Marty Calhoun
Mar 20, 2017
IPVMU Certified

John I have never 'avoided' your questions. I supply all customers, military and other wise with any and all information they request at any time before, during and after any bid or installation. My military customers have presented to me some of the questions you have raised as well. My explanation to them is the same as you, no difference. The problem here is this: Innuendos do not make fact, where is the factual information that absolutely proves without any question HIKVISION has manufacturer any device that is determinable to the US or any of our citizens? Making claims does not make facts. Your explanation of who 'runs' HIKVISION day to day is flimsy at best. Ownership of some stock does not mean design control or anything else. In the Chinese culture the government owns the land too, that is their way of life. I cannot believe that applying Western cultural values on a different country is proof of malfeasance in any way. We have NO PROOF they have done anything except make a product that you have admitted several times is a quality product, provide excellent service and sell to our market at a reasonable price point then you "Flip=Flop" and complain over who owns stock like that has a bearing on anything to do with manufacturing. Do you really think the guy at the top sends some 'subliminal message' down to workers to sneak in some faulty code? If you do think that is true then you believe in the tooth fairy as well. I am not agreeing that all Chinese is good, some Chinese manufacturers make some bullish quality merchandise same as other countries but HIKVISION is not one of those type manufacturers.

(1)
(1)
Avatar
Matthew Netardus
Mar 20, 2017
IPVMU Certified

There is a huge difference between the Chinese Government owning "some" stock, and the Chinese Government being the PRIMARY shareholder (and the CEO of HIKVision being a high ranking Party official)

MC
Marty Calhoun
Mar 20, 2017
IPVMU Certified

Please explain what exact role the "primary shareholder" you have mentioned has in the everyday operations of Hikvision, if any? Where do you get your information as to the operations of this company?Please do not apply Western conceptual thinking in the equation as this is a Chinese company.

 

Avatar
Matthew Netardus
Mar 21, 2017
IPVMU Certified

Not sure why the primary stakeholder is in quotations, the fact that the government is a primary shareholder isn't a point that is up for debate.

That is true this is a Chinese company that doesn't have Western conceptual thinking; that is actually the worrisome part for me. Based on current trends and pricing strategies it would seem as though HIKVision is being utilized as a policy entity rather than a purely profit based. 

However, that is of obvious concern coming from a nation that has a high rate of corporate and intellectual property espionage (https://www.theguardian.com/world/2016/oct/15/china-reputation-copycats-pelamis-intellectual-property   http://www.ipcommission.org/report/ip_commission_report_052213.pdf) and has a very thinly veiled cyber battle going on with the US as we speak. 

 

Big picture wise, the primary shareholder in this case has a huge say in the day to day operation of the company seeings as how a high ranking member in it is currently the CEO of the company...

To say that the Chinese government has little to do with the operation of the company when the communist party secretary is currently the CEO of HIKVision is not defendable 

(1)
UM
Undisclosed Manufacturer #5
Mar 18, 2017

'Perhaps you should consider taking a moment and remembering that everyone in the world does not operate on United States values and concerns.'

That doesn't apply to me in any shape or form. I'm not American. I'm actually from a background and country that is known to be the most liberal and open minded in the world. Don't jump to conclusions unless your facts are 100% correct or 'concrete'.

None of the products that I have represented or promoted have ever been involved in any kind of hacking or other breaches of security.

I can also guarantee you that the people I work with (I don't work for people) are more interested in producing and marketing quality products than Hik ever will, based on their current track record. I'm interested in your answer to the above question by John as well.

MC
Marty Calhoun
Mar 19, 2017
IPVMU Certified

When you say 'track record' do you mean ''ideas or possibilities of events that 'might' or 'could' happen.Are you speaking of events that "could" take place due to lack of proper network security measures due to the Integrator s lack of knowledge or misuse of the product? Or events that have happened and can proven to be administered by HIKVISION directly? Is is in the realm of possibilities that you are forming an opinion from mis-information due to what is written by manufacturers or representatives of competing companies that are 'grabbing for straws' due to loss of business? Do you have personal information that is relevant to HIKVISION acting in a manner that would bolster the claims of others as to circumstances that could prove determinant to the US or US citizens security? Please elaborate on your'proof'? I have not been made privy to enough information to form and honest opinion of the personal goals of the employees or administration staff of Hikvision to make any claims as to their effort to produce products that may be deemed 'inferior'. If so I would be amazed that so many MILLIONS of folks world-wide would be purchasing them and continuing to do so. I can only go on my experiences and exposure to the Manufacturer. I tend to make my own judgments instead of letting others who may have purposes unknown offer their opinions that may not have any merit whatsoever. I understand that there are folks in certain arenas that believe I am possibly easy to 'Hoodwink.' I can assure you that is far from the truth.

(1)
(4)
(1)
UM
Undisclosed Manufacturer #5
Mar 19, 2017

Oh please, once we start talking about realms I tend to wonder off and get slightly off topic. I've been in this industry for 27 years working for manufacturers and distributors and I have dealt with Koreans, Chinese and Taiwanese representatives of many brands. Your argument for selling Hikvision products are repetitive and I think you have your head firmly stuck in the sand. One of the key reasons for end users to buy Hikvision is cost, what else would it be. The good Chinese government, allies to North Korea, sure... I'll leave it at that as I have all your answers now albeit in different wording.

(1)
(2)
JH
John Honovich
Mar 19, 2017
IPVM

One of the key reasons for end users to buy Hikvision is cost, what else would it be

#5, I disagree with you. Sure, one of the key reasons is cost but cost is not the entire story for Hikvision.

The other part is the massive sales, support and field engineering resources that Hikvision is willing to give. This is the truly 'innovative' part of the Hikvison model. Marty gets treated like gold by Hikvision.

The issue is - how can Hikvision afford to (1) offer such low cost plus (2) such massive level of sales, marketing, support and field engineering that they give to Marty and the other dealers? That is the result of the Chinese government debt bubble, which is unsustainable, but I understand that Marty sees the benefits of riding it for long as it lasts.

 

(1)
UM
Undisclosed Manufacturer #5
Mar 19, 2017

I kind of agree with you on that although the support platform you speak about has only started to take shape recently in our market yet at that stage the products were already heavily pushed by SI's mostly on price. Many SI's I know would prefer not to sell Hikvision as they say so themselves and where they can they use Hikvision cameras with a third party front end. Hik clearly identified the US as a market with massive potential for their products and might therefore have given it preferential treatment. We all now how they can afford such rapid expansion as you have disclosed much of it on here. What other government commits 6 Billion USD in to a camera manufacturer.

In the UK they have now seen the first signs of stagnation as several of their sales team have left citing unattainable targets and inter-company competition. Maybe it's not all that rosy...

(1)
U
Undisclosed #8
Mar 19, 2017

"The issue is - how can Hikvision afford to (1) offer such low cost plus (2) such massive level of sales, marketing, support and field engineering that they give to Marty and the other dealers? "

How do you base/build your opinion

you have actual numbers?

real cost,profit and etc...

Thanks

(1)
JH
John Honovich
Mar 19, 2017
IPVM

you have actual numbers?

I do not have Hikvision USA's audited financial results. We both know this, so thank you for the rhetorical point.

We do have a deep understanding and knowledge of their cost structure since it is based on hiring US employees, spending on US events, US marketing, cutting in US distributors, that we know very well. Based on that, Hikvision USA is likely significantly unprofitable.

This should not even be surprising. Hikvision has clearly emphasized market share and top line growth over profitability (e.g., the repeated 10-20% across the board price cuts over the past year).

I am not saying you should not take advantage of it. I get it, in your position, it makes good sense. If Hikvision wants to sell dollars bills for 75 cents, why shouldn't you take it?

But that does not mean the approach is close to being sustainable.

 

(2)
JH
John Honovich
Mar 20, 2017
IPVM

UPDATE: Developer Montecrypto posted an update saying full disclosure is coming either via Hikvision or himself in the next few weeks:

(1)
UE
Undisclosed End User #9
Apr 26, 2017

Is the silence caused by

1. "Rewarded w/ NDA" to not disclose

2. "Chinese (jail) time"

3. "To big issue to let loose"

4. "False alarm"

you name it...

 

JH
John Honovich
Apr 26, 2017
IPVM

I spoke with the developer earlier this week who said he had spoke with ICS-CERT and is expecting a formal announcement soon; alternatively he says he will disclose. We will keep track of this.

UE
Undisclosed End User #9
Apr 26, 2017

What's really happening meanwhile they saying "soon", is that they trying to convince the developer to not disclose any details", think the developer would agree if you asked him. That's how it is.

Both is good and bad, always depends what angle you are looking from and it's quite easy to be confused.

Still, I strongly do believe in disclosure, since the good thing the security community will know how and what needs to protect them self and others, the drawback is of course that some also get know-how to utilise the things in less good purposes.

 

U
Undisclosed #10
Apr 26, 2017
IPVMU Certified

...is that they trying to convince the developer to not disclose any details.

Is the convincing typically done by

1. Promising $$

2. Promising gear

3. Threatening legal

4. Appealing to researcher's better nature

5. Offering to trade a similar undisclosed zero-day of competitor 

 

UE
Undisclosed End User #9
Apr 26, 2017

1 - 4, indeed, from the manufacture before disclosure.

5, comes afterwards from other actors about future zero-days.

UE
Undisclosed End User #9
Apr 26, 2017

1 - 2, If you are (and you should always be) under nickname while talking to manufacture about vulnerabilities, as this is their way to try find out who you are

3, is obvious if you don't use nickname (1 & 2 bypassed), and you will end up here if you disclose yourself in 1 or 2.

4, last desperate effort, if 1 - 3 didn't pay off.

5, no clarifications needed.