"Fear Mongering": Hikvision USA Cybersecurity Director Dismisses Chinese Government Ownership Concerns

By: John Honovich, Published on Feb 16, 2018

The facts are:

Despite that, in SP&T News, Hikvision USA Cybersecurity Director Chuck Davis simply dismisses concerns as fearmongering:

Unfortunately, for Davis and SP&T, Hikvision's own financials reveal the deception of that claim. It is not simply 'state-owned enterprises' owning stock, it is a CETHIK, a division created by the Chinese government to control Hikvision:

While Davis is an expert in cybersecurity, rather than politics and economics, he surely is smart enough to read through those primary documents to understand the truth about Hikvision's ownership and control.

Of course, he is in a difficult position. For him to continue being paid, he has to follow the party line (pun intended).

And cybersecurity is not simply about technical flaws, it is about countries adversarial to one's own exploiting systems (e.g., of companies they control) for geopolitical advantage. Just this week, The FBI, CIA and NSA say American citizens shouldn't use Huawei phones. And Huawei's Chinese government 'connections' are far less clear and definitive than Hikvision's.

Davis will continue his public relations tour and he should speak about and be questioned on Hikvision's Chinese government control. We encourage Davis to face these facts.

3 reports cite this report:

Huawei Sues US Government Over NDAA Ban on Mar 07, 2019
Chinese telecom giant Huawei is suing the US government over the NDAA ban, arguing that key provisions in it are unconstitutional.  NDAA Section...
Hikvision President Addresses AI and USA Challenges on Oct 31, 2018
In frank recent China interviews, Hikvision's President Hu Yangzhong has addressed challenges impacting the video surveillance industry and...
Hikvision Parent Conducts Communist Party Training, Urges Strengthened Party Leadership on Oct 30, 2018
Employees of Hikvision’s parent (CETHIK, for CETC HIKvision) underwent intensive Chinese Communist Party training last month where they came up...

Comments (25)

Only IPVM PRO Members may comment. Login or Join.

Actual snapshot of Hickvision making their PR plans to address their network security.

Image result for the matrix dodge

 

Last line from Chuck in that piece is illuminating RE: his understanding of priorities

subheader:  Never bite the hand that feeds you.

"I’m here to support the sales team, said Davis, but my goal here is to create good, secure products and make people aware."

 

 

 

Agreed, he is in a marketing role.

Guru Davis speciously says

Perhaps most importantly for installers, according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

But what about NVR’s?  Are they Ok? Are they really any different from a network perspective?

Hopefully he / they update their hardening guide which continues to recommend port forwarding to directly put devices on the Internet.

Also, it's funny, when our guys call Hikvision tech support to see what they will say about HikConnect speed / connectivity issues, each time they recommend port forwarding.

"each time they recommend port forwarding"

Where do I read your recommendation?

Thanks

Each time Hikvision's tech support recommends port forwarding. It's their recommendation, not ours.

What is your recommendation?

I don't recommend using port forwarding.

Don’t use hik-connect. I’m a Hik fan but I use vpn to access nvr or hikcentral. Cctv devices are blocked by FW, no cloud services enabled.

there are several rules which you have to follow if you want secure CCTV system. Any brand, not just Hik. And Hikvision becomes very interesting product in that case: secure as any else and best value for money 

It´s not Hikvision but the same issue according "security":

Don’t use Huawei phones, say heads of FBI, CIA, and NSA

 

Page 212

2018_IP_Networking Book by IPVM

"Because of these reasons, manual port forwarding has proven more
reliable in commercial surveillance, with UPnP typically left to consumer
use."

 

2018_IP_Networking Book by IPVM

 

More context shows this is a comparison of manual port mapping to UPnP, not a general endorsement of port forwarding:

However, in practice, UPnP is unreliable in many cases. In many business networks, large and small, UPnP functions are turned off, requiring manual port forwarding. In consumer use, port mappings may not function properly, may be added more than once, may conflict with other devices, or may simply not be added at all. Making things worse, error information is rarely available when UPnP port mapping fails, leaving the user without any means of troubleshooting.

Because of these reasons, manual port forwarding has proven more reliable in commercial surveillance, with UPnP typically left to consumer use.

So are you saying you think UPnP is more reliable than setting ports manually?

Of course not,

I ask JH?

and I put reference from his book

#3, thank you. I am going show you how much more responsible IPVM is than your partner Hikvision.

While you have taken that out of context, I recognize that the sentence could be misinterpreted as an endorsement. Moreover,  I also recognize the post that it comes from (Remote Network Access for Video Surveillance) needs to be more explicit in recommending against insecure practices. So I've immediately edited the report to do so, including these new sections:

Public Accessible Hacking Risk - UPnP, DDNS, and Port Forwarding

Using UPnP, DDNS and/or port forwarding exposes one's devices to the entire public Internet, meaning that anyone can attempt to connect and access one's device exposed (e.g., camera or recorder). Hackers can attack hundreds of millions of devices a day across the public Internet, either simply by randomly trying IP addresses or by finding lists of potentially vulnerable devices (e.g., Shodan list of Hikvision public accessible - typically port forwarded devices). For those unfamiliar with this risk, see The Atlantic's The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. More directly related to video surveillance, the massive Dahua hacking and the Hikvision IP camera hacking was driven by those devices being either port forwarded or UPnP enabled. We do not recommend making your devices publicly accessible.

And:

Recommended - VPNs

We recommend VPNs to properly secure your video surveillance devices. While port forwarding (or UPnP, DDNs, etc.) may be cheaper and simpler up front, they expose your devices to being attacked and hacked as new vulnerabilities are found. While cloud services are being improved, you run the risk of them being exploited and/or the cloud service provider accessing or abusing your system.

I am happy to update further if that helps. This will also be pushed out into an updated version of the 2018 book later today.

Now, let's compare IPVM's response to Hikvision's.

8 months ago, IPVM called out Hikvision for Hikvision's Hardening Guide Recommendation of Port Forwarding. Hikvision literally told people that the 'standard configuration' was to 'create a port forwarding rule':

5 months ago, they hired Chuck Davis. And, yet still, no change. It is still in their hardening guide and Hikvision continues to recommend port forwarding.

#3, do you think Hikvision is being responsible continuing to recommend port forwarding?

And the 2018 IP Networking Book is now updated with the above-referenced changes.

"#3, do you think Hikvision is being responsible continuing to recommend port forwarding?"

Yes

NOTICE: This comment has been moved to its own discussion: Hikvision Is Being Responsible Continuing To Recommend Port Forwarding

If government security agencies are advising citizens against using Huawei phones due to security concerns, should they also be looking into the fact that HiSilicon, the chip vendor that makes almost all of the processors in the current IP camera and NVR/DVR market from China, is also owned by Huawei?

 

Story on HikVision yesterday on Full Measure.

 

j

Interesting article.  I think that it gets lost or shuffled away as conspiracy theory when people think that these devices will be used to actively monitor what they are looking at.  After all, why does the local Mom-n-Pop convenient store guy think that the Chinese government is going to spy on him?

I find it much more troubling that these devices are not necessarily being used as active devices for spying, but that they are so dramatically insecure and are going to be more and more used as agents in botnet networks.

I know which PSA TEC session I will be attending.

psatec

Can we start a fund to pay Bashis' way to go to this so that he may offer a few pointers?

Thanks, but no thanks. I'll may do it anyhow, if I get the interest.

 

I feel this is a case of allowing your pay to determine your ethics.

Related Reports on China

US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...
Hikvision Lobbying Against And Preparing For Potential US Sanctions on Sep 09, 2019
Hikvision has been lobbying against and preparing for potential US sanctions, according to US government records, financial filings and partner...
Megvii Financials and Growth Examined on Aug 30, 2019
Megvii has already received more than a billion dollars in investment. Now, the company, a top China facial recognition provider, has filed for an...
In China, Foreign AI Companies Banned or Disadvantaged, Says Top China AI Company on Aug 28, 2019
Non-China (PRC) companies are prejudiced and unfairly targeted inside of the PRC's booming AI market, which not only denies them revenue inside of...
China Dahua To Replace Their Software With US Pepper on Aug 22, 2019
What does a US government banned company do to improve its security positioning in the US? Well, Dahua is unveiling a novel solution, partnering...
Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
US Government Ban of Dahua, Hikvision, Huawei Takes Effect Now on Aug 13, 2019
The 'prohibition on use or procurement' of Dahua, Hikvision and Huawei products and 'essential components' take effect today, August 13, 2019, one...
Hikvision Global News Reports Directory on Aug 11, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Stanley Makes "Multi-Million Dollar Investment" Into Banned Hikvision Products on Aug 09, 2019
Just days from the US government ban going into effect, US mega-corporation Stanley has dramatically increased its imports of banned Hikvision...

Most Recent Industry Reports

ONVIF Suspends Huawei on Sep 20, 2019
Huawei has been 'suspended', and effectively expelled, from ONVIF so long as US sanctions remain on the mega Chinese manufacturer. Inside this...
Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Axis Perimeter Defender Improves, Yet Worse Than Dahua and Wyze on Sep 19, 2019
While Axis Perimeter Defender analytics improved from our 2018 testing, the market has improved much faster, with much less expensive offerings...
Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Uniview Prime Series 4K Camera Tested on Sep 18, 2019
Is the new Uniview 'Prime' better than the more expensive existing Uniview 'Pro'? In August, IPVM tested Uniview 4K 'Pro' but members advocated...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Vivotek "Neural Network-Powered Detection Engine" Analytics Tested on Sep 17, 2019
Vivotek has released "a neural network-powered detection engine", named Smart Motion Detection, claiming that "swaying vegetation, vehicles passing...
Schmode is Back, Aims To Turn Boulder AI Into Giant on Sep 16, 2019
One of the most influential and controversial executives in the past decade is back. Bryan Schmode ascended and drove the hypergrowth of Avigilon...
Manufacturers Unhappy With Weak ASIS GSX 2019 And 2020 Shift on Sep 16, 2019
Manufacturers were generally unhappy with ASIS GSX, both for weak 2019 booth traffic and a scheduling shift for the 2020 show, according to a new...