"Fear Mongering": Hikvision USA Cybersecurity Director Dismisses Chinese Government Ownership Concerns

By John Honovich, Published Feb 16, 2018, 08:28am EST

The facts are:

Despite that, in SP&T News, Hikvision USA Cybersecurity Director Chuck Davis simply dismisses concerns as fearmongering:

Unfortunately, for Davis and SP&T, Hikvision's own financials reveal the deception of that claim. It is not simply 'state-owned enterprises' owning stock, it is a CETHIK, a division created by the Chinese government to control Hikvision:

While Davis is an expert in cybersecurity, rather than politics and economics, he surely is smart enough to read through those primary documents to understand the truth about Hikvision's ownership and control.

Of course, he is in a difficult position. For him to continue being paid, he has to follow the party line (pun intended).

And cybersecurity is not simply about technical flaws, it is about countries adversarial to one's own exploiting systems (e.g., of companies they control) for geopolitical advantage. Just this week, The FBI, CIA and NSA say American citizens shouldn't use Huawei phones. And Huawei's Chinese government 'connections' are far less clear and definitive than Hikvision's.

Davis will continue his public relations tour and he should speak about and be questioned on Hikvision's Chinese government control. We encourage Davis to face these facts.

4 reports cite this report:

US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of...
Huawei Sues US Government Over NDAA Ban on Mar 07, 2019
Chinese telecom giant Huawei is suing the US government over the NDAA ban,...
Hikvision President Addresses AI and USA Challenges on Oct 31, 2018
In frank recent China interviews, Hikvision's President Hu Yangzhong has...
Hikvision Parent Conducts Communist Party Training, Urges Strengthened Party Leadership on Oct 30, 2018
Employees of Hikvision’s parent (CETHIK, for CETC HIKvision) underwent...

Comments (25)

Only IPVM Members may comment. Login or Join.

Actual snapshot of Hickvision making their PR plans to address their network security.

Image result for the matrix dodge

 

Last line from Chuck in that piece is illuminating RE: his understanding of priorities

subheader:  Never bite the hand that feeds you.

"I’m here to support the sales team, said Davis, but my goal here is to create good, secure products and make people aware."

 

 

 

Agreed, he is in a marketing role.

Guru Davis speciously says

Perhaps most importantly for installers, according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

But what about NVR’s?  Are they Ok? Are they really any different from a network perspective?

Hopefully he / they update their hardening guide which continues to recommend port forwarding to directly put devices on the Internet.

Also, it's funny, when our guys call Hikvision tech support to see what they will say about HikConnect speed / connectivity issues, each time they recommend port forwarding.

"each time they recommend port forwarding"

Where do I read your recommendation?

Thanks

Each time Hikvision's tech support recommends port forwarding. It's their recommendation, not ours.

What is your recommendation?

I don't recommend using port forwarding.

Don’t use hik-connect. I’m a Hik fan but I use vpn to access nvr or hikcentral. Cctv devices are blocked by FW, no cloud services enabled.

there are several rules which you have to follow if you want secure CCTV system. Any brand, not just Hik. And Hikvision becomes very interesting product in that case: secure as any else and best value for money 

It´s not Hikvision but the same issue according "security":

Don’t use Huawei phones, say heads of FBI, CIA, and NSA

 

Page 212

2018_IP_Networking Book by IPVM

"Because of these reasons, manual port forwarding has proven more
reliable in commercial surveillance, with UPnP typically left to consumer
use."

 

2018_IP_Networking Book by IPVM

 

More context shows this is a comparison of manual port mapping to UPnP, not a general endorsement of port forwarding:

However, in practice, UPnP is unreliable in many cases. In many business networks, large and small, UPnP functions are turned off, requiring manual port forwarding. In consumer use, port mappings may not function properly, may be added more than once, may conflict with other devices, or may simply not be added at all. Making things worse, error information is rarely available when UPnP port mapping fails, leaving the user without any means of troubleshooting.

Because of these reasons, manual port forwarding has proven more reliable in commercial surveillance, with UPnP typically left to consumer use.

So are you saying you think UPnP is more reliable than setting ports manually?

Of course not,

I ask JH?

and I put reference from his book

#3, thank you. I am going show you how much more responsible IPVM is than your partner Hikvision.

While you have taken that out of context, I recognize that the sentence could be misinterpreted as an endorsement. Moreover,  I also recognize the post that it comes from (Remote Network Access for Video Surveillance) needs to be more explicit in recommending against insecure practices. So I've immediately edited the report to do so, including these new sections:

Public Accessible Hacking Risk - UPnP, DDNS, and Port Forwarding

Using UPnP, DDNS and/or port forwarding exposes one's devices to the entire public Internet, meaning that anyone can attempt to connect and access one's device exposed (e.g., camera or recorder). Hackers can attack hundreds of millions of devices a day across the public Internet, either simply by randomly trying IP addresses or by finding lists of potentially vulnerable devices (e.g., Shodan list of Hikvision public accessible - typically port forwarded devices). For those unfamiliar with this risk, see The Atlantic's The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. More directly related to video surveillance, the massive Dahua hacking and the Hikvision IP camera hacking was driven by those devices being either port forwarded or UPnP enabled. We do not recommend making your devices publicly accessible.

And:

Recommended - VPNs

We recommend VPNs to properly secure your video surveillance devices. While port forwarding (or UPnP, DDNs, etc.) may be cheaper and simpler up front, they expose your devices to being attacked and hacked as new vulnerabilities are found. While cloud services are being improved, you run the risk of them being exploited and/or the cloud service provider accessing or abusing your system.

I am happy to update further if that helps. This will also be pushed out into an updated version of the 2018 book later today.

Now, let's compare IPVM's response to Hikvision's.

8 months ago, IPVM called out Hikvision for Hikvision's Hardening Guide Recommendation of Port Forwarding. Hikvision literally told people that the 'standard configuration' was to 'create a port forwarding rule':

5 months ago, they hired Chuck Davis. And, yet still, no change. It is still in their hardening guide and Hikvision continues to recommend port forwarding.

#3, do you think Hikvision is being responsible continuing to recommend port forwarding?

And the 2018 IP Networking Book is now updated with the above-referenced changes.

"#3, do you think Hikvision is being responsible continuing to recommend port forwarding?"

Yes

NOTICE: This comment has been moved to its own discussion: Hikvision Is Being Responsible Continuing To Recommend Port Forwarding

If government security agencies are advising citizens against using Huawei phones due to security concerns, should they also be looking into the fact that HiSilicon, the chip vendor that makes almost all of the processors in the current IP camera and NVR/DVR market from China, is also owned by Huawei?

 

Story on HikVision yesterday on Full Measure.

 

j

Interesting article.  I think that it gets lost or shuffled away as conspiracy theory when people think that these devices will be used to actively monitor what they are looking at.  After all, why does the local Mom-n-Pop convenient store guy think that the Chinese government is going to spy on him?

I find it much more troubling that these devices are not necessarily being used as active devices for spying, but that they are so dramatically insecure and are going to be more and more used as agents in botnet networks.

I know which PSA TEC session I will be attending.

psatec

Can we start a fund to pay Bashis' way to go to this so that he may offer a few pointers?

Thanks, but no thanks. I'll may do it anyhow, if I get the interest.

 

I feel this is a case of allowing your pay to determine your ethics.

Loading Related Reports