"Fear Mongering": Hikvision USA Cybersecurity Director Dismisses PRC Government Ownership Concerns

Published Feb 16, 2018 13:28 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

The facts are:

IPVM Image

Despite that, in SP&T News, Hikvision USA Cybersecurity Director Chuck Davis simply dismisses concerns as fearmongering:

IPVM Image

Unfortunately, for Davis and SP&T, Hikvision's own financials reveal the deception of that claim. It is not simply 'state-owned enterprises' owning stock, it is a CETHIK, a division created by the PRC government to control Hikvision:

IPVM Image

While Davis is an expert in cybersecurity, rather than politics and economics, he surely is smart enough to read through those primary documents to understand the truth about Hikvision's ownership and control.

Of course, he is in a difficult position. For him to continue being paid, he has to follow the party line (pun intended).

And cybersecurity is not simply about technical flaws, it is about countries adversarial to one's own exploiting systems (e.g., of companies they control) for geopolitical advantage. Just this week, The FBI, CIA and NSA say American citizens shouldn't use Huawei phones. And Huawei's PRC government 'connections' are far less clear and definitive than Hikvision's.

Davis will continue his public relations tour and he should speak about and be questioned on Hikvision's PRC government control. We encourage Davis to face these facts.

Comments (25)
Avatar
Michael Gonzalez
Feb 16, 2018
Confidential

Actual snapshot of Hickvision making their PR plans to address their network security.

Image result for the matrix dodge

 

(1)
(12)
U
Undisclosed #1
Feb 16, 2018

Last line from Chuck in that piece is illuminating RE: his understanding of priorities

subheader:  Never bite the hand that feeds you.

"I’m here to support the sales team, said Davis, but my goal here is to create good, secure products and make people aware."

 

 

 

(4)
(3)
(1)
JH
John Honovich
Feb 16, 2018
IPVM

Agreed, he is in a marketing role.

(6)
U
Undisclosed #2
Feb 17, 2018
IPVMU Certified

Guru Davis speciously says

Perhaps most importantly for installers, according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

But what about NVR’s?  Are they Ok? Are they really any different from a network perspective?

(3)
JH
John Honovich
Feb 17, 2018
IPVM

Hopefully he / they update their hardening guide which continues to recommend port forwarding to directly put devices on the Internet.

Also, it's funny, when our guys call Hikvision tech support to see what they will say about HikConnect speed / connectivity issues, each time they recommend port forwarding.

(2)
(3)
U
Undisclosed #3
Feb 17, 2018

"each time they recommend port forwarding"

Where do I read your recommendation?

Thanks

JH
John Honovich
Feb 17, 2018
IPVM

Each time Hikvision's tech support recommends port forwarding. It's their recommendation, not ours.

(2)
U
Undisclosed #3
Feb 17, 2018

What is your recommendation?

JH
John Honovich
Feb 17, 2018
IPVM

I don't recommend using port forwarding.

(5)
DR
Dennis Ruban
Feb 18, 2018

Don’t use hik-connect. I’m a Hik fan but I use vpn to access nvr or hikcentral. Cctv devices are blocked by FW, no cloud services enabled.

there are several rules which you have to follow if you want secure CCTV system. Any brand, not just Hik. And Hikvision becomes very interesting product in that case: secure as any else and best value for money 

(1)
(1)
UM
Undisclosed Manufacturer #4
Feb 17, 2018

It´s not Hikvision but the same issue according "security":

Don’t use Huawei phones, say heads of FBI, CIA, and NSA

 

(2)
U
Undisclosed #3
Feb 18, 2018

Page 212

2018_IP_Networking Book by IPVM

"Because of these reasons, manual port forwarding has proven more
reliable in commercial surveillance, with UPnP typically left to consumer
use."

 

(1)
(1)
U
Undisclosed #1
Feb 18, 2018

(1)
U
Undisclosed #2
Feb 18, 2018
IPVMU Certified

2018_IP_Networking Book by IPVM

 

More context shows this is a comparison of manual port mapping to UPnP, not a general endorsement of port forwarding:

However, in practice, UPnP is unreliable in many cases. In many business networks, large and small, UPnP functions are turned off, requiring manual port forwarding. In consumer use, port mappings may not function properly, may be added more than once, may conflict with other devices, or may simply not be added at all. Making things worse, error information is rarely available when UPnP port mapping fails, leaving the user without any means of troubleshooting.

Because of these reasons, manual port forwarding has proven more reliable in commercial surveillance, with UPnP typically left to consumer use.

So are you saying you think UPnP is more reliable than setting ports manually?

(1)
U
Undisclosed #3
Feb 18, 2018

Of course not,

I ask JH?

and I put reference from his book

JH
John Honovich
Feb 18, 2018
IPVM

#3, thank you. I am going show you how much more responsible IPVM is than your partner Hikvision.

While you have taken that out of context, I recognize that the sentence could be misinterpreted as an endorsement. Moreover,  I also recognize the post that it comes from (Remote Network Access for Video Surveillance) needs to be more explicit in recommending against insecure practices. So I've immediately edited the report to do so, including these new sections:

Public Accessible Hacking Risk - UPnP, DDNS, and Port Forwarding

Using UPnP, DDNS and/or port forwarding exposes one's devices to the entire public Internet, meaning that anyone can attempt to connect and access one's device exposed (e.g., camera or recorder). Hackers can attack hundreds of millions of devices a day across the public Internet, either simply by randomly trying IP addresses or by finding lists of potentially vulnerable devices (e.g., Shodan list of Hikvision public accessible - typically port forwarded devices). For those unfamiliar with this risk, see The Atlantic's The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. More directly related to video surveillance, the massive Dahua hacking and the Hikvision IP camera hacking was driven by those devices being either port forwarded or UPnP enabled. We do not recommend making your devices publicly accessible.

And:

Recommended - VPNs

We recommend VPNs to properly secure your video surveillance devices. While port forwarding (or UPnP, DDNs, etc.) may be cheaper and simpler up front, they expose your devices to being attacked and hacked as new vulnerabilities are found. While cloud services are being improved, you run the risk of them being exploited and/or the cloud service provider accessing or abusing your system.

I am happy to update further if that helps. This will also be pushed out into an updated version of the 2018 book later today.

Now, let's compare IPVM's response to Hikvision's.

8 months ago, IPVM called out Hikvision for Hikvision's Hardening Guide Recommendation of Port Forwarding. Hikvision literally told people that the 'standard configuration' was to 'create a port forwarding rule':

5 months ago, they hired Chuck Davis. And, yet still, no change. It is still in their hardening guide and Hikvision continues to recommend port forwarding.

#3, do you think Hikvision is being responsible continuing to recommend port forwarding?

(2)
(3)
JH
John Honovich
Feb 18, 2018
IPVM

And the 2018 IP Networking Book is now updated with the above-referenced changes.

(1)
(3)
U
Undisclosed #3
Feb 25, 2018

"#3, do you think Hikvision is being responsible continuing to recommend port forwarding?"

Yes

NOTICE: This comment has been moved to its own discussion: Hikvision Is Being Responsible Continuing To Recommend Port Forwarding

UD
Undisclosed Distributor #5
Feb 19, 2018

If government security agencies are advising citizens against using Huawei phones due to security concerns, should they also be looking into the fact that HiSilicon, the chip vendor that makes almost all of the processors in the current IP camera and NVR/DVR market from China, is also owned by Huawei?

 

(1)
JS
Joe Summanen
Feb 19, 2018

Story on HikVision yesterday on Full Measure.

 

j

(3)
UD
Undisclosed Distributor #5
Feb 19, 2018

Interesting article.  I think that it gets lost or shuffled away as conspiracy theory when people think that these devices will be used to actively monitor what they are looking at.  After all, why does the local Mom-n-Pop convenient store guy think that the Chinese government is going to spy on him?

I find it much more troubling that these devices are not necessarily being used as active devices for spying, but that they are so dramatically insecure and are going to be more and more used as agents in botnet networks.

(2)
UI
Undisclosed Integrator #6
Feb 20, 2018

I know which PSA TEC session I will be attending.

psatec

(3)
UD
Undisclosed Distributor #5
Feb 20, 2018

Can we start a fund to pay Bashis' way to go to this so that he may offer a few pointers?

(1)
UE
Undisclosed End User #7
Feb 20, 2018

Thanks, but no thanks. I'll may do it anyhow, if I get the interest.

 

Avatar
Blake Murphy
Feb 21, 2018

I feel this is a case of allowing your pay to determine your ethics.

(3)