"Fear Mongering": Hikvision USA Cybersecurity Director Dismisses Chinese Government Ownership Concerns

By: John Honovich, Published on Feb 16, 2018

The facts are:

Despite that, in SP&T News, Hikvision USA Cybersecurity Director Chuck Davis simply dismisses concerns as fearmongering:

Unfortunately, for Davis and SP&T, Hikvision's own financials reveal the deception of that claim. It is not simply 'state-owned enterprises' owning stock, it is a CETHIK, a division created by the Chinese government to control Hikvision:

While Davis is an expert in cybersecurity, rather than politics and economics, he surely is smart enough to read through those primary documents to understand the truth about Hikvision's ownership and control.

Of course, he is in a difficult position. For him to continue being paid, he has to follow the party line (pun intended).

And cybersecurity is not simply about technical flaws, it is about countries adversarial to one's own exploiting systems (e.g., of companies they control) for geopolitical advantage. Just this week, The FBI, CIA and NSA say American citizens shouldn't use Huawei phones. And Huawei's Chinese government 'connections' are far less clear and definitive than Hikvision's.

Davis will continue his public relations tour and he should speak about and be questioned on Hikvision's Chinese government control. We encourage Davis to face these facts.

4 reports cite this report:

US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of...
Huawei Sues US Government Over NDAA Ban on Mar 07, 2019
Chinese telecom giant Huawei is suing the US government over the NDAA ban,...
Hikvision President Addresses AI and USA Challenges on Oct 31, 2018
In frank recent China interviews, Hikvision's President Hu Yangzhong has...
Hikvision Parent Conducts Communist Party Training, Urges Strengthened Party Leadership on Oct 30, 2018
Employees of Hikvision’s parent (CETHIK, for CETC HIKvision) underwent...

Comments (25)

Only IPVM Members may comment. Login or Join.

Actual snapshot of Hickvision making their PR plans to address their network security.

Image result for the matrix dodge

 

Last line from Chuck in that piece is illuminating RE: his understanding of priorities

subheader:  Never bite the hand that feeds you.

"I’m here to support the sales team, said Davis, but my goal here is to create good, secure products and make people aware."

 

 

 

Agreed, he is in a marketing role.

Guru Davis speciously says

Perhaps most importantly for installers, according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

But what about NVR’s?  Are they Ok? Are they really any different from a network perspective?

Hopefully he / they update their hardening guide which continues to recommend port forwarding to directly put devices on the Internet.

Also, it's funny, when our guys call Hikvision tech support to see what they will say about HikConnect speed / connectivity issues, each time they recommend port forwarding.

"each time they recommend port forwarding"

Where do I read your recommendation?

Thanks

Each time Hikvision's tech support recommends port forwarding. It's their recommendation, not ours.

What is your recommendation?

I don't recommend using port forwarding.

Don’t use hik-connect. I’m a Hik fan but I use vpn to access nvr or hikcentral. Cctv devices are blocked by FW, no cloud services enabled.

there are several rules which you have to follow if you want secure CCTV system. Any brand, not just Hik. And Hikvision becomes very interesting product in that case: secure as any else and best value for money 

It´s not Hikvision but the same issue according "security":

Don’t use Huawei phones, say heads of FBI, CIA, and NSA

 

Page 212

2018_IP_Networking Book by IPVM

"Because of these reasons, manual port forwarding has proven more
reliable in commercial surveillance, with UPnP typically left to consumer
use."

 

2018_IP_Networking Book by IPVM

 

More context shows this is a comparison of manual port mapping to UPnP, not a general endorsement of port forwarding:

However, in practice, UPnP is unreliable in many cases. In many business networks, large and small, UPnP functions are turned off, requiring manual port forwarding. In consumer use, port mappings may not function properly, may be added more than once, may conflict with other devices, or may simply not be added at all. Making things worse, error information is rarely available when UPnP port mapping fails, leaving the user without any means of troubleshooting.

Because of these reasons, manual port forwarding has proven more reliable in commercial surveillance, with UPnP typically left to consumer use.

So are you saying you think UPnP is more reliable than setting ports manually?

Of course not,

I ask JH?

and I put reference from his book

#3, thank you. I am going show you how much more responsible IPVM is than your partner Hikvision.

While you have taken that out of context, I recognize that the sentence could be misinterpreted as an endorsement. Moreover,  I also recognize the post that it comes from (Remote Network Access for Video Surveillance) needs to be more explicit in recommending against insecure practices. So I've immediately edited the report to do so, including these new sections:

Public Accessible Hacking Risk - UPnP, DDNS, and Port Forwarding

Using UPnP, DDNS and/or port forwarding exposes one's devices to the entire public Internet, meaning that anyone can attempt to connect and access one's device exposed (e.g., camera or recorder). Hackers can attack hundreds of millions of devices a day across the public Internet, either simply by randomly trying IP addresses or by finding lists of potentially vulnerable devices (e.g., Shodan list of Hikvision public accessible - typically port forwarded devices). For those unfamiliar with this risk, see The Atlantic's The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. More directly related to video surveillance, the massive Dahua hacking and the Hikvision IP camera hacking was driven by those devices being either port forwarded or UPnP enabled. We do not recommend making your devices publicly accessible.

And:

Recommended - VPNs

We recommend VPNs to properly secure your video surveillance devices. While port forwarding (or UPnP, DDNs, etc.) may be cheaper and simpler up front, they expose your devices to being attacked and hacked as new vulnerabilities are found. While cloud services are being improved, you run the risk of them being exploited and/or the cloud service provider accessing or abusing your system.

I am happy to update further if that helps. This will also be pushed out into an updated version of the 2018 book later today.

Now, let's compare IPVM's response to Hikvision's.

8 months ago, IPVM called out Hikvision for Hikvision's Hardening Guide Recommendation of Port Forwarding. Hikvision literally told people that the 'standard configuration' was to 'create a port forwarding rule':

5 months ago, they hired Chuck Davis. And, yet still, no change. It is still in their hardening guide and Hikvision continues to recommend port forwarding.

#3, do you think Hikvision is being responsible continuing to recommend port forwarding?

And the 2018 IP Networking Book is now updated with the above-referenced changes.

"#3, do you think Hikvision is being responsible continuing to recommend port forwarding?"

Yes

NOTICE: This comment has been moved to its own discussion: Hikvision Is Being Responsible Continuing To Recommend Port Forwarding

If government security agencies are advising citizens against using Huawei phones due to security concerns, should they also be looking into the fact that HiSilicon, the chip vendor that makes almost all of the processors in the current IP camera and NVR/DVR market from China, is also owned by Huawei?

 

Story on HikVision yesterday on Full Measure.

 

j

Interesting article.  I think that it gets lost or shuffled away as conspiracy theory when people think that these devices will be used to actively monitor what they are looking at.  After all, why does the local Mom-n-Pop convenient store guy think that the Chinese government is going to spy on him?

I find it much more troubling that these devices are not necessarily being used as active devices for spying, but that they are so dramatically insecure and are going to be more and more used as agents in botnet networks.

I know which PSA TEC session I will be attending.

psatec

Can we start a fund to pay Bashis' way to go to this so that he may offer a few pointers?

Thanks, but no thanks. I'll may do it anyhow, if I get the interest.

 

I feel this is a case of allowing your pay to determine your ethics.

Related Reports

Hikvision Hides Xinjiang R&D Activities on Apr 22, 2020
Hikvision has systematically deleted evidence showing their R&D base and...
Hikvision Put on US DoD "Communist Chinese Military Companies" List, Faces Risk of Presidential Sanctions on Jun 26, 2020
The US DoD has put Hikvision on a list of "Communist Chinese Military...
Hikvision Buys Baltics' Largest Distributor (BK Group) on Aug 20, 2020
While Hikvision faces global scrutiny over its connections to the PRC...
Hikvision USA Refuses [Now In], Dahua USA Drives Forward With "Coronavirus Cameras" on Apr 07, 2020
Both have been federally banned, both sanctioned for human rights abuses but...
Salesforce Drops Dahua and Hikvision on Aug 12, 2020
Salesforce has dropped Dahua and Hikvision as customers, forcing the two mega...
Hikvision Salespeople: We Don't Need A Blackbody on May 13, 2020
Dahua jumped out on its cross-town rival selling fever cameras but Hikvision...
Colombia's President Promotes Bad Hikvision Fever Camera Setup on Jun 17, 2020
Colombia's President Iván Duque has promoted a haphazard Hikvision fever...
US Passes Uyghur Human Rights Law Condemning Mass Surveillance on Jun 18, 2020
The US government has passed the Uyghur Human Rights Policy Act of 2020,...
Huawei HiSilicon Shortage Impacts Surveillance Manufacturers on Aug 14, 2020
Huawei acknowledged problems and challenges for its HiSilicon chip business,...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Sunell is The First China Manufacturer to Market NDAA Compliance on Jul 30, 2020
Most China manufacturers are going to be impacted by the NDAA 'Blacklist...
Hikvision And Dahua Now Blocked From Conforming ONVIF Products on Apr 03, 2020
Dahua and Hikvision, sanctioned for human rights abuses, are now blocked from...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
Hikvision Chairman Targeted For Sanctions As Federal Watchdog Calls Out Hikvision "Serious Religious Freedom Violations" on May 21, 2020
The US government's religious freedom watchdog has criticized Hikvision for...
Hikvision Global News Reports Directory on Aug 13, 2020
Hikvision has received the most global news reporting of any video...

Recent Reports

Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Chilean Official Investigated for Motorola And Hikvision Contracts on Sep 17, 2020
A corruption investigation is underway in Chile after a crime prevention...
Huawei HiSilicon Production Shut Down on Sep 17, 2020
Huawei HiSilicon chips are no longer being manufactured or supplied to...
Virtual ISC West and GSX+ Exhibiting Contrasted on Sep 17, 2020
Both ISC West and ASIS GSX are going virtual this year, just weeks apart, but...
X.Labs Sues FLIR on Sep 16, 2020
X.Labs, the maker of Feevr, has sued FLIR, the publicly traded thermal...
Video Surveillance 101 September Course - Last Chance on Sep 16, 2020
Today is the last chance to sign up for the Fall Video Surveillance 101...
No Blackbody Mistake, Half Million Dollar, Hikvision Fever Camera System in Georgia on Sep 16, 2020
A Georgia school district touted buying Hikvision fever screening "about...
Costar Technologies / Arecont H1 2020 Financials Examined on Sep 16, 2020
Costar's financial results have been hit by the coronavirus with the company...
Startup Cawamo Presents Live Alerts With Edge AI and Cloud VMS on Sep 15, 2020
Cawamo, an Israeli edge-to-cloud analytics and VMS startup, presented its...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
Dangerous Hikvision Fever Screening Marketing In Africa on Sep 15, 2020
A multi-national African Hikvision distributor is marketing dangerously...
New Products Show Fall 2020 Announced - Register Now on Sep 14, 2020
IPVM's sixth online show will feature New Products from over 25...
Hanwha 8K / 33MP Camera Tested on Sep 14, 2020
Hanwha Techwin has released an 8K / 33MP resolution camera, the TNB-9000 with...