"Fear Mongering": Hikvision USA Cybersecurity Director Dismisses PRC Government Ownership Concerns
By John Honovich, Published Feb 16, 2018, 08:28am ESTThe facts are:
- The PRC government created Hikvision and is Hikvision's controlling shareholder.
- Hikvision's Chairman, a Communist Party Secretary, has pledged allegiance to the China Communist Party.
- Hikvision's VP of R&D simultaneously works for the ORC government.
- China has a history of cyber attacks against the USA.
- China exerts authoritarian control of their country and people.
Despite that, in SP&T News, Hikvision USA Cybersecurity Director Chuck Davis simply dismisses concerns as fearmongering:
Unfortunately, for Davis and SP&T, Hikvision's own financials reveal the deception of that claim. It is not simply 'state-owned enterprises' owning stock, it is a CETHIK, a division created by the PRC government to control Hikvision:
While Davis is an expert in cybersecurity, rather than politics and economics, he surely is smart enough to read through those primary documents to understand the truth about Hikvision's ownership and control.
Of course, he is in a difficult position. For him to continue being paid, he has to follow the party line (pun intended).
And cybersecurity is not simply about technical flaws, it is about countries adversarial to one's own exploiting systems (e.g., of companies they control) for geopolitical advantage. Just this week, The FBI, CIA and NSA say American citizens shouldn't use Huawei phones. And Huawei's PRC government 'connections' are far less clear and definitive than Hikvision's.
Davis will continue his public relations tour and he should speak about and be questioned on Hikvision's PRC government control. We encourage Davis to face these facts.
4 reports cite this report:
Comments (25)
02/16/18 05:36pm
Actual snapshot of Hickvision making their PR plans to address their network security.
Last line from Chuck in that piece is illuminating RE: his understanding of priorities
subheader: Never bite the hand that feeds you.
"I’m here to support the sales team, said Davis, but my goal here is to create good, secure products and make people aware."
Guru Davis speciously says
Perhaps most importantly for installers, according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”
But what about NVR’s? Are they Ok? Are they really any different from a network perspective?
It´s not Hikvision but the same issue according "security":
Don’t use Huawei phones, say heads of FBI, CIA, and NSA
Page 212
2018_IP_Networking Book by IPVM
"Because of these reasons, manual port forwarding has proven more
reliable in commercial surveillance, with UPnP typically left to consumer
use."
2018_IP_Networking Book by IPVM
More context shows this is a comparison of manual port mapping to UPnP, not a general endorsement of port forwarding:
However, in practice, UPnP is unreliable in many cases. In many business networks, large and small, UPnP functions are turned off, requiring manual port forwarding. In consumer use, port mappings may not function properly, may be added more than once, may conflict with other devices, or may simply not be added at all. Making things worse, error information is rarely available when UPnP port mapping fails, leaving the user without any means of troubleshooting.
Because of these reasons, manual port forwarding has proven more reliable in commercial surveillance, with UPnP typically left to consumer use.
So are you saying you think UPnP is more reliable than setting ports manually?
Of course not,
I ask JH?
and I put reference from his book
#3, thank you. I am going show you how much more responsible IPVM is than your partner Hikvision.
While you have taken that out of context, I recognize that the sentence could be misinterpreted as an endorsement. Moreover, I also recognize the post that it comes from (Remote Network Access for Video Surveillance) needs to be more explicit in recommending against insecure practices. So I've immediately edited the report to do so, including these new sections:
Public Accessible Hacking Risk - UPnP, DDNS, and Port Forwarding
Using UPnP, DDNS and/or port forwarding exposes one's devices to the entire public Internet, meaning that anyone can attempt to connect and access one's device exposed (e.g., camera or recorder). Hackers can attack hundreds of millions of devices a day across the public Internet, either simply by randomly trying IP addresses or by finding lists of potentially vulnerable devices (e.g., Shodan list of Hikvision public accessible - typically port forwarded devices). For those unfamiliar with this risk, see The Atlantic's The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. More directly related to video surveillance, the massive Dahua hacking and the Hikvision IP camera hacking was driven by those devices being either port forwarded or UPnP enabled. We do not recommend making your devices publicly accessible.
And:
Recommended - VPNs
We recommend VPNs to properly secure your video surveillance devices. While port forwarding (or UPnP, DDNs, etc.) may be cheaper and simpler up front, they expose your devices to being attacked and hacked as new vulnerabilities are found. While cloud services are being improved, you run the risk of them being exploited and/or the cloud service provider accessing or abusing your system.
I am happy to update further if that helps. This will also be pushed out into an updated version of the 2018 book later today.
Now, let's compare IPVM's response to Hikvision's.
8 months ago, IPVM called out Hikvision for Hikvision's Hardening Guide Recommendation of Port Forwarding. Hikvision literally told people that the 'standard configuration' was to 'create a port forwarding rule':
5 months ago, they hired Chuck Davis. And, yet still, no change. It is still in their hardening guide and Hikvision continues to recommend port forwarding.
#3, do you think Hikvision is being responsible continuing to recommend port forwarding?
If government security agencies are advising citizens against using Huawei phones due to security concerns, should they also be looking into the fact that HiSilicon, the chip vendor that makes almost all of the processors in the current IP camera and NVR/DVR market from China, is also owned by Huawei?
I know which PSA TEC session I will be attending.
I feel this is a case of allowing your pay to determine your ethics.
