Broken Hikvision App Exposes Hypocrisy

Author: John Honovich, Published on Dec 06, 2017

While Hikvision talks about a commitment to cybersecurity, their broken app and their insecure 'solution' expose not only their engineering problems but their hypocrisy about cybersecurity.

In this note, we examine the problems, angry Hikvision dealers' responses, how this invalidates historical defenses and the risks involved.

Broken App

The Hik-Connect app, which Hikvision is promoting as their cloud service/interface, continues to suffer from serious problems. One key problem is slow video streams that are frustrating customers and impairing the system's usability.

Since Hikvision is unable to fix that, they have now taken the unprecedented step of directing users, in the app itself, to set up port mapping (forwarding) to overcome their problem, as shown in the screenshot below:

Security Risks of Port Forwarding

Hikvision IP cameras are getting hacked not just because of their backdoor but because Hikvision continues to tell people to port forward, which exposes the device to the global public Internet, making it easy for hackers around the world to attack their devices.

And it is surreal that they are directing users to port forward when one of the core benefits of a cloud service like Hik-Connect is to stop exposing devices to the public Internet via port forwarding.

But Hikvision continues to do this, e.g., in this March 2017 guide from Hikvision corporate:


In this June 2017 Hikvision 'hardening guide':

In this summer 2017 Hikvision partner presentation that again recommends port forwarding because of Hik-Connect problems:

Cybersecurity may be 'tops' in Hikvision marketing, but when it comes to Hikvision's actual technical recommendations, it is ignored.

Angry Hikvision Dealers

And Hikvision dealers are rightfully angry about this, as a new LinkedIn discussion highlights:

These dealers understand the irony of Hikvision directing them to use port forwarding:

And even this prominent dealer gets no response to their concerns:

Disproves the Dealer's Fault Defense

The most popular Hikvision loyalist defense is that even though Hikvision ships insecure products, it is the dealer's responsibility and fault to cover for Hikvision's problems, as this dealer declared in response to Hikvision's UPnP security risks:

The reality is simple, though. Hikvision is directing integrators and end users to do insecure things, now even inside their app. When the manufacturer is telling customers to do insecure things, the manufacturer has to take the blame.

Worse, Hikvision targets small dealers with their ongoing sales and no training requirements. This results in dealers who lack IT skills depending on a company that claims to be "#1" in R&D, with 10,000 "engineers". Despite this literal legion of "engineers", Hikvision cannot fix the Hik-Connect app, nor can they stop themselves from directing customers to insecure actions.

Where is Chuck Davis?

Chuck Davis is Hikvision's newest tactic in their cybersecurity PR campaign. He is supposed to bring his expertise to fix these types of basic cybersecurity errors. But, instead, to date, Hikvision is using him as a 'white monkey', parading him around.

Is Hikvision going to give Chuck Davis the power to do his real job of improving Hikvision's own cybersecurity issues? We hope so and are rooting for him.

Do Not Let Critics Win

Hikvision is very sensitive about not letting their critics 'win'. They do not want to acknowledge that those who criticized them (in their minds, 'bullied' them) were right, nor give them that satisfaction. And perhaps they will keep up this trend here.

Customers Lose

The irony, of course, is that their customers are the ones losing, and the rest of us are coming to understand that their 10,000 'engineers' and the commitment to cybersecurity are just more deception.
