Broken Hikvision App Exposes HypocrisyBy John Honovich, Published on Dec 06, 2017
While Hikvision talks about a commitment to cybersecurity, their broken app and their insecure 'solution' exposes not only their engineering problems but their hypocrisy about cybersecurity.
In this note, we examine the problems, angry Hikvision dealers responses, how this invalidates historical defenses and the risks involved.
The Hik-Connect app, which Hikvision is promoting as their cloud service/interface, continues to suffer from serious problems. One key problem is slow video streams that are frustrating customers and impairing the system's usability.
Since Hikvision is unable to fix that, they have now taken the unprecedented step of directing users, in the app itself, to set up port mapping (forwarding) to overcome their problem, as shown in the screenshot below:
Security Risks of Port Forwarding
Those Hikvision IP cameras getting hacked are not just because of their backdoor, it is because Hikvision continues to tell people to port forward, which exposes the device to the global public Internet, making it easy for hackers around the world to attack their devices.
And it is surreal that they are directing users to port forward when one of the core benefits of a cloud service like Hik-Connect is to stop exposing devices to the public Internet via port forwarding.
But Hikvision continues to do this, e.g., in this March 2017 guide from Hikvision corporate:
In this June 2017 Hikvision 'hardening guide':
In this summer 2017 Hikvision partner presentation that again recommends port forwarding because of Hik-Connect problems:
Cybersecurity may be 'tops' in Hikvision marketing but when it comes to Hikvision actual technical recommendations, it is ignored.
Angry Hikvision Dealers
And Hikvision dealers are rightfully angry about this, as a new LinkedIn discussion highlights:
These dealers understand the irony of Hikvision directing them to use port forwarding:
And even this prominent dealer gets no response to their concerns:
Disproves the Dealer's Fault Defense
The most popular Hikvision loyalist defense is that even though Hikvision ships insecure products, it is the dealer's responsibility and fault to cover for Hikvision's problems, as this dealer declared in response to Hikvision's UPnP security risks:
The reality is simple, though. Hikvision is directing integrators and end users to do insecure things, now even inside their app. When the manufacturer is telling customers to do insecure things, the manufacturer has to take blame.
Worse, Hikvision targets small dealers with their ongoing sales and no training requirements. This results in dealers who lack IT skills depending on a company that claims to be "#1" in R&D, with 10,000 "engineers". Despite this literal legion of "engineers", Hikvision cannot fix the Hik-Connect app nor can they control themselves from directing customers to insecure actions.
Where is Chuck Davis?
[link no longer available]
Chuck Davis [link no longer available] is Hikvision's newest tactic in their cybersecurity PR campaign. He is supposed to bring his expertise to fix these types of basic cybersecurity errors. But, instead, to date, Hikvision is using him as a 'white monkey', parading him around.
Is Hikvision going to give Chuck Davis the power to do his real job of improving Hikvision's own cybersecurity issues? We hope so and are rooting for him.
Do Not Let Critics Win
Hikvision is very sensitive to not let their critics 'win'. They do not want to acknowledge nor give satisfaction to those who criticize them (in their minds 'bullied') that they were right. And perhaps they will keep up this trend here.
The irony, of course, is that their customers are the ones losing and the rest of us are understanding their 10,000 'engineers' and the commitment to cybersecurity is just more deception.