Hikvision Pledges 'Never' 'Backdoors'

Published Jan 27, 2017 11:07 AM

With criticisms rising, Hikvision has gone on the record publicly declaring [link no longer available]:

Hikvision never has, does or would intentionally contribute to the placement of “backdoors” in its products.

One indisputable point is that Hikvision is clearly feeling enough pain here to be forced into such a public response.

Statement Analyzed

A key question is how the statement is structured.

********* ***** ***, **** ** *****

***** '*****' ** * ******, *********** term *** ** * ******** *** communicating * ***** *******.

*************

The word 'intentionally' is redundant, since backdoors are, by definition done intentionally. However, this is useful to emphasize that errors can occur that allow illicit access to products, even if the developer did not 'intend' to provide it.

********** ** *** *********

*** '**********' ********* *** '*****' *********, adding ********** *** *********.

*******************

* *******, **** ********** ********* ***** be:

[******** ****]********* ***** ***, **** ** ***** intentionally****“*********” ** *** ********.

**** *******, **** ****** ********* ***** eliminate *** ********* ******** ***** '**********'.

China ********** ******* ********

** **********, ***** ********* ***** ***** Chinese ********** ********* ** ***** * backdoor ** ***** ********? ** **** scenario, ********* ****** ***** *** ** actively '************' ** *** *********, **** would **** ***** **.

**** ** * ********* ****** ** the***** ********** *** ** ********* ****** of ***** *******. *** ***** ******* ******* ********** ** *** *********** shareholder ** ************ **** ********* ** *** ******* surveillance ************ ** *** *****, ********* a ******** **** ********* ***** ** an ********** ******.

****

*****

** *** **** ****, **** ***** Hikvision ********* *** ******** ***** ** an ******** *********. ** ******, **********, you **** ** ****** ** *** trust *** **** ** *** ***** PRC ********** / ********* *****.

Comments (42)
Undisclosed Integrator #1
Jan 27, 2017

We are going to build a firewall in Hikvision and make the Chinese pay for it... :D

Robert Shih
Jan 27, 2017
Independent

The Communist government already built a firewall that their citizens pay for every day by not being able to browse freely on the internet or criticize their government online.

Sympathy for their people, curses upon their government.

Undisclosed #5
Jan 27, 2017
IPVMU Certified

We are going to build a firewall in Hikvision and make the customer pay for it... - Genetec

John Honovich
Jan 27, 2017
IPVM

One interesting element is that Hikvision has published this but kept it out of their official PR process / emails / trade publications.

This statement was published dated January 5, 2017 on their HQ English site. However, it was inserted in a new section (Security Center / Cybersecurity), not in their general press release section nor existing security notices. When we viewed it, it only had 90 total views, even though ostensibly it had been published 3 weeks ago.

We have found no other instance of Hikvision promoting this. The only source mentioning it was an Australian website that cited the statement but did not link to it.

Best guess is that Hikvision has been using this tactically on a case by case basis to respond to specific concerns across the world but did not want to draw broader attention with their normal marketing campaign approach. Any other theories or input here?

Armando Perez
Jan 27, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

Seems like a pretty strong statement. However, my concerns with Hikvision have nothing to do with backdoors.

Army of botnets

Plenty of machines with default credentials

Other unscrupulous uses of a massive network of connected devices that I can't put into words right now due to lack of sleep.

Undisclosed Integrator #6
Jan 27, 2017

I would add government subsidization contributing to unfair market competition to that list.

Related: I can feel other countries' pain pertaining to US subsidization of agriculture. Unfair practices are unfair practices both here and abroad.

Campbell Chang
Jan 29, 2017

Isn't this true of many sites though and not just Hikvision?

As it currently stands, Hik now forces you to activate and change the default credentials on each device you commission.

Armando Perez
Jan 30, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

Yes they do, that means nothing when it comes to alternate methods, which almost all machines have. I'm less comfortable with a government having control of those alternate methods as well directly or indirectly.

Eddie Perry
Jan 27, 2017

It is not a back door when the manufacturer leaves a "service port" open for the manufacturer, i.e. the Chinese government.

Undisclosed Manufacturer #2
Jan 27, 2017

"Intentionally" and "contribute" are interesting.  If they were to use a service or daemon that had a backdoor, but they didn't officially know about it.....

If this module were to be provided from another source, such as Big Brother, they can stick to their claim, all while someone still has these capabilities.

Undisclosed Manufacturer #3
Jan 27, 2017

The bottom line is that if people don't trust a company, it doesn't matter what they say. If they're really going to be nefarious and put backdoors into their products, do you expect them to be honest about it?

Jon Dillabaugh
Jan 27, 2017
Pro Focus LLC

If there is a backdoor, their US based tech support is certainly unaware of it.

Sean Nelson
Jan 27, 2017
Nelly's Security

Good for Hikvision to finally come out and address this concern. Would like to see ongoing activism by Hikvision to continue to strengthen the cyber security of their products and statements showing what they have done.

Undisclosed Distributor #4
Jan 27, 2017

I think there may be a language gap between china and the rest of the world as to what a "backdoor" is.  In my own words, a backdoor is a method of access into a product that is not published by the manufacturer and not made known to the customer either through ignorance or maliciousness.

The perfect example of this is the telnet entry into devices that is causing so many problems recently. I've spoken with manufacturers personally and asked why they would need this type of access to devices that are finished, production units and why would they use static credentials that grant root level access using the telnet protocol which was known to be insecure and obsolete over a decade ago. The answer I received was that they used it for "service purposes".

I could understand using this access method in a controlled environment of a service center by authorized personnel, but deploying finished products into the wild with this access enabled is irresponsible and, in my opinion, borders on criminal.

Undisclosed #5
Jan 27, 2017
IPVMU Certified

The word 'intentionally' is redundant, since backdoors are, by definition done intentionally. However, this is useful to emphasize that errors can occur that allow illicit access to products, even if the developer did not 'intend' to provide it.

IMHO, you are over-analyzing the language here, as if Hik is really trying to leave themselves an out, in case they are discovered to have allowed the government to place a backdoor in their product.

But as I have said before, people don't leave 'outs' in a statement when the offense is worse than the lie.

For instance, a murderer doesn't worry about being prosecuted for perjury.

An adulterer may craft a clever statement though, e.g. Bill Clinton.

Point is that Hik isn't planning on using as a defense: "We just said we wouldn't contribute to, not that we wouldn't allow a backdoor"

Because no one would care at that point.

John Honovich
Jan 27, 2017
IPVM

But as I have said before, people don't leave 'outs' in a statement when the offense is worse than the lie.

Because you said it before does not make it true.

My experience is that corporations tend to craft language in such a way that what is said is true even if the 'offense' occurs. We have an example just this week with Avigilon.

I do not know what is in Hikvision's mind. However, my experience is that when well-educated people choose more complex language (e.g., like this "contribute to the placement of 'backdoors'" instead of 'have') that it is generally done to provide a loophole so that they are not technically lying.

Again, I do not know what is in Hikvision's mind here nor do you. Let's see what other future statements they make and if the language becomes any more precise / simple.

Sean Nelson
Jan 27, 2017
Nelly's Security

Any large company with a good legal team will say stuff like this. They will never have an absolute answer for anything. I think Hikvision's intentions were good as well as Avigilon's, but to give an absolute answer to anything leaves them open to future issues should even the slightest bit of an incident should come up.

John Honovich
Jan 27, 2017
IPVM

should even the slightest bit of an incident should come up. 

Backdoors and direct end user sales are things that manufacturers inherently control, not 'incidents' that 'come up' randomly.

Undisclosed #5
Jan 27, 2017
IPVMU Certified

Because you said it before does not make it true.

It wasn't said as proof, only as reference, much like:

 

I do not know what is in Hikvision's mind...

Again, I do not know what is in Hikvision's mind here nor do you...

The Avigilon case actually supports what I am saying: Avigilon is being accused of selling direct sometimes, which if true would cause a good deal of fallout, no doubt.  

But they aren't being accused of a potentially criminally liable offense, i.e. privacy/espionage/cyberwarfare, so the 'hedge' would be little comfort.

Joseph Marotta
Jan 27, 2017
IPVMU Certified

Hikvision, equivocate much?  

Undisclosed Manufacturer #7
Jan 27, 2017

Aside from "backdoors", Hakvision is a major contributor (OEM and direct) to the lowering of profits, quality and value in the American video security industry through unfair trade practices, deceptive marketing and abstention of value-based selling. They have tricked hundreds of American companies into thinking they are forced to sell on lowest price because it's easier, which ends up lowering the sales skills of these small businesses and they don't even realize it. Volume goes up, profits go down, bottom line barely grows and meanwhile you have double the number of support calls and points of failure. Swimming in a red sea is a great way to drown.

"If you can't beat em, join em'" is a great way to poorly develop sales employees and set them up for failure in the future when you have to lay them off because of poor profits.

Undisclosed #9
Jan 27, 2017

Low profits are better than no profits because you didn't "join em"

Campbell Chang
Jan 29, 2017

To be honest, this argument sounds awfully similar to Uber vs Taxis.

Uber drivers don't have training, are unsafe blah blah.

But people largely ignored that and now Uber is permanently entrenched in society, along with half a dozen clones and none of those fears have panned out.

Same scenario for you guys.  You're the taxi cartel complaining about how Hik is unsafe, might have backdoors etc.  

Undisclosed #8
Jan 29, 2017

+1

Arguments create discussion

Discussion creates posts

Nothing else counts IMO

I wish we had a "sticky" folder with the name "bla bla BS Talk"

with all those types

Armando Perez
Jan 30, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

Hardly the same. Uber disrupted a market with innovation and a different mouse trap. Hik is disrupting a market with the use of Chinese government funds to destabilize it for (insert disputed purpose here). The security concerns are an entirely different concern and not the same argument at least in my opinion. I don't see Hikvision's disruptive innovation unless it is their pricing, which is no doubt possible because of the money source and to an extent currency games. That source just happens to bring up other concerns because the product in question is in the security space.

Marty Calhoun
Jan 27, 2017
IPVMU Certified

We remain a HIKVISION dealer, We will not change that position at any time in the near future. Pick it apart, word for word, completely out of context, blow it up bigger than Hillary's Email, beat the piss out of it, don't care. We have 1000's of cameras and systems online and have never had one go rogue, south or anything else even close. And if We thought they would for one second We would replace every NVR at our expense.

When the clock struck 2000, nothing happened.

And another point, We have rarely if ever been a LOW bidder, we are normally higher than everyone. So that run to bottom with HIKVISION is someone's imagination.

John Honovich
Jan 27, 2017
IPVM

Marty, how do you think Trump will feel when he hears Chinese government surveillance cameras are deployed on US military bases?

Armando Perez
Jan 27, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

Oh you're just stoking the fire now.

Jon Dillabaugh
Jan 27, 2017
Pro Focus LLC

He will likely overreact, as usual. He will ban the word China from all federal government agencies. Then he will blame it all on the Clintons and the liberal media. 

Undisclosed #5
Jan 27, 2017
IPVMU Certified

He will ban the word China from all federal government agencies...

Now if Russia just made a decent camera, that might be different...

Undisclosed #8
Jan 27, 2017
Undisclosed Manufacturer #7
Jan 27, 2017

 If you have 1000's of cameras online, then that's tens of thousands of dollars of your company directly supporting a communist government and unfair business practices, not to mention enhanced cyber security risks (all proven, not a 2K conspiracy theory).  Hillary would be proud. I give you major props for your sales team's ability to both sell Hik AND be the highest bidder normally. That is impressive in the USA market. With that kind of skill, you could sell any brand that isn't guilty of the aforementioned. 

Jon Dillabaugh
Jan 27, 2017
Pro Focus LLC

Which is it...?

a) supporting a communist gov by sending them profits

b) Hikvision products are subsidized by the Chinese gov

You cannot have both. Either they are making money, or they are not. Both statements cannot be true. 

Either the Chinese gov is profiting off of the sales of Hikvision products, or they are subsidizing the sales price, which is them losing money. 

I've never understood how people can claim both?

Undisclosed Manufacturer #7
Jan 27, 2017

c) Supporting a communist government, not necessarily by profits, but by a longer term more nefarious plan of infiltrating the world with Chinese government controlled tech.

d) anti-competitive predatory pricing model to force competitors out of the market and bar new ones from entering, topping market share, and then incrementally raising prices\reduce manufacturing costs via increased economy of scale and therefore increasing profits and then passing to the government. 

Undisclosed #9
Jan 27, 2017

Give me a break, you're supporting the Chinese Government in one way or another on nearly a daily basis. You can't buy hardly anything in this country without it having some Chinese part in it. Even your overpriced cameras of whatever "non-Chinese" brand you use are probably at least 50% made in China.

Just because you buy a product that isn't subsidized by the government doesn't mean you're not supporting their government. Anytime you buy a product that is made in a foreign country, you are essentially supporting that foreign country financially. Why do you think China is such a wealthy country?

I'm not saying we don't have unfair trade deals with China, but we are all guilty of doing business with China one way or another.

Undisclosed Manufacturer #7
Jan 27, 2017

It's not guilty to do business with China. I love most of my Chinese manufactured products (although most designed and QC'ed by other countries).

It's guilty, in my personal opinion, to do business with a Chinese government controlled and subsidized $6 Billion to perpetuate predatory pricing in the logical and physical security industry that has had several major security vulnerabilities (bit coin mining?? Chinese hacking of UK government Hik video systems??) in a security market that has infiltrated our government (court houses, US Embassies, military bases).

Marty Calhoun
Jan 27, 2017
IPVMU Certified

Do you use candles or light bulbs? Guess where they are made. Get over it!

Robert Tabbara
Jan 28, 2017

We need to get over the fact that we are no longer a manufacturing nation, the same way we got over it 140 years ago when we moved away from agriculture to something better. I know giving up on this will suck for many Americans that are 40+, that don't have a college degree and have worked all their life in a factory thinking things are set. Similar to the taxi driver that I met in NY 2 years ago that worked all his life to pay for his $1 M medallion thinking he was set to retire by leasing it and then witnessed a company called Uber crash his retirement dream. It sucks but nothing is guaranteed.

Let the Chinese be the laborers, while we focus our energy on innovation so we can build products like the iPhone that cost $90 to make in China and the Chinese are lining up to buy it for $800.

Undisclosed Manufacturer #10
Feb 03, 2017

You don't need a back door if you are sending it out the front door.

Undisclosed #11
Feb 04, 2017

Hikvision never has, does or would intentionally contribute to the placement of “backdoors” in its products.

What is interesting about this statement is that it allows for HV to allow the government to install backdoors in various parts of the product offerings.  In the networking components, the processors, the firmware - any number of things can be contributed that HV would not do on their own.

HV never has intentionally contribute(d) to the placement of "backdoors" says they did not do it for their own purposes, but may have to place other backdoors through other pieces of code required by the Chinese government.

HV never does intentionally contribute to the placement of "backdoors" again says they did not do it for their own purposes, but may have to place other backdoors through other pieces of code required by the Chinese government.

HV never would intentionally contribute to the placement of "backdoors" yet again says they did not do it for their own purposes, but may have to place other backdoors through other pieces of code required by the Chinese government.

I love parsing political English.

Kind of like: "the largest audience ever to witness an inauguration, period, both in person and around the globe"

Sure - it was pretty well watched in person, on TV and over social media (which was not in full swing in 2008), so technically - he was likely correct. But the addition of the "period" certainly helped the other side.

Undisclosed #5
Feb 04, 2017
IPVMU Certified

What is interesting about this statement is that it allows for HV to allow the government to install backdoors in various parts of the product offerings.

Do you really think Hikvision crafted the language so that if caught they could say "we told the truth, we did not contribute. The government did it for their own purposes"?

If you don't think that, then why would they even bother being cagey?

Undisclosed #12
Feb 04, 2017

The toughest security Sony has is that darned password on their Ipela datasheets. /facepalm.

Security is vast, especially phone home applications, static one time firmware flashing for system bios, meeting NIST, NERC and BestBuy Geek Squad requirements.

I can foresee Hikvision launching a GSA, buy America line. Why not? all they need is a brick and mortar residence to attenuate to the line of: Research & Development, Manufacturing/Production and Distribution.

Perhaps I may be wrong, but I do not see why it is not possible. One could fancy a PR move by supplying FREE (hikvision) dash cams to Uber drivers......catch my drift? Soon Hikvision is a household name not just a security device manufacturer.