Hikvision Pledges 'Never' 'Backdoors'

By: John Honovich, Published on Jan 27, 2017

With criticisms rising, Hikvision has gone on the record publicly declaring [link no longer available]:

Hikvision never has, does or would intentionally contribute to the placement of “backdoors” in its products.

One indisputable point is that Hikvision is clearly feeling pain here to force such a public response.

Statement Analyzed

A key question is how the statement is structured. 

**** ********** ******, ********* has **** ** *** record ******** ********* [**** no ****** *********]:

********* ***** ***, **** or ***** ************* ********** to *** ********* ** “backdoors” ** *** ********.

*** ************ ***** ** that ********* ** ******* ******* pain **** ** ***** **** a ****** ********.

Statement ********

* *** ******** ** how *** ********* ** structured. 

[***************]

********* ***** ***, **** or *****

***** '*****' ** * strong, *********** **** *** is * ******** *** communicating * ***** *******.

*************

*** **** '*************' ** redundant, ***** ********* ***, by ********** **** *************. However, **** ** ****** to ********* **** ****** can ***** **** ***** illicit ****** ** ********, even ** *** ********* did *** '******' ** provide **.

********** ** *** *********

*** '**********' ********* *** 'never' *********, ****** ********** and unclarity.

*******************

* *******, **** ********** statement ***** **:

[******** ****] ********* ***** ***, **** or ***** ************* **** “*********” ** *** ********.

**** *******, **** ****** statement ***** ********* *** potential ******** ***** '**********'.

China ********** ******* ******** 

** **********, ***** ********* allow ***** ******* ********** superiors ** ***** * backdoor ** ***** ********? In **** ********, ********* itself ***** *** ** actively '************' ** *** placement, **** ***** **** allow **.

**** ** * ********* matter ** ******** ********** *** ** extensive ****** ** ***** attacks. *** ***** ******* ******* ********** ** the *********** *********** ** Hikvision*** **** ********* ** the ******* ************ ************ in *** *****, ********* a ******** **** ********* would ** ** ********** target.

****

***** 

** *** **** ****, this ***** ********* ********* and ******** ***** ** an ******** *********. ** ******, ultimately, *** **** ** decide ** *** ***** the **** ** *** China *** ********** / Communist *****.

Comments (42)

We are going to build a firewall in Hikvision and make the chinese pay for it...  :D

The Communist government already built a firewall that their citizens pay for every day by not being able to browse freely on the internet or criticize their government online.

Sympathy for their people, curses upon their government.

We are going to build a firewall in Hikvision and make the customer pay for it... - Genetec

One interesting element is that Hikvision has published this but kept it out of their official PR process / emails / trade publications.

This statement was published dated January 5, 2017 on their HQ English site. However, it was inserted in a new section (Security Center / Cybersecurity), not in their general press release section nor existing security notices. When we viewed it, it only had 90 total views, even though ostensibly it had been published 3 weeks ago.

We have found no other instant of Hikvision promoting this. The only source mentioning it was an Australian website that cited the statement but did not link to it.

Best guess is that Hikvision has been using this tactically on a case by case basis to respond to specific concerns across the world but did not want to draw broader attention with their normal marketing campaign approach. Any other theories or input here?

Seems like a pretty strong statement. However, my concerns with hikvision have nothing to do with backdoors.

Army of botnets

Plenty of machines with default credentials

Other unscrupulous uses of a massive network of connected devices that I can't put into words right now due to lack of sleep.

I would add government subsidization contributing to unfair market competition to that list.

Related:  I can feel other country's pain pertaining to US subsidization of agriculture.  Unfair practices are unfair practices both here and abroad.

Isn't this true of many sites though and not just Hikvision?

As it currently stands, Hik now forces you to activate and change the default credentials on each device you commission.

Yes they do, that means nothing when it comes to alternate methods, which almost all machines have. I'm less comfortable with a government having control of those alternate methods as well directly or indirectly.

It is not a back door when the manufacturer leaves a "service Port" open for the manufacturer, I.E. the Chinese government 

"Intentionally" and "contribute" are interesting.  If they were to use a service or daemon that had a backdoor, but they didn't officially know about it.....

If this module were to be provided from another source, such as Big Brother, they can stick to their claim, all while someone still has these capabilities.

The bottom line is that if people don't trust a company, it doesn't matter what they say.  If they're really going be nefarious and put backdoors into their products, do you expect them to be honest about it?

If there is a backdoor, their US based tech support is certainly unaware of it.

Good for Hikvision to finally come out and address this concern. Would like to see ongoing activism by Hikvision to continue to strengthen the cyber security of their products and statements showing what they have done.

I think there may be a language gap between china and the rest of the world as to what a "backdoor" is.  In my own words, a backdoor is a method of access into a product that is not published by the manufacturer and not made known to the customer either through ignorance or maliciousness.

The perfect example of this is the telnet entry into devices that is causing so many problems recently.  I've spoke with manufacturers personally and asked why they would need this type of access to devices that are finished, production units and why would they use static credentials that grant root level access using the telnet protocol which was known to be insecure and obsolete over a decade ago.  The answer I received was that they used it for "service purposes".

I could understand using this access method in a controlled environment of a service center by authorized personnel, but deploying finished products into the wild with this access enabled is irresponsible and, in my opinion, borders on criminal.

The word 'intentionally' is redundant, since backdoors are, by definition done intentionally. However, this is useful to emphasize that errors can occur that allow illicit access to products, even if the developer did not 'intend' to provide it.

IMHO, you are over-analyzing the language here, as if Hik is really trying to leave themselves an out, in case they are discovered to have allowed the government to place a backdoor in their product.

But as I have said before, people don't leave 'outs' in a statement when the offense is worse than the lie.

For instance, a murderer doesn't worry about being prosecuted for perjury.

An adulterer may craft a clever statement though, e.g. Bill Clinton.

Point is that Hik isn't planning on using as a defense:  "We just said we wouldn't contribute tonot that wouldn't allow a backdoor"

Because no one would care at that point.

But as I have said before, people don't leave 'outs' in a statement when the offense is worse than the lie.

Because you said it before does not make it true.

My experience is that corporations tend to craft language in such a way that what is said is true even if the 'offense' occurs. We have an example just this week with Avigilon.

I do not know what is in Hikvision's mind. However, my experience is that when well-educated people choose more complex language (e.g., like this "contribute to the placement of 'backdoors" instead of 'have') that it is generally done to provide a loophole so that they are not technically lying.

Again, I do not know what is in Hikvision's mind here nor do you. Let's see what other future statement they make and if the language becomes any more precise / simple.

Any large company with a good legal team will say stuff like this. They will never have an absolute answer for anything. I think Hikvisions intentions were good as well as Avigilons, but to give an absolute answer to anything leaves them open to future issues should even the slightest bit of an incident should come up. 

should even the slightest bit of an incident should come up. 

Backdoors and direct end user sales are things that manufacturers inherently control, not 'incidents' that 'come up' randomly.

Because you said it before does not make it true.

It wasn't said as proof, only as reference, much like:

 

I do not know what is in Hikvision's mind...

Again, I do not know what is in Hikvision's mind here nor do you...

The Avigilon case actually supports what I am saying: Avigilon is being accused of selling direct sometimes, which if true would cause a good deal of fallout, no doubt.  

But they aren't being accused of a potentially criminally liable offense, i.e. privacy/espionage/cyberwarfare, so the 'hedge' would be little comfort.

Hikvision, equivocate much?  

Aside from "backdoors", Hakvision is a major contributor (OEM and direct) to the lowering of profits, quality and value in the American video security industry through unfair trade practices, deceptive marketing and abstention of value-based selling. They have tricked hundreds of American companies into thinking they are forced to sell on lowest price because its easier which ends up lowering the sales skills of these small businesses and they don't even realize it.   Volume goes up, profits go down, bottom line barely grows and meanwhile you have double the number of support calls and points of failure. Swimming in a red sea is a great way to drown. 

"If you can't beat em, join em'" is a great way to poorly develop sales employees and set them up for failure in the future when you have to lay them off because of poor profits.

low profits are better than no profits because you didnt "join em"

To be honest, this argument sounds awfully similar to Uber vs Taxis.

Uber drivers don't have training, are unsafe blah blah.

But people largely ignored that and now Uber is permanently entrenched in society, along with half a dozen clones and none of those fears have panned out.

Same scenario for you guys.  You're the taxi cartel complaining about how Hik is unsafe, might have backdoors etc.  

+1

Arguments creates discussion

Discussion creates posts

Nothing else counts IMO

I wish we have "sticky" folder with name "bla bla BS Talk"

with all those types

Hardly the same. Uber disrupted a market with innovation and a different mouse trap. Hik is disrupting a market with the use of chinese government funds to destabilize it for (insert disputed purpose here). The security concerns are an entirely different concern and not the same argument at least in my opinion.  I don't see hikvisions disruptive innovation unless it is their pricing, which is no doubt possible because of the money source and to an extent currency games. That source just happens to bring up other concerns because the product in question is in the security space.

We remain a HIKVISION dealer, We will not change that position at any time in the near future. Pick it a part, word for word, completely out of context, blow it up bigger than Hillary's Email, beat the piss out of it, dont care. We have 1000'S of cameras and systems online and have never had one go rouge, south or anything else even close. And if We thought they would for one second We would replace every NVR at our expense.

When the clock struck 2000, nothing happened.

And another point, We have rarely if ever been a LOW bidder, we are normally higher than everyone. So that run to bottom with HIKVISION is someones imagination.

Marty, how do you think Trump will feel when he hears Chinese government surveillance cameras are deployed on US military bases?

Oh you're just stoking the fire now.

He will likely overreact, as usual. He will ban the word China from all federal government agencies. Then he will blame it all on the Clintons and the liberal media. 

He will ban the word China from all federal government agencies...

Now if Russia just made a decent camera, that might be different...

Read it and sent e-mail to Trump :)

the-russian-emigre-leading-the-fight-to-protect-america/

 If you have 1000's of cameras online, then that's tens of thousands of dollars of your company directly supporting a communist government and unfair business practices, not to mention enhanced cyber security risks (all proven, not a 2K conspiracy theory).  Hillary would be proud. I give you major props for your sales team's ability to both sell Hik AND be the highest bidder normally. That is impressive in the USA market. With that kind of skill, you could sell any brand that isn't guilty of the aforementioned. 

Which is it...?

a) supporting a communist gov by sending them profits

b) Hikvision products are subsidized by the Chinese gov

You cannot have both. Either they are making money, or they are not. Both statements cannot be true. 

Either the Chinese gov is profiting off of the sales of Hikvision products, or they are subsidizing the sales price, which is them losing money. 

I've never understood how people can claim both?

c) Supporting a communist government, not necessarily by profits, but by a longer term more nefarious plan of infiltrating the world with Chinese government controlled tech.

d) anti-competitive predatory pricing model to force competitors out of the market and bar new ones from entering, topping market share, and then incrementally raising prices\reduce manufacturing costs via increased economy of scale and therefore increasing profits and then passing to the government. 

Give me a break, your supporting the Chinese Government in one way or another on nearly a daily basis. You cant buy hardly anything in this country without it having some Chinese part in it. Even your overpriced cameras of whatever "non-chinese" brand you use are probably atleast 50% made in China.

Just because you buy a product that isnt subsidized by the government doesnt mean your not supporting their government. Anytime you buy a product that is made in a foreign country, you are essentially supporting that foreign country finanically. Why do you think China is such a wealthy country?

Im not saying we dont have unfair trade deals with China, but we are all guilty of doing business with China one way or another. 

Its not guilty to do business with China. I love most of my Chinese manufactured products (although most designed and QC'ed by other countries).

Its guilty, in my personal opinion, to do business with a Chinese government controlled and subsidized $6 Billion to perpetuate predatory pricing in the logical and physical security industry that has had several major security vulnerabilities (bit coin mining?? Chinese hacking of UK government Hik video systems??) in a security market that has infiltrated our government (court houses, US Embassies, military bases). 

Do you use candles or light bulbs? Guess where they are made. Get over it!

We need to get over the fact that  we are no longer a manufacturing  nation, the same way we got over it 140 years ago when we moved away from agriculture to something  better. I know giving up on this will suck for many Americans that  are 40+, that don't have a college degree and have worked all their life in a factory thinking  things are set. Similar to the Taxi driver that I met in NY 2 years ago that worked all his life to pay for his $1 M medallion thinking he set  to retire by leasing it and then witness a company  called  uber crash his retirement dream. It sucks but nothing  is guaranteed . 

Let the Chinese  be the laborers, while we focus our energy on innovation so we can build products  like the iPhone  that cost  $90 to make in China and the Chinese  are lining up to buy it for $800.

You don't need a back door if you are sending it out the front door.

Hikvision never has, does or would intentionally contribute to the placement of “backdoors” in its products.

What is interesting about this statement is that it allows for HV to allow the government to install backdoors in various parts of the product offerings.  In the networking components, the processors, the firmware - any number of things can be contributed that HV would not do on their own.

HV never has intentionally contribute(d) to the placement of "backdoors" says they did not do it for their own purposes, but may have to place other backdoors through other piece of code required by the Chinese government.

HV never does intentionally contribute to the placement of "backdoors" again says they did not do it for their own purposes, but may have to place other backdoors through other piece of code required by the Chinese government.

HV never would intentionally contribute to the placement of "backdoors" yet again says they did not do it for their own purposes, but may have to place other backdoors through other piece of code required by the Chinese government.

I love parsing political English.

Kind of like: "the largest audience ever to witness an inauguration, period, both in person and around the globe"

Sure - it was pretty well watched in person, on TV and over social media (which was not in full swing in 2008), so technically - he was likely correct.  But the addition of the "period" was certainly helped the other side.

What is interesting about this statement is that it allows for HV to allow the government to install backdoors in various parts of the product offerings.

Do you really think Hikvision crafted the language so that if caught they could say "we told the truth, we did not contribute. the government did it for their own purposes"?

If you don't think that, then why would they even bother being cagey?

The toughest security Sony has is that darned password on their Ipela datasheets. /facepalm.

Security is vast, especially phone home applications, static one time firmware flashing for system bios, meeting NIST, NERC and BestBuy Geek Squad requirements.

I can foresee Hikvision launching a GSA, buy America line. Why not? all they need is a brick and mortar residence to attenuate to the line of: Research & Development, Manufacturing/Production and Distribution.

Perhaps I may be wrong, but I do not see why it is not possible. One could fancy a PR move by supplying FREE (hikvision) dash cams to Uber drivers......catch my drift? Soon Hikvision is a household name not just a security device manufacturer.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Bloomberg Warns Of Huawei Hisilicon IP Camera Usage on Jan 30, 2019
Bloomberg has picked up IPVM's December exclusive - "Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices" and ran its own...
First US State, Vermont, Bans Dahua and Hikvision on Feb 21, 2019
The first US state, Vermont, has issued a ban on a number of Chinese and Russian manufacturers including the world's 2 largest video surveillance...
Dahua and Hikvision Products Illegally Sold To US Government GSA on May 06, 2019
Dahua and Hikvision products are being widely and illegally sold to the US government GSA. The sellers are falsely claiming these China products to...
Hikvision VP On Muslim Oppression on May 14, 2019
Hikvision has won tens of millions of dollars, at least, in direct contracts with the Chinese government that oppresses Muslims, including a forced...
Trump Signs 'Huawei Ban' - Executive Order Targeting Foreign Adversary Technology on May 16, 2019
US President Donald Trump has signed an executive order targeting technology provided by 'foreign adversaries', in what is widely being called a...
Dahua, Hikvision, Huawei US Ban Rules Released on Aug 08, 2019
The US government has released rules on how the 2018 NDAA ban of Dahua, Hikvision, and Huawei will be implemented when it takes effect in 5...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
US - China Review Commission Cites IPVM on Foreign Provider Threat on Oct 01, 2019
A bipartisan congressional commission cited IPVM twice in its analysis of how the PRC government protects its surveillance firms from foreign...
US Issues Criminal Charges Against Aventura For Fraudulently Selling Hikvision And Other China Products on Nov 07, 2019
The US government has made an unprecedented move on the video surveillance supply chain, charging a US company, Aventura for "having conspired with...

Most Recent Industry Reports

Brivo Business Profile 2020 on Jan 27, 2020
Brivo has been doing cloud access for more than 20 years. Is the 2020s the decade that cloud access becomes the norm? CEO Steve Van Till recently...
Favorite VMS / NVR Manufacturers 2020 on Jan 27, 2020
In 2018, a new winner emerged and a former top choice declined. Now, there is a new #1, a new top 5 finisher and 2 major VMSes in decline. Our...
"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...
Intersec 2020 Final Show Report on Jan 21, 2020
IPVM spent all 3 days at the Intersec 2020 show interviewing various companies and finding key trends. We cover: Middle East Enterprise...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...