Hikvision CSO Denies Backdoor, Denies Government Control

By John Honovich, Published Oct 20, 2021, 07:58am EDT

Hikvision's DPO/CSO Fred Streefland has fired back, issuing Hikvision's most blunt and public statement alleging that Hikvision's 2017 backdoor was not a backdoor and that Hikvision is not controlled by the PRC.

Streefland also had words for an Axis Communications employee, telling the employee that Axis has more CVEs than Hikvision.

IPVM released a video covering Hikvision's most recent critical vulnerability and its history of issues, embedded below:

*********'*********** ****** * ******** rebuttal** **** ***** ****** on ********, ****** ** full *****:

************, ********** ********* ** an **** ******** ** the **** ******:

Backdoor ** *********

********* *** ********** *******:

*** **** '********' *** a '*************' *** *** a ******** (**********, **** doesn't ********** *** ********** between * ******** *** a *************);

** ********, *** ********** that ***** ********** ** *** * backdoor, ******:

* ******** **** ****** unauthenticated ************* ** *** configured **** *******... *** vulnerability ** ******* ** exploit

********* ******** * ***** string **** ******* ******* access ** *** ******, regardless ** **** *** admin ******** ***. *** that ****** *** ********* this ****** ** ********* camera ********:

?****=************

***** ******* ** *** magically ****** ********** **** code. ********* ******** **** magic ****** ** *** code, ***** *** ***** below ** *** *** it ******:

*** ********* ******** **** magic ******, ********* *** never ******** *********. *** clear ************** ** *** 2017 ******** ** ********* than *** *** **** critical *************. *** **** ************* ***** of ******* ** *** disclosed *** ** ********** here, *** **********.

*** *** ****,********* ******** ********:

**. ********* **** *** have ********** ********* ** our ********

***** ***** ***, ** asked *********, "*** ********* update **** ** *** "Hikvision **** *** **** any ********* ** *** products"? **** ***, ********* would ** ** *** record ********* ** ********* of *** ****, *** simply ******* ** '**********' ones."

** ******** *** ******** and ** ******* ** that *********** **** **** made.

* ********** ******* ********* they "** *** **** government *********" ** **** someone ******* *** * drink *** ******** ***, "I *** *** ****** this **** *******."

Government ******* **** *********

********* *** ********** **** alleged:

********* ** *** * 'PRC ******** & ********** company'; **'* * ****** company **** **** **** 58% ** *** ***** in ******;

** ********, *********'* *** annual ********* ****** ***** clear **** ************** ************* "******* *****-*****":

*** *********'* **************** ********* ** ** a "*****-***** *******"** **** **** ** Jinping ******* *********. ***** more ***** *********'* ********* and ******* ****:

*********'********** ** ** ****** Affairs ******* *********** ************** *** ** Director **** **** ********** *** ******* ** IPVM's ******* *** ********, despite ***** ***** **** days ***** ** **********. Nonetheless, ********* ******* ***** who ***** *********** *********** is *** **** ** the *** **********.

** ********, ***********'* ****** *** **********, *********'* ********* ** not **** **** *** PRC ********** ** ***** controlling ***********, **** ****** omit **** ******** *********** and ***** **** **** is *** ******** ** day ** *** **********:

*** ******* *********** ** China *********** ********** ***** Corporation (“****”), * ******* state-owned **********, **** ** not ******** ** *** day-to-day ********** ** *** company[.]

*******, ** *********'* *** financial ******* ****, *** controlling *********** ** ******, a ********** **** ******* specifically ** *** *********. The ******** ** ****** and ********* ** *** same ***—**** ********.

*************, ** *** **** filing, ********* ***** **** if *** *** ******* influence **** ********* ** would *** ****** ******* of *** ******* *** firewalling:

******, **** ** *** Chinese *****-***** ********** *** exert *********** ********* **** Hikvision, ***** ***** ** no ****** ** ******** businesses *** ********* **, again, *** ***** ** the ****** ****** ****** Hikvision’s ******* ** **** they *** ********** ** logically ******** **** ****************** networks, ** ** ** Internet-connected **********, *** ********* using ***** *** *********.

** ******, ********* ***** that ** * ******** argument ** **** **** long ********** ********* *** to ******* ***** ** devices ** *** ******** (*.*., **** **** ********* document).

*VE ********** ********* *** *********

********* *** ********** **** alleged:

***** *** ********** ** Hikvision (****), **** ** vulnerabilities (****) **** **** detected ** *** ********* devices, ** ** *** compare **** ****** **** with ***** *******, **** you **** ***** **** Hikvision ***** ***** ******** very *********;

** ************ ********* ** Axis ************** ********:

****** ******* *** ******* of *************** (****) ******* Axis *** ********* *** you ***** **** ** different **********!

******* ******** ***** ** CVEs ** **** ******* intelligence ***** ** *** many ***** ****** ***** they *** *****. ** that **** *** ****, Donald ***** ***** ** the *****'* ******** ******.

***** **** ****** *********:

**.*** ******* *** *** a **** ****** ** rank ******** ** ***** "overall ********".

*** **** **** ****** the *** ****** ** to ****** ****** *********** for ******** ***************. **'* not ******** ** ** a ******** *** ******** database ** *** ***** vulnerabilities ** *** *******. That **, * ****** or ********** ***** ****** decide ** *** ******* a *** ****** *** a ***** ****. *******, entries ********* ******* ******* bugs ***** * ****** ID ** ***'* ******** the ***** ******, ****** a ****** "*** *****" a ****** *********** ******** criterion. ****, *** * ranking ***'* **** ** find ******** ******* ** compare ********* **********. (*** many *** **** ***** a ****** **** *********...?)

********** ***** **** **** do *** ***** *** many *************** "**** **** detected", ** ****** *** many **** **** ******** admitted. ********* ***** **** argument ************ **** ** hide *** ***************, * particular ******* ***** **** Hikvision **********, **** **********, cannot **** *********** ***** disclosed ** *** *******'* own *******.

Comments (11)

** **** *** **** backdoor *** ******** * "vulnerability", **** * ***** of **** ******* ****** this ********* ****** ** position ********* ** *** a ************* ****.

*** ***** ****** *** clearly ********** ******. ** wasn't *** ****** ** a ***, * ****** over ***, ***. ** was **** *** ***** explicitly ** ******* *****-***** commands ******* ********* ***** credentials.

**, ********* ** ********* to ************ ******* *************** into ***** ********, *** at *** **** **** trying ** *** **** take ***** ******** *********?

Agree: 19
Disagree: 3
Informative: 1
Unhelpful: 1
Funny: 2

**** **** *****, *'* like ** **** *** Hik ***'* ****** ** the ***** ******.

Agree: 1
Disagree
Informative
Unhelpful: 1
Funny: 2

*** ********** ** **** is ******. **'* *** about ** ** ** when *** ********. *** difference ** ** *** the ******** ** ******* out. **** ** *** years ***** *** ** are ***** ******* **** truths **** **** ******* whereas **** *********** ************. The ********** **** ***** the ************* **** ** was ** ****** ** exploit **** ** ******'* fathom **** **** ********* missing **. **** ****** be ******* ** ******* and ***** ** ****** won't ****. ****, ***** own *********** ***** ****** a **** ************ **** the ***. **** **** nothing *** ********* ****'* cred.

Agree: 3
Disagree
Informative: 1
Unhelpful: 1
Funny

****** ****** ** ****** for *** ***** *** seeing *** ****** ******** at *** "****", ****** within *** ******* ***** hack **** *** ** their **** *** *** to *******, **** ***** get ** ***** ****** of ******* **** ** China.

*** ********** ** *** easy *** ********* *** into ********* ******** *** as **** ** ******* on * ********** ** recess ** * ***** in ********** ******.

*** * *** ********* doing *** **** ***** they **** **** *** years *** ** ** similar ** ******** *****, deny, ****, ****.... *** if *** *** ******, spin *** *****, ***** wrong, *** ** ***** to ***** ** ** you.

Agree: 2
Disagree
Informative: 2
Unhelpful
Funny: 1

*'* *** ********* *** at ***, *** *** installer/integrator/owner-operator ** *** *******(*) should **** ** *********** for ******** *** ** Camera ******* **** ****/******** rules/etc.

**** **********/***-**** ***** ***** barely **** *** ** open ***** ** * router *** ***** *** up * ****** *** from ***** ****** ** view *** *******/***.

"** ** *** **** to *** * *** app **** **** * want ** **** ** the *******, ***'* ** just **** ******* *** use *****/**** ** *** my ********* *** ****** view *** ******* **** anywhere?"

**** **** ***** ****, cloud ******/******** *** ******** more *** **** ******, but ****'* ******* ***** to *******, ***** *** pros/cons *****, ** ****.

Agree: 3
Disagree
Informative
Unhelpful
Funny

?****=************

$ **** -** '************' | ****** -*

*****:**

Agree: 2
Disagree
Informative: 5
Unhelpful
Funny

**, ****'* *******. * hadn't ******* ****. *********** ****** ** **** disclosure **** **** (******** *****):

*** ****** ******** ******* checks *** *** ******** of * ********* ***** "auth" ** *** ***** string *** if **** ********* ******** * ******-******* "********:********" ******, the HikCGI API call assumes the identity of the specified user. The ******** ** *******.

********* *** ********* ******** come **** * ********* account ***** "*****", ***** can ** ****** ************.

** ***********, ************ ** just ********* *** *** ***. You *** **** *** in **** ************ (*****:***), for *******. *** ** in ******:****://*****************.******.***/*****-****/********?****=************

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

*** ****, **** * quick ********.................

*** **** *** *** get **** *** *** comments ******** ** **** article?

* **** **** ** know *** **** ** costs ** *** *** an *********.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 2

…** **** ******* ******* you * ***** *** assuring ***, "* *** not ****** **** **** hemlock."

******** ********* :)

Agree
Disagree
Informative
Unhelpful
Funny

***** **** *** *** government ** *********** ****'* back ****.

Agree
Disagree
Informative
Unhelpful
Funny: 1

*********'* *** *** *********** ** **'* ********* saying:

** **** *********, ********* are ***** *********** ** products ** ************* ** support ***********, *******, ** maintenance ********* – *** these ********* *** *** removed ** ********.

***** ** **** *** explicitly ******* **** ***********'* **** ********, **** ** *** closest ** **** **** any ********* ******** ******* how *** ******* ******** was *****.

** **** **** ** to *** "******* ** backdoors **********" ******* *** users *** ***********:

*** ***-***** *** *** these ******* *** *********** for *** ****/***** ******* they ********...

** **** ******* **** backdoors ***’* ** **** to *** ** *********, individuals, ** *******. *** security ******** ***** **** devices, ********, *** **** centres, ******** **** ***-***** data-protection ****************, **** ********* and ***** ******* ** backdoors **********.

** **** ** / when ********* **** ********* in ***** ********, ** is *** ***** ** users.

Agree
Disagree
Informative
Unhelpful
Funny: 2