Hikvision CSO Denies Backdoor, Denies Government Control
Hikvision's DPO/CSO Fred Streefland has fired back, issuing Hikvision's most blunt and public statement alleging that Hikvision's 2017 backdoor was not a backdoor and that Hikvision is not controlled by the PRC.
Streefland also had words for an Axis Communications employee, telling the employee that Axis has more CVEs than Hikvision.
IPVM released a video covering Hikvision's most recent critical vulnerability and its history of issues.
*********'*********** ****** * ******** ********** **** ***** ****** ** ********, copied ** **** *****:
************, ********** ********* ** ** **** employee ** *** **** ******:
Backdoor ** *********
********* *** ********** *******:
*** **** '********' *** * '*************' and *** * ******** (**********, **** doesn't ********** *** ********** ******* * backdoor *** * *************);
** ********, *** ********** **** ***** it******** ** *** * ********, ******:
* ******** **** ****** *************** ************* of *** ********** **** *******... *** vulnerability ** ******* ** *******
********* ******** * ***** ****** **** allowed ******* ****** ** *** ******, regardless ** **** *** ***** ******** was. *** **** ****** *** ********* this ****** ** ********* ****** ********:
?****=************
***** ******* ** *** ********* ****** themselves **** ****. ********* ******** **** magic ****** ** *** ****, ***** the ***** ***** ** *** *** it ******:
*** ********* ******** **** ***** ******, Hikvision *** ***** ******** *********. *** clear ************** ** *** **** ******** is ********* **** *** *** **** critical *************.*** **** ************* ***** ** ******* is *** ********* *** ** ********** here, *** **********.
*** *** ****,********* ******** ********:
**. ********* **** *** **** ********** backdoors ** *** ********
***** ***** ***, ** ***** *********, "Can ********* ****** **** ** *** "Hikvision **** *** **** *** ********* in *** ********"? **** ***, ********* would ** ** *** ****** ********* no ********* ** *** ****, *** simply ******* ** '**********' ****."
** ******** *** ******** *** ** changes ** **** *********** **** **** made.
* ********** ******* ********* **** "** not **** ********** *********" ** **** someone ******* *** * ***** *** assuring ***, "* *** *** ****** this **** *******."
Government ******* **** *********
********* *** ********** **** *******:
********* ** *** * '*** ******** & ********** *******'; **'* * ****** company **** **** **** **% ** the ***** ** ******;
** ********, *********'* *** ****** ********* report ***** ***** **** ************** ************* "******* *****-*****":
*** *********'* **************** ********* ** ** * "*****-***** company"** **** **** ** ******* ******* Hikvision. ***** **** ***** *********'* ********* and ******* ****:
*********'********** ** ** ****** ******* ******* He********* ************** *** ** ******** **** Erik ********** *** ******* ** ****'* ******* for ********, ******* ***** ***** **** days ***** ** **********. ***********, ********* clearly ***** *** ***** *********** *********** is *** **** ** *** *** government.
** ********, ***********'* ****** *** **********, *********'* ********* ** *** **** that *** *** ********** ** ***** controlling ***********, **** ****** **** **** material *********** *** ***** **** **** is *** ******** ** *** ** day **********:
*** ******* *********** ** ***** *********** Technology ***** *********** (“****”), * ******* state-owned **********, **** ** *** ******** in *** ***-**-*** ********** ** *** company[.]
*******, ** *********'* *** ********* ******* show, *** *********** *********** ** ******, a ********** **** ******* ************ ** run *********. *** ******** ** ****** and ********* ** *** **** ***—**** ********.
*************, ** *** **** ******, ********* muses **** ** *** *** ******* influence **** ********* ** ***** *** matter ******* ** *** ******* *** firewalling:
******, **** ** *** ******* *****-***** enterprise *** ***** *********** ********* **** Hikvision, ***** ***** ** ** ****** to ******** ********** *** ********* **, again, *** ***** ** *** ****** States ****** *********’* ******* ** **** they *** ********** ** ********* ******** from ****************** ********, ** ** ** Internet-connected **********, *** ********* ***** ***** and *********.
** ******, ********* ***** **** ** a ******** ******** ** **** **** long ********** ********* *** ** ******* their ** ******* ** *** ******** (*.*., **** **** ********* ********).
*VE ********** ********* *** *********
********* *** ********** **** *******:
***** *** ********** ** ********* (****), ONLY ** *************** (****) **** **** detected ** *** ********* *******, ** if *** ******* **** ****** **** with ***** *******, **** *** **** admit **** ********* ***** ***** ******** very *********;
** ************ ********* ** **** ************** employee:
****** ******* *** ******* ** *************** (CVEs) ******* **** *** ********* *** you ***** **** ** ********* **********!
******* ******** ***** ** **** ** like ******* ************ ***** ** *** many ***** ****** ***** **** *** wrong. ** **** **** *** ****, Donald ***** ***** ** *** *****'* smartest ******.
**.*** ******* *** *** * **** source ** **** ******** ** ***** "overall ********".
*** **** **** ****** *** *** system ** ** ****** ****** *********** for ******** ***************. **'* *** ******** to ** * ******** *** ******** database ** *** ***** *************** ** any *******. **** **, * ****** or ********** ***** ****** ****** ** not ******* * *** ****** *** a ***** ****. *******, ******* ********* combine ******* **** ***** * ****** ID ** ***'* ******** *** ***** impact, ****** * ****** "*** *****" a ****** *********** ******** *********. ****, for * ******* ***'* **** ** find ******** ******* ** ******* ********* severities. (*** **** *** **** ***** a ****** **** *********...?)
********** ***** **** **** ** *** track *** **** *************** "**** **** detected", ** ****** *** **** **** been ******** ********. ********* ***** **** argument ************ **** ** **** *** vulnerabilities, * ********** ******* ***** **** Hikvision **********, **** **********, ****** **** acknowledge ***** ********* ** *** *******'* own *******.
*** ********** ** **** ** ******. It's *** ***** ** ** ** when *** ********. *** ********** ** in *** *** ******** ** ******* out. **** ** *** ***** ***** and ** *** ***** ******* **** truths **** **** ******* ******* **** proactively ************. *** ********** **** ***** the ************* **** ** *** ** simple ** ******* **** ** ******'* fathom **** **** ********* ******* **. Fred ****** ** ******* ** ******* and ***** ** ****** ***'* ****. Also, ***** *** *********** ***** ****** a **** ************ **** *** ***. This **** ******* *** ********* ****'* cred.
****** ****** ** ****** *** *** years *** ****** *** ****** ******** at *** "****", ****** ****** *** company ***** **** **** *** ** their **** *** *** ** *******, they ***** *** ** ***** ****** of ******* **** ** *****.
*** ********** ** *** **** *** engineers *** **** ********* ******** *** as **** ** ******* ** * playground ** ****** ** * ***** in ********** ******.
*** * *** ********* ***** *** same ***** **** **** **** *** years *** ** ** ******* ** politics *****, ****, ****, ****.... *** if *** *** ******, **** *** truth, ***** *****, *** ** ***** to ***** ** ** ***.
*'* *** ********* *** ** ***, but *** *********/**********/*****-******** ** *** *******(*) should **** ** *********** *** ******** the ** ****** ******* **** ****/******** rules/etc.
**** **********/***-**** ***** ***** ****** **** how ** **** ***** ** * router *** ***** *** ** * proper *** **** ***** ****** ** view *** *******/***.
"** ** *** **** ** *** a *** *** **** **** * want ** **** ** *** *******, can't ** **** **** ******* *** use *****/**** ** *** ** ********* can ****** **** *** ******* **** anywhere?"
**** **** ***** ****, ***** ******/******** are ******** **** *** **** ******, but ****'* ******* ***** ** *******, there *** ****/**** *****, ** ****.
?****=************
$ **** -** '************' | ****** -d
*****:**
**, ****'* *******. * ****'* ******* that. *********** ****** ** **** ************** **** (******** *****):
*** ****** ******** ******* ****** *** the ******** ** * ********* ***** "auth" ** *** ***** ****** ***if **** ********* ******** * ******-******* "********:********" ******, the HikCGI API call assumes the identity of the specified user. The ******** ** *******.
********* *** ********* ******** **** **** a ********* ******* ***** "*****", ***** can ** ****** ************.
** ***********, ************ ** ************* *** *** ***. *** *** also *** ** **** ************ (*****:***), for *******. *** ** ** ******:****://*****************.******.***/*****-****/********?****=************
*** ****, **** * ***** ********.................
*** **** *** *** *** **** for *** ******** ******** ** **** article?
* **** **** ** **** *** much ** ***** ** *** *** an *********.
…** **** ******* ******* *** * drink *** ******** ***, "* *** not ****** **** **** *******."
******** ********* :)
***** **** *** *** ********** ** threatening ****'* **** ****.
*********'* *** *** *********** ** **'* ********* ******:
** **** *********, ********* *** ***** temporarily ** ******** ** ************* ** support ***********, *******, ** *********** ********* – *** ***** ********* *** *** removed ** ********.
***** ** **** *** ********** ******* this ***********'* **** ********, **** ** *** ******* ** have **** *** ********* ******** ******* how *** ******* ******** *** *****.
** **** **** ** ** *** "misuses ** ********* **********" ******* *** users *** ***********:
*** ***-***** *** *** ***** ******* are *********** *** *** ****/***** ******* they ********...
** **** ******* **** ********* ***’* be **** ** *** ** *********, individuals, ** *******. *** ******** ******** built **** *******, ********, *** **** centres, ******** **** ***-***** ****-********** ****************, make ********* *** ***** ******* ** backdoors **********.
** **** ** / **** ********* puts ********* ** ***** ********, ** is *** ***** ** *****.
** **** *** **** ******** *** actually * "*************", **** * ***** of **** ******* ****** **** ********* trying ** ******** ********* ** *** a ************* ****.
*** ***** ****** *** ******* ********** coding. ** ****'* *** ****** ** a ***, * ****** **** ***, etc. ** *** **** *** ***** explicitly ** ******* *****-***** ******** ******* requiring ***** ***********.
**, ********* ** ********* ** ************ putting *************** **** ***** ********, *** at *** **** **** ****** ** say **** **** ***** ******** *********?