Hikvision Corrects False Cybersecurity Announcement

By IPVM Team, Published Jun 18, 2018, 05:29am EDT

Hikvision has corrected a false cybersecurity announcement that claimed a British government-sponsored program endorsed the cybersecurity of Hikvision's products.

Below, highlighted, are the specific false assertions:

Hikvision Corrects

After IPVM raised concerns to Hikvision corporate, Hikvision acknowledged this, adding the following correction:

Correction

An earlier version of the press release suggested that the Cyber Essentials Plus status relates to products and has caused some confusion. To clarify, Hikvision has been awarded ‘Cyber Essentials Plus’ accreditation, which directly relates to the security and robustness of our own infrastructure within the UK operation. It was never our intention to mislead the reader with inference that the accreditation related in any way to our products. We sincerely apologise for the unclear statement about the award.

Cyber Essentials Plus Explained

Cyber Essentials is a UK government-sponsored program that aims to help organizations protect against cyber attacks. The program's requirements define the scope of this certification as IT infrastructure, not manufactured products:

Assessment and certification can cover the whole of the Applicant's IT infrastructure, or a sub-set. Either way, the boundary of the scope must be clearly defined in terms of the business unit managing it, the network boundary and physical location. [emphasis added]

Hikvision received the Cyber Essentials 'Plus' certification, which consists of an auditor doing a vulnerability assessment of their UK office. The certification costs 1,999 GBP (~$2,655 USD).

History of Misrepresenting Cybersecurity

Hikvision has repeatedly misrepresented the cybersecurity of their products, starting with claiming their backdoor was simply a 'privilege escalation vulnerability', misleading their dealers on the backdoor, hiring Cisco and issuing a press release with them the day after the backdoor was confirmed, announcing a 'dedicated' cybersecurity 'hotline' that has since been demoted to generic technical support, opening a 'source code transparency center' that is neither particularly open nor transparent, and now deceptively turning an IT infrastructure certification into a false endorsement of their products.

No Excuse

Hikvision has no excuse here. Hikvision took the certification, so they clearly know it is not about a company's products, yet Hikvision's announcement emphasized products over and over again. It is either a question of competence or ethics.

Commend The Correction

That noted, we certainly commend Hikvision and, in particular, their new Global PR lead, Karl Erik Traberg, for quickly and responsibly issuing a correction. It is a small step in the greater scheme of things but indisputably positive that Hikvision is willing to acknowledge mistakes and focus on improvement rather than disparaging critics.
