Hikvision USA Misleads Dealers On Backdoor
By John Honovich, Published Oct 03, 2017, 10:21am EDT
Hikvision USA emailed their dealers overnight with their 5th cyber security 'special bulletin' of the year.
Misleading
Unfortunately, they have misled their dealers by omitting critical information:
- Details of how to exploit the vulnerability were published last month. This is new, significantly increasing the risk to Hikvision dealers and not mentioned by Hikvision at all.
- The vulnerability can be easily exploited. This is new and important since it further increases the risk to Hikvision dealers.
- Hikvision IP cameras are being actively hacked using this exploit and Hikvision is well aware of this. However, Hikvision does not mention this to their dealers.
Hikvision USA is clearly concerned about scaring or upsetting their dealers. And some dealers will never find out the truth. But many others will and it will rightfully reduce their trust in Hikvision.
One general pattern that has emerged is that dealers can understand vulnerabilities occurring (though certainly not as bad as Hikvision's backdoor) but they want their manufacturers to be up front and clear about risks. Hikvision does not need to call this a backdoor but they certainly can be clear about critical details like the exploit being publicly known and that attacks against vulnerable Hikvision devices are now ongoing.
Video Demo
The video below demonstrates the Hikvision backdoor exploit:
Comments (39)
Maybe, if Hikvision starts another big discount-week, will everybody forget about this disturbing IT-Security-Thing?
Edit: Missing - - > :)
I am a Hikvision Dealer, I don't feel exploited, I do not think I have been tricked or misled by the company. I buy a substantial quantity of equipment and converse with the company often, so please, to keep this honest, put it in print (Black & White): the Dealer's name, their Dealer # and where they are located that has told IPVM directly that they feel mistreated or tricked, please.
Hikvision needs to learn how to get ahead of issues like this and to promote a more proactive approach to fixing and marketing/communicating the fix to their integrator network.
I also think IPVM loves to pile on a bit. I appreciate hearing about the issues within the IPVM forum, but the coverage doesn't need to be a new headline everyday about how stupid and untrustworthy Hikvision continues to be.
The software industry and specifically Microsoft have been fighting OS security vulnerabilities for decades. No one really pays attention to forced Microsoft updates any longer. Just a matter of business/upgrades as usual.
This is my first post, I'm sure I'll get ripped to shreds....
Agree, equally important to acknowledge positive as negative, no matter what subject it is.
One day, I hope and believe it will be acknowledged and easy to keep these things updated as well.
It's software written by humans, humans make errors, it's all about how you own the errors, learn from them and are not ashamed to fix them.
There was an article published in the States on the 25th by a Hik representative in which they brushed over mostly everything and branded it as rubbish. The same article in which IPVM was accused of 'tabloid' tactics and JH got a sneer or two as well (supposed he's used to that now anyway). Unfortunately I lost the link but I'm sure someone else will have it. It again underlines the arrogance and denial within Hikvision and their sheer incompetence when it comes to dealing with the issues disclosed.

10/03/17 05:48pm
It would be a lot easier on Hikvision and Dahua to allow the user to receive push notifications of some sort to notify the user to upgrade their equipment, as opposed to putting a notice every 2 months on their website reminding people to upgrade their firmware. Hopefully they take this into consideration as a feature for future firmware. I would like to see a press release announcing this.
I spoke with HikVision USA about "Cyber Security" at ASIS 2017 last week and it sounds like their new Director of Cyber Security is at least aware of the situation.
He said two things that gave me some hope as an integrator.
Step 1:
He wants to update the EULA to include forced updates on HikVision's devices so that if a situation like this were to occur again they could push firmware to the device.
Step 2:
He wants to enable the NVR/VMS Software to push firmware over the LAN to make firmware updates more manageable in the future.
That being said words mean little in this industry. Hopefully he can actually accomplish what he has set out to do.
Maybe this deserves its own thread, and 'misleading' might be a bit strong here, but I recently came across this in the description posted by a Hik employee in the UK:
Providing professional services to integrators and end users, demonstrating HikVision's hardware with 3 times the low light performance of other leading brands, easy to use licensed software and demonstrating how Hikvision can offer the industry's lowest Total Cost of Ownership and Business Intelligence to take your business to the next level of site management.
I wasn't aware of Hikvision offering licensed software...did I miss something?

10/03/17 08:04pm
How could anyone vote no on either of those questions? Of course their dealers should be made as fully aware as soon as possible in any security issue.

I believe that honesty is the best policy. If a company as large as Hikvision wants to retain its customers then it should do all it can to provide information on possible security threats and also provide fixes to these issues in a timely manner.

What should the counter be set to (10....20...50...100...1000)? @Undisclosed Integrator #7
I am always puzzled by the fact that these articles promote sensationalism and conflict related to the current most popular camera manufacturer.
I remember the days when IPVideo Marketplace was an educational forum for discussions regarding how to solve problems in the industry. Now the posts and responses are on par with the National Enquirer.
Maybe we should discuss how to not make these devices vulnerable to security threats in the first place. If IPVM and others who respond would discuss how to create a secure network for these systems, we would not have to cry in the model of "Trumpism". (I am a longtime member and contributor to this service). Why not help the integrators and customers create secure systems that are not vulnerable?
I can only see these threats existing when the devices are given a public address or by designation of them or DVR/NVR/Servers as DMZ via port forwarding. Who does this? For those that do, why not respond with advice with technical know-how on the proper way to secure the networks and devices.
Stop the witch hunts against Dahua, Hikvision, etc. You have bred a new generation of IPVM members who are posting non-constructive criticism, without providing needed education, which was the original intent of this service.
I used to read the content of this site daily, and the responses in the discussion section were highly valuable. Now, I find myself visiting maybe once a week, and I wince at the negative and non-productive content that is occurring.
This is an exciting field for those that are new and old to the technology. In the last decade we have seen, since h.264 megapixel in 2008, a product that has become highly valuable to our clients. Let's change course back to the original intent of IPVM, and do away with the nonsense and constant attacks on manufacturers that make this, and our careers, possible. You have scared away many from making valuable input to this site.
Identifying "undisclosed" contributors by IPVM staff in posts is also a new low.

A suggestion would be to use the P2P option with the QR code and an app such as easy4ip. I have heard that the refresh rate is slower than accessing your NVR via port forwarding, but I believe this solution is far safer.
http://www1.dahuasecurity.com/products_category/easy4ip-587.html
I would appreciate your thoughts and experience on using this option.