Hikvision USA Misleads Dealers On Backdoor

By John Honovich, Published on Oct 03, 2017

Hikvision USA emailed their dealers overnight with their 5th cyber security 'special bulletin' of the year.

Misleading

Unfortunately, they have misled their dealers by omitting critical information:

  • Details of how to exploit the vulnerability were published last month. This is new, significantly increasing the risk to Hikvision dealers and not mentioned by Hikvision at all.
  • The vulnerability can be easily exploited. This is new and important since it further increases the risk to Hikvision dealers.
  • Hikvision IP cameras are being actively hacked using this exploit and Hikvision is well aware of this. However, Hikvision does not mention this to their dealers.

Hikvision USA is clearly concerned about scaring or upsetting their dealers. And some dealers will never find out the truth. But many others will and it will rightfully reduce their trust in Hikvision.

One general pattern that has emerged is that dealers can understand vulnerabilities occurring (though certainly not as bad as Hikvision's backdoor) but they want their manufacturers to be up front and clear about risks. Hikvision does not need to call this a backdoor but they certainly can be clear about critical details like the exploit being publicly known and that attacks against vulnerable Hikvision devices are now ongoing.

Vote / Poll

Video Demo

The video below demonstrates the Hikvision backdoor exploit:


Comments (39)


Maybe, if Hikvision starts another big discount week, everybody will forget about this disturbing IT security thing?

Edit: Missing - - >   :)

I doubt it.

 

I swear every time I log into ADI, Hik is on sale. It's the norm now. Now if Milestone or AXIS ran a 20% off sale, that might distract.

I swear every time I log into ADI, Hik is on sale. It's the norm now

I was wondering if you were exaggerating so I went to ADI's homepage:

I am a Hikvision Dealer. I don't feel exploited, I do not think I have been tricked or misled by the company. I buy a substantial quantity of equipment and converse with the company often, so please, to keep this honest, put it in print (black & white) the dealer's name, their dealer # and where they are located that has told IPVM directly that they feel mistreated or tricked, please.

That's because you read IPVM every day and know about their issues through us. You're welcome.

As for asking for the dealer's name, #, and location, shouldn't every seller or installer of Hikvision product also list that Hikvision is majority owned by the Chinese Communist Government? Just guessing, I have no statistics here, but I feel confident a majority of end users and corporate purchase managers would feel "exploited", "tricked", or "misled" if later discovering what they bought.

Hikvision needs to learn how to get ahead of issues like this and to promote a more proactive approach to fixing and marketing/communicating the fix to their integrator network.  

I also think IPVM loves to pile on a bit. I appreciate hearing about the issues within the IPVM forum, but the coverage doesn't need to be a new headline every day about how stupid and untrustworthy Hikvision continues to be.

The software industry and specifically Microsoft have been fighting OS security vulnerabilities for decades. No one really pays attention to forced Microsoft updates any longer. Just a matter of business/upgrades as usual.

This is my first post, I'm sure I'll get ripped to shreds....

 

Brian, thanks for the feedback!

I definitely think reasonable people can disagree about the amount of coverage of any one company or topic. We posted positively last week on Hikvision when Hikvision Europe did a better job of communicating. We posted negatively today on Hikvision when Hikvision USA did a poor job.

Agree, it is equally important to acknowledge positive as negative, no matter what subject it has.

One day, I hope and believe (?) it will be acknowledged and easy to keep these things updated as well.

It's software written by humans, humans do errors, it's all about how you own the errors, learn from them and not to be ashamed to fix them.

It's software written by humans, humans do errors, it's all about how you own the errors, learn from them and not to be ashamed to fix them.

I have to call BS on this. This is not simple human error. This is pure laziness, and sloppy work. I am not sure I am ready to say it was done on purpose.

Hik and Dahua should step up, hire a 3rd party if necessary and fix this once and for all.

Neither one has done a decent job of addressing the issues or fixing them. They just get away with the bare minimum, if that.

I think they are both pretty big POS right now.

I would say both yes and no on this.

This is pure laziness, and sloppy work. I am not sure I am ready to say it was done on purpose.

But I can do so (and I have done so too), and I'm still convinced.

In this I totally agree with you:

Hik and Dahua should step up, hire a 3rd party if necessary and fix this once and for all. Neither one has done a decent job of addressing the issues or fixing them. They just get away with bare minimum

With one exception.

fix this once and for all.

If you want to stop all development, yes - then I can agree; if not - I won't agree.

In the end, it's all about how you own it; putting your head down in a hole and hoping it will disappear is definitely not the right way, for sure.

Both HIK (except HIK Europe) and Dahua have shown good examples of trying to make things disappear by dipping their heads into a (another) hole.

There was an article published in the States on the 25th by a Hik representative in which they brushed over mostly everything and branded it as rubbish. The same article in which IPVM was accused of 'tabloid' tactics and JH got a sneer or two as well (I suppose he's used to that now anyway). Unfortunately I lost the link but I'm sure someone else will have it. It again underlines the arrogance and denial within Hikvision and their sheer incompetence when it comes to dealing with the issues disclosed.

There was an article published in the States on the 25th by a Hik representative in which they brushed over mostly everything and branded it as rubbish. The same article in which IPVM was accused of 'tabloid' tactics

Yes, this is the Hikvision blog post you are alluding to: Hikvision North America’s Jeffrey He Talks Company’s Progress, Cybersecurity, Growth, Partner.Win. including:

In recent years an online blogger has sought to gain blog subscribers with tabloid-style attacks on Hikvision and by promoting offensive rhetoric about China and the Chinese people.

Hikvision is under a lot of pressure and it might feel good momentarily to respond like this but it is a poor counter to legitimate issues raised.

It would be a lot easier on Hikvision and Dahua to allow the user to receive push notifications of some sort telling the user to upgrade their equipment, as opposed to putting a notice every 2 months on their website reminding people to upgrade their firmware. Hopefully they take this into consideration as a feature for future firmwares. I would like to see a press release announcing this.

I spoke with HikVision USA about "Cyber Security" at ASIS 2017 last week and it sounds like their new Director of Cyber Security is at least aware of the situation.

He said two things that gave me some hope as an integrator.

Step 1:

He wants to update the EULA to include forced updates on HikVision's devices so that if a situation like this were to occur again they could push firmware to the device.

Step 2:

He wants to enable the NVR/VMS Software to push firmware over the LAN to make firmware updates more manageable in the future. 

 

That being said words mean little in this industry. Hopefully he can actually accomplish what he has set out to do. 

1. "Want to do" and "achieve what to do" are two totally different things.

2. "Forced updates" I don't like, but notification about new updates along with easy "update" I do like (and not by using P2P)

3. "Updates more manageable" I also like (Dahua ????)

 

 

I agree. What they want to do versus what they will do are probably two very different things. All I can do at this point is hope for the best and prepare for the worst. Not much else to say.

I spoke with HikVision USA .... their new Director of Cyber Security is at least aware of the situation.... He wants to update the EULA

Updating the EULA would be good idea. While they are at it, they should re-examine this: Hikvision EULA Rejects Responsibility for Hacked Hikvision Cameras (Hi Chuck).

John - what do you mean, "Hi Chuck"?

Maybe this deserves its own thread, and 'misleading' might be a bit strong here, but I recently came across this in the description posted by a Hik employee in the UK:

Providing professional services to integrators and end users, demonstrating HikVision's hardware with 3 times the low light performance of other leading brands, easy to use licensed software and demonstrating how Hikvision can offer the industry's lowest Total Cost of Ownership and Business Intelligence to take your business to the next level of site management.

I wasn't aware of Hikvision offering licensed software...did I miss something?

easy to use licensed software

Even free software (like the iVMS-4200) technically has a license. And Hikvision has paid software like the iVMS-5200 and HikCentral, which he could be alluding to.

 

How could anyone vote no on either of those questions? Of course their dealers should be made as fully aware as soon as possible of any security issue.

How could anyone vote no on either of those questions?

  1. Hik employee
  2. Fat finger

Must... resist... compulsion to... add a third option.

We all know who the third option is :)

Hmm.. are you the "third option"? o_O

I can assure you I am not.  Not enough commas.

....Ma....Ma... Never mind, it's too early. 

I believe that honesty is the best policy. If a company as large as Hikvision wants to retain its customers then it should do all it can to provide information on possible security threats and also provide fixes to these issues in a timely manner. 

I agree, but it really doesn't matter if it's a big manufacturer or a small one: a mistake has been made - take the pain as a grown-up, do something about it, admit it - folks will appreciate that better than sticking your head into a hole and hoping it goes away.

Sure, it's some pain and some effort, but it's surely a lot better to have customers relying on having security issues fixed, and fixed fast - than never.

I remember in the beginning of Microsoft's issues with security fixes, they did the same - and even back then asked for money to have fixes issued to customers, especially in the NT4 period; there was a lot of hassle to get Microsoft to get this kind of issue fixed.

But not too long until they started to release HotFixes.

Why I bring this up here: I see exactly the same tendency here - ignore and hope it will go away.

Frankly speaking, it is somewhat true: keep quiet, do the absolute minimum, and it will actually not be any news anymore, and be sort of "forgotten" - until what happened in the last weeks with Hikvision and Dahua being globally hacked, which I can only guess is a reminder: install your patched firmware now!

Hikvision, Dahua, whoever... don't be ashamed - shit happens! Take the pain, fix it with a new release and an easy update for customers.

Ok, I know you are not there in any of it, but you will need to start - if you have not already; you're losing money by not doing so - simple math.

 

Each IPVM thread critical of manufacturer antics should have a counter until someone brings out the buried head meme.  I am guilty of it, too.

What should the counter be set to (10....20...50...100...1000)? @Undisclosed Integrator #7

I am always puzzled by the fact that these articles promote sensationalism and conflict related to the current most popular camera manufacturer.

I remember the days when IPVideo Marketplace was an educational forum for discussions regarding how to solve problems in the industry. Now the posts and responses are on par with the National Enquirer.

Maybe we should discuss how to not make these devices vulnerable to security threats in the first place.  If IPVM and others who respond would discuss how to create a secure network for these systems, we would not have to cry in the model of "Trumpism".  (I am a longtime member and contributor to this service).  Why not help the integrators and customers create secure systems that are not vulnerable?

I can only see these threats existing when the devices are given a public address or by designation of them or DVR/NVR/Servers as DMZ via port forwarding.  Who does this?  For those that do, why not respond with advice with technical know-how on the proper way to secure the networks and devices.

Stop the witch hunts against Dahua, Hikvision, etc. You have bred a new generation of IPVM members who are posting non-constructive criticism, without providing needed education, which was the original intent of this service.

I used to read the content of this site daily, and the responses in the discussion section were highly valuable. Now, I find myself visiting maybe once a week, and I wince at the negative and non-productive content that is occurring.

This is an exciting field for those that are new and old to the technology. In the last decade we have seen, since h.264 megapixel in 2008, a product that has become highly valuable to our clients. Let's change course back to the original intent of IPVM, and do away with the nonsense and constant attacks on manufacturers that make this, and our careers, possible. You have scared away many from making valuable input to this site.

Identifying "undisclosed" contributors by IPVM staff in posts is also a new low.

 

I can only see these threats existing when the devices are given a public address or by designation of them or DVR/NVR/Servers as DMZ via port forwarding. Who does this? For those that do, why not respond with advice with technical know-how on the proper way to secure the networks and devices.

Jeffrey, Hikvision and Dahua both tell customers to use port forwarding. You can certainly say it is unprofessional, but it is being driven by those manufacturers.

1 - Hikvision Hardening Guide Recommends Port Forwarding

2 - Dahua How-to remote access through port forwarding

What do you have to say about that? Is that a National Enquirer smear or is that a genuine issue that Dahua and Hikvision need to address?

As for:

Identifying "undisclosed" contributors by IPVM staff in posts is also a new low.

What undisclosed poster did IPVM staff identify?

Why not help the integrators and customers create secure systems that are not vulnerable?

 

I think that is the point of all of these posts.  Bring attention to these security issues so manufacturers have to focus on making security hardware more secure. 

I do agree with Jeffrey about helping integrators. 

To that end, it is worth noting we have a VPNs for Video Surveillance Guide and we teach that in each of our IP networking classes to help integrators better understand the importance and steps to using VPNs.

A suggestion would be to use the P2P option with the QR code and an app such as easy4ip. I have heard that the refresh rate is slower than accessing your NVR via port forwarding, but I believe this solution is far safer.

http://www1.dahuasecurity.com/products_category/easy4ip-587.html

I would appreciate your thoughts and experience on using this option. 
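The exchange above turns on one concrete exposure: a camera, DVR or NVR that is reachable from the internet because the router forwards its service ports, versus the same site with only a VPN endpoint exposed. The script below is an added example, not code from IPVM, Hikvision or Dahua, that audits a router's port-forwarding table for that condition. The rule text format, the LAN hosts, and the list of "typical surveillance service ports" (web UI, RTSP, a vendor control port) are all assumptions constructed for the example; the VPN endpoint is assumed to be WireGuard on its default UDP port. Note that the audit keys on the LAN-side port, so remapping a web UI from WAN port 8080 to LAN port 80 does not hide it.

```python
"""Audit a router's port-forwarding table for surveillance services exposed
directly to the internet.

Added example: the rule text, hosts and the port list below are constructed
assumptions, not a vendor's published defaults or a real site's configuration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed typical defaults for IP cameras and recorders: web UI, RTSP video and a
# vendor control/SDK port. Adjust to the devices actually deployed.
SURVEILLANCE_SERVICE_PORTS = {
    80: "HTTP web UI",
    443: "HTTPS web UI",
    554: "RTSP video",
    8000: "device control/SDK",
}

# One rule per line: "<proto> <wan_port> -> <lan_host>:<lan_port>"; '#' starts a comment.
RULE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<wan>\d+)\s*->\s*"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<lan>\d+)$"
)


@dataclass(frozen=True)
class ForwardRule:
    proto: str
    wan_port: int
    lan_host: str
    lan_port: int


@dataclass(frozen=True)
class Finding:
    rule: ForwardRule
    severity: str  # "high" for a known surveillance service, "medium" otherwise
    message: str


def parse_rules(table: str) -> list[ForwardRule]:
    """Parse the simple text format above into ForwardRule objects."""
    rules = []
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised forwarding rule: {raw!r}")
        rules.append(ForwardRule(m["proto"], int(m["wan"]), m["host"], int(m["lan"])))
    return rules


def audit_forwarding(rules, vpn_endpoints=frozenset()) -> list[Finding]:
    """Return a Finding for every forward that is not the intended VPN endpoint.

    vpn_endpoints is a set of (proto, wan_port) pairs that form the approved remote
    access path. Everything else that lets WAN traffic reach a LAN host is reported.
    """
    findings = []
    for r in rules:
        if (r.proto, r.wan_port) in vpn_endpoints:
            continue
        service = SURVEILLANCE_SERVICE_PORTS.get(r.lan_port)
        if service is not None:
            findings.append(Finding(r, "high",
                f"{service} on {r.lan_host}:{r.lan_port} is reachable from the internet via "
                f"WAN {r.proto}/{r.wan_port}; remove the forward and reach the device over the VPN"))
        else:
            findings.append(Finding(r, "medium",
                f"{r.lan_host}:{r.lan_port} ({r.proto}) is exposed via WAN port {r.wan_port}; "
                f"confirm it is needed and not a recorder or camera service on a non-default port"))
    return findings


# Constructed forwarding table typical of a "remote view via port forwarding" setup.
PORT_FORWARDED_TABLE = """
# proto wan -> lan_host:lan_port      (constructed sample, not a real site)
tcp 8000 -> 192.168.1.64:8000         # camera control port
tcp 8080 -> 192.168.1.64:80           # camera web UI, remapped to WAN 8080
tcp 554  -> 192.168.1.10:554          # NVR RTSP stream
tcp 9000 -> 192.168.1.10:9000         # NVR service on a non-default port
"""

# The same site after moving remote access behind a VPN: only the VPN endpoint is
# forwarded (assumed WireGuard on a LAN host); cameras are reached through the tunnel.
VPN_ONLY_TABLE = """
udp 51820 -> 192.168.1.2:51820        # VPN endpoint (assumed WireGuard default port)
"""

if __name__ == "__main__":
    for name, table in (("port-forwarded", PORT_FORWARDED_TABLE), ("vpn-only", VPN_ONLY_TABLE)):
        found = audit_forwarding(parse_rules(table), vpn_endpoints={("udp", 51820)})
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```

Run against the constructed tables, the port-forwarded site yields three high findings (control port, remapped web UI, RTSP) and one medium finding for the non-default port, while the VPN-only site yields none. Adapting it to a real router means exporting its NAT rules into the line format above and extending the port list to the devices actually on the LAN.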
