Hikvision, HWG Deceive FCC About New Critical Vulnerability [Update: Hikvision Issues Correction]

By Charles Rollet, Published Sep 23, 2021, 09:53am EDT

Hikvision and its law firm, HWG, deceived the FCC in a lengthy submission filed on September 20th about Hikvision's critical new vulnerability impacting 100+ million devices.

IPVM Image

Despite days earlier admitting this critical vulnerability, Hikvision asserted to the FCC that "no vulnerability in Hikvision video surveillance equipment to date in 2021" by citing the Common Vulnerabilities List (CVE).

***********, ********* *** *** law **** ** ****** was **** ***** ** this *** ******** ************* even ******* ** ** a ******** ** *** filing.

**** ******** ********* *** key ****** ******:

IPVM Image

Hikvision ****** ** ***** **** ****

** ********* **, ****, DC *** ********** ********* & *******, ******* *** *********, sent* ****** ** *** FCC************** *** *** ***** *********/*****/******/******/*** **************.

*** ****** ******* *********** space ** *********'* ************* record, ******** **** ********* "reports ** *************** [...] to **** ** ****" in ****** ****, *** ******** ******** for ******** ***************:

IPVM Image

"Stellar" *************

*** '** ***' ***** bolstered *********'* ******** **** its ************* ** "*******" with "** ******** **********" that *** ********* "** more **********" **** ******:

IPVM Image

Hikvision ******** *** ** ****

*******, ****** **** **** **** a ********* ******** *** ******** ************* which ***** **** *********, as **** ********* ********* (***),******** *** ************* ** July **:

IPVM Image

*********, ****** ********, *** *************'* ****** said ********* ********* *********** the ************* ****** ****, on **** **.

***** *** ***** ***********, claiming '"** *************** ** Hikvision ***** ************ ********* to **** ** ****' is *****, ***** ********* had ******* ******** * CVE ***** *** **** about *** ************* ****** beforehand.

Buried ** *** ******

******, *** ******* **** about **** ************* ******* they ******** ** ** the *** ********** *** buried ** ** * footnote ** * ******** about *** **** ********:

*** *******, ** ***** 2017 * ******** ********** found *** ******** * vulnerability—six **** *****, ********* released * ******** *****, notified *** ******** ******* a ******* ********, *** notified *** ****** **** a ****** ** *** website.20

******** **, ** **** print:

IPVM Image

******* ****, *** *** Hikvision ****** ** ****, and ******* ******* *** FCC **** ** ******** no *************** ** **** in ****.

Updates *** ** ********* ****

*******, * **** ***** filing, **+ **** ***** creating *** ***, *** 3 ** * **** after ******** ********** *** vulnerability,********* ******* *** *** to ******** **** ** *** announcement.

No ******** *** *** ****

** ********* ********* ** well ** *** *** the **** ****** ** the ********* **********,**** ********, ****** ***** ** Staff ** *** ***, to ******* *** **** submitted *** ****** ** such *** ******* **** would ****** ** ******* the **********. ** ******** was ********.

Update: ********* ******** **********

*********'* ******* *** ******** a ********** ** *** FCC, *******:

*** ******** ******** ******* an ***** ***** *** the ****** ** * conforming ****** ***** ************* omitted. ********* ******* **** erratum ** ******* **** the ********** ********** *** attached ******** *** *** version ***** ** ********* 20.

**** ****** *** ***** September **, ****. ** 8:28 ** **** *******, IPVM ******* ********* *** HWG ***** **** *****:

IPVM Image

******** **** ******** ** response, *** ******* *** FCC *******. *******, *** new ********* ******** ********* language:

*** *** *********** **** several ** ***** ******* vulnerabilities ** ******** *** has *** *** ************* the **** ************* ** of *** **** ** this ******.

***** *** *** *** not *** *********** *** vulnerability, ********* ***, ****** it * **** **** score ** *.*, ***** is ********. **** ** material *********** **** **** have ******* **** *** submission. ** **** ******* out ** *** ** ask **** ***** **** and **** ****** ** they *******.

Update: '** ********' **** *********

***** ********* *** *** Hikvision ** *** ******** on ****. ** ** 12:16 ** **, **** received * ***** **** Hikvision ********* ** ** Global ************** **** *:** ** **:

IPVM Image

**** **** ****** **** any ***** **** ***.

Comments (14)

John Honovich

IPVM | 09/23/21 01:51pm

*******, **** *********!

********* ******* *** * trust ******* **** *** US ********** (** **** they ***** *** ** covered ** ******** **** lists **** *** ****).

** ********* ****** **** will ******* ***** **** the ** ********** ** pulling * ***** ***** like ****. ********, ****'* the **** **** **** approach? ** **** ***** the *** ** ******? Why *** ****** ***** what ** ********* **** and **** ***** **** by ********* *** *** law ****? ******'* ********* build **** ***** ** being *******?

*** ***** ** * lot ** ****** ***********'* **-**** ****** ** the ** ****** ** **** ******* with **** **** ******** one ****** **** **** week's ****.

Agree: 1
Disagree
Informative: 3
Unhelpful: 1
Funny

Undisclosed Integrator #3

In reply to John Honovich | 09/25/21 06:33am

** **** ***** *** FCC ** ******?

****, **** *** * government ******...

Agree
Disagree
Informative
Unhelpful
Funny

Andrew Myers

09/23/21 11:31am

**'* ****** ******* **** Hikvision ** ******* ***** here, *** ** **** a ****** ******* ************:

**** *************** *** *** SYSTEM, ******

The ****** ** **** **** That is not what the CVE system was designed to do. I'll quote ********'* ********* ******** ******** ***** ********:

*** **** **** ****** the********* ** ** ****** unique *********** *** ******** vulnerabilities. **'* *** ******** to ** * ******** and ******** ******** ** all ***** *************** ** any *******. **** **, a ****** ** ********** could ****** ****** ** not ******* * *** number *** * ***** flaw. *******, **************** ************** **** ***** * single ** *****'* *********** ***** ******, ****** a ****** "*** *****" a ****** *********** ******** criterion. ****, *** * ranking ***'* **** ** find ******** ******* ** compare ********* **********. (*** many *** **** ***** a ****** **** *********...?)

**** ****, **** ** surely **** *** ** idea ***** **** **** of *************** **** **** found ** * ******* and ****'** * **** starting ***** *** ********. But *** ****** ******** depends ** *** *** of *** ******** *** how **** ********* ** receives ******* ******** ********. You ***'* ****** ****** if * *** ** CVE *********** ***** **** the ******** ** ****** written ** ** ** actually ***** **** **'* particularly ****** ******* ********* a *** ** *************** are ******* *****. * personally **** ** **** it ********** ** ** older ******* *** * very ***** ****** ** patched *************** ******* ***************** ** ****'* **** audited **********.

**** ********* ***** * lack ** ****, **** are ************ * ****** method ** ******** ********. And *** ***** *** even **** ******* **** you *** *** **** it ** *** **** to **** *** ******.

*** ****** *** *** trying ** ******** ******, Arminius ******** ******* *** other *****:

  • *** ******** ** **** and ********* ********.
  • *** ****** ********** ****** to ****** *** *************** (and ***** **** ****** bounties).
  • *** ******** **** *** processed *** ******* *******.
Agree: 4
Disagree
Informative: 5
Unhelpful
Funny

Undisclosed #1

In reply to Andrew Myers | 09/23/21 03:50pm

**** *** ************ * flawed ******

****, ****** "************ ****** methods" *** ****** **** been *********'* **** ********. Deny ***************, ******* ****** about *** ******* *********, try ** **** ***** criticisms ** ****** ******, etc.

Agree: 5
Disagree: 1
Informative
Unhelpful
Funny: 1

bashis mcw

In reply to Undisclosed #1 | 09/23/21 07:14pm

****, ********* *** *** the **** **** *** doing ****.

Agree: 3
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Andrew Myers | 09/23/21 12:06pm

*****, **** ** ********** companies ***** **** ** hide ***************, ***** **** is *** ****** **** judge ********** **.

****, ****** ******'* ***** on **** *****: "* vendor ** ********** ***** simply ****** ** *** request * *** ****** for * ***** ****"

Agree: 1
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #3

In reply to Andrew Myers | 09/25/21 06:29am

* ********** **** ** find ** ********** ** an ***** ******* *** a **** ***** ****** of ******* *************** ******* that************* ** ****'* **** audited **********.

**, ***** *** ******* of ****** *** ****** at **** ****.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #3

In reply to Andrew Myers | 09/25/21 06:32am

**** ********* ***** * lack ** ****, **** are ************ * ****** method ** ******** ********.

**********. *** *** ************ assumptions. ***** **** **** opinions

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | 09/24/21 04:07pm

Update: ********* ******** **********

*********'* ******* *** ******** a ********** ** *** FCC, *******:

*** ******** ******** ******* an ***** ***** *** the ****** ** * conforming ****** ***** ************* omitted. ********* ******* **** erratum ** ******* **** the ********** ********** *** attached ******** *** *** version ***** ** ********* 20.

**** ****** *** ***** September **, ****. ** 8:28 ** **** *******, IPVM ******* ********* *** HWG ***** **** *****:

IPVM Image

******** **** ******** ** response, *** ******* *** FCC *******. *******, *** new ********* ******** ********* language:

*** *** *********** **** several ** ***** ******* vulnerabilities ** ******** *** has *** *** ************* the **** ************* ** of *** **** ** this ******.

***** *** *** *** not *** *********** *** vulnerability, ********* ***, ****** it * **** **** score ** *.*, ***** is ********. **** ** material *********** **** **** have ******* **** *** submission. ** **** ******* out ** *** ** ask **** ***** **** and **** ****** ** they *******.

Agree
Disagree
Informative
Unhelpful
Funny: 2

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 09/24/21 06:34pm

*** *** *********** **** several ** ***** ******* as ********.

”**** *******” ** **** “only ****” - *** is *** ******* *** the *** *****.

Agree
Disagree: 1
Informative
Unhelpful: 1
Funny: 1

Undisclosed Integrator #3

In reply to Undisclosed #2 | 09/25/21 02:38am

”**** *******” ** **** “only ****” - *** is *** ******* *** the *** *****.

IPVM Image***·**·**

/ˈ***(ə)*ə*/**********, *********** **** *** *** not ****."*** ****** ** ******* books"********: ****, * ****** of, * ***, *** very ****, * ******* of, * ***** ***** of, *******, * ******* of, ********, ******, *******, divers

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | In reply to Undisclosed Integrator #3 | 09/25/21 04:45pm

**** ******* ** ***** synonyms **** *****.

Agree
Disagree
Informative
Unhelpful
Funny: 1

Undisclosed Integrator #3

In reply to Undisclosed #2 | 09/25/21 05:10pm

**** ******* ** ***** synonyms **** *****.

**, ***'* ****; ** sources **** *** **** dictionary **** * **** so ** **** ** a ********* ********** *** synonyms

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Carl Stoffers

IPVMU Certified | 09/24/21 05:54pm

Update: '** ********' **** *********

***** ********* *** *** Hikvision ** *** ******** on ****. ** ** 12:16 ** **, **** received * ***** **** Hikvision ********* ** ** Global ************** **** *:** ** **:

IPVM Image

**** **** ****** **** any ***** **** ***.

Agree
Disagree
Informative
Unhelpful
Funny: 2
Read this IPVM report for free.

This article is part of IPVM's 7,264 reports and 968 tests and is only available to subscribers. To get a one-time preview of our work, enter your work email to access the full article.

Already a subscriber? Login here | Join now
Loading Related Reports