Hikvision Argues Airgapping And Firewalling Negate FCC Concerns
By Conor Healy and John Honovich, Published Oct 26, 2021, 09:03am EDTHikvision told the FCC that fears about its equipment are "unfounded" and "implausible" arguing for air gapping and firewalling them. However, this ignores insider threats and Hikvision designing its equipment for Internet use, which end-users increasingly demand.
Inside this report, we examine the argument from Hikvision's 64-page submission to the FCC.
No Internet = No Cybersecurity Threat
Hikvision devoted considerable time and money arguing that the potential use of their equipment without an internet connection negates the FCC's cybersecurity concerns.
In a 64-page reply comment crafted by law firm Harris, Wiltshire & Grannis, Hikvision stressed that "fears of Chinese espionage or third-party access" are "implausible" because equipment can be 'airg apped' i.e. used without an internet connection:
Fears of Chinese espionage or third-party access to Hikvision equipment are not only unfounded but implausible given that Hikvision video surveillance equipment can be deployed so as to be either physically or logically isolated from Internet-connected devices. [emphasis added]
Hikvision repeatedly said the onus is on installers and end-users to secure systems but did not cite any data on how often air gapped deployments are actually used:
End user businesses, not Hikvision, choose how to deploy their Hikvision equipment...Hikvision devices can be, and often are, installed by experienced professional installers for end users. These professionals can install video surveillance equipment on standalone, physically separate internal networks with no Internet connection, or on a standalone deployment that is logically separated from any Internet connection.
They even hired FTI Consulting, an advisory firm, to produce a 5-page report for the FCC demonstrating that Hikvision equipment allows various air gapped or firewalled setups.
5 Main Problems
There are 5 main problems with this argument:
- Depends on millions of third parties to take steps to mitigate the deficiencies in Hikvision cybersecurity.
- Hides a massive number of Hikvision devices that are publicly accessible on the Internet.
- Deceives on Hikvision's advocating making its devices Internet accessible for years.
- Runs contrary to clear market trends of making surveillance more Internet accessible.
- Ignores internal security threats.
(1) Dependence Third Party
Relying on voluntary airgapped configurations is akin to a laptop manufacturer suggesting that, because users may choose to not use WiFi - a key feature of laptops - it does not matter if their products are insecure.
Hikvision's position depends on the clearly impossible actions of literally millions of third parties to take steps to mitigate against Hikvision's deficiencies. That Hikvision devices theoretically "can" be "isolated from the Internet" does not mean they will. Indeed, Hikvision obviously designs its IP (Internet Protocol) cameras and Network Video Records to be connected to the Internet. Hikvision clearly knows that massive numbers of Hikvision devices not only can but are connected to the Internet.
(2) Massive Number Publicly Accessible
Hundreds of thousands of Hikvision devices are publicly accessible, according to Shodan, and as the map below of Hikvision devices so accessible near the US capital visually demonstrates:
(3) Deceives on Hikvision's Own Advocacy
While Hikvision attempts to minimize Internet connectivity, Hikvision has long advocated and taught its customers to connect their products to the Internet, ranging from this year to as far back as 10 years ago, as the excerpt of this 2011 Hikvision technical bulletin shows:
(4) Contrary To Clear Market Trends
Connecting IP devices to the Internet is growing, including within video surveillance. Consumers and businesses expect to be able to connect to their surveillance systems regardless of where they are and not be constrained to watching only from inside their internal network. This is, for example, why Hikvision markets "Hik-Connect" where Hikvision controls remote Internet access to Hikvision devices. Hikvision's recommendation of "no Internet connection" is a significant practical problem today and will become even worse as the market nearly universally demands remote access.
(5) Ignores Internal Threats
Hikvision overlooks that even air-gapped systems can be exploited by insiders with internal network access, despite implying no risks exist for these deployments:
Hikvision video surveillance equipment can be—and often is— deployed and operated entirely physically separated from any telecommunications networks. No commenter posits how Hikvision equipment could pose any cybersecurity threat to telecommunications networks or end users in that configuration. [Emphasis added]
Furthermore, Hikvision argued their recent critical vulnerability could affect "only those devices that end users chose to connect to the Internet." Again, this vulnerability could also be exploited by an insider.
In September 2021, Hikvision disclosed a 'zero click remote code execution vulnerability,'...In any event, this vulnerability could have affected only those devices that end users chose to connect to the Internet—which is not necessary for operation and not commonly done. [emphasis added]
Insider security threat risks are well understood, for example as the US Department of Homeland Security explains:
insider threats are the source of many losses in critical infrastructure industries. Additionally, well-publicized insiders have caused irreparable harm to national security interests. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.
This is exacerbated by Hikvision's critical vulnerabilities and falsely telling Hikvision users that they "could have affected only those devices that end users chose to connect to the Internet".
Conclusion: FCC to Review Comments, Move to Vote
Hikvision deceived the FCC with overtures to internet-free surveillance use that fails to match the reality of how these devices are designed, marketed, and used. Moreover, this contradicts the trend of increasing demand for internet-connected surveillance and ignores insider threats.
Hikvision's reliance on disingenuous arguments may hurt its case with the FCC. On the other hand, the considerable resources expended signal that Hikvision views this as a winning strategy. The company submitted 150+ pages of material crafted by expensive lawyers and experts, much of which focused on airgapped/firewalled configurations.
In June, the FCC Commissioners were united in the view that Hikvision poses a national security threat. The final outcome remains to be seen, but winning this FCC vote has been an uphill - and undoubtedly expensive - battle for Hikvision.
Vote / Poll
If all video surveillance systems were required to be blocked from the Internet, this could largely address Hikvision's concerns. However, this would also largely reduce the benefits of IP-based surveillance, including eliminating remote access.
8 reports cite this report:
Comments (30)
Sounds plausible. All they need to do is get every integrator, end user, IT department, etc. to comply. Seriously though, this seems to be just another miscalculation in a long series of miscalculations in dealing with this issue by Hikvision.
I love this argument. If you use our IP cameras and NVR's, 100% offline and segmented out, it's perfectly safe...... We always recommend segmenting off the IP camera/security system. In the real world (with our customers), it's only done about 75-85% of the time.
One of the biggest benefits of IP systems is it's accessibility outside of the local network. Not to mention remote monitoring capabilities. Instead of arguing that you need to air gap and segment off the system, why not make your camera/system more secure? Or, at least, acknowledge the fact that you have vulnerabilities instead of hiding them or arguing what a "vulnerability" is defined as according to your marketing/executive team.
"well see, endpoint security isn't really our responsibility because we really don't recommend deploying our endpoints as endpoints. That's the responsibility of tHe CoNsOoMeR."
I'd call them something like responsibility-shirking dogs, but even dogs have loyalty or something.
10/26/21 01:46pm
This is a very interesting tactic from Hikvision.
Their claims are just utter shit. There really is not much of a better way to put it.
Anyone with even a basic understanding of cyber security and how these products are generally used and installed can see right through these statements, and is going to view Hikvision as incompetent and/or immoral (not like this isn't already the case).
So Hikvision is just doubling, or quadrupling, down on the deception campaign to try and stay in the market. Forget about dancing around the issues anymore, they're just resorting to releasing statements that show how poorly they grasp the situation.
The real question is how many end users and integrators are just in it for the prices and willing to continue to ignore Hikvision's outright lies and incompetence here. I don't think Hikvision is going to go down easy in this, they are at that backed-into-a-corner stage now, so I would expect any remaining integrity to be completely discarded soon and we might get to see the actions of a government-backed trapped animal.
The Shodan image under section 2 is a great visual depiction, maybe it provides a different perspective for people not concerned.
It seems like a perfect Trojan horse for foreign intelligence interests.
A foreign company that is tied to a government with “sometimes questionable”motives has provided surveillance cameras for many years at prices well below market, ensuring people bought them and installed them across the country (like free candy to children). Now these cameras are deployed and connected to the internet, reachable by anyone. Sure, They are secured with user name/password combinations (sometimes left default), so generally speaking these cameras are “secure”, but the back door access discovered in the past and the vulnerabilities found over the years might show the cameras came with strings attached… maybe there’s even more there that we don’t know yet. And people love the uPNP/P2P function, routing the cameras internet traffic through manufacturers controlled servers…
Whereas the US military focuses on aerial surveillance using satellites and UAV’s/drones the Chinese government focused on ground level surveillance using millions of cameras, and people bought them and installed them willingly, even connected them to the internet and using convenient features provided by the manufacturer for remote access…
I think it’s a brilliant move by the Chinese government, they are playing the long game, but what they’ve done is something the US could not have pulled off… they potentially have a ground level surveillance system they could turn on when they want (a simple firmware update in the future would enable discreet access relatively easily)… that’s pretty powerful…
it may sound contrary to what I’ve just said, but I’m not big into conspiracy theories and sensationalism. However, the visualisation presented by that one single image from Shodan put it in a different perspective for me… maybe I’m way off base, but would it be foolish not to consider the possibilities? maybe it’s not even a strategic play by the Chinese government, but what is out there and what has been “stumbled upon” and presented to us should at least raise some questions and make us think twice…
The beginning of the 5 page report states that air gapped systems means it is impossible to penetrate the cyber worthiness of the device. I guess no one told the consultant that Hik makes wifi nvrs and wifi cameras. Thus there is a way in to the network. These systems can not be air gapped.
Also interesting because many researchers have proved there are attack vectors in air gapped systems.
And saying that using USB drives to update nvrs introduces another vulnerability.
Stating that plugging a monitor directly into the nvr for monitoring is crazy. Sure mini marts do it, but for any real installation, come on..
Wi-Fi Series | Network Cameras | Hikvision
Wi-Fi NVRs | Hikvision US | The world’s largest video surveillance manufacturer
| 10/26/21 04:22pm
The beginning of the 5 page report states that air gapped systems means it is impossible to penetrate the cyber worthiness of the device.
Someone should get some input from Iran on that topic.
While I did vote yes and we always firewall and airgap our cctv equipment to prevent unauthorized access, this does not remove responsibility from the manufacturer to secure their product. Reducing the attack surface does not eliminate it.
Sure we mitigate against manufacturers' failures or malicious actions but that does NOT make them any less responsible for those failures.
A fair report but the argument against internal threats is specious because that applies to ANY manufacturer and ANY organization on Earth, regardless of their locale, hardware, or IT configurations. It's akin to suggesting that a business shouldn't use a certain brand of safe because an employee might skim from the till.
A fair report but the argument against internal threats is specious
I understand your concern but let us explain why it is germane.
In the 64-page submission that Hikvision / its law firm submitted they chose to make the following argument:
The "could have affected only those devices that end users chose to connect to the Internet" as, both of us know, is flat wrong. That is, insider threats are a real risk to exploiting this.
We brought this up only in response to Hikvision falsely telling the FCC that its latest critical vulnerability "could have affected only those devices that end users chose to connect to the Internet", is that fair?
Hackers and researchers always find innovative ways around airgapped systems. Here is another one. Takes the wind out of hiks sails in saying air gapped systems are completely secure.
Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers | Hackaday
I mean we could pile on:
How to Hack a Camera with just Light
but I think in a practical sense your chances of being hacked with an air-gap is roughly zero.
Is IPVM misleading on the number of internet accessible Hikvision cameras?
- Depends on millions of third parties to take steps to mitigate the deficiencies in Hikvision cybersecurity. Where do you get this "millions" number from? If you use Shodan and look into the data quite a bit are shown as being Amazon.
When you click on the top organization with 262,386 devices you learn that they are "Honeypots"
- Hides a massive number of Hikvision devices that are publicly accessible on the Internet. Same as above. Also there are many other IP cameras from various vendors that people choose to put directly on the internet. Or else the DVR is. All IP cameras have either had vulnerabilities or else most likely will one day.
- Deceives on Hikvision's advocating making its devices Internet accessible for years. While they might be deceiving I can't think of any other manufacturer that doesn't give instructions for how to make it internet accessible.
- Runs contrary to clear market trends of making surveillance more Internet accessible. Exactly. And which camera/dvr manufacturer hasn't had vulnerabilities discovered that required firmware or software patches?
- Ignores internal security threats. Maybe they should have instead said HikVision cameras have the same internal security threats that any network device does to someone trying to manipulate it on the internal network.
So IPVM how about getting a more accurate number of HikVision cameras directly on the internet and compare it with the number from other top camera manufacturers?
I don’t get it…
Isn’t the first rule of honeypot club “there is no honeypot club”?
Well if they aren't honeypots then Amazon has millions of these cameras on their cloud hosting servers all accessible to the internet. Not sure how Shodan decides they are honeypots but there must be a way.
Well if they aren't honeypots then Amazon has millions of these cameras on their cloud hosting servers all accessible to the internet.
#8, thanks for sharing! It's a good question to get more accurate numbers in general about devices on the Internet.
Related, first you declared:
The images I posted from Shodan clearly show that the majority of the 5+ million Hik devices accessible from the internet are Honeypots running on services like Amazon Cloud.
Later, you posted images showing hundreds of thousands on Amazon, etc. Andrew Myers ran a different analysis and came up with roughly 1/3rd being cloud services and therefore probably not IoT devices.
In any event, I've asked John S on our team to look more deeply into how Shodan categorizes devices as I think it's a genuinely good topic to analyze.
Your other claims are different than the specific Shodan and I wanted to give some feedback:
All IP cameras have either had vulnerabilities or else most likely will one day.
Do you have evidence of them having 9.x / critical vulnerabilities? That's the bigger question. Twice in the last 4 years Hikvision has been caught with extremely critical vulnerabilities. That's simply way out of scale for anyone but Dahua.
While they might be deceiving I can't think of any other manufacturer that doesn't give instructions for how to make it internet accessible.
The point here is the deception. Hikvision should just be honest about it, arguing that Internet Protocol devices won't be connected to the Internet is bad faith.
Maybe they should have instead said HikVision cameras have the same internal security threats that any network device does to someone trying to manipulate it on the internal network.
Yes, maybe, though they did not. That was their choice to ignore internal threats altogether and like their deception about not recommending their devices to be connected to the Internet is in bad faith.
When you look at this specific host it has over 100 CVE vulnerabilities and the Hikvision shows up under port 8874 along with many other web addresses. If you try to browse to this IP on any of these ports it doesn't answer. You don't get a Hikvision logon page.
I filtered by cloud service and got 1,865,243 for Amazon and 4 on Azure Cloud.
Doing subtraction, I still get 3,360,559 that aren't cloud hosted. I haven't come to a conclusion about the cloud devices, but honeypots does seem likely. But either way, "millions" still seems to be the correct word for the number of public Hikvision devices.
It looks like the counts are inaccurate the way that we've done them. The first IP I checked from Amazon has 25 ports open and ~100 CVEs listed...honeypot.
A more accurate way to search on shodan for hikvision devices is using the "product" search. This will search the name of the software or product identified in the banner
Just searching for Hikvision shows 5.3m results:
This will include bogus results...like this the result below is a Dahua NVR, which has "Verkada" as a channel description:
When I search for product: "Hikvision" it provides more accurate results without honeypots, etc:
I also reached out to Shodan support for feedback from their side.
The image in the report showing the US Capital Region has been updated.
I was able to get in touch with John, the founder of Shodan. He responded to me stating that they did make changes and there are better search techniques, including the method I mentioned previously / above:
The previous search query for "hikvision" only discovered IPs where a service banner had the exact word "hikvision" in its "data" property. It didn't return all Hikvision devices. Since last year we've improved our fingerprinting and product detection for Hikvision devices so we now grab additional metadata. And that extra metadata is appended to the "data" property on the banner which is why your search query for "hikvision" now returns more results. And as you noted we now also set the "product" property to a value of "xxx IP camera" which would be the correct way to search for Hikvision cameras. Note that there are other vendors that OEM the Hikvision product so they also support the same metadata API. This search query would return all available Hikvision cameras (excluding honeypots):
And the breakdown of vendors:
