Hikvision Argues Airgapping And Firewalling Negate FCC Concerns
By Conor Healy and John Honovich, Published Oct 26, 2021, 09:03am EDT
Hikvision told the FCC that fears about its equipment are "unfounded" and "implausible", arguing that devices can be air gapped and firewalled. However, this ignores insider threats and the fact that Hikvision designs its equipment for Internet use, which end users increasingly demand.
Inside this report, we examine the argument from Hikvision's 64-page submission to the FCC.
No Internet = No Cybersecurity Threat
Hikvision devoted considerable time and money arguing that the potential use of their equipment without an internet connection negates the FCC's cybersecurity concerns.
In a 64-page reply comment crafted by law firm Harris, Wiltshire & Grannis, Hikvision stressed that "fears of Chinese espionage or third-party access" are "implausible" because equipment can be 'airgapped', i.e. used without an internet connection:
Fears of Chinese espionage or third-party access to Hikvision equipment are not only unfounded but implausible given that Hikvision video surveillance equipment can be deployed so as to be either physically or logically isolated from Internet-connected devices. [emphasis added]
Hikvision repeatedly said the onus is on installers and end-users to secure systems but did not cite any data on how often air gapped deployments are actually used:
End user businesses, not Hikvision, choose how to deploy their Hikvision equipment...Hikvision devices can be, and often are, installed by experienced professional installers for end users. These professionals can install video surveillance equipment on standalone, physically separate internal networks with no Internet connection, or on a standalone deployment that is logically separated from any Internet connection.
5 Main Problems
There are 5 main problems with this argument:
- Depends on millions of third parties to take steps to mitigate the deficiencies in Hikvision cybersecurity.
- Hides a massive number of Hikvision devices that are publicly accessible on the Internet.
- Deceives on Hikvision's advocating making its devices Internet accessible for years.
- Runs contrary to clear market trends of making surveillance more Internet accessible.
- Ignores internal security threats.
(1) Dependence On Third Parties
Relying on voluntary airgapped configurations is akin to a laptop manufacturer suggesting that, because users may choose to not use WiFi - a key feature of laptops - it does not matter if their products are insecure.
Hikvision's position depends on literally millions of third parties taking steps to mitigate Hikvision's deficiencies, which is clearly impossible. That Hikvision devices theoretically "can" be "isolated from the Internet" does not mean they will be. Indeed, Hikvision obviously designs its IP (Internet Protocol) cameras and Network Video Recorders to be connected to the Internet. Hikvision clearly knows that massive numbers of Hikvision devices not only can be but are connected to the Internet.
(2) Massive Number Publicly Accessible
Hundreds of thousands of Hikvision devices are publicly accessible, according to Shodan, and as the map below of Hikvision devices so accessible near the US capital visually demonstrates:
(3) Deceives on Hikvision's Own Advocacy
While Hikvision attempts to minimize Internet connectivity, Hikvision has long advocated and taught its customers to connect their products to the Internet, ranging from this year to as far back as 10 years ago, as the excerpt of this 2011 Hikvision technical bulletin shows:
(4) Contrary To Clear Market Trends
Connecting IP devices to the Internet is growing, including within video surveillance. Consumers and businesses expect to be able to connect to their surveillance systems regardless of where they are and not be constrained to watching only from inside their internal network. This is, for example, why Hikvision markets "Hik-Connect" where Hikvision controls remote Internet access to Hikvision devices. Hikvision's recommendation of "no Internet connection" is a significant practical problem today and will become even worse as the market nearly universally demands remote access.
(5) Ignores Internal Threats
Hikvision overlooks that even air-gapped systems can be exploited by insiders with internal network access, despite implying no risks exist for these deployments:
Hikvision video surveillance equipment can be—and often is—deployed and operated entirely physically separated from any telecommunications networks. No commenter posits how Hikvision equipment could pose any cybersecurity threat to telecommunications networks or end users in that configuration. [Emphasis added]
Furthermore, Hikvision argued their recent critical vulnerability could affect "only those devices that end users chose to connect to the Internet." Again, this vulnerability could also be exploited by an insider.
In September 2021, Hikvision disclosed a 'zero click remote code execution vulnerability,'...In any event, this vulnerability could have affected only those devices that end users chose to connect to the Internet—which is not necessary for operation and not commonly done. [emphasis added]
Insider security threat risks are well understood, for example as the US Department of Homeland Security explains:
insider threats are the source of many losses in critical infrastructure industries. Additionally, well-publicized insiders have caused irreparable harm to national security interests. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.
This is exacerbated by Hikvision's critical vulnerabilities and by its falsely telling Hikvision users that those vulnerabilities "could have affected only those devices that end users chose to connect to the Internet".
Conclusion: FCC to Review Comments, Move to Vote
Hikvision deceived the FCC with appeals to internet-free surveillance use that fail to match the reality of how these devices are designed, marketed, and used. Moreover, this contradicts the trend of increasing demand for internet-connected surveillance and ignores insider threats.
Hikvision's reliance on disingenuous arguments may hurt its case with the FCC. On the other hand, the considerable resources expended signal that Hikvision views this as a winning strategy. The company submitted 150+ pages of material crafted by expensive lawyers and experts, much of which focused on airgapped/firewalled configurations.
In June, the FCC Commissioners were united in the view that Hikvision poses a national security threat. The final outcome remains to be seen, but winning this FCC vote has been an uphill - and undoubtedly expensive - battle for Hikvision.
If all video surveillance systems were required to be blocked from the Internet, this could largely address Hikvision's concerns. However, this would also largely reduce the benefits of IP-based surveillance, including eliminating remote access.