Suffering Criticism, Hikvision Keeps Insecure Online Service Up [Now Down]

By: John Honovich, Published on Jan 03, 2017

Hikvision suffered severe criticisms for its abrupt plan to discontinue its Hikvision Online service, with 3 core functions to be removed on Dec 30th.

However, all of those functionalities continue to run in 2017, including the security vulnerabilities, and Hikvision has no explanation of what will happen next.

Update January 5th, Hik-online.com is now shut down. The site is up and one can login but when doing so, it just displays the discontinuation notice with no other options - e.g., no ability to manage devices or check status. In addition, new devices cannot be added, despite the notice saying that this could be done through February 16th.

********* ******** ****** ********** for ********* **** ** ************** ********* ****** *******, with * **** ********* to ** ******* ** Dec ****.

*******, *** ** ***** functionalities ******** ** *** in ****, ********* *** security ***************, *** ********* has ** *********** ** what **** ****** ****.

****** ******* ***, ***-******.*** is *** **** ****. The **** ** ** and *** *** ***** but **** ***** **, it **** ******** *** discontinuation ****** **** ** other ******* - *.*., no ******* ** ****** devices ** ***** ******. In ********, *** ******* cannot ** *****,******* *** ****** ****** **** this ***** ** **** through ******** ****.

[***************]

Dec **** ***

*** **** *** ******** to ** *** *** for *** **** ************, and ****** ****** *** management ************. **** ** the *********** **** ********* China:

*** ******* *** **** Hikvision ***:

******, **** ** ***** notices ******** ** ** displayed, ** **, ** Hikvision's *****.

******* *****

*** *** ************ ********* to **** *** **** logged **, ****** ****** and ********** ******* ****** as ***** *****:

No ***********

********* *** *** ******** any ****** *********** *** response ** ****'* *******. Indeed, **** ******* ** to *** *******, *** interstitial ********* ** *** Dec **** ** *** date ** *** ***** 3 *********, *** **** immediately ******* *** **** to ***** ****** *********.

Fix *** ******** ***************

** ********* ******* ** reverse ***** ******** **** and **** *** ****** fully **********, **** ** understandable ***** *** *********** and ********** ********** **** have *****.

*******, ** ********* ** serious ***** ***** ***** security ********* ****** *** want ** ****** ********** concern **** ***** **** track ******, *** ******** vulnerabilities ** ********* ****** must ** *****.

*** *******, *** ****** does *** ******* ***** at ***. **********, ***** OEM *** ******** **** the **** ***** **** their **** ******* *** they ***** ** ******* after **** ****** ** out. *********, ******* ***** self-proclaimed *,*** '*********' *** not **** **** **** ***'* engineers.

********, *** ****** ***** suffers **** ** *********** flaw (***** ******** ****) ***** *** ****** IP ******* ** ***** device ********* ** *** service *** ****** ** discovered ** ********* ****** the *********** *** ********* they ******, ********** *** probability ***** ******* **** be ****** ** ******.

Communication ******** ********

**** ** *** ***** in * ****** ** communication ******.

  • *****, ********* ***** ***** * notice ** *************** **** logging **. ** *** a **** ***** **** Hikvision *** ********* **, and **** ********* ******* and ********* *** ***********.
  • ******, ********* *** ******* said **** *** ****-**** was ***** ************ *** it *** *** ***** 5 **** ***** **** Hikvision ********** ******** **** they ***** ***
  • ***, ********* ****** ******* as **, ******** ** Hikvision's ***** ******, **** unclarity ***** **** ***** next.

***** ********* ***** **** those functionalities ********, ** ** a **** ***** *** planned ***********. ***** **** keep ** ************ *** leave *** ******** *************** exposed. ** ** ** unfortunate ********* *** ********* dealers as ********* ********* ** change ****** *** **** users **********.

Comments (15)

Avatar

Ethan Ace

IPVM | 01/03/17 11:27pm

In new press releases, Hikvision has given new details on their new Hik-Connect platform. See the North America and Global releases. The releases are mainly the same, but:

  • The USA release is dated today, global is dated December 30th.
  • The USA release informs users that they may continue using their HiDDNS URLs for existing devices, not mentioned in the global release.
  • The USA release links to several how-to guides for creating accounts, adding devices, etc., on iVMS-4200 and iVMS-4500.

Both releases state that the new Hik-Connect app is coming in 4-7 days, awaiting App Store and Play Store approval:

The new Hik-Connect web interface looks like a stripped down EZVIZ device management page:

But there is no actual cloud access, either to settings or live/playback. Instead, clicking on the IP/Port No. opens the device's IP address. Port forwarding is still required. 

You can push UPnP/port settings to the device via settings, but this is the only configuration available.

We'll take a look at things again when the mobile app is released.

Undisclosed #1

01/04/17 12:16am

With all my due respect,

How many years it took IPVM to have "S" at the end of http?

5-7?

John Honovich

IPVM | In reply to Undisclosed #1 | 01/04/17 12:23am

We have had HTTPS support for login / billing / payment for many many years, since January 2009.

We added HTTPS for the rest of the site, e.g., reading articles, in 2016.

Hikvision still does not have HTTPS for anything on Hik Online, including logging in and managing device information for dealers / customers. 

Undisclosed #1

In reply to John Honovich | 01/04/17 12:26am

They don't take credit cards like you do :)

John Honovich

IPVM | In reply to Undisclosed #1 | 01/04/17 12:32am

They have a master database of hundreds of thousands or millions of devices that can easily be scraped / downloaded because of an ongoing enumeration vulnerability. If you do not mind, that is certainly your prerogative but surely many dealers do not want that exposed.

Undisclosed #1

In reply to John Honovich | 01/04/17 01:03am

Was IPVM hacked before or after "S" :)

John Honovich

IPVM | In reply to Undisclosed #1 | 01/04/17 01:30am

IPVM was not hacked. There was a leak in 2014. We changed how we handled information after that and there has not been a recurrence.

Avatar

Jeffrey Hinckley

Norris, Inc., S. Portland, ME | 01/04/17 10:28am

It took me a couple hours to migrate the systems we had (maybe 20) on this to no-ip, followed by deletion from the hikvision website. This was followed up with new ddns address and instructions to the customers.

This would be a better longterm plan since you can also run the no-ip client on other systems and/or routers/firewalls.  Cost is about a buck a year per host from a company whos core offering is secure supported ddns service.  Kind of a no brainer.

I tested no-ip and dyndns and chose no-ip because I could assign passwords to groups of hosts (using random password generator).  With dyndns, you could assign a long code-key but Hikvision would not accept this many characters in the password field.

To me, this is common sense to make this switch.  Just make sure you have a group allocation and system naming scheme before you do this.  I used a password generator with all characters 8 in length.  (username is "group":"siteusername").

I find it hard to believe that there is such commotion over a service offered for convenience (which no other vendors offered), but should have said "use at your own risk".  Now that I look back at it, it was pure laziness on our part not to use a reputable ddns source, especially with all the other systems and firewalls we have deployed (you should be using it on the router/firewall, anyway).

Undisclosed Integrator #2

01/04/17 01:42pm

Hi

Isn't that what a corporation should do? Listen to its customers and react in kind? They made  a decision based on the data available. Data proved to be wrong. Reverse course. That we are so much talking about this means that this is a company to take even more seriously. Not only are they listening, they have the wherewithal to act swiftly upon our desires and perhaps needs. They should be commanded.

Now frankly, we have always made sure of disabling this "feature" and still do heavy firewalling on corporate networks. For the most part we block everything except what's necessary for video recording, camera management and other associated data.

 

This is somewhat similar to the path taken by Microsoft which for the longest time weren't listening... They are now making great products based on customer feedback (read criticism).. OTOH Apple is moving in a different direction...They removed the so-basic earphone jack from the iPhone and changed not much inthe Macbook except to add a RIDICULOUS touch bar . Meanwhile Micro$oft cannot keep up with the demand for the Ultimate Laptop:The Surface which is not a laptop but a tablet .... or is it a laptop :) Sorry to be OT

 

if anything this will add to Hikvision bottom-line and sales.

John Honovich

IPVM | In reply to Undisclosed Integrator #2 | 01/04/17 01:49pm

Not only are they listening, they have the wherewithal to act swiftly upon our desires and perhaps needs. They should be commanded.

Presuming they intend to keep it long term. But there is still no clarity.

I will definitely agree with you if they keep it and fix the security vulnerabilities and announce it publicly. Otherwise, it is just not clear what they are doing.

if anything this will add to Hikvision bottom-line and sales.

Mitigating this problem will definitely help reduce lost sales. However, the whole episode, starting with the move on Dec 8/9th, is definitely a negative to bottom-line and sales. 

I do agree that if they can resolve it well over the next month or two, it will repair things over time but I do not believe that this will ever be a net benefit to Hikvision (or any company that goes through an episode like this).

Undisclosed Integrator #2

01/04/17 02:22pm

John

 

Again this is what leaders face everyday. Microsoft is the most hacked OS because it is the overwhelming leader.. Hik is criticized for good reasons among these that they're  the leader in the industry by a very large margin. The vulnerabilities are real but so are those from many of their competitors Axis especially another leader which faces less scrutiny at this point.

The entire field  of IP-based surveillance and security systems needs to take a deep breath and consider cybersecurity as part of what we do. Not a separate field to be handled-off casually to another party. We are whether we admit it or not responsible for the well being and correct behavior of the systems we put in place. While this creates a new level of responsibility and complexity it also will drive more revenues. The Internet Of Things is upon us. This new road will bring new threats. For us Integrator in IP Surveillance it is both an opportunity and a threat. I personally tend to see it as a much needed opportunity when prices of hardware is falling so precipitously. Hik is one small driver in this: The real culprit is Moore's Law. Silicon has been growing cheaper and better by the nanosecond... It wasn't 3 years ago that a 1080p was the TOL now 4 MP are <$200 with WDR....

John Honovich

IPVM | In reply to Undisclosed Integrator #2 | 01/04/17 02:29pm

Axis especially another leader which faces less scrutiny at this point.

I know you are aware of this but I want to emphasize that we were the only ones to cover the Axis critical security vulnerability and we covered it repeatedly, including tests, e.g.: Axis Critical Security VulnerabilityAxis Camera Hack TestedAxis Exploit Allows Changing Camera Root Password Confirmed, etc.

Things that I believe helped Axis:

  • Timing, it happened at the beginning of summer, when many people were on vacation
  • The difficulty of the vulnerability - it was very hard to find and took some skill / effort to exploit
  • Axis strong historical reputation

The other factor is Hikvision's government ownership. Certainly we played a major role in scrutinizing this but we did similarly with the Axis vulnerability. Some things catch on and some do not, depending on what integrator overall concerns and experiences are.

John Honovich

IPVM | 01/05/17 12:39pm

Update January 5th, Hik-online.com is now shut down. The site is up and one can login but when doing so, it just displays the discontinuation notice with no other options - e.g., no ability to manage devices or check status. In addition, new devices cannot be added, despite the notice saying that this could be done through February 16th.

Avatar

John Scanlan

IPVM | IPVMU Certified | 01/06/17 06:38pm

We confirmed with Hikvision technical support that they will help with retrieving device lists if you contact them with your credentials: URL / username / password.

They also recommended using 3rd party services listed on the DNS tab: noip, peanuthull, or dyndns.

Undisclosed Manufacturer #3

01/09/17 02:45pm

I guess the ADI flyer is now incorrect - as they do not have a free DDNS service included...

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Hikvision OEM Directory on Aug 13, 2019
The Chinese government-owned and US-government banned Hikvision has become the world's largest video surveillance manufacturer and generally hidden...
Dahua OEM Directory on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...

Most Recent Industry Reports

Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of compressed air may defeat it. With no special training, intruders can...
ROG Security - Cloud AI For Remote Monitoring on Jan 28, 2020
ROG Security is offering cloud-based AI analytics to remote guard companies, by touting having "nothing to install" to "add virtual guards." We...
Brivo Business Profile 2020 on Jan 27, 2020
Brivo has been doing cloud access for more than 20 years. Is the 2020s the decade that cloud access becomes the norm? CEO Steve Van Till recently...
Favorite VMS / NVR Manufacturers 2020 on Jan 27, 2020
In 2018, a new winner emerged and a former top choice declined. Now, there is a new #1, a new top 5 finisher and 2 major VMSes in decline. Our...
"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?