Hikvision Admits Backdoor 'PR Issue'

Published Oct 24, 2017 13:04 PM

Hikvision is admitting a problem.

The backdoor itself is evidently not the problem for them.

The problem, according to Hikvision, is a public relations issue, as their new Cybersecurity Director / spokesperson Chuck Davis explained:

Undoubtedly, Hikvision is correct that they have a 'PR issue', but that 'PR issue' is grounded in real product and communication problems.

Vote / Poll

Comments (16)
Robert Shih
Oct 24, 2017
Independent

At BEST, Hikvision could be graded as average! Who voted strong? I mean c'mon, I sell Dahua, but I don't drink the Kool-Aid.

The WHOLE of IoT is a cybersecurity sh*tshow atm. One motivated hacker and any one AAA manufacturer is the new victim. Until we stop relying on obfuscation to protect our products and switch over to fearless open penetration testing by third parties we're just waiting for another disaster to hit.

I keep saying we need a Pwn2Own style competition to keep all manufacturers accountable and frosty. This needs to happen if we are to get ahead of these issues and the attacks of tomorrow.

 

0900 CDT Edit: Now we're up to 3 votes... Seriously guys?

(16)
(1)
Undisclosed Manufacturer #1
Oct 24, 2017

At BEST, Hikvision could be graded as average! Who voted strong?

Current Odds

Sean: Even Money

Marty: 3-2

Jon D.: 4-1

John H: 10,000-1 

:) 

(1)
(16)
Robert Shih
Oct 24, 2017
Independent

Now with 3 votes in the "Strong" category, I should probably make my guesses.

Sean is actually NOT one of those votes if my previous conversations with him are any indicator. He's just a businessman, not a Kool-Aid drinking believer. I'm trusting he would be an "Average" vote.

Marty, on the other hand, he'd vote "Strong", depending on if he saw the poll yet and if he cared any more.

Jon D., also in the "Average" category.

If anything, all 3 are Hikvision employees.

(2)
(2)
Campbell Chang
Oct 24, 2017

Given the entirely non-scientific nature of this poll, I'd suggest that anyone voting strong is merely doing it for s&gs.

(1)
(4)
Undisclosed Manufacturer #4
Oct 24, 2017

I think the best thing all the manufacturers could do is to have hack-fests (as Robert mentioned) and bug bounty programs. Pay hackers and researchers to find bugs and disclose them so they can be fixed. Crowd source better security.

(3)
Undisclosed Manufacturer #5
Oct 25, 2017

But they do reward hackers for reporting their bugs. Dahua gives out cameras.

 

(4)
Undisclosed Integrator #7
Oct 26, 2017

"frosty"? I'm not a member of or associated in any way with the US Marine Corps, but Semper Fi.

Undisclosed Manufacturer #2
Oct 24, 2017

Disagreeing with anything that has Chinese Government involvement, or worse dismissing it, is a dangerous hobby especially if you are Chinese and living in China. The latest disclosures involving mass doping in the 80's and 90's and the threat to anybody involved around it with imprisonment etc speaks for itself. Back to topic...This to me sounds like what it is, another PR exercise. Words are cheap, although this new guy I'm sure comes with a hefty price tag, and action is what's required, not more words...

I wonder if this gentleman is able to turn around what seems to be a 'culture' within Hikvision and if he has enough influence for the Chinese to actually listen to him.

Time will tell...

(3)
(1)
(1)
Sean Nelson
Oct 24, 2017
Nelly's Security

I voted average, but probably would have voted weak if they didn't patch the vulnerability and were not making positive moves towards cyber security. I will vote strong once they:

- implement optional firmware updates. These updates need to be notified to the end user via a push notification on the mobile app (or when they login) or if there is a notice that pops up whenever they login to the devices thru web interface of CMS. What I'm saying is: Slapping up a notice on your website to inform users to update firmware is not working.

- Continue to invest more in cybersecurity and let the public know about it. Hiring this guy is a good move. He will need to be vocal about specific steps Hikvision is taking to make the most secure device in the industry. Make the steps often and specific.

If Hik really wants to get into the enterprise level their goal should literally be to make the most secure device in the industry. The only downside to this would be that there would be far less talking points on IPVM.

(2)
Robert Shih
Oct 24, 2017
Independent

Called it! See, I know you well enough that you would never be a drone. Cheap as hell, but never a bought and paid for drone. :P

(1)
(1)
Sean Nelson
Oct 24, 2017
Nelly's Security

Cheap as hell

 

Says the guy that still works at a Dahua distributor.... :)

(4)
Robert Shih
Oct 24, 2017
Independent

You're the one who brings up Alibaba as a counterargument to my prices! :P

(2)
Undisclosed Manufacturer #3
Oct 24, 2017

I would like to vote for both weak and average.  What I mean is that I think that cyber security in this industry is generally weak.  If you compare Hik to a lot of other camera/DVR manufacturers (even VMS manufacturers) I think they're about average.  But if you compare the video surveillance industry to most other technology industries I think it's pretty weak.  

(6)
Bas Poiesz
Oct 24, 2017

Agreed. Any network device needs attention. No network engineer would advise a company to use a Windows laptop on a network without the proper security measures. They take the necessary steps to ensure a safe network.

All backdoors and 'hacks' (not changing the admin), could have been prevented by creating the right environment. We all know Windows to be a good platform but with issues. I think any IP security device should be treated the same way. Don't leave it in the hands of the one who builds it to decide your level of security.

(1)
John Day
Oct 24, 2017
LMN Software Corp

It's not news that our industry is unprepared for providing network security nor that most security manufacturers are hoping not to be "outed" in public for shoddy workmanship.

What is news is that a company in the midst of all this is referring to it as a "PR Problem". That is beyond ridiculous..... I voted "Weak" just based on that comment.

(5)
(1)
Undisclosed Manufacturer #6
Oct 25, 2017

 

(3)
(8)