Hikvision NA Biggest Sale of 2017 (Twice)

Published Dec 28, 2017 14:59 PM

Hikvision North America has been relatively disciplined the past 5 months, reducing the number of sales and the breadth of what is on sale.

No more.

After hitting a record price cutting run in the first half of 2017, Hikvision NA is back with its biggest sale of 2017.

Update: And again, a second time in 3 weeks.

Inside, we examine this sale, what has changed, how it compares and reflects on Hikvision's positioning and the overall market.

Biggest **** ****

*** **** ** ********* ******* ** up ** **%, **** **** ******* *** recent *********** ** ***-*** ******** *** cut *** ******* ******** ****** ** half. **** ** *** ******** **** sale ***** **** ***:

*** * ***** *****, ******* '******* time *****':

** ********, ******** **** *** **** deals were ********** ** '***** & ***** HD ******** ****' *** ******** ***** as **** *** *********:

 

Joining ** **** *** ********* ** * ** *

*** ********* ***** *** **** (** its ***-*** ********) *** *** ****** company / *** ********* ** **** ** but **** ** *** ***** ******** one, *** *********'* ********** ****** *****.

**** *** *** * ***** **** (see: **** ******** ******** **********) *** *********'* ***** ***** ****** ***** due ** ***** ********* ***** *** ownership ** ***.

Hikvision ***** ** ****

********* *** *** * ***** **** second ****. ** *********, ******* ******* ** *********'* ** ****** backdoor**** *********, ******* *** **** *** bad *** ************* ***. ** ********,*** *** ************ *********, ******** *********'* **** *** ******* ********** ownership ** *** ******* *****. ** the ********,*********'* ****** ***** *** *** ******* dealers************'* ******** ******* ******** ***** *************** ****** ******** *** **** ********* IP ******* **** **** ****** ** ****** exploiting *** ******** *** *********'* ****-**** ******** process *** ********** ** *** **** **********. 

Winner ***

*******, *** ** *** ****** ****. That **** *** ******** ** *** struggling ************* ******* **** *****, *** the ************** **** **** **** ***** *** W-Box ********, ***** *** ***** *** ******* ** ADI.

Bad **** *********

**** ********* ** ****** *** **********, that ** ***** ** **** *** the **** * ******, ** * bad **** *** **** *** **** a ********** ** *** ******* **** they ****. *** **** ******* ****** has ****** **** ***** ******** *** this **** ***** **** **** **** to **** ** ** ******* *** pricing ** *** ** ******* ****, especially **** *** *** ******** ****** of *** **** *** ******.

From *** *** ** ***** ************ ** ********** **** *****, ********* *** ******* ******

** *** **** * ****** *** **** Hikvision *** *********** *** '*** ** ***** ************':

*** *** ** ** * ********** different *****. *********'* *** ***** ** trying ** **** *** ****** **** are ****** *** ** ***** ************* issues, ********** ********* *** ******* ********. Unfortunately *** ****, ***** **** *** stop ****.

 

Comments (42)
MC
Marty Calhoun
Dec 08, 2017
IPVMU Certified

You must admit this is all guess work, right? Did Hikvision inform you of their NA Sales numbers? Without direct knowledge of Sales numbers (which you do not have) this is an attempt to misrepresent what has been an outstanding year actually as Hikvision has released many new and innovative products and accepted several industry awards.  Hikvision is well on the way to year 1,2,3,4,5,6 #7 in a row leading the Industry, is that not correct?

This is nothing more than an end of year offering from a company that has the same issues as every other manufacturer in this space offering IP Cameras.Glorifying and lambasting over 'possible short-lived engineering oversights' certainly does not constitute 'losing its discipline' mentality as being portrayed here.

As a dealer in good standing, we look forward to a very prosperous 2018.

 

 

(8)
(5)
(2)
(1)
(4)
JH
John Honovich
Dec 08, 2017
IPVM

Marty, you're back! A lot of us have been waiting for a classic Marty comment!

You must admit this is all guess work

No, we have lots of industry sources and the reports are consistent that Hikvision NA is missing their numbers significantly and struggling to grow.

Even without that, you don't need to be Sherlock Holmes to realize that a company who was crushing their numbers is not going to put their products on such aggressive price cuts.

Hikvision has released many new and innovative products

I actually agree that Hikvision has released many new products and many have been ambitious, like DarkfighterX and DeepInMind but those products have come out so late in the year that from a revenue standpoint (which is what we are talking about here) it will have minimal impact.

and accepted several industry awards

Irrelevant to growth. If growth was caused by industry awards, Arecont would be killing it, but they are not.

company that has the same issues as every other manufacturer in this space offering IP Cameras

Backdoor, security codes cracked, emailing admin passwords in plain text, UPnP issues, recommending port forwarding in their hardening guide and now in their cloud app - Let's be fair, Marty. Hikvision is #1.... in cybersecurity problems.

As a dealer in good standing

No, you are not a dealer in good standing. You are a dealer in GREAT standing and all Hikvision sources say that :)

(11)
(3)
(3)
(16)
DR
Dennis Ruban
Dec 08, 2017

John, when you're talking about 

cybersecurity problems

Do you have any facts about current, not fixed yet vulnerabilities? I understand that you hate Hik (and I don't care about your personal reasons), but as a user of this product and an integrator, I'd like to know if there's a real, non-hypothetical risk of getting security problems with Hik devices. If you know something, please disclose this information.

(1)
(1)
(3)
JH
John Honovich
Dec 08, 2017
IPVM

Dennis, I don't hate Hikvision and it's unprofessional of you to state that as if it is a fact when you ask a question of me. I don't smear you and then ask you for input.

Hikvision, like most every manufacturer, fixes vulnerabilities that are publicly disclosed. 

#1, are you using a VPN for Hikvison products? Or are you, as Hikvision directs, using port forwarding or Hik-Connect? Both of the later are going to expose you to future issues. Regardless of everything else, use a VPN.

#2, Hikvision has a track record of not fixing known vulnerabilities nor disclosing them unless and until someone publicly complains/publishes about it. With a company like that, you are taking a risk that you will be exploited by vulnerabilities that hackers know and Hikvision hides.

#3, Hikvision's poor track record is a bad sign about future issues. You can certainly take the stance that the future will be much different than the past but it is more prudent and realistic than the past is predictive of the future.

(8)
DR
Dennis Ruban
Dec 08, 2017

I came to security area from IT/Telco so all those cybersecurity problems that physical security world actively discuss for the last couple years are pretty common for me, as IT guys always think about protecting the network devices. And, if we're talking about commercial installations, there're simple rules every specialist follows:

1. No port mapping, no exposed services to the Internet. There're some exclusions like when you have some servers in DMZ, etc. But it's not about CCTV. VPN only, all the cameras with a local access only (delete GW and DNS settings, monitor traffic, apply traffic policies for CCTV at your network security appliances).

2. IPS/IDS installed. Router with a firewall, managed by network professional, not a camera guy.

3. Policies in place. Starting from the installation to accessing system in the future.

4. Test new FW, upgrade ASAP.

5. We don't use android mobile devices, but, as we've seen, iOS app could be compromised too. When you have an idiot in your company who downloads XCode from some unknown server instead of apple resource, that's a major problem. That's a risk you bear when you deal with a young company that still learns how to do the business properly. No similar issues for the last 2 years, and that's good.

There were a lot of issues with Hik before. But tell me, what would be a problem for a business that has a network configured properly?

I agree, all those cheap chinese products are a big risk for residential.

(4)
JH
John Honovich
Dec 08, 2017
IPVM

Dennis, good feedback, well thought out, thanks for sharing!

what would be a problem for a business that has a network configured properly?

3 thoughts:

  • Lots of businesses don't have networks configured properly and lots of security integrators, especially smaller ones that 'multi-task' between video, alarms and locksmithing, etc. are not capable of properly setting up networks.
  • Secondly, there's always a risk if someone makes a mistake or makes a change later that exposes the network. But for someone like you who clearly knows what they are doing that risk is certainly low.
  • Third, if you are concerned about internal threats (and many larger businesses certainly are), Hikvision still has a known unfixed vulnerability. Anyone inside of the network can reset the admin password without any verification or authentication. We covered that here and here - Hikvision Security Code Cracked and Hikvision Responds To Cracked Security Codes
(2)
(1)
DR
Dennis Ruban
Dec 08, 2017

again, it's all about network security. In my case, any unauthorized connection to the dedicated security network would raise a flag.

As for me, it's very unprofessional to have the same network for your business needs and CCTV/alarm/access control devices. Don't tell me about vlans :)

As you mentioned, a lot of security installers, especially small businesses, are not professional network security specialists. I fully understand that and I strongly suggest never request services other than simple cable pull or camera mount from the security companies without good network background. Those days are gone. In this new reality, you shall think about cybersecurity and don't trust just a random guy who has a truck with some hand tools to protect you from those issues.

(3)
DR
Dennis Ruban
Dec 08, 2017

and that issue

Hikvision still has a known unfixed vulnerability

isn't it fixed in a new NVR FW?

JH
John Honovich
Dec 08, 2017
IPVM

No, they simply changed/strengthed the algorithm used, explained here Hikvision Responds To Cracked Security Codes.

But the admin password can still be reset by anyone on site. Hikvision has a page dedicated to explaining it.

To them, it is a customer convenience feature but to those who care about insider threats, it is a vulnerability. Your thoughts?

DR
Dennis Ruban
Dec 08, 2017

In my case, they wouldn't get that far: you have to be connected to the security network to be able to request that, wait for 1-2 hours for a key to be generated and sent back to you.

But in general, it is definitely a vulnerability. I hope they will remove this feature. It looks like it was made with residential market in mind: one guy installed, another guy services, nobody documents the install, and a customer doesn't know the password - all those typical issues.

I'd separate pro- solutions from home products and I would remove any known possibility to break into the system from the pro-rated NVRs and cameras.

(1)
Avatar
Brian Karas
Dec 08, 2017
IPVM

Dennis -

We generally cover cyber security issues as they are reported and as we verify/investigate them.

We have covered all of the recent Hikvision vulnerabilities that we are aware of, and Hikvision has released updated firmware for these. However, given that the majority of Hikvision's many cyber security vulnerabilities have been rather simple to find and exploit, it would be very prudent to assume there are several more yet-to-be-discovered vulnerabilities still in the products. Particularly in some of the more recent apps and cloud services, which are frustrating users and integrators.

Hikvision's track record with shipping products with easily exploitable vulnerabilities should certainly have you as a user/integrator very concerned if you believe cyber security is an important component of delivering a quality system.

Hikvision, and several dealers, tend to take the approach of "but we fixed it!" as these vulnerabilities are continuously discovered. While they certainly should be fixing reported issues, it is well known that software updated for installed products are often missed, leaving hundreds of thousands, or even millions, of exposed and vulnerable devices. 

Also keep in mind, that vulnerabilities may be discovered by black hat hackers and not publicized, increasing the risks.

Those who value cyber security in their surveillance systems should avoid Hikvision until the company can go for a continuous period of no new vulnerability reports (minimum 1 year and multiple release cycles) before beginning to consider the product for cyber security oriented projects.

 

(7)
(1)
DR
Dennis Ruban
Dec 08, 2017

that's a good point

Those who value cyber security in their surveillance systems should avoid Hikvision until the company can go for a continuous period of no new vulnerability reports (minimum 1 year and multiple release cycles) before beginning to consider the product for cyber security oriented projects.

(2)
UI
Undisclosed Integrator #6
Dec 29, 2017

There is no way John hates Hikvision, he probably loves them in all honesty.  The ratings and article comments on Hikvision stories are probably the most popular on the site and drive up membership activity :)

(1)
(3)
UI
Undisclosed Integrator #1
Dec 08, 2017

Backdoorsecurity codes crackedemailing admin passwords in plain textUPnP issues, recommending port forwarding in their hardening guide and now in their cloud app - Let's be fair, Marty. Hikvision is #1.... in cybersecurity problems.

 

Forgot one.  This is the reason I stopped using them.  Quite a painful discovery.

(1)
(1)
(1)
JH
John Honovich
Dec 08, 2017
IPVM

Forgot one.

Well :), in my defense I was trying to keep it just to 2017 issues. But the infected iOS app is good to note, since it extends a pattern of minimally very sloppy procedures for Hikvision's development.

Btw, also recall just a year ago this week, Hikvision Online / DDNS service had a critical security vulnerability.

(2)
MC
Marty Calhoun
Dec 08, 2017
IPVMU Certified

Let's be fair, Marty. Hikvision is #1.... in cybersecurity problems.???

 I 100% disagree with your statement.

Hikvision is the #1 company portrayed on IPVM to be a cybersecurity risk. IPVM does have good things to say as well, that is noted.

I strongly disagreed that polling a readership base of 10,000 constitutes a majority opinion of anything where there are most likely a million or more dealers and certainly more end-users. Selling 1 Million documented cameras per week, somebody, somewhere is pissed off about something.

(7)
(5)
(3)
DR
Dennis Ruban
Dec 08, 2017

Agree.

I understand, for the most of the guys here it's Terra incognita, but it's very typical for IT industry: the more products you sell, the more people search (and find) vulnerabilities.

MS Windows is a perfect example. Let's stop using it, they still have issues with cybersecurity (google patch Tuesday) and they are like 30 years on a market! :)

(6)
(1)
UI
Undisclosed Integrator #6
Dec 29, 2017

While I agree that every company will have to face cyber issues the more the product is used, backdoors and admin resets are not something every manufacturer or software company faces.  I believe Axis has been around longer in the IP camera space than anyone and they don't have 1/10th of the problems that Hikvision has had.

(2)
U
Undisclosed #2
Dec 08, 2017
IPVMU Certified

I 100% disagree with your statement.

Then who is #1 in cyber-security problems?

Or at least name anyone who has more cyber security issues than Hik.

That should be 100% easy, right?

(1)
(1)
Avatar
Brian Karas
Dec 08, 2017
IPVM

Marty -

Hikvision's "#1 Rank" for vulnerabilities is a factor of the number of vulnerabilities they have had, and the severity/ease of exploit of those vulnerabilities.

This is based on publicly verifiable data, not a "poll" of our readership. However, surveys of our readers show high awareness and negative perception of Hikvision's ongoing struggles reinforcing the fact that these ongoing vulnerability discoveries are negatively affecting Hikvision.

If you disagree, show me another manufacturer with as many publicly-verified vulnerabilities as Hikvision. This has nothing to do with size of company, units shipped, etc. It is a simple statistic of publicly reported vulnerabilities.

(1)
DR
Dennis Ruban
Dec 08, 2017

Brian, the big amount of units shipped leads to the big amount of researchers looking for vulnerabilities. So, I can't agree on that: 

 This has nothing to do with size of company, units shipped, etc.

The amount of known and disclosed to public vulnerabilities is definitely a direct consequence of the amount of the units shipped.

(2)
(2)
Avatar
Brian Karas
Dec 08, 2017
IPVM

Brian, the big amount of units shipped leads to the big amount of researchers looking for vulnerabilities.

Yes, but that is only part of the story. Hikvision is certainly more likely to be looked at by vulnerability researchers, but you also have to look at the kinds of vulnerabilities discovered. Should the "#1 vendor" by revenue or product volume not also be aware they are more likely to be scrutinized, and therefore place a high priority on vulnerability discovery and response? 

Many of Hikvision's exploits have been found by what I would call "casual" researchers, people who did not set out to actively audit Hikvision's security, but discovered crucial vulnerabilities while investigating other aspects of the product.

Further, many of the vulnerabilities discovered were very severe and very easy to exploit. They tell a story of poor engineering practice and a lack of focus on cyber security in general. Hard-coded backdoor accounts, which can be easily leveraged, are a clear example of poor development practices, and also a lack of internal audits/controls to find and remove any vulnerabilities proactively.

If Hikvision's rank as the #1 manufacturer in terms of cyber security vulnerability discoveries was mostly do to obscure buffer overflow exploits that were difficult to leverage, or years-old discoveries that were still haunting them, I could see how their position as the largest device manufacturer was a contributing factor and it might be unfair to call them the least secure manufacturer. However, they are being called out for simplistic mistakes, many of which are less than a year old in terms of discovery date. They are making coding errors that are very atypical of large organizations seeking to be dominant players in enterprise markets.

Hikvision earned their spot as #1 in cyber security vulnerabilities due more to their own preventable errors than to intense scrutiny by advanced researchers in proportion to their market share.

 

(1)
UM
Undisclosed Manufacturer #7
Jan 02, 2018

Sorry but with HIK you are opening your doors to everyone

 

UI
Undisclosed Integrator #5
Dec 09, 2017

Thank you.

U
Undisclosed #2
Dec 08, 2017
IPVMU Certified

(1)
(7)
UI
Undisclosed Integrator #3
Dec 08, 2017

Man I belong to a lot of forums and don't think people should be removed or censored.  However, I don't think there is one single thing out of Mr. Hikvision's pinyin keyboard that is of any use to anybody here.  

(3)
(1)
(2)
UE
Undisclosed End User #4
Dec 08, 2017

$$$ corrupts people and they in turn slightly entertain us with their desperate words. That's the limited value Mr. Hikvision offers us.

(2)
(3)
UI
Undisclosed Integrator #3
Dec 09, 2017

UD4, in retrospect I overlooked the entertainment value of it.  If he’s some big shot then I can understand a big ego at work but being that angry I can’t see that being the case?  I’m just glad it’s finally Friday! 

(1)
(3)
JH
John Honovich
Dec 27, 2017
IPVM

Update: And just 3 weeks later, another 'limited time offer' from Hikvision:

How many price cuts do the dwindling Hikvision loyalists need to see to realize that Hikvision USA is actually struggling? Companies who are doing great need not run such sales multiple times per month.

(1)
(1)
U
Undisclosed #2
Dec 27, 2017
IPVMU Certified

...realize that Hikvision USA is actually struggling?

But struggling in what way?  To meet some internal sales goal?  To turn a profit?

Hik USA must be one of the biggest suppliers already in the US, no?

JH
John Honovich
Dec 27, 2017
IPVM

But struggling in what way? To meet some internal sales goal? To turn a profit?

Yes and yes. 

Keep in mind, Hikvision's stock trades at ~10x revenue, compared to Avigilon's ~2x revenue so Hikvision needs incredible growth and profits to hold its valuation.

Hikvision USA doing ~20% growth and no profits is a negative for the company's valuation.

Hik USA must be one of the biggest suppliers already in the US, no?

Yes, they are but when you sell at half of Axis prices while spending more on sales and market, they should be dwarfing and crippling Axis. But they are not and need to resort to these all out sales to prop themselves up.

(2)
U
Undisclosed #2
Dec 27, 2017
IPVMU Certified

Hikvision USA doing ~20% growth and no profits is a negative for the company's valuation.

Ok, but if their strategy was truly to dominate the US market and cripple/shutdown competitors here as a first order of business, this would be consistent with these actions, no?

(1)
JH
John Honovich
Dec 28, 2017
IPVM

if their strategy was truly to dominate the US market and cripple/shutdown competitors

That might have been their strategy entering 2017 but exciting 2017, it has become obvious that the only companies they are likely to cripple are their own and Dahua's OEMs. The more upscale players are increasingly immune given Hikvision's various issues.

Also, these ongoing sales only reinforce those issues and fears among medium to higher-end buyers. It's contradictory too because Hikvision clearly wants to move upmarket but they cling to tactics (like cutting prices) that not only are ineffective upmarket, they are brand damaging since those buyers are not simply choosing the thing on sale, in stock, on any given day.

(2)
SS
Stephen Schulz
Dec 28, 2017
IPVMU Certified

My primary business is IT related.
I have used HikVision or OEM made by products.

I have noticed a lot of shots taken at HikVision.

It is very similar to those taken at Microsoft for the most part even though Apple and others too have problems.

Most all of the time the issue is made worse by the lack of user/customer discipline or lack of security policies.

I am sure that when your market share increases or is large you will be a target.

Even so there are some legitimate concerns but don't overestimate the efforts of those in competition.

So what am I saying?  Just look at all the facts and consider accordingly.

 

(2)
(1)
MM
Michael Miller
Dec 28, 2017

But Microsoft and Apple are not owned by any government unlike Hikivsion which IS owned by the Chinese government. 

(1)
(2)
(1)
DR
Dennis Ruban
Dec 29, 2017

they like to blame Hikvision here. Even when the most of the issues are only exist just because a typical CCTV installer knows almost nothing about network security. People stuck in the last century when they think about IoT, computer networks, etc.

(1)
(2)
(2)
JH
John Honovich
Dec 29, 2017
IPVM

Dennis,

Hikvision has only itself to blame for things like this:

And that's just this month.

I encourage Hikvision to improve and we'd be happy to positively cover that as they do.

DR
Dennis Ruban
Dec 29, 2017

I don't use those cloud services and I'd never recommend to a client to use it. If you go with an unsafe network solution, you have to understand the risks. If you're not qualified, you can educate yourself (long way) or pay to a professional installer (expensive way). Pick one, there're no easy ways available with IoT and cyber-security

(1)
JH
John Honovich
Dec 29, 2017
IPVM

Dennis, I understand you do not and I respect your abilities. I also agree that many installers "know almost nothing about network security" but Hikvision has to take blame when it keeps telling people to do insecure things. It's not fair to simply blame the installers when Hikvision is targeting unknowledgeable installers and directing them in such fashion.

UI
Undisclosed Integrator #6
Dec 29, 2017

It's my experience if someone is looking for the most inexpensive camera, they're not going to look for the most qualified or expert installer to do the job.  If they're shopping on price, then they're going to look at install cost as well.  And if you, while qualified, are 25-50% more expensive to do the install, chances are they're not going to go with you and rather some inexperienced installer who's happy about the high margin on Hikvision cameras.  Is that installer notifying the customer about the risks?

(2)
(1)
(1)
Avatar
Brian Karas
Dec 28, 2017
IPVM

Most all of the time the issue is made worse by the lack of user/customer discipline or lack of security policies.

The vulnerabilities in Hikvision's mobile app and cloud platform left users with little practical way to utilize those products in a secure way, since the vulnerabilities were primarily on platforms out of their control.

The Hikvision backdoor exposed any one who connected their Hikvision (or OEM) camera to the internet, regardless of discipline around things like strong passwords.

I am sure that when your market share increases or is large you will be a target.

This may be true, but a vendor of any size can avoid such obvious mistakes as hard-coding backdoors into their products.

So what am I saying? Just look at all the facts and consider accordingly.

Are you saying that Hikvision's ongoing history of vulnerabilities and poor approach to securing their products should be overlooked? Or are you saying these factual, proven vulnerabilities should be considered as a caution against using the products?

 

 
(1)
JH
John Honovich
Jan 12, 2018
IPVM

Less than 2 weeks from Hikvision's previous across the board sale, Hikvision is back at:

This time though they are limiting to Value and Value Plus series while excluding H.265, making it a far more restricted offering to lower end / older products.