Hikvision Europe Warns Of "A Wave of Cyberattacks"By: John Honovich, Published on Sep 28, 2017
Hikvision Europe has issued a "Hikvision Security Advisory" press release [link no longer available] and emailed an e-newsletter with the advisory at the very top:
Hikvision Europe also urged users to upgrade their IP camera firmware to remove the Hikvision backdoor.
They are certainly correct to refer to it as a 'wave of cyberattacks' as the hacks on video surveillance products this month have been far more broad and severe than ever before.
Dahua Mostly Hit
Ironically, this wave has overwhelmingly hit Dahua recorders (see Hackers Globally Attacking Dahua Recorders), not Hikvision devices, as Dahua has numerous cybersecurity vulnerabilities (e.g., Dahua's backdoor) of their own, including issues with their recorders that are more commonly made publicly accessible than IP cameras.
Hikvision IP Cameras Certainly At Risk
At the same time, Hikvision IP cameras (and their numerous OEMs who we have verified), face risk as well. In September 2017, full disclosure was made to the Hikvision backdoor, showing how easy it was for hackers to attack vulnerable Hikvision IP cameras.
Right Thing To Do
To that end, Hikvision Europe is certainly doing the right thing to make it clear to their customers and partners that this is a real risk and real attacks are occurring. Moreover, Hikvision Europe deserves respect for prominently sending out notice, rather than obscuring it.
Hikvision Better Response Than Dahua
Hikvision Europe's response to the Dahua driven wave of cyber attacks has been better than Dahua's own. Dahua's only public communication to date was a press release that buried the hacks in spin about launching latest cybersecurity initiatives [link no longer available]. This is a positive for Hikvision but only reinforces how poor Dahua's response has been.
Hikvision USA Failing So Far
Unlike Hikvision Europe that addressed the issue head on and professionally communicated the risks publicly, Hikvision USA is ignoring the risks and failing to warn their customers of this wave and the recent disclosure of Hikvision's backdoor. Instead, Hikvision USA blogged arguing that they only had 8 CVE cyber vulnerabilities and bemoaning an 'online blogger'. [Update: now, Hikvision USA Misleads Dealers On Backdoor]
Communicating Risks Clearly Is Critical
Manufacturers not only have a responsibility to clearly and prominently communicate risks but they also will benefit by rebuilding trust by being more forthright.