Hikvision Removed From US Army Base, Congressional Hearing Called

Published Jan 12, 2018 14:15 PM

Hikvision has been removed from a US Army base, and a US congressional committee is planning a hearing on cybersecurity risks and, specifically, Hikvision, the WSJ reports in a follow-up to its WSJ Investigation Into Hikvision.

This is a major trend within the industry, with a growing list of organizations removing or barring Hikvision products, including:

Two main causes of these concerns exist. First, the Chinese government's controlling share of Hikvision, which Hikvision denies in the West but readily admits inside China (Hikvision CEO Admits Hikvision China State-Owned Company).

Secondly, Hikvision's cybersecurity problems, most notably Hikvision's IP camera backdoor shipped in tens of millions of cameras but also including:

As the WSJ reported:

Rep. Steve Chabot, an Ohio Republican and chairman of the House Committee on Small Business, said he expects the committee to focus closely on potential cybersecurity vulnerabilities in security cameras. A spokeswoman for the committee said Hikvision will be examined as part of a hearing scheduled for Jan. 30 on the topic of “foreign cybersecurity threats to small businesses.” The hearing will discuss the security-camera industry generally, but Hikvision will be the only company about which specific questions will be raised, she said. [Emphasis Added]

The challenge for Hikvision is simply what to do now. A company created and controlled by the Chinese government has vast advantages inside China and, with $6 billion in Chinese government loans, vast resources to spend on international expansion. But money is unlikely to be enough to win over an increasingly aware and skeptical international market. Hikvision's price cuts and sales campaigns continue, and that will certainly help with some buyers, but if Congressional hearings take place and more large users remove or ban its products, Hikvision faces difficult decisions about its international future.

Update: Hikvision Fires Back

Hikvision is striking back at the WSJ, labeling the story 'filled with bias and conjecture' and 'misleading to readers and use deceitful headlines'. Fascinatingly, Hikvision claims that the US Army base cameras were removed 'following unfounded and unsubstantiated media reports', but the DHS ICS-CERT report gave Hikvision the worst score, 10.0, for their IP camera backdoor, clearly a critical factor in worldwide concern about Hikvision products. Interestingly, Hikvision did not comment on the upcoming US Congressional hearings or what they plan to do about them.

Comments (66)
Ross Vander Klok
Jan 12, 2018
IPVMU Certified

Refreshing to see that the government is only 16 or so months behind on this issue instead of the normal three or four years.....

Undisclosed Integrator #1
Jan 12, 2018

IPVM was calling out cyber security concerns at least 2 1/2 years ago, before we even knew about the government ownership.  Personally I ignored them and defended Hik (they’re so cheap!) until the mobile client hack happened and embarrassed me greatly before our company owner.  Nothing is worse than scrambling to steal someone’s smartphone to uninstall useful apps 2 days after you put them on.  Thankfully, that was my first and only Hik install.

While many complain about it, IPVM has been at the forefront putting cyber security concerns in front of integrators beyond just Hik/Dahua/China.  Ignore the risk at your own peril.

Ross Vander Klok
Jan 12, 2018
IPVMU Certified

Notice I said Government and not IPVM.  We are all well aware how long IPVM has been championing this issue. 

Unfortunately MANY are ignoring the risks and will continue to do so no matter what evidence IPVM, WSJ or anyone else puts forth.  I worry that will continue until they are forced to stop which means some sort of government intervention which will no doubt overreach in its scope.  

Undisclosed Integrator #1
Jan 12, 2018

which will no doubt overreach in its scope.

Too true...

Undisclosed Manufacturer #2
Jan 12, 2018

This is great news!

Undisclosed End User #3
Jan 12, 2018

I have often theorized the perfect land invasion plan would be to sell IoT devices below cost that would enable your troops to see in real time the status of your enemy's assets...

Living through the era in the 80's when there was a common theme of Japan taking over, I have since perceived Eastern countries and companies as having longer term plans than America, so I have always been leery of these low cost electronics from Asia...

Will we end up paying the true cost of these devices with our Liberty and "freedoms" in the end?

Undisclosed Integrator #11
Jan 15, 2018

You need to stop playing Call of Duty.

What benefit would it be for anyone to invade a country that does trillions of dollars in trade with you?

Brian Karas
Jan 15, 2018
IPVM

Invade? Probably very little. Though, a benefit of having nefarious devices on an enemy's network is that you do not have to physically invade to gain access to their national secrets. Instead, you can do it remotely (almost) undetected.

Undisclosed End User #3
Jan 16, 2018

When we (US) default. Do you know how much the US is in debt to China?

I don't play Call of Duty.

You need to grow up.

Undisclosed Integrator #11
Jan 16, 2018

You need to grow up.

You're conspiracy theorizing about China invading the US and relying on their state-owned budget-camera company to be their early warning system, but I'm the one that needs to grow up?

John Honovich
Jan 16, 2018
IPVM

#3 please don't tell anyone on IPVM that they 'need to grow up'. We can disagree on things without engaging in such personal attacks.

Undisclosed Integrator #11
Jan 16, 2018

#3 my Call of Duty remark was in reference to one of their games whose storyline is based around a "surprise" Russian invasion of the mainland US (I don't play it either so I don't remember which). Sorry that it was offensive to you.

Undisclosed End User #3
Jan 16, 2018

Telling me not to play Call of Duty was not a personal attack?

John Honovich
Jan 16, 2018
IPVM

Yes, that was personal as well. So please let's leave 'call of duty' and 'growing up' off the discussion. Thanks.

Undisclosed Integrator #11
Jan 16, 2018

I'm cool if you just want to nuke this sub-thread that I started John. I didn't intend for this to appear to #3 as a personal attack.

Undisclosed End User #3
Jan 16, 2018

And I apologize for telling you to grow up. I have no idea how old you are, and telling me to not play Call of Duty is good advice....  :)

 

EDIT:

I am not biased about any video game, they all are too time consuming for my busy schedule, I honestly wish I had the time. Last video game I indulged in was SOCOM on PS2.

Steve Beck
Jan 17, 2018

Outside of a few emergency installs where all we had were TVI-SD cameras on the shelf where we had to install on analog DVRs (not connected to the network), we have never used any Hikvision products in any government facilities. It's been all Axis, Samsung Wisenet analog, Milestone, Exacq or some Pelco repair. Even on repairs of old analog systems it's been all Wisenet+ lately.

 

There was a govt. office install which was out of our territory where we recommended to the lessor of the building not to use any Hikvision products at all when they were creating the RFQ for security.

SOCOM shout-out 

P.S. Get the Nintendo Switch. You can jump in and out of games really quickly. Saves so much time.

Undisclosed Integrator #12
Jan 16, 2018

I think we can all agree that the current Call of Duty is about Nazis, not China. I am a grown up, but do enjoy playing :)

Robert Shih
Jan 16, 2018
Independent

Because imperialism, which isn't just perpetrated by European nations or the USA. What goes around can come around and the USA is a prime target.

Even if it weren't for the purpose of invasion, the potential to steal information and technology has much further reaching implications. Not to mention that every single accessible product of theirs that is online is an additional potential bot in a large scale cyber-attack when activated.

 

Undisclosed Integrator #4
Jan 12, 2018

This will do nothing if it doesn't follow through to also include all of the OEMs that have also sold Hik products into the government sector. You can't exclude Hikvision but then allow all of their OEMs with the same cameras to remain.

Undisclosed Integrator #1
Jan 17, 2018

UD#4 - I feel your statement about OEMs is the one that goes unaddressed. It is impossible not to wonder about the OEM reactions to these types of posts. Of course we know where at least one smaller OEM stands due to postings here. What about those larger companies who are swapping in Hikvision product as their own - Panasonic/Advidia, Honeywell, ADI, Interlogix, etc?

Are these larger manufacturers taking steps to address these types of concerns or are they hiding behind their painted on label?

John Honovich
Jan 17, 2018
IPVM

One of the more fascinating (and somewhat crazy) comments I've heard recently was about a dealer who was happy using LTS - the reasoning being that it is Hikvision but is less expensive than Hikvision and does not have the tarnished Hikvision brand....

Undisclosed Integrator #14
Jan 22, 2018

I heard about the cyber security issues via a LinkedIn post a year or so ago.

I was working for a super regional provider that sold almost all Hikvision.

They were all about RMR contracts but cyber weaknesses were never discussed.

When I left that company, my new employer had frequently installed LTS.   

We are now trying to shift to an affordable vendor and IPVM has been helpful.

People who are serious about security will practice due diligence and be informed.

 

Undisclosed Integrator #4
Jan 17, 2018

UD#1 ... thanks for noticing ... It's almost as if all the attention directly on Hikvision is supposed to nullify the same risk imposed on all of the users of the OEM-private branded products made by same.  

Short answer >>> They are hiding behind their painted on label.

I guess that's how capitalism is supposed to work?!???!!?

 

Undisclosed #5
Jan 12, 2018
IPVMU Certified

Army Rips Out Chinese-Made Surveillance Cameras...

after American Manufacturer offers Dump Hikvision, Arecont Will Pay You ;)

Will Van Wickler
Jan 12, 2018

Very interesting article. I am surprised they installed Hikvision in the first place. Pretty embarrassing to have a Chinese government owned security camera company's devices at a US Army base. Hikvision is starting to fall apart!

Robert Shih
Jan 12, 2018
Independent

I'm totally waiting on an entertaining and salty response from Hikvision and family.

Undisclosed #5
Jan 12, 2018
IPVMU Certified

Me too, but on the other hand I wouldn’t be too smug Robert, I doubt Dahua is going to be the replacement vendor :)

Robert Shih
Jan 12, 2018
Independent

Anything's better than having the Chinese government watching our military bases.

Undisclosed Integrator #6
Jan 12, 2018

This article said they removed 5 cameras that were looking at parking lots and a roadway. Also states that they have over 180 cameras deployed on the base on a CLOSED network. Looks more like media grandstanding to me.

John Honovich
Jan 12, 2018
IPVM

#6, thanks for the response. To quote the WSJ:

The base has 187 security cameras in all and the Hikvision devices were used to monitor roads and a parking lot....

A Defense Department spokesman said the Hikvision cameras at Fort Leonard Wood weren’t connected to the military network.

The article does not say explicitly if all security cameras were on a closed network. They likely are but it's not stated directly.

Adding to your point, there is a 2014 Hikvision press release stating the base was using "Hikvision's 9000 series Hybrid DVRs, 6701 / 6704 encoder modules and IVMS-4200 software". We have sent inquiries to Hikvision, the DoD and the WSJ about the status of this equipment.

Undisclosed Integrator #6
Jan 12, 2018

John this was what I was referring to from the same WSJ article:

Fort Leonard Wood, an Army base in Missouri’s Ozarks, replaced five cameras on the base branded and made by Hangzhou Hikvision Digital Technology Co. , said Col. Christopher Beck, the base’s chief of staff. He said officials at the base acted after reading media reports about the company.

“We never believed [the cameras] were a security risk. They were always on a closed network,” Col. Beck said. The decision to replace the cameras was meant to “remove any negative perception” surrounding them following media reports, he added, without elaborating.

Undisclosed #10
Jan 13, 2018

"Closed Network" probably means Dedicated Micros, LOL, not kidding. I'm currently working with a government agency that only has DM as their only approved video surveillance system. With analog cameras and hybrid DVRs from 2005.

Explanation: DM's sales pitch to gov is their "Closed IPTV" bs.

Ari Erenthal
Jan 15, 2018
Chesapeake & Midlantic

How do I vote "horrified"?

Undisclosed Integrator #1
Jan 12, 2018

From this article:

The company has also said that it does not have access to cameras that have been sold to customers

Unfortunately, everyone else in the world does.

 

Undisclosed #7
Jan 12, 2018

Where's Chuck??

 

John Honovich
Jan 12, 2018
IPVM

For others, Chuck refers to Chuck Davis, Hikvision North America Director of Cybersecurity.

It is an interesting question. Clearly, this issue is within his domain/responsibility. The questions are: (1) Will Hikvision allow him to comment on such a sensitive matter? So far, he's been reduced to giving generic cybersecurity advice and has stayed away from addressing Hikvision specific issues. (2) Is he comfortable getting involved here? This is now a national political issue, not just a technical one. I am curious to see how far he will go to defend Hikvision to Congress, etc.

Undisclosed #8
Jan 12, 2018

For that matter, where’s Marty?!

Undisclosed #5
Jan 13, 2018
IPVMU Certified

If this be him, the 50+ unhelpfuls there alone may have shortened his membership by more than a month, which may be a factor:

(50 unhelpfuls * $0.35) / ($199 / 365 days) = ~32 days

Brad Peterson
Jan 12, 2018

Now wait and see. The Chinese Government will establish a shell corporation unrelated to the government...on paper and start all over. It will take our government another 5 years to figure that out. I'm sure IPVM will uncover this idea much quicker.

John Honovich
Jan 12, 2018
IPVM

The story has now made Gizmodo: Army Base Ditches Chinese-Made Surveillance Cameras Just So No One Gets the Wrong Idea. Gizmodo is a large mainstream site so it will bring more attention to it.

Undisclosed #7
Jan 13, 2018

What do you think about the clarifier from the Colonel though?  He only mentions the 5 cameras that were allegedly 'on a closed network'.

i.e. they weren't concerned about cyber security, they were more concerned about media reports that members of their team had read?

If this 2014 press release by Hik that you linked to above is to be believed, then I would think that this might be evidence that the Colonel is full of shit.

 

John Honovich
Jan 13, 2018
IPVM

I am not sure what the Colonel is thinking or even what he knows. My experience with Colonels is that they are generally way above the level of military personnel who know the details of video surveillance systems. Also keep in mind that this system was installed before there was any Western public discussion of Hikvision's Chinese government ownership and before Hikvision's wave of cybersecurity issues.

Undisclosed #5
Jan 13, 2018
IPVMU Certified

My experience with Colonels is that they are generally way above the level of military personnel who know the details of video surveillance systems.

Excluding Colonel Swindell, of course.

Undisclosed #7
Jan 13, 2018

agreed.  I think the Colonel is just issuing damage control due to bad press - at the behest of those with stars on their shoulder epaulettes.

i.e. he doesn't know what he is talking about.

question:  why haven't any of the media outlets running this story (WSJ, Gizmodo, et al) asked the Colonel about the Hik press release from 2014?

Undisclosed #7
Jan 13, 2018

From that 2014 presser:

Note that the co-owner of the local Missouri integration company admits that the Hikvision equipment is 'riding on the government network'

 

Funny thing, Security Sales and Integration posted their own story on the Fort Leonard Wood/Hik deal back in 2014... except they left out that line:

 

 

Undisclosed #7
Jan 13, 2018

...and the Daily Mail in the UK

...and The Hill

...and Sputnik News

...and American Military News

...and if you like your news in video format - with a hipster back beat - you can check out the clip below

 

Undisclosed Integrator #9
Jan 13, 2018

These cameras are also not allowed on the GSA Advantage government purchasing website and should not have been sold to any Federal entity to start with.  We receive calls occasionally from military personnel requesting such cameras (sometimes at less consequential buildings such as an on-base Army fitness center) who simply have no idea what they are buying and are simply seeking to meet a budget.  

When we informed the last military person requesting this product of the truth, and asked how he was purchasing them previously, he said he was purchasing them online with his credit card.

Zero oversight, very little instruction, low level facility management transaction, little care for reality.

John Honovich
Jan 13, 2018
IPVM

The US House Committee on Small Business has shared the WSJ article and their upcoming hearing on Twitter:

Undisclosed #13
Jan 17, 2018

Need to record this on C-Span they air it.

 

John Honovich
Jan 14, 2018
IPVM

Update: Hikvision has posted an Update on January 12 2018 WSJ Article, firing back at the WSJ:

Recent media reports about Hikvision and our products have inaccurately characterized our company, our products and our services. These opinions are filled with bias and conjecture. Some of these reports are misleading to readers and use deceitful headlines to attract attention. [Emphasis added]

In fairness, Hikvision knows deceit. They call their magic string backdoor a 'privilege escalating vulnerability'. They call their controlling shareholder just a part of their "diverse set of private and public shareholders", etc.

So far, they have posted the update on Twitter and now on LinkedIn.

John Honovich
Jan 14, 2018
IPVM

Securitas Director using the WSJ coverage to solicit business:

John Honovich
Jan 14, 2018
IPVM

Fox's Lou Dobbs has picked up the WSJ / Hikvision story, calling for procurement people to be fired:

Undisclosed #8
Jan 14, 2018

Took them long enough! Then again, given what I know about Hikvision and their attempts to obscure facts, I don’t agree that anyone should be fired over this.

Undisclosed Integrator #11
Jan 15, 2018

I'm a big fan of Hik products. Their prices are aggressive, their products are attractive, and the performance (depending on the model) is very good.

Having said that, they REALLY need to get their sh*t together on this already. The more they deny government ownership the worse it gets for them. They need a remedy to that ASAP. It's like they're victims of their own blinders, the censors within China duping Hikvision into thinking no one outside their inner circle knows the facts.

Hik's cybersecurity concerns are also another valid point and far more effort needs to be devoted to it, not just with Hik but any technology manufacturer that makes addressable electronic devices.

John Honovich
Jan 15, 2018
IPVM

The more they deny government ownership the worse it gets for them.

To play devil's advocate, if they admit the government ownership, things would likely get even worse. The Chinese government (i.e., the PRC / Communist Party of China) is seriously bad news - from large scale cyber espionage to human rights violations to unfair trade practices, etc.

While I agree with you that their denying it in the face of a mountain of evidence (e.g., 1, 2, 3, 4) is a serious problem, it does have the benefit of allowing those who want to be duped, to be duped. I suspect the practical problem for them would be far worse if they publicly admitted their government ownership and control in the West.

Undisclosed Integrator #11
Jan 15, 2018

I think the Chinese need to figure out what they want out of Hikvision. Is it a revenue tool or some sort of secret intelligence gathering apparatus?

The only way forward I see for them, IF they want to continue being a large scale and high profile provider, is diversification of their ownership away from a state-owned entity to a public entity with state investment.

Undisclosed #7
Jan 15, 2018

"it does have the benefit of allowing those who want to be duped, to be duped."

exactly right... the Rockman Principle.

Undisclosed #13
Jan 17, 2018

Did anyone else have a Nelly's banner when they visited the WSJ article? Aren't they a Hik OEM?

Undisclosed #5
Jan 17, 2018
IPVMU Certified

Did anyone else have a Nelly's banner when they visited the WSJ article? 

Been to Nelly’s site lately?

Undisclosed Integrator #4
Jan 17, 2018

I went to the Nelly's site once and afterwards, I had so many Nelly's banners at both the top and bottom of my browser screen that it was crowding out the actual content I was trying to view.  It got very annoying at best.  Cleared browsing history and cookies and took care of that.  I guess all e-commerce sites strive for forced-content advertising that bombards the browser with pop-ups given the opportunity, but it does sometimes have the opposite effect.

Ari Erenthal
Jan 17, 2018
Chesapeake & Midlantic

I still get B&H Photo banners everywhere I go.

Undisclosed #13
Jan 17, 2018

Considering what the military requires and spends to protect SIPRNET and NIPRNET, their indifference to placing a camera, mic, and network appliance anywhere in a military facility has me completely baffled.

Undisclosed End User #3
Jan 18, 2018

It's not only our industry:

US Threatens Telcos to Avoid Huawei or Lose Government Contracts:

http://www.dslreports.com/shownews/US-Threatens-Telcos-to-Avoid-Huawei-or-Lose-Government-Contracts-141059

 

 

Undisclosed #10
Jan 18, 2018

Interestingly, a couple of years ago I was on a team of technical consultants surveying a fairly sensitive site in the Middle East.  We noted a Huawei cellular head end rack running a tower for the complex.  Our report listed it as a potential security risk, but without hard evidence other than the Snowden leak.  Unfortunately it would have been impossible for them or anyone else to know with certainty whether a US vendor's equipment is any less likely to be used for snooping.

Undisclosed #13
Jan 18, 2018

Meanwhile, contractors on the other side of earth are installing special lockable duct/raceway below the ceiling that costs $150 a foot. This was based on the premise someone could install a snooping device on the fiber if it was concealed above ceiling, behind walls, or in conduit. The lockable duct would let them inspect the entire fiber optic cable visually. If it was above the ceiling or behind walls, no one would see it. I can remember the exact price of that duct, but it was expensive. 
