Hikvision Removed From US Army Base, Congressional Hearing Called

IPVM was calling out cyber security concerns at least 2 1/2 years ago, before we even knew about the government ownership.  Personally I ignored them and defended Hik (they’re so cheap!) until the mobile client hack happened and embarrassed me greatly before our company owner.  Nothing is worse than scrambling to steal someone’s smartphone to uninstall useful apps 2 days after you put them on.  Thankfully, that was my first and only Hik install.

While many complain about it, IPVM has been at the forefront putting cyber security concerns in front of integrators beyond just Hik/Dahua/China.  Ignore the risk at your own peril.

You need to stop playing Call of Duty.

What benefit would it be for anyone to invade a country that does trillions of dollars in trade with you?

UD#4 - I feel your statement about OEMs is the one that goes unaddressed.  It is impossible not to wonder about the OEM reactions to these type of posts.  Of course we know where at least one smaller OEM stands due to postings here.  What about those larger companies who are swapping in Hikvision product as their own - Panasonic/Advidia, Honeywell, ADI, Interlogix, etc?

Are these larger manufacturers taking steps to address these types of concerns or are they hiding behind their painted on label?

Me too, but on the other hand I wouldn’t be too smug Robert, I doubt Dahua is going to be the replacement vendor :)

#6, thanks for the response. To quote the WSJ:

The base has 187 security cameras in all and the Hikvision devices were used to monitor roads and a parking lot....

A Defense Department spokesman said the Hikvision cameras at Fort Leonard Wood weren’t connected to the military network.

The article does not say explicitly if all security cameras were on a closed network. They likely are but it's not stated directly.

Adding to your point, there is a 2014 Hikvision press release stating the base was using "Hikvision's 9000 series Hybrid DVRs, 6701 / 6704 encoder modules and IVMS-4200 software". We have sent inquiries to Hikvision, the DoD and the WSJ about the status of this equipment.

"Closed Network" probably mean Dedicated Micros, LOL, not kidding.  I'm currently working with a government agency that only has DM as their only approved video surveillance system.  With analog cameras and hybrid DVRs from 2005.

Explanation: DM's sales pitch to gov is their "Closed IPTV" bs.

For others, Chuck refers to Chuck Davis, Hikvision North America Director of Cybersecurity.

It is an interesting question. Clearly, this issue is within his domain/responsibility. The questions are: (1) Will Hikvision allow him to comment on such a sensitive matter? So far, he's been reduced to giving generic cybersecurity advice and has stayed away from addressing Hikvision specific issues. (2) Is he comfortable getting involved here? This is now a national political issue, not just a technical one. I am curious to see how far he will go to defend Hikvision to Congress, etc.

For that matter, where’s Marty?!

What do you think about the clarifier from the Colonel though?  He only mentions the 5 cameras that were allegedly 'on a closed network'.

i.e. they weren't concerned about cyber security, they were more concerned about media reports that members of their team had read?

If this 2014 press release by Hik that you linked to above is to be believed, then I would think that this might be evidence that the Colonel is full of shit.

...and the Daily Mail in the UK

...and The Hill

...and Sputnik News

...and American Military News

...and if you like your news in video format - with a hipster back beat - you can check out the clip below

Need to record this on C-Span they air it.

Took them long enough! Then again, given what I know about Hikvision and their attempts to obscure facts, I don’t agree that anyone should be fired over this.

The more they deny government ownership the worse it gets for them.

To play devil's advocate, if they admit the government ownership, things would likely get even worse. The Chinese government (i.e., the PRC / Communist Party of China) is seriously bad news - from large scale cyber espionage to human rights violation to unfair trade practices, etc.)

While I agree with you that their denying it in the face of a mountain of evidence (e.g., 1, 2, 3, 4) is a serious problem, it does have the benefit of allowing those who want to be duped, to be duped. I suspect the practical problem for them would be far worse if they publicly admitted their government ownership and control in the West.

Did anyone else have a Nelly's banner when they visited the WSJ article? 

Been to Nelly’s site lately?

I went to the Nelly's site once and afterwards, I had so many Nelly's banners at both the top and bottom of my browser screen that it was crowding out the actual content I was trying to view.  It got very annoying at best.  Cleared browsing history and cookies and took care of that.  I guess all e-commerce sites strive for forced-content advertising that bombards the browser with pop-ups given the opportunity, but it does sometimes have the opposite effect.

Interestingly, a couple of years ago I was on a team of technical consultants surveying a fairly sensitive site in the Middle East.  We noted a Huawei cellular head end rack running a tower for the complex.  Our report listed it as a potential security risk, but without hard evidence other than the Snowden leak.  Unfortunately it would have been impossible for them or anyone else to know with certainty whether a US vendor's equipment is any less likely to be used for snooping.