Hikvision Removed From US Army Base, Congressional Hearing Called
By IPVM Team, Published Jan 12, 2018, 09:15am ESTHikvision has been removed from a US Army Base and a US congressional committee is planning a hearing on cybersecurity risks and specifically, Hikvision, reports the WSJ in a follow up to their (WSJ) Investigation Into Hikvision.
This is a major trend within the industry, with a growing list of organizations removing or barring Hikvision products, including:
- Hikvision Removed From US Embassy
- Hikvision Removed From US GSA Sales
- US Air Force Cancels Hikvision RFQ
- Hikvision Barred From US City Housing Authority Bid
- Fortune 500 Company Bars Dahua and Hikvision
Two main causes of these concerns exist. First, the Chinese government's controlling share of Hikvision, something Hikvision denies in the West but which they readily admit inside of China, Hikvision CEO Admits Hikvision China State-Owned Company.
Secondly, Hikvision's cybersecurity problems, most notably Hikvision's IP camera backdoor shipped in tens of millions of cameras but also including:
- 80+ OEMs Verified Vulnerable To Hikvision Backdoor
- Hikvision Security Code Cracked
- Hikvision Vulnerability Permits Wi-Fi Attack (hard-coded Wifi connection set)
- Hikvision Cloud Security Vulnerability Uncovered
- Hikvision VMS Password Recovery Vulnerability (Admin Passwords Sent In Plain Text)
- Hikvision Trojan Mobile App
- Hikvision Hardening Guide Recommends Port Forwarding
- Hikvision UPnP Hacking Risk
As the WSJ reported:
Rep. Steve Chabot, an Ohio Republican and chairman of the House Committee on Small Business, said he expects the committee to focus closely on potential cybersecurity vulnerabilities in security cameras. A spokeswoman for the committee said Hikvision will be examined as part of a hearing scheduled for Jan. 30 on the topic of “foreign cybersecurity threats to small businesses.” The hearing will discuss the security-camera industry generally, but Hikvision will be the only company about which specific questions will be raised, she said. [Emphasis Added]
The challenge for Hikvision is simply what to do now. A company created by the Chinese government and controlled by the Chinese government has vast advantages inside of China and with $6 billion in Chinese government loans, vast resources to spend on International expansion. But money is unlikely to be enough to win over an increasingly aware and skeptical International market. Hikvision's price cuts and sales campaigns continue and that certainly will help with some buyers but if Congressional hearings and more large users remove or ban their products, Hikvision faces difficult decisions about its International future.
Update: Hikvision Fires Back
Hikvision is striking back at the WSJ, labeling the story 'filled with bias and conjecture', and 'misleading to readers and use deceitful headlines'. Fascinatingly, Hikvision claims that the US Army base cameras were removed 'following unfounded and unsubstantiated media reports' but DHS ICS-CERT report gave Hikvision a worse 10.0 score for their IP camera backdoor, clearly a critical factor in worldwide concern about Hikvision products. Interestingly, Hikvision did not comment about the upcoming US Congressional hearings or what they plan to do about them.
7 reports cite this report:
Comments (66)
Refreshing to see that the government is only 16 or so months behind on this issue instead of the normal three or four years.....
IPVM was calling out cyber security concerns at least 2 1/2 years ago, before we even knew about the government ownership. Personally I ignored them and defended Hik (they’re so cheap!) until the mobile client hack happened and embarrassed me greatly before our company owner. Nothing is worse than scrambling to steal someone’s smartphone to uninstall useful apps 2 days after you put them on. Thankfully, that was my first and only Hik install.
While many complain about it, IPVM has been at the forefront putting cyber security concerns in front of integrators beyond just Hik/Dahua/China. Ignore the risk at your own peril.
Notice I said Government and not IPVM. We are all well aware how long IPVM has been championing this issue.
Unfortunately MANY are ignoring the risks and will continue to do so no matter what evidence IPVM, WSJ or anyone else puts forth. I worry that will continue until they are forced to stop which means some sort of government intervention which will no doubt overreach in its scope.
This is great news!
I have often theorized the perfect land invasion plan would be to sell IoT devices below cost that would enable your troops to see in real time the status of your enemies assets...
Living through the era in the 80's when there was a common theme of Japan taking over, I have since perceived Eastern countries and company's of having longer term plans then America, so I have always been leery of these low cost electronics from Asia...
Will we end up paying the true cost of these devices with our Liberty and "freedoms" in the end?
You need to stop playing Call of Duty.
What benefit would it be for anyone to invade a country that does trillions of dollars in trade with you?
Invade? Probably very little. Though, a benefit of having nefarious devices on an enemy's network is that you do not have to physically invade to gain access to their national secrets. Instead, you can do it remotely (almost) undetected.
When we (US) defaults. Do you know how much US is in debt to China?
I don't play Call of Duty.
You need to grow up.
You need to grow up.
You're conspiracy theorizing about China invading the US and relying on their state-owned budget-camera company to be their early warning system, but I'm the one that needs to grow up?
#3 please don't tell anyone on IPVM that they 'need to grow up'. We can disagree on things without engaging in such personal attacks.
#3 my Call of Duty remark was in reference to one of their games whose storyline is based around a "surprise" Russian invasion of the mainland US (I don't play it either so I don't remember which). Sorry that it was offensive to you.
Telling me not to play Call of duty was not a personal attack?
Yes, that was personal as well. So please let's leave 'call of duty' and 'growing up' off the discussion. Thanks.
I'm cool if you just want to nuke this sub-thread that I started John. I didn't intend for this to appear to #3 as a personal attack.
And I apologize for telling you to grow up. I have no idea how old you are, and telling me to not play Call of Duty is good advice.... :)
EDIT:
I am not biased about any video game, they all are too time consuming for my busy schedule, I honestly wish I had the time. Last video game I indulged in was SOCOM on PS2.
Outside of a few emergency installs where all we had were TVI-SD cameras on the shelf where we had to install on analog DVRs (not connected to the network), we have never used any Hikvision products in any government facilities. It's been all Axis, Samsung Wisenet analog, Milestone, Exacq or some Pelco repair. Even on repairs of old analog systems it's been all Wisenet+ lately.
There was a govt. office install which was out of our territory where we recommended to the lessor of the building not to use any Hikvision products at all when they were creating the RFQ for security.
SOCOM shout-out
P.S. Get the Nintendo Switch. You can jump and out of games really quickly. Saves so much time
I think we can all agree that the current Call of Duty is about Nazi's, not China. I am a grown up, but do enjoy playing :)
Because imperialism, which isn't just perpetrated by European nations or the USA. What goes around can come around and the USA is a prime target.
Even if it weren't for the purpose of invasion, the potential to steal information and technology has much further reaching implications. Not to mention that every single accessible product of theirs that is online is an additional potential bot in a large scale cyber-attack when activated.
This will do nothing if it doesn't follow through to also include all of the OEM's that have also sold Hik products into the government sector. You can't exclude Hikvision but then allow all of their OEM's with the same cameras to remain.
UD#4 - I feel your statement about OEMs is the one that goes unaddressed. It is impossible not to wonder about the OEM reactions to these type of posts. Of course we know where at least one smaller OEM stands due to postings here. What about those larger companies who are swapping in Hikvision product as their own - Panasonic/Advidia, Honeywell, ADI, Interlogix, etc?
Are these larger manufacturers taking steps to address these types of concerns or are they hiding behind their painted on label?
One of the more fascinating (and somewhat crazy) comments I've heard recently was about a dealer who was happy using LTS - the reasoning being that it is Hikvision but is less expensive than Hikvision and does not have the tarnished Hikvision brand....
UD#1 ... thanks for noticing ... It's almost as if all the attention directly on Hikvision is supposed to nullify the same risk imposed on all of the users of the OEM-private branded products made by same.
Short answer >>> They are hiding behind their painted on label.
I guess that's how capitalism is supposed to work?!???!!?
Army Rips Out Chinese-Made Surveillance Cameras...
after American Manufacturer offers Dump Hikvision, Arecont Will Pay You ;)
Very interesting article. I am surprised they installed Hik Vision in the first place.. Pretty embarrassing to have a Chinese government owned secuirty camera company devices at a US Army base. Hik Vision is starting to fall apart!
I'm totally waiting on an entertaining and salty response from Hikvision and family.
Me too, but on the other hand I wouldn’t be too smug Robert, I doubt Dahua is going to be the replacement vendor :)
This article said they removed 5 cameras that were looking at parking lots and a roadway. Also states that they have over 180 cameras deployed on the base on a CLOSED network. Looks more like media grandstanding to me.
#6, thanks for the response. To quote the WSJ:
The base has 187 security cameras in all and the Hikvision devices were used to monitor roads and a parking lot....
A Defense Department spokesman said the Hikvision cameras at Fort Leonard Wood weren’t connected to the military network.
The article does not say explicitly if all security cameras were on a closed network. They likely are but it's not stated directly.
Adding to your point, there is a 2014 Hikvision press release stating the base was using "Hikvision's 9000 series Hybrid DVRs, 6701 / 6704 encoder modules and IVMS-4200 software". We have sent inquiries to Hikvision, the DoD and the WSJ about the status of this equipment.
"Closed Network" probably mean Dedicated Micros, LOL, not kidding. I'm currently working with a government agency that only has DM as their only approved video surveillance system. With analog cameras and hybrid DVRs from 2005.
Explanation: DM's sales pitch to gov is their "Closed IPTV" bs.
From from this article:
The company has also said that it does not have access to cameras that have been sold to customers
Unfortunately, everyone else in the world does.
Where's Chuck??
For others, Chuck refers to Chuck Davis, Hikvision North America Director of Cybersecurity.
It is an interesting question. Clearly, this issue is within his domain/responsibility. The questions are: (1) Will Hikvision allow him to comment on such a sensitive matter? So far, he's been reduced to giving generic cybersecurity advice and has stayed away from addressing Hikvision specific issues. (2) Is he comfortable getting involved here? This is now a national political issue, not just a technical one. I am curious to see how far he will go to defend Hikvision to Congress, etc.
For that matter, where’s Marty?!
Now wait and see. The Chinese Government will establish a shell corporation unrelated to the government...on paper and start all over. It will take our government another 5 years to figure that out. Im sure IPVM will uncover this idea much quicker.
The story has now made Gizmodo: Army Base Ditches Chinese-Made Surveillance Cameras Just So No One Gets the Wrong Idea. Gizmodo is a large mainstream site so it will bring more attention to it.
What do you think about the clarifier from the Colonel though? He only mentions the 5 cameras that were allegedly 'on a closed network'.
i.e. they weren't concerned about cyber security, they were more concerned about media reports that members of their team had read?
If this 2014 press release by Hik that you linked to above is to be believed, then I would think that this might be evidence that the Colonel is full of shit.
I am not sure what the Colonel is thinking or even what he knows. My experience with Colonels is that they are generally way above the level of military personnel who know the details of video surveillance systems. Also keep in mind that this system was installed before there was any Western public discussion of Hikvision's Chinese government ownership and before Hikvision's wave of cybersecurity issues.
My experience with Colonels is that they are generally way above the level of military personnel who know the details of video surveillance systems.
Excluding Colonel Swindell, of course.
agreed. I think the Colonel is just issuing damage control due to bad press - at the behest of those with stars on their shoulder epaulettes.
i.e. he doesn't know what he is talking about.
question: why haven't any of the media outlets running this story (WSJ, Gizmodo, et al) asked the Colonel about the Hik press release from 2014?
From that 2014 presser:
Note that the co-owner of the local Missouri integration company admits that the Hikvision equipment is 'riding on the government network'
Funny thing, Security Sales and Integration posted their own story on the Fort Leonard Wood/Hik deal back in 2014... except they left out that line:
...and the Daily Mail in the UK
...and The Hill
...and Sputnik News
...and American Military News
...and if you like your news in video format - with a hipster back beat - you can check out the clip below
These cameras are also not allowed on the GSA Advantage government purchasing website and should not have been sold to any Federal entity to start with. We receive calls occasionally from military personnel requesting such cameras (sometimes at less consequential buildings such as an on-base Army fitness center) who simply have no idea what they are buying and are simply seeking to meet a budget.
When we informed the last military person requesting this product of the truth, and asked how he was purchasing them previously, he said he was purchasing them online with his credit card.
Zero oversight, very little instruction, low level facility management transaction, little care for reality.
The US House Committee on Small Business has shared the WSJ article and their upcoming hearing on Twitter:
Update: Hikvision has posted an Update on January 12 2018 WSJ Article, firing back at the WSJ:
Recent media reports about Hikvision and our products have inaccurately characterized our company, our products and our services. These opinions are filled with bias and conjecture. Some of these reports are misleading to readers and use deceitful headlines to attract attention. [Emphasis addded]
In fairness, Hikvision knows deceit. They call their magic string backdoor a 'privilege escalating vulnerability'. They call their controlling shareholder just a part of their "diverse set of private and public shareholders", etc.
So far, they have posted the update on Twitter and now on LinkedIn.
Securitas Director using the WSJ coverage to solicit business:
Fox's Lou Dobb's has picked up the WSJ / Hikvision story calling for procurement people to be fired:
Moronic: DOD needs to "rip out" procurement personnel who bought CHINESE equipment--Army rips out Chinese-made surveillance cameras overlooking U.S. base https://t.co/6kHcAmey5Z via @WSJ
— Lou Dobbs (@LouDobbs) January 13, 2018
I'm a big fan of Hik products. Their prices are aggressive, their products are attractive, and the performance (depending on the model) is very good.
Having said that, they REALLY need to get their sh*t together on this already. The more they deny government ownership the worse it gets for them. They need a remedy to that ASAP. It's like they're victims of their own blinders, the censors within China duping Hikvision into thinking no one outside their inner circle knows the facts.
Hik's cybersecurity concerns are also another valid point and far more effort needs to be devoted to it, not just with Hik but any technology manufacturer that makes addressable electronic devices.
The more they deny government ownership the worse it gets for them.
To play devil's advocate, if they admit the government ownership, things would likely get even worse. The Chinese government (i.e., the PRC / Communist Party of China) is seriously bad news - from large scale cyber espionage to human rights violation to unfair trade practices, etc.)
While I agree with you that their denying it in the face of a mountain of evidence (e.g., 1, 2, 3, 4) is a serious problem, it does have the benefit of allowing those who want to be duped, to be duped. I suspect the practical problem for them would be far worse if they publicly admitted their government ownership and control in the West.
Did anyone else have a Nelly's banner when they visited the WSJ article? Aren't they a Hik OEM?
Did anyone else have a Nelly's banner when they visited the WSJ article?
Been to Nelly’s site lately?
I went to the Nelly's site once and afterwards, I had so many Nelly's banners at both the top and bottom of my browser screen that it was crowding out the actual content I was trying to view. It got very annoying at best. Cleared browsing history and cookies and took care of that. I guess all e-commerce sites strive for forced-content advertising that bombards the browser with pop-ups given the opportunity, but it does sometimes have the opposite effect.
Considering what the military requires and spends to protect SIPRNET and NIPRNET, their indifference to placing a camera, mic, and network appliance anywhere in a military facility has me completely baffled.
It's not only our industry:
US Threatens Telcos to Avoid Huawei or Lose Government Contracts:
