Hikvision HQ Contradicts Cybersecurity Director

Author: John Honovich, Published on Mar 07, 2018

Hikvision HQ has contradicted Hikvision USA's Director of Cybersecurity, Chuck Davis.

Davis - Don't Put Cameras On The Internet

Davis made a very good point in a recent SP&T interview:

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

And Hikvision knows about bad ideas. The combination of their IP camera backdoor, their defaulting UPnP on for years and regularly recommending port forwarding, including in their hardening guide, resulted in widespread hacking of Hikvision IP cameras.

So it is refreshing and commendable that Davis would publicly come out against the practice of putting cameras directly on the Internet.

HQ - Do Put Cameras On The Internet

Unfortunately, Hikvision HQ does not care. Their, new for 2018, 'Network Camera Security Guide' still endorses putting cameras directly on the Internet.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

The port forwarding section:

The problems are: (1) any open port is a path to being attacked. (2) The strength of the password is irrelevant when a vulnerability is found since, like the Hikvision backdoor, vulnerabilities regularly allow getting admin access without a password. (3) Finally, using a custom port is a weak security by obscurity tactic which, given the ability to scan the Internet (e.g., Shodan), can be overcome.

Reduce Support Costs - Why Put Devices On The Internet

Why Hikvision recommends this is simple. It is the same reason why Hikvision USA tech support regularly tells users reporting problems to port forward and why Hikvision's own app at the end of last year told users to port forward. It is expensive and difficult to make secure remote access work well and, given how low Hikvision sells its products for and how many challenges Hikvision has had developing HikConnect, security loses out to expediency.

Give Davis Real Power

Hikvision needs to give Chuck Davis real power to make changes. If Hikvision HQ is really committed to cybersecurity, stop treating Davis like a white monkey, parading him around, and prove to critics that Hikvision is serious about cybersecurity by letting Davis implement sensible and secure policies.

Comments (16)

Only IPVM PRO Members may comment. Login or Join.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

I would recommend to setup and use own VPN, that would not involve any cloud 'solution' from the manufacture.

I tend to agree with you in terms of Hikvision and Dahua, but are you saying we shouldn't trust ANY cloud based options? My concern is specifically with Network Optix / DW Spectrum / Hanwha Wave.

Correct, do not trust ANY, and don't get caught on Hik and/or Dahua alone.

There is already examples 'out there' why you should not, and I will personally give you additional examples.

Bashis, thanks for the feedback.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

To clarify, my reference to cloud was not to endorse it but to emphasize that despite Hikvision having a 'cloud solution' that they still regularly tell users to port forward, which is both bad practice and embarrassing.

I call this a Hydra Management Policy. HMP occurs when different portions of the company are contradicting each other and heading in different directions. It is not a Hikvision exclusive phenomenon. Hikvision just seems to be one of the few companies that refuse to acknowledge and address the failing.

Unfortunately, with limited financial impact to Hikvision it is unlikely to get addressed. I still see entire forums on integrators on Facebook where one would think Hik and their OEMs is the only product being deployed into the world. I am not entirely certain what it would take for DIY and small integrators to break their addiction to low cost.

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

Why does he say camera, though?

It would seem he either

1) hasn’t considered NVR’s

2) thinks that cameras are different than NVR’s

3) is being sloppy in his use of terms and means to refer to any device

#2, it is a good question. Considering an NVR is literally a collection of camera feeds plus recordings, the same logic should apply at least as strong, if not more.

Davis' position on that is unclear and he is banned from speaking to IPVM so it is unlikely we will find out. Related, Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

In my opinion, I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding. Mr Davis' suggestion also applies, don't put anything on the Internet without some type of firewall device in front of it, basically, it must have an IFC1918 based private address.

Port forwarding will allow access to devices through controlled ports, whether or not these ports are properly secured is a different story, putting a device directly on the Internet gives wide open access to anybody to every port that is listening on the device.

I am in total agreement that the ideal way to access these devices on the Internet would be through a VPN, but given the complexity and expense of setting these up and maintaining them, do you really think it's a solution for the targeted market of the chinese manufacturers? When the guy at the local convenient store asks to have a 4-camera surveillance system set up that he can access from home, do you think he's going to go in for all of this? Is there an installer market for being able to install, configure and maintain this type of setup for the entry-level consumer?

Until there is a consumer-friendly VPN solution that is free and simple to set up and maintain then this will always be a problem.

I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding [emphasis added]

In what cases do you have to? As you say, it is less a matter of having to and more a matter of it being cheaper to do so.

In this day and age who can say why people want every single one of their devices to be accessible from the public Internet? But sure enough, as soon as you say that no one would ever want to do this, there will be 5 people raising a stink because you didn't make it available for them.

why people want every single one of their devices to be accessible from the public Internet

People want their devices to be accessible to themselves, not the public Internet. Vendors, like Hikvision, tell them to make it accessible to the public Internet because it is the cheapest and easiest path to accomplishing this, even though it is less secure.

Agreed, they want something to be available to only themselves but over a public medium, the Internet. It goes back to my statement above, it can be done but would it be available at an acceptable price point?

would it be available at an acceptable price point?

Security or convenience. Pick one. Hikvision says they have picked security. For example:

“Cyber security is Hikvision’s top priority,” said Jeffrey He, president of Hikvision USA Inc. and Hikvision Canada Inc.

It that is Hikvision's top priority than they should be willing to accept the higher cost of providing it.

Playing devils advocate here, but access doesn’t solely mean from the internet. It could mean access from a corporate network perhaps. In this rare instance, both sets of advice mesh (pun intended).

What do other manufacturers say about accessing the devices from outside? Do they suggest VPN, port forwarding or they just ignore this question?

I understand why we see this article (haven't seen any "Hikvision is evil" for a long time, maybe 2 weeks). But just curious to know what the big guys like Avigilon, Axis, Hanwa suggest.

What the undisclosed distrib said above is true. VPN is a great idea for security. However, walking to work instead of driving to work is a great way to avoid a car accident. Convenience or security?

What my extreme example points out that its completely not feasible to recommend all the millions of Hikvision users to setup and use a VPN. Unless they can find a way to do this with one click of a button from their cell phone app, this isn't going to work and really isn't a great suggestion. Your security suggestions are great, but you also have to understand the business side of things.

I will agree on one thing though, the recommendation of port forwarding also needs to stop. Port Forwarding is so "2015 and before" This is probably more complicated to the typical end user than setting up a VPN would be.

What needs to happen is the continual development of the P2P servers with intense focus on making them secure and reliable. This is how most all IoT devices operate these days.

Related Reports on Hacking

New Whole Foods Installs Hackable Access Control (Upgraded) on Feb 21, 2018
Whole Foods has built a reputation for high quality. And their 2017 Amazon acquisition has increased that, plus added deep pockets for buying...
Remote Network Access for Video Surveillance Guide on Feb 21, 2018
Remotely accessing surveillance systems is key in 2018, with more and more users relying on mobile apps as their main way of operating the system....
IP Cameras Default Passwords Directory on Feb 09, 2018
Below is a directory of 50+ manufacturer's default passwords. Note: Change Default Passwords Leaving default passwords is dangerous and makes it...
Simplisafe 'All New' Generation 3 Tested on Feb 08, 2018
Feared by the traditional alarm industry, Simplisafe has launched its 'all new' Generation 3 platform that they declare is "Stronger. Faster....
Geovision Unprecedented Security Vulnerabilities And Backdoor on Feb 06, 2018
Cybersecurity vulnerabilities have plagued the video surveillance market. Now, Bashis, discover of the Dahua backdoor, has discovered 15...
US Congressional Hearing Features Hikvision on Jan 31, 2018
A US Congressional hearing asked questions about Hikvision's government ownership and cybersecurity issues, following the WSJ's investigations into...
Chinese Government Backdoor Spies on African Union Revealed on Jan 29, 2018
For 5 years, a Chinese government backdoor was used to spy on the African Union, according to a Le Monde investigative report. As is their...
Worst NVR / VMS Manufacturers 2018 on Jan 29, 2018
These are the manufacturers who integrators reported the most significant problems with. 220+ integrators answered: In the past year, what...
Hacked Hikvision IP Camera Map USA And Europe on Jan 22, 2018
The interactive map below shows a sample of hacked and vulnerable Hikvision IP cameras across the USA and Europe. Hover over a marker to see an...

Most Recent Industry Reports

May 2018 Camera Course on Mar 16, 2018
Our next course starts on May 8th. Register now for the Spring 2018 Camera Course This is the only independent surveillance camera course, based...
ADT Hammered Again, Loses Another Billion In Market Cap on Mar 16, 2018
ADT's CEO told investors that, 'in baseball terms', ADT was batting 5 for 5. But investors told ADT's CEO, 'in baseball terms', that he was...
Camera Form Factor Guide on Mar 16, 2018
When selecting surveillance cameras, users may choose from a number of different form factors, each with its own unique strengths and weaknesses,...
Free Trip To China - CCTV.Net / Univew on Mar 15, 2018
Pack your bags? 'Closer than you think'? Well, a non-stop flight from NYC to Shanghai is 15 hours plus another 100 miles to Hangzhou...
Access Control - Restricted Keys Guide on Mar 15, 2018
Not all doors, even in larger facilities, can justify using electronic access control. And even for doors that do have electronic access control,...
Rack Mounting NVRs Tutorial on Mar 14, 2018
Rack mounting recorders is common in professional systems, but manufacturers are making it difficult, with simple design failures causing multiple...
Network Addressing for Video Surveillance Guide on Mar 14, 2018
The goal of this guide is to explain addressing devices on IP networks, focusing on how IP cameras and recorders are used in those networks. For...
Panasonic Selling Off Security Camera Factory on Mar 14, 2018
Panasonic is OEMing cameras from Dahua, as IPVM testing confirmed in 2017. Now, Panasonic is selling their security camera factory, according to...
Favorite Electrified Locks 2018 on Mar 14, 2018
Electronic lock manufacturing is dominated by 3 conglomerates (alphabetically) Allegion, Assa and Dormakaba holding numerous electronic lock...
Hikvision Chairman Joins China National Government (NPC) on Mar 13, 2018
Hikvision Chairman and Communist Party Secretary Chen Xongnian has joined the People's Republic of China's government - the National People's...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact