Hikvision HQ Contradicts Cybersecurity Director

Author: John Honovich, Published on Mar 07, 2018

Hikvision HQ has contradicted Hikvision USA's Director of Cybersecurity, Chuck Davis.

Davis - Don't Put Cameras On The Internet

Davis made a very good point in a recent SP&T interview:

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

And Hikvision knows about bad ideas. The combination of their IP camera backdoor, their defaulting UPnP on for years and regularly recommending port forwarding, including in their hardening guide, resulted in widespread hacking of Hikvision IP cameras.

So it is refreshing and commendable that Davis would publicly come out against the practice of putting cameras directly on the Internet.

HQ - Do Put Cameras On The Internet

Unfortunately, Hikvision HQ does not care. Their, new for 2018, 'Network Camera Security Guide' still endorses putting cameras directly on the Internet.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

The port forwarding section:

The problems are: (1) any open port is a path to being attacked. (2) The strength of the password is irrelevant when a vulnerability is found since, like the Hikvision backdoor, vulnerabilities regularly allow getting admin access without a password. (3) Finally, using a custom port is a weak security by obscurity tactic which, given the ability to scan the Internet (e.g., Shodan), can be overcome.

Reduce Support Costs - Why Put Devices On The Internet

Why Hikvision recommends this is simple. It is the same reason why Hikvision USA tech support regularly tells users reporting problems to port forward and why Hikvision's own app at the end of last year told users to port forward. It is expensive and difficult to make secure remote access work well and, given how low Hikvision sells its products for and how many challenges Hikvision has had developing HikConnect, security loses out to expediency.

Give Davis Real Power

Hikvision needs to give Chuck Davis real power to make changes. If Hikvision HQ is really committed to cybersecurity, stop treating Davis like a white monkey, parading him around, and prove to critics that Hikvision is serious about cybersecurity by letting Davis implement sensible and secure policies.

2 reports cite this report:

2018 Mid-Year Surveillance Industry Guide on Jun 28, 2018
2018 has been an explosive year for the video surveillance industry, with the industry becoming a global political issue, with the expansion of...
P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding on Apr 02, 2018
Following criticism of Hikvision's ongoing port forwarding recommendation (e.g., Hikvision Hardening Guide Recommends Port Forwarding and Hikvision...

Comments (16)

Only IPVM PRO Members may comment. Login or Join.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

I would recommend to setup and use own VPN, that would not involve any cloud 'solution' from the manufacture.

I tend to agree with you in terms of Hikvision and Dahua, but are you saying we shouldn't trust ANY cloud based options? My concern is specifically with Network Optix / DW Spectrum / Hanwha Wave.

Correct, do not trust ANY, and don't get caught on Hik and/or Dahua alone.

There is already examples 'out there' why you should not, and I will personally give you additional examples.

Bashis, thanks for the feedback.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

To clarify, my reference to cloud was not to endorse it but to emphasize that despite Hikvision having a 'cloud solution' that they still regularly tell users to port forward, which is both bad practice and embarrassing.

I call this a Hydra Management Policy. HMP occurs when different portions of the company are contradicting each other and heading in different directions. It is not a Hikvision exclusive phenomenon. Hikvision just seems to be one of the few companies that refuse to acknowledge and address the failing.

Unfortunately, with limited financial impact to Hikvision it is unlikely to get addressed. I still see entire forums on integrators on Facebook where one would think Hik and their OEMs is the only product being deployed into the world. I am not entirely certain what it would take for DIY and small integrators to break their addiction to low cost.

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

Why does he say camera, though?

It would seem he either

1) hasn’t considered NVR’s

2) thinks that cameras are different than NVR’s

3) is being sloppy in his use of terms and means to refer to any device

#2, it is a good question. Considering an NVR is literally a collection of camera feeds plus recordings, the same logic should apply at least as strong, if not more.

Davis' position on that is unclear and he is banned from speaking to IPVM so it is unlikely we will find out. Related, Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

In my opinion, I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding. Mr Davis' suggestion also applies, don't put anything on the Internet without some type of firewall device in front of it, basically, it must have an IFC1918 based private address.

Port forwarding will allow access to devices through controlled ports, whether or not these ports are properly secured is a different story, putting a device directly on the Internet gives wide open access to anybody to every port that is listening on the device.

I am in total agreement that the ideal way to access these devices on the Internet would be through a VPN, but given the complexity and expense of setting these up and maintaining them, do you really think it's a solution for the targeted market of the chinese manufacturers? When the guy at the local convenient store asks to have a 4-camera surveillance system set up that he can access from home, do you think he's going to go in for all of this? Is there an installer market for being able to install, configure and maintain this type of setup for the entry-level consumer?

Until there is a consumer-friendly VPN solution that is free and simple to set up and maintain then this will always be a problem.

I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding [emphasis added]

In what cases do you have to? As you say, it is less a matter of having to and more a matter of it being cheaper to do so.

In this day and age who can say why people want every single one of their devices to be accessible from the public Internet? But sure enough, as soon as you say that no one would ever want to do this, there will be 5 people raising a stink because you didn't make it available for them.

why people want every single one of their devices to be accessible from the public Internet

People want their devices to be accessible to themselves, not the public Internet. Vendors, like Hikvision, tell them to make it accessible to the public Internet because it is the cheapest and easiest path to accomplishing this, even though it is less secure.

Agreed, they want something to be available to only themselves but over a public medium, the Internet. It goes back to my statement above, it can be done but would it be available at an acceptable price point?

would it be available at an acceptable price point?

Security or convenience. Pick one. Hikvision says they have picked security. For example:

“Cyber security is Hikvision’s top priority,” said Jeffrey He, president of Hikvision USA Inc. and Hikvision Canada Inc.

It that is Hikvision's top priority than they should be willing to accept the higher cost of providing it.

Playing devils advocate here, but access doesn’t solely mean from the internet. It could mean access from a corporate network perhaps. In this rare instance, both sets of advice mesh (pun intended).

What do other manufacturers say about accessing the devices from outside? Do they suggest VPN, port forwarding or they just ignore this question?

I understand why we see this article (haven't seen any "Hikvision is evil" for a long time, maybe 2 weeks). But just curious to know what the big guys like Avigilon, Axis, Hanwa suggest.

What the undisclosed distrib said above is true. VPN is a great idea for security. However, walking to work instead of driving to work is a great way to avoid a car accident. Convenience or security?

What my extreme example points out that its completely not feasible to recommend all the millions of Hikvision users to setup and use a VPN. Unless they can find a way to do this with one click of a button from their cell phone app, this isn't going to work and really isn't a great suggestion. Your security suggestions are great, but you also have to understand the business side of things.

I will agree on one thing though, the recommendation of port forwarding also needs to stop. Port Forwarding is so "2015 and before" This is probably more complicated to the typical end user than setting up a VPN would be.

What needs to happen is the continual development of the P2P servers with intense focus on making them secure and reliable. This is how most all IoT devices operate these days.

Related Reports on Hacking

"New Zealand Govt Uses Chinese Cameras Banned In US", Considers Security Audit on Oct 12, 2018
Newsroom NZ has issued a report: "NZ Govt uses Chinese cameras banned in US": This comes after the US federal government banned purchases of...
China Hacks Video Servers Causing Uproar on Oct 05, 2018
An incident causing an international uproar is hitting home in the video surveillance industry as a Bloomberg report, "The Big Hack: How China...
Genetec Takes Aim At 'Untrustworthy' 'Foreign Government-Owned Vendors' on Sep 24, 2018
Genetec is taking aim at 'untrustworthy' 'foreign government-owned vendors'. This is not a new theme for Genetec as nearly 2 years ago, Genetec...
Hikvision FIPS 140-2 Cybersecurity Certification Examined on Aug 27, 2018
A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certification from the US...
Sony Gen 5 IP Cameras Critical Vulnerabilities on Jul 26, 2018
Cybersecurity vulnerabilities remain prevalent in video surveillance devices. Now Talos researchers have discovered multiple vulnerabilities in...
July 2018 IP Networking Course on Jul 12, 2018
Registration is closed. This is the only networking course designed specifically for video surveillance professionals.  Lots of network training...
Hikvision Corrects False Cybersecurity Announcement on Jun 18, 2018
Hikvision has corrected a false cybersecurity announcement that claimed a British government-sponsored program endorsed the cybersecurity of...
The Dumb Ones: PSA's Bozeman On Cybersecurity on Jun 15, 2018
The smart ones are the hundred people who flew to Denver and spent $500+ on a 1.5-day conference featuring (now US government banned) Dahua as a...
Debating Relevance of China Hacking US Navy Plans on Jun 11, 2018
"Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to...
Remove Dahua and Hikvision Gov Installs Required By US House Bill Ban on Jun 06, 2018
The final released US House Bill HR 5515 verifies that it not only prohibits the purchasing of Dahua and Hikvision products, it requires removing...

Most Recent Industry Reports

Hanwha Dual Imager Dome Camera Tested (PNM-7000VD) on Oct 18, 2018
Hanwha has introduced their first dual-imager model, the PNM-7000VD, a twin 1080p model featuring independently positionable sensors and a snap-in...
Camera Height / Blind Spot Added to IPVM Camera Calculator on Oct 18, 2018
IPVM has added camera height and blind spot estimation to the Camera Calculator. This is especially helpful for those who need to mount cameras up...
Axis Strong US Growth, Flat EMEA - Q3 2018 Financials on Oct 18, 2018
This spring, Axis had its best financials in many years (see Axis Strong Q2 2018 Results). However, over the summer, Axis had many products sold...
Best Alternatives to Banned Dahua and Hikvision on Oct 17, 2018
With the US government ban and a growing number of users banning Dahua and Hikvision, one key question is what to use for low cost? While Dahua and...
Video Quality / Compression Tutorial on Oct 17, 2018
While CODECs, like H.264, H.265, and MJPEG, get a lot of attention, a camera's 'quality' or compression setting has a big impact on overall...
Knightscope Winning Investors, Struggling With Growth on Oct 16, 2018
While Knightscope's new financials show the company only winning 11 new customers in the past 12 months, the company continues to win new...
Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
Huawei Admits AI "Bubble" on Oct 16, 2018
A fascinating article from the Chinese government's Global Times: Huawei’s AI ambition to reshape industries. While the Global Times talks about...
ADI's Financials Revealed + W-Box Growth Priority on Oct 15, 2018
  ADI is one of the most powerful distributors in the security industry but how big are they? How much profit do they make? How much do they sell...
Dahua Face Recognition Camera Tested on Oct 15, 2018
Dahua has been one of the industry's most vocal proponents of the value that AI creates: As part of this, Dahua has released a facial...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact