Hikvision HQ Contradicts Cybersecurity Director

By John Honovich, Published Mar 07, 2018, 12:05pm EST

Hikvision HQ has contradicted Hikvision USA's Director of Cybersecurity, Chuck Davis [link no longer available].

Davis - Don't Put Cameras On The Internet

[link no longer available]

Davis made a very good point in a recent SP&T interview:

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

And Hikvision knows about bad ideas. The combination of their IP camera backdoor, their defaulting UPnP on for years and regularly recommending port forwarding, including in their hardening guide, resulted in widespread hacking of Hikvision IP cameras.

So it is refreshing and commendable that Davis would publicly come out against the practice of putting cameras directly on the Internet.

HQ - Do Put Cameras On The Internet

Unfortunately, Hikvision HQ does not care. Their, new for 2018, 'Network Camera Security Guide' still endorses putting cameras directly on the Internet.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

The port forwarding section:

The problems are: (1) any open port is a path to being attacked. (2) The strength of the password is irrelevant when a vulnerability is found since, like the Hikvision backdoor, vulnerabilities regularly allow getting admin access without a password. (3) Finally, using a custom port is a weak security by obscurity tactic which, given the ability to scan the Internet (e.g., Shodan), can be overcome.

Reduce Support Costs - Why Put Devices On The Internet

Why Hikvision recommends this is simple. It is the same reason why Hikvision USA tech support regularly tells users reporting problems to port forward and why Hikvision's own app at the end of last year told users to port forward. It is expensive and difficult to make secure remote access work well and, given how low Hikvision sells its products for and how many challenges Hikvision has had developing HikConnect, security loses out to expediency.

Give Davis Real Power

Hikvision needs to give Chuck Davis real power to make changes. If Hikvision HQ is really committed to cybersecurity, stop treating Davis like a white monkey, parading him around, and prove to critics that Hikvision is serious about cybersecurity by letting Davis implement sensible and secure policies.

2 reports cite this report:

2018 Mid-Year Surveillance Industry Guide on Jun 28, 2018
2018 has been an explosive year for the video surveillance industry, with...
P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding on Apr 02, 2018
Following criticism of Hikvision's ongoing port forwarding recommendation...

Comments (16)

Only IPVM Members may comment. Login or Join.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

I would recommend to setup and use own VPN, that would not involve any cloud 'solution' from the manufacture.

 

I tend to agree with you in terms of Hikvision and Dahua, but are you saying we shouldn't trust ANY cloud based options? My concern is specifically with Network Optix / DW Spectrum / Hanwha Wave.

Correct, do not trust ANY, and don't get caught on Hik and/or Dahua alone.

There is already examples 'out there' why you should not, and I will personally give you additional examples.

 

Bashis, thanks for the feedback.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

To clarify, my reference to cloud was not to endorse it but to emphasize that despite Hikvision having a 'cloud solution' that they still regularly tell users to port forward, which is both bad practice and embarrassing.

I call this a Hydra Management Policy.  HMP occurs when different portions of the company are contradicting each other and heading in different directions.  It is not a Hikvision exclusive phenomenon.  Hikvision just seems to be one of the few companies that refuse to acknowledge and address the failing. 

Unfortunately, with limited financial impact to Hikvision it is unlikely to get addressed.  I still see entire forums on integrators on Facebook where one would think Hik and their OEMs is the only product being deployed into the world.  I am not entirely certain what it would take for DIY and small integrators to break their addiction to low cost.

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

Why does he say camera, though?

It would seem he either 

1) hasn’t considered NVR’s

2) thinks that cameras are different than NVR’s

3) is being sloppy in his use of terms and means to refer to any device

 

 

#2, it is a good question. Considering an NVR is literally a collection of camera feeds plus recordings, the same logic should apply at least as strong, if not more.

Davis' position on that is unclear and he is banned from speaking to IPVM so it is unlikely we will find out. Related, Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

In my opinion, I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding.  Mr Davis' suggestion also applies, don't put anything on the Internet without some type of firewall device in front of it, basically, it must have an IFC1918 based private address.

Port forwarding will allow access to devices through controlled ports, whether or not these ports are properly secured is a different story, putting a device directly on the Internet gives wide open access to anybody to every port that is listening on the device.

I am in total agreement that the ideal way to access these devices on the Internet would be through a VPN, but given the complexity and expense of setting these up and maintaining them, do you really think it's a solution for the targeted market of the chinese manufacturers?  When the guy at the local convenient store asks to have a 4-camera surveillance system set up that he can access from home, do you think he's going to go in for all of this?  Is there an installer market for being able to install, configure and maintain this type of setup for the entry-level consumer?

Until there is a consumer-friendly VPN solution that is free and simple to set up and maintain then this will always be a problem.

I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding [emphasis added]

In what cases do you have to? As you say, it is less a matter of having to and more a matter of it being cheaper to do so.

In this day and age who can say why people want every single one of their devices to be accessible from the public Internet?  But sure enough, as soon as you say that no one would ever want to do this, there will be 5 people raising a stink because you didn't make it available for them.

why people want every single one of their devices to be accessible from the public Internet

People want their devices to be accessible to themselves, not the public Internet. Vendors, like Hikvision, tell them to make it accessible to the public Internet because it is the cheapest and easiest path to accomplishing this, even though it is less secure.

Agreed, they want something to be available to only themselves but over a public medium, the Internet.  It goes back to my statement above, it can be done but would it be available at an acceptable price point?

 

would it be available at an acceptable price point?

Security or convenience. Pick one. Hikvision says they have picked security. For example:

“Cyber security is Hikvision’s top priority,” said Jeffrey He, president of Hikvision USA Inc. and Hikvision Canada Inc.

It that is Hikvision's top priority than they should be willing to accept the higher cost of providing it.

Playing devils advocate here, but access doesn’t solely mean from the internet. It could mean access from a corporate network perhaps. In this rare instance, both sets of advice mesh (pun intended). 

What do other manufacturers say about accessing the devices from outside? Do they suggest VPN, port forwarding or they just ignore this question?

I understand why we see this article (haven't seen any "Hikvision is evil" for a long time, maybe 2 weeks). But just curious to know what the big guys like Avigilon, Axis, Hanwa suggest.

What the undisclosed distrib said above is true. VPN is a great idea for security. However, walking to work instead of driving to work is a great way to avoid a car accident. Convenience or security? 

What my extreme example points out that its completely not feasible to recommend all the millions of Hikvision users to setup and use a VPN. Unless they can find a way to do this with one click of a button from their cell phone app, this isn't going to work and really isn't a great suggestion. Your security suggestions are great, but you also have to understand the business side of things. 

I will agree on one thing though, the recommendation of port forwarding also needs to stop. Port Forwarding is so "2015 and before" This is probably more complicated to the typical end user than setting up a VPN would be.

What needs to happen is the continual development of the P2P servers with intense focus on making them secure and reliable. This is how most all IoT devices operate these days.

Loading Related Reports