Hikvision HQ Contradicts Cybersecurity Director

By: John Honovich, Published on Mar 07, 2018

Hikvision HQ has contradicted Hikvision USA's Director of Cybersecurity, Chuck Davis.

Davis - Don't Put Cameras On The Internet

Davis made a very good point in a recent SP&T interview:

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

And Hikvision knows about bad ideas. The combination of their IP camera backdoor, their defaulting UPnP on for years and regularly recommending port forwarding, including in their hardening guide, resulted in widespread hacking of Hikvision IP cameras.

So it is refreshing and commendable that Davis would publicly come out against the practice of putting cameras directly on the Internet.

HQ - Do Put Cameras On The Internet

Unfortunately, Hikvision HQ does not care. Their, new for 2018, 'Network Camera Security Guide' still endorses putting cameras directly on the Internet.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

The port forwarding section:

The problems are: (1) any open port is a path to being attacked. (2) The strength of the password is irrelevant when a vulnerability is found since, like the Hikvision backdoor, vulnerabilities regularly allow getting admin access without a password. (3) Finally, using a custom port is a weak security by obscurity tactic which, given the ability to scan the Internet (e.g., Shodan), can be overcome.

Reduce Support Costs - Why Put Devices On The Internet

Why Hikvision recommends this is simple. It is the same reason why Hikvision USA tech support regularly tells users reporting problems to port forward and why Hikvision's own app at the end of last year told users to port forward. It is expensive and difficult to make secure remote access work well and, given how low Hikvision sells its products for and how many challenges Hikvision has had developing HikConnect, security loses out to expediency.

Give Davis Real Power

Hikvision needs to give Chuck Davis real power to make changes. If Hikvision HQ is really committed to cybersecurity, stop treating Davis like a white monkey, parading him around, and prove to critics that Hikvision is serious about cybersecurity by letting Davis implement sensible and secure policies.

2 reports cite this report:

2018 Mid-Year Surveillance Industry Guide on Jun 28, 2018
2018 has been an explosive year for the video surveillance industry, with the industry becoming a global political issue, with the expansion of...
P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding on Apr 02, 2018
Following criticism of Hikvision's ongoing port forwarding recommendation (e.g., Hikvision Hardening Guide Recommends Port Forwarding and Hikvision...

Comments (16)

Only IPVM PRO Members may comment. Login or Join.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

I would recommend to setup and use own VPN, that would not involve any cloud 'solution' from the manufacture.

I tend to agree with you in terms of Hikvision and Dahua, but are you saying we shouldn't trust ANY cloud based options? My concern is specifically with Network Optix / DW Spectrum / Hanwha Wave.

Correct, do not trust ANY, and don't get caught on Hik and/or Dahua alone.

There is already examples 'out there' why you should not, and I will personally give you additional examples.

Bashis, thanks for the feedback.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

To clarify, my reference to cloud was not to endorse it but to emphasize that despite Hikvision having a 'cloud solution' that they still regularly tell users to port forward, which is both bad practice and embarrassing.

I call this a Hydra Management Policy. HMP occurs when different portions of the company are contradicting each other and heading in different directions. It is not a Hikvision exclusive phenomenon. Hikvision just seems to be one of the few companies that refuse to acknowledge and address the failing.

Unfortunately, with limited financial impact to Hikvision it is unlikely to get addressed. I still see entire forums on integrators on Facebook where one would think Hik and their OEMs is the only product being deployed into the world. I am not entirely certain what it would take for DIY and small integrators to break their addiction to low cost.

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

Why does he say camera, though?

It would seem he either

1) hasn’t considered NVR’s

2) thinks that cameras are different than NVR’s

3) is being sloppy in his use of terms and means to refer to any device

#2, it is a good question. Considering an NVR is literally a collection of camera feeds plus recordings, the same logic should apply at least as strong, if not more.

Davis' position on that is unclear and he is banned from speaking to IPVM so it is unlikely we will find out. Related, Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

In my opinion, I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding. Mr Davis' suggestion also applies, don't put anything on the Internet without some type of firewall device in front of it, basically, it must have an IFC1918 based private address.

Port forwarding will allow access to devices through controlled ports, whether or not these ports are properly secured is a different story, putting a device directly on the Internet gives wide open access to anybody to every port that is listening on the device.

I am in total agreement that the ideal way to access these devices on the Internet would be through a VPN, but given the complexity and expense of setting these up and maintaining them, do you really think it's a solution for the targeted market of the chinese manufacturers? When the guy at the local convenient store asks to have a 4-camera surveillance system set up that he can access from home, do you think he's going to go in for all of this? Is there an installer market for being able to install, configure and maintain this type of setup for the entry-level consumer?

Until there is a consumer-friendly VPN solution that is free and simple to set up and maintain then this will always be a problem.

I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding [emphasis added]

In what cases do you have to? As you say, it is less a matter of having to and more a matter of it being cheaper to do so.

In this day and age who can say why people want every single one of their devices to be accessible from the public Internet? But sure enough, as soon as you say that no one would ever want to do this, there will be 5 people raising a stink because you didn't make it available for them.

why people want every single one of their devices to be accessible from the public Internet

People want their devices to be accessible to themselves, not the public Internet. Vendors, like Hikvision, tell them to make it accessible to the public Internet because it is the cheapest and easiest path to accomplishing this, even though it is less secure.

Agreed, they want something to be available to only themselves but over a public medium, the Internet. It goes back to my statement above, it can be done but would it be available at an acceptable price point?

would it be available at an acceptable price point?

Security or convenience. Pick one. Hikvision says they have picked security. For example:

“Cyber security is Hikvision’s top priority,” said Jeffrey He, president of Hikvision USA Inc. and Hikvision Canada Inc.

It that is Hikvision's top priority than they should be willing to accept the higher cost of providing it.

Playing devils advocate here, but access doesn’t solely mean from the internet. It could mean access from a corporate network perhaps. In this rare instance, both sets of advice mesh (pun intended).

What do other manufacturers say about accessing the devices from outside? Do they suggest VPN, port forwarding or they just ignore this question?

I understand why we see this article (haven't seen any "Hikvision is evil" for a long time, maybe 2 weeks). But just curious to know what the big guys like Avigilon, Axis, Hanwa suggest.

What the undisclosed distrib said above is true. VPN is a great idea for security. However, walking to work instead of driving to work is a great way to avoid a car accident. Convenience or security?

What my extreme example points out that its completely not feasible to recommend all the millions of Hikvision users to setup and use a VPN. Unless they can find a way to do this with one click of a button from their cell phone app, this isn't going to work and really isn't a great suggestion. Your security suggestions are great, but you also have to understand the business side of things.

I will agree on one thing though, the recommendation of port forwarding also needs to stop. Port Forwarding is so "2015 and before" This is probably more complicated to the typical end user than setting up a VPN would be.

What needs to happen is the continual development of the P2P servers with intense focus on making them secure and reliable. This is how most all IoT devices operate these days.

Related Reports

Average Frame Rate Video Surveillance 2019 on May 23, 2019
What is the average frame rated used in video surveillance systems? In IPVM's 2011 statistics, the average was 6-8fps increasing to ~10fps in...
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Maglock Selection Guide on May 16, 2019
One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...
Registration Closed - Spring 2019 IP Networking Course on May 02, 2019
Register now for the Spring 2019 IP Networking course here - Closed. Last chance now.   This is the only networking course designed specifically...
Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Pole Mount Camera Installation Guide on Apr 11, 2019
Poles are a popular but challenging choice for deploying surveillance cameras outdoors. Poles are indispensable for putting cameras at the right...
Bezos-Funded Deep Sentinel Tested on Mar 28, 2019
Backed by Jeff Bezos, the Silicon Valley startup, Deep Sentinel, has declared: No One Does Home Security Like We Do Our Surveillance Team has...
Outdoor Camera Installation Guide on Mar 25, 2019
Outdoor camera installation can be fraught with problems. Creating a sturdy and weather tight mount is key for camera performance and longevity,...

Most Recent Industry Reports

NJ Law Requires Apprenticeship For Public Works Integrators on May 24, 2019
Few integrators do a formal apprenticeship program. However, now a NJ law is requiring any integrator on public works projects (such as state...
Security / Privacy Journalist Sam Pfeifle Interview on May 24, 2019
Sam Pfeifle is best known as the outspoken former Editor of Security Systems News. After that, he was publications director at the International...
Verkada Video Quality Problems Tested on May 23, 2019
Verkada suffers from numerous video quality problems, not found in commercial IP cameras, new IPVM testing of Verkada vs Axis and Hikvision...
Average Frame Rate Video Surveillance 2019 on May 23, 2019
What is the average frame rated used in video surveillance systems? In IPVM's 2011 statistics, the average was 6-8fps increasing to ~10fps in...
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
ASCMA / Monitronics Declares Chapter 11 Bankruptcy Plan on May 22, 2019
Monitronics is entering into Chapter 11 bankruptcy. The company, also called Ascent Capital Group Inc., aka ASCMA, aka Brinks Home Security,...
US Considers Sanctions Against Hikvision and Dahua on May 22, 2019
The US government is considering blacklisting "up to 5" PRC surveillance firms, including Hikvision and Dahua, Bloomberg reported, with human...
Dahua USA Celebrates 5 Years of Errors on May 21, 2019
Dahua USA is, in their own words, 'celebrating' 5 years in North America or as trade magazine SSN declared: Dahua Technology finds success in...
Axis ~$150 Outdoor Camera Tested on May 21, 2019
Axis has released the latest in their Companion camera line, the outdoor Companion Dome Mini LE, a 1080p integrated IR model aiming to compete with...
Covert Facial Recognition Using Axis and Amazon By NYTimes on May 20, 2019
What if you took a 33MP Axis camera covering one of the busiest parks in the US and ran Amazon Facial Recognition against it? That is what the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact