Hikvision HQ Contradicts Cybersecurity Director

Author: John Honovich, Published on Mar 07, 2018

Hikvision HQ has contradicted Hikvision USA's Director of Cybersecurity, Chuck Davis.

Davis - Don't Put Cameras On The Internet

Davis made a very good point in a recent SP&T interview:

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

And Hikvision knows about bad ideas. The combination of their IP camera backdoor, their defaulting UPnP on for years and regularly recommending port forwarding, including in their hardening guide, resulted in widespread hacking of Hikvision IP cameras.

So it is refreshing and commendable that Davis would publicly come out against the practice of putting cameras directly on the Internet.

HQ - Do Put Cameras On The Internet

Unfortunately, Hikvision HQ does not care. Their, new for 2018, 'Network Camera Security Guide' still endorses putting cameras directly on the Internet.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

The port forwarding section:

The problems are: (1) any open port is a path to being attacked. (2) The strength of the password is irrelevant when a vulnerability is found since, like the Hikvision backdoor, vulnerabilities regularly allow getting admin access without a password. (3) Finally, using a custom port is a weak security by obscurity tactic which, given the ability to scan the Internet (e.g., Shodan), can be overcome.

Reduce Support Costs - Why Put Devices On The Internet

Why Hikvision recommends this is simple. It is the same reason why Hikvision USA tech support regularly tells users reporting problems to port forward and why Hikvision's own app at the end of last year told users to port forward. It is expensive and difficult to make secure remote access work well and, given how low Hikvision sells its products for and how many challenges Hikvision has had developing HikConnect, security loses out to expediency.

Give Davis Real Power

Hikvision needs to give Chuck Davis real power to make changes. If Hikvision HQ is really committed to cybersecurity, stop treating Davis like a white monkey, parading him around, and prove to critics that Hikvision is serious about cybersecurity by letting Davis implement sensible and secure policies.

1 report cite this report:

P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding on Apr 02, 2018
Following criticism of Hikvision's ongoing port forwarding recommendation (e.g., Hikvision Hardening Guide Recommends Port Forwarding and Hikvision...

Comments (16)

Only IPVM PRO Members may comment. Login or Join.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

I would recommend to setup and use own VPN, that would not involve any cloud 'solution' from the manufacture.

I tend to agree with you in terms of Hikvision and Dahua, but are you saying we shouldn't trust ANY cloud based options? My concern is specifically with Network Optix / DW Spectrum / Hanwha Wave.

Correct, do not trust ANY, and don't get caught on Hik and/or Dahua alone.

There is already examples 'out there' why you should not, and I will personally give you additional examples.

Bashis, thanks for the feedback.

Port forwarding is bad practise, but I frankly think the 'cloud solution' is worse...

To clarify, my reference to cloud was not to endorse it but to emphasize that despite Hikvision having a 'cloud solution' that they still regularly tell users to port forward, which is both bad practice and embarrassing.

I call this a Hydra Management Policy. HMP occurs when different portions of the company are contradicting each other and heading in different directions. It is not a Hikvision exclusive phenomenon. Hikvision just seems to be one of the few companies that refuse to acknowledge and address the failing.

Unfortunately, with limited financial impact to Hikvision it is unlikely to get addressed. I still see entire forums on integrators on Facebook where one would think Hik and their OEMs is the only product being deployed into the world. I am not entirely certain what it would take for DIY and small integrators to break their addiction to low cost.

according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

Why does he say camera, though?

It would seem he either

1) hasn’t considered NVR’s

2) thinks that cameras are different than NVR’s

3) is being sloppy in his use of terms and means to refer to any device

#2, it is a good question. Considering an NVR is literally a collection of camera feeds plus recordings, the same logic should apply at least as strong, if not more.

Davis' position on that is unclear and he is banned from speaking to IPVM so it is unlikely we will find out. Related, Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

In my opinion, I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding. Mr Davis' suggestion also applies, don't put anything on the Internet without some type of firewall device in front of it, basically, it must have an IFC1918 based private address.

Port forwarding will allow access to devices through controlled ports, whether or not these ports are properly secured is a different story, putting a device directly on the Internet gives wide open access to anybody to every port that is listening on the device.

I am in total agreement that the ideal way to access these devices on the Internet would be through a VPN, but given the complexity and expense of setting these up and maintaining them, do you really think it's a solution for the targeted market of the chinese manufacturers? When the guy at the local convenient store asks to have a 4-camera surveillance system set up that he can access from home, do you think he's going to go in for all of this? Is there an installer market for being able to install, configure and maintain this type of setup for the entry-level consumer?

Until there is a consumer-friendly VPN solution that is free and simple to set up and maintain then this will always be a problem.

I think the excerpt from the Hikvision security guide does not amount to putting a device on the Internet, it advises that if you have to make a device accessible, that you should use port forwarding [emphasis added]

In what cases do you have to? As you say, it is less a matter of having to and more a matter of it being cheaper to do so.

In this day and age who can say why people want every single one of their devices to be accessible from the public Internet? But sure enough, as soon as you say that no one would ever want to do this, there will be 5 people raising a stink because you didn't make it available for them.

why people want every single one of their devices to be accessible from the public Internet

People want their devices to be accessible to themselves, not the public Internet. Vendors, like Hikvision, tell them to make it accessible to the public Internet because it is the cheapest and easiest path to accomplishing this, even though it is less secure.

Agreed, they want something to be available to only themselves but over a public medium, the Internet. It goes back to my statement above, it can be done but would it be available at an acceptable price point?

would it be available at an acceptable price point?

Security or convenience. Pick one. Hikvision says they have picked security. For example:

“Cyber security is Hikvision’s top priority,” said Jeffrey He, president of Hikvision USA Inc. and Hikvision Canada Inc.

It that is Hikvision's top priority than they should be willing to accept the higher cost of providing it.

Playing devils advocate here, but access doesn’t solely mean from the internet. It could mean access from a corporate network perhaps. In this rare instance, both sets of advice mesh (pun intended).

What do other manufacturers say about accessing the devices from outside? Do they suggest VPN, port forwarding or they just ignore this question?

I understand why we see this article (haven't seen any "Hikvision is evil" for a long time, maybe 2 weeks). But just curious to know what the big guys like Avigilon, Axis, Hanwa suggest.

What the undisclosed distrib said above is true. VPN is a great idea for security. However, walking to work instead of driving to work is a great way to avoid a car accident. Convenience or security?

What my extreme example points out that its completely not feasible to recommend all the millions of Hikvision users to setup and use a VPN. Unless they can find a way to do this with one click of a button from their cell phone app, this isn't going to work and really isn't a great suggestion. Your security suggestions are great, but you also have to understand the business side of things.

I will agree on one thing though, the recommendation of port forwarding also needs to stop. Port Forwarding is so "2015 and before" This is probably more complicated to the typical end user than setting up a VPN would be.

What needs to happen is the continual development of the P2P servers with intense focus on making them secure and reliable. This is how most all IoT devices operate these days.

Related Reports on Hacking

Hikvision Corrects False Cybersecurity Announcement on Jun 18, 2018
Hikvision has corrected a false cybersecurity announcement that claimed a British government-sponsored program endorsed the cybersecurity of...
July 2018 IP Networking Course on Jun 16, 2018
The last chance to save $50 on registration is this Thursday, June 21st. Register now and save. This is the only networking course designed...
The Dumb Ones: PSA's Bozeman On Cybersecurity on Jun 15, 2018
The smart ones are the hundred people who flew to Denver and spent $500+ on a 1.5-day conference featuring Dahua as a 'cyber responsible partner',...
Debating Relevance of China Hacking US Navy Plans on Jun 11, 2018
"Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to...
Remove Dahua and Hikvision Gov Installs Required By US House Bill Ban on Jun 06, 2018
The final released US House Bill HR 5515 verifies that it not only prohibits the purchasing of Dahua and Hikvision products, it requires removing...
Dahua's Terrible Cybersecurity, Buys Credibility From PSA And SIA on Jun 04, 2018
Dahua has a terrible cybersecurity track record. But American organizations, like the Security Industry Association (SIA) and the PSA Security...
Canon Responds To IP Camera Hacks on May 30, 2018
Canon cameras made international news earlier this month, with reports of them being hacked in Japan (e.g., Hackers disable scores of Canon-made...
Corruption Alleged Against Hikvision Procurement In India on May 28, 2018
Over the past month, allegations of corruption and national security risk have made the news in India over the planned purchase of 150,000...
Cybersecurity for IP Video Surveillance Guide on May 18, 2018
Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in...
Hikvision Source Code Transparency Center Examined on May 14, 2018
Following criticism of Hikvision's Chinese government ownership and Hikvision's IP camera backdoor, the company has responded with a series of...

Most Recent Industry Reports

IPVM Vulnerability Scanner Released on Jun 18, 2018
IPVM is proud to announce video surveillance's first and only cybersecurity vulnerability scanner. This tool allows quickly and simply...
Hikvision Corrects False Cybersecurity Announcement on Jun 18, 2018
Hikvision has corrected a false cybersecurity announcement that claimed a British government-sponsored program endorsed the cybersecurity of...
July 2018 IP Networking Course on Jun 16, 2018
The last chance to save $50 on registration is this Thursday, June 21st. Register now and save. This is the only networking course designed...
The Dumb Ones: PSA's Bozeman On Cybersecurity on Jun 15, 2018
The smart ones are the hundred people who flew to Denver and spent $500+ on a 1.5-day conference featuring Dahua as a 'cyber responsible partner',...
Amazon Ring Launches $10 Monthly Professional Alarm Monitoring on Jun 15, 2018
Amazon's Ring has announced an alarm system with 24/7 professional alarm monitoring for $10 per month, a fraction of the $30+ per month traditional...
Axis Releases First New Access Controller In 5 Years (A1601) on Jun 15, 2018
It has been 5 years since Axis 2013 entry in the physical access control market, with the A1001 (IPVM test). Now, Axis has released its second...
Hikvision 12MP Fisheye Camera Tested (DS-2CD63C2F-IV) on Jun 14, 2018
Hikvision's DS-2CD63C2F-IV is their flagship panoramic camera, with a 12MP imager, 15m integrated IR, smart codec, and more. We tested the 63C2 in...
Four Major Outdoor Camera Install Problems on Jun 14, 2018
Over 140 integrators told us the top four camera installation mistakes that lead to unexpected problems and failures. Their comments often...
Security Sales Course Summer 2018 on Jun 14, 2018
Based on member's interest, IPVM is offering a security sales course this summer. Register Now - IPVM Security Sales Course Summer...
China Public Video Surveillance Guide: From Skynet to Sharp Eyes on Jun 14, 2018
China is expanding its video surveillance network to achieve “100%” nationwide coverage by 2020, including facial recognition capabilities and a...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact