Hikvision HQ Contradicts Cybersecurity Director
By John Honovich, Published on Mar 07, 2018
Hikvision HQ has contradicted Hikvision USA's Director of Cybersecurity, Chuck Davis.
Davis - Don't Put Cameras On The Internet
Davis made a very good point in a recent SP&T interview.
According to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”
And Hikvision knows about bad ideas. The combination of their IP camera backdoor, their defaulting UPnP to on for years, and their regularly recommending port forwarding, including in their hardening guide, resulted in widespread hacking of Hikvision IP cameras.
So it is refreshing and commendable that Davis would publicly come out against the practice of putting cameras directly on the Internet.
HQ - Do Put Cameras On The Internet
Unfortunately, Hikvision HQ does not care. Their new-for-2018 'Network Camera Security Guide' still endorses putting cameras directly on the Internet.
The port forwarding section:
The problems are: (1) Any open port is a path to being attacked. (2) The strength of the password is irrelevant when a vulnerability is found since, like the Hikvision backdoor, vulnerabilities regularly allow getting admin access without a password. (3) Finally, using a custom port is a weak security-by-obscurity tactic which, given the ability to scan the Internet (e.g., Shodan), can be overcome.
Reduce Support Costs - Why Put Devices On The Internet
Why Hikvision recommends this is simple. It is the same reason why Hikvision USA tech support regularly tells users reporting problems to port forward, and why Hikvision's own app at the end of last year told users to port forward. It is expensive and difficult to make secure remote access work well and, given how low Hikvision sells its products for and how many challenges Hikvision has had developing HikConnect, security loses out to expediency.
Give Davis Real Power
Hikvision needs to give Chuck Davis real power to make changes. If Hikvision HQ is really committed to cybersecurity, it should stop treating Davis like a white monkey, parading him around, and prove to critics that Hikvision is serious about cybersecurity by letting Davis implement sensible and secure policies.