Hikvision CSO Declares "Devices with Backdoors Can’t Be Used To Spy"

By Robert Wren Gordon, Published Nov 11, 2021, 08:10am EST

Hikvision's CSO/DSO Fred Streefland declared that "devices with backdoors can’t be used to spy". Cybersecurity legend Bruce Schneier, responding to IPVM about Hikvision's declaration, said that "only someone who doesn't understand cybersecurity at all would say something like that". Watch the 2 minute 40 second video below overviewing this:

Inside this note, we examine what Hikvision's CSO said, Schneier's response, and our analysis of why this is such an ignorant and dangerous assertion from Hikvision.

"Backdoors Can't Be Used To Spy"

Hikvision's Streefland, in an interview with Benchmark Magazine, declared:

even devices with backdoors can’t be used to spy on companies, individuals, or nations. The security features built into devices, networks, and data centres, combined with end-users' data-protection responsibilities, make espionage and other misuses of backdoors impossible.

Hikvision went on to emphasize that only if the end user gives "consent" can "secret access" be achieved since end users are responsible:

the end-users who buy these cameras are responsible for the data/video footage they generate. In other words, they’re the data custodians who process the data and control the video footage, which is legally required to be kept private. Secret access to video footage on these devices is impossible without the consent of the end-user.

Hikvision's Streefland made similar claims in Hikvision's own blog this September, declaring:

So bearing in mind that even devices with backdoors cannot be used to spy on companies, individuals, or nations, the myth instantly crumbles. It's plain to see, in fact, that the security features built into devices, networks, and data centers – combined with end-users' data-protection responsibilities – make espionage and other misuse of backdoors literally impossible.

Schneier Response

Bruce Schneier responded to IPVM's request for comment on these claims, declaring:

I would say that only someone who doesn't understand cybersecurity at all would say something like that. But he's a CSO, so he's probably deliberately saying something that stupid in order to sell you something.

Hikvision HQ No Comment

We previewed our concerns and Schneier's comment to Hikvision HQ but they did not reply.

All Responsibility Forced On End-User

IPVM's founder John Honovich commented:

Whether Hikvision is being "stupid" or just "doesn't understand cybersecurity", Hikvision's tactics of putting all responsibility on the end user and none on device manufacturers like itself should make clear to users the risk of choosing Hikvision, a PRC-state controlled organization. Hikvision is like a safe manufacturer saying "Don't worry if my safe can be easily cracked, you should have good walls, doors and locks anyway." Fundamental to defense in depth is strong security at multiple levels, rather than ignoring backdoors, as Hikvision does, because they place the blame on the end user. Though, in a way, Hikvision is making clear that if you choose Hikvision devices, it is your fault.

Hikvision Backdoor

Underlying this debate is Hikvision's 2017 backdoor, demonstrated below:

Last month, Hikvision's Streefland denied Hikvision had a backdoor, saying:

IPVM Image

Notably, in the same Benchmark interview where Hikvision's Streefland said "backdoors cannot be used to spy on companies", he offered a scenario in which a backdoor might be accidentally left in, saying:

On rare occasions, backdoors are added temporarily to products by manufacturers to support development, testing, or maintenance processes – and these backdoors are not removed by accident.

Hikvision has never publicly addressed why they added the backdoor that was found in 2017.
