Hikvision CSO Declares "Devices with Backdoors Can’t Be Used To Spy"

Published Nov 11, 2021 13:10 PM

Hikvision's CSO/DSO Fred Streefland declared "devices with backdoors can’t be used to spy", though cybersecurity legend Bruce Schneier responded to IPVM on Hikvision's declaration, saying that "only someone who doesn't understand cybersecurity at all would say something like that". Watch the 2 minute 40 second video below overviewing this:

Inside this note, we examine what Hikvision's CSO said, Schneier's response, and our analysis of why this is such an ignorant and dangerous assertion from Hikvision.

"Backdoors Can't Be Used To Spy"

Hikvision's Streefland, in an interview with Benchmark Magazine, declared:

even devices with backdoors can’t be used to spy on companies, individuals, or nations. The security features built into devices, networks, and data centres, combined with end-users' data-protection responsibilities, make espionage and other misuses of backdoors impossible.


Hikvision went on to emphasize that only if the end user gives "consent" can "secret access" be achieved since end users are responsible:

the end-users who buy these cameras are responsible for the data/video footage they generate. In other words, they’re the data custodians who process the data and control the video footage, which is legally required to be kept private. Secret access to video footage on these devices is impossible without the consent of the end-user.

Hikvision's Streefland made similar claims in Hikvision's own blog this September declaring:

So bearing in mind that even devices with backdoors cannot be used to spy on companies, individuals, or nations, the myth instantly crumbles. It's plain to see, in fact, that the security features built into devices, networks, and data centers – combined with end-users' data-protection responsibilities – make espionage and other misuse of backdoors literally impossible.


Schneier Response

Bruce Schneier responded to IPVM's request for comment on these claims, declaring:

I would say that only someone who doesn't understand cybersecurity at all would say something like that. But he's a CSO, so he's probably deliberately saying something that stupid in order to sell you something.

Hikvision HQ No Comment

We previewed our concerns and Schneier's comment to Hikvision HQ but they did not reply.

All Responsibility Forced On End-User

IPVM's founder John Honovich commented:

Whether Hikvision is being "stupid" or just "doesn't understand cybersecurity", Hikvision's tactics of putting all responsibility on the end user and none on device manufacturers like itself should make clear to users the risk of choosing Hikvision, a PRC-state controlled organization. Hikvision is like a safe manufacturer saying "Don't worry if my safe can be easily cracked, you should have good walls, doors and locks anyway." Fundamental to defense in depth is strong security at multiple levels, rather than ignoring backdoors, as Hikvision does, because they place the blame on the end user. Though, in a way, Hikvision is making clear that if you choose Hikvision devices, it is your fault.

Hikvision Backdoor

Underlying this debate is Hikvision's 2017 backdoor, demonstrated below:

Last month, Hikvision's Streefland denied Hikvision had a backdoor, saying:

IPVM Image

Notably, in the same Benchmark interview where Hikvision's Streefland said "backdoors cannot be used to spy on companies", he offered a scenario where a backdoor might be accidentally left in, saying:

On rare occasions, backdoors are added temporarily to products by manufacturers to support development, testing, or maintenance processes – and these backdoors are not removed by accident.

Hikvision has never publicly addressed why they added the backdoor that was found in 2017.
