Hikvision (Stops) Lying About Ezviz Security

By John Honovich, Published Mar 18, 2016, 12:00am EDT (Info+)

Hikvision promoted the security of their directly sold Ezviz consumer line to Americans in a March 9, 2016 release.

False

** ******** **** ***** *********:

"*** ******** ******* **** ************* *****'* security ******** **** ****** ** **** there ** ** ** ******* *** EZVIZ *******"

*******, ***** *******, **** *** '****' they ********* ** *** *******, *** IP ******* **** ** *********. **** is ***** ** ********** ***** **** ** Hikvision's *** ********:

**************

******** **** ****** ** ******. ** ******, such * ***** ***** ** * ******** traded *******'* ***** ******* **** ***** competency ********. ***********, ** ** *** simply * *******, ** ****** ** ******** fixed. 

No *** * **** *****

** ********* ********* * **** ****** ********** this **** *** ***** * *** days ***** ** ***** **** ** this, ** *** **** **** **** would *** ** *** ***** * correction. *************, **** **** ***.

********* ***** **** ** ***** *** has ****** *** ** **** ******.

UPDATE: *** *****

***** ****, ** *** *** **** changed **:

"*** ******** ******* **** **** *****'* security ******** **** **** ****** ** that ***** **** *** ***** ********* to ****** *** ****** **** *** Internet ** ******** *** ******’* ** address ** *** ********"

Lying ***** ********

** ** *** ***** ** ********* ****** to *** **** **** ***** ******** this ***, **** ** ** *** then * *******, ***** ****** ** leave ** **, ***** ******* **** it *** * ***** ********* ******* in ********* ***** ** *** ******** public ***** ***** *******'* ********.

Adapting ** ******** *** *** ***

*********'* ******* ********** ************ ***** ** ** ** ***** the *** ** *****.

** *******, ********* ***** ** ****** American ***. *** ** *** ********* ***** advertising, ****** * *** ***** *** they******** ** ** ****** *************** ***** ******** *********. ****** ***** statements ******** ************** **** ***** ******** ***** ******** * ********* ***********.

** ********* ****** ***** ** ** the ***** ***** *** ******** ********* of ***** *******'* ********, **** ****** at ***** ***** ** ********** ********* falsehoods. *** ** **** *******, ** would ** ***** ** ***** ** update ** ****.

Comments (27)

Avatar

John Bazyk

Command Corporation
IPVMU Certified | 03/18/16 01:18pm

I am curious, could they be referring to the public IP address? Everything has a public address, but is it possible it isn't stored in their system?

Agree: 1
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to John Bazyk | 03/18/16 01:30pm

Hikvision / Ezviz should explain what they mean.

As published and remains, it is clearly wrong.

But let's try out your suggestion:

"One critical element that distinguishes EZVIZ's security measures from others is that there is no [public] IP address for EZVIZ cameras"

That does not distinguish Ezviz from other network devices. Most IP cameras, my laptop in my house, etc. do not have a public IP address assigned either, as the devices are typically behind a router using NAT.

And any IP device, including Ezviz IP cameras, connected directly to a public network, will get a public IP address assigned to them.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to John Honovich | 03/18/16 02:20pm

"One critical element that distinguishes EZVIZ's security measures from others is that there is no [public] [inbound] IP address for EZVIZ cameras"

Most IP cameras, my laptop in my house, etc. do not have a public IP address assigned either, as the devices are typically behind a router using NAT.

However, to function properly, they need a hole in the firewall opened to allow inbound traffic. EZVIZ does not require this.

Which, terminology aside, IS far more secure.

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed #1 | 03/18/16 02:30pm

If Hikvision wants to emphasize that they do not need a hole in the firewall, then they should feel free to say that rather than "there is no IP address for EZVIZ cameras".

Also, to their claim of:

"One critical element that distinguishes"

The no hole punching approach is widespread - everything from the $30 Walmart camera to the $50 Xiamoi camera to Dropcam/Nestcam to Axis one click, etc. does this.

Agree
Disagree
Informative
Unhelpful
Funny

Chase Whitten

In reply to John Honovich | 03/18/16 03:35pm

Anything connecting to the www (WAN, internet, external network) for any reason requires a "hole" in the firewall (router). The difference is if this hole stays open or not after the connection is complete and the software on either side. When your personal PC is surfing the internet, you're creating holes in the firewall for the connection to work. The other difference is who starts the connection. When you surf the internet, your browser starts the connection. In most security IP cameras, when you remotely view the cameras, the remote app starts the connection so it has to know where to send that request, hence the "hole" has to already be open in the firewall. The way a dropcam/netcam camera works is that it connects only to their cloud server which means the camera can start the connection. When you connect remotely, you're connecting to their cloud, not your own network or camera. This is what needs to be tested with the EZViz system to see how it really works.

Is EZviz remote connections going to the cloud servers, or going straight to your network?

Agree
Disagree
Informative
Unhelpful
Funny

Chase Whitten

03/18/16 01:51pm

Updated: comment....

My original comment has been deleted as I have now read the actual press release. IPVM has left off the rest of Hikvision's/EZViz statement:

One critical element that distinguishes EZVIZ's security measures from others is that there is no IP address for EZVIZ cameras -- meaning no direct web connection to EZVIZ products

It clarifies it right there that they mean web connections. So "IP address" is misleading because of course it has an IP address but I feel readers should see the whole comment including:

Images and videos captured by EZVIZ cameras can only be accessed through the proprietary EZVIZ app. Videos and data are transmitted via HTTPS and SSL, and encrypted using the Advanced Encryption Standard (AES).

That is a key difference for most professional IP cameras. Might not be for cameras like dropcam/nestcam. (if this is true, I have not tested this to see if the video feed is indeed encrypted).

The thing that I think is important though is that this says the video is actually encrypted too. Most professional security cameras don't even do that yet, do any? (and many integrators don't even realize that). Most people don't realize with most IP cameras someone can capture the video feed of a camera if they recognize the stream and reconstruct it to see what's going on. They might not be able to capture the password but once the stream has been started, it's just a matter of putting it back together.

I don't want to defend EZViz but the more important part about EZViz to me is that this cheap solution provides higher security than some of the highest end professional cameras out of the box.

Agree: 4
Disagree
Informative: 1
Unhelpful
Funny

John Honovich

IPVM | In reply to Chase Whitten | 03/18/16 04:15pm

"The thing that I think is important though is that this says the video is actually encrypted too. Most professional security cameras don't even do that yet, do any?"

Hi Chase, most professional security cameras support HTTPS and allow the video to be encrypted. Generally they do not do this as the default, including Hikvision (without Ezviz), since the cameras are designed typically to stream to VMSes within private or dedicated networks.

That they have "no direct web connection to EZVIZ products" has nothing to do with them not having an IP address, which is what they center the claim on.

Hikvision could eliminate the issue by simply omitting the IP address claim entirely, i.e., "One critical element that distinguishes EZVIZ's security measures from others is that there is no IP address for EZVIZ cameras -- meaning no direct web connection to EZVIZ products."

Agree
Disagree
Informative
Unhelpful
Funny

Chase Whitten

In reply to John Honovich | 03/18/16 05:16pm

"most professional security cameras support HTTPS and allow the video to be encrypted."

Most professional cameras do have HTTPS but that doesn't mean the video is encrypted. HTTPS (SSL) just means the initial authentication to request the video stream is encrypted but the video stream that fallows is not. Even if you have HTTPS enabled the video stream can be intercepted and reconstructed though it's not easy or common today (doesn't mean it won't be common tomorrow).

A lot of CCTV companies don't like to admit this and they don't make this clear. I would like to know though, do you guys have a list of manufactures that do allow the video stream to be encrypted today, not just the initial authentication step with HTTPS?

I do agree that their statement is poorly written and shouldn't include the "no IP address". I felt a reason to comment though because after reading the actual press release and initial comments some key information was missing which made me think this article was more propaganda driven.

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny

John Honovich

IPVM | In reply to Chase Whitten | 03/18/16 06:05pm

Chase, we covered the entire Ezviz release including the points you note last week, just in case you had not seen that. This post is a follow up to that as the IP address point came out of it.

As for manufacturers encrypting video feeds, there is a material difference in design / usage between cloud systems and typical 'cctv companies'. Cloud systems, like Ezviz and Dropcam/Nestcam are made to stream over the public Internet. By contrast, traditional manufacturers are designed to be used in internal or dedicated networks. As a practical matter, this is why the issue is more acute in cloud systems.

A number of VMSes can enable the video stream to be encrypted by tunneling RTSP/RTP Inside HTTPS. Undisclosed 1 did an excellent job demonstrating this with Milestone and Axis here.

I am happy to talk about other security issues or aspects but please start a new discussion so we can keep it orderly.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | 03/18/16 04:30pm

Though they are technically wrong, insofar as their IP cameras must have some internal, private IP address, do you feel that the are really misleading anyone?

The typical consumer most likely cares only that there is no shodan style IP address that hackers can probe their cameras with.

Agree: 1
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | 03/18/16 04:45pm

Yes, by definition, they are misleading people because Ezviz IP cameras do, in fact, have an IP address, contrary to their claim.

The fact that you, as a technologist, understand that all IP cameras must have IP addresses, does not mean that consumers understand what an IP address even means or whether or not Hikvision / Ezviz has developed some technological breakthrough that could eliminate the need for an IP address.

What the consumer does know is that this vendor is marketing that having 'no IP address" is a "critical element that distinguishes EZVIZ's security measures from others". It creates a false sense of security for consumers.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #3

03/20/16 06:03pm

They do this all the time even about IR where they claim their PTZ has a rage of 300 to 1000 meters. I guess they have redefined the laws of Physics. We tested and tried their claims and found out the max the range is 80 to 120 meters When we asked them for a answer they just refused to answer not unusual.. !!

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to Undisclosed Manufacturer #3 | 03/20/16 06:12pm

They do this all the time even about IR where they claim their PTZ has a rage of 300 to 1000 meters.

1000M? Where do they claim that?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #3

In reply to Undisclosed #1 | 03/20/16 06:27pm

for a tender in Hyderabad India

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to Undisclosed Manufacturer #3 | 03/21/16 02:11am

At least a tender can be blamed on a rogue RSM...

Agree: 1
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | 03/22/16 03:24pm

Update, It has now been changed to:

"One critical element that sets EZVIZ's security measures from many others is that EZVIZ does not allow customers to access the camera over the Internet by entering the camera’s IP address in web browsers"

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to John Honovich | 03/22/16 05:29pm

"One critical element that sets EZVIZ's security measures from many others is that EZVIZ does not allow customers to access the camera over the Internet by entering the camera’s IP address in web browsers"

Of course almost no one ever enters a camera's IP address over the Internet, even if it is "allowed".

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #5

In reply to Undisclosed #1 | 03/23/16 04:32pm

'allowed' is being used to describe 'accessing the camera' - which no others allow anyway - so this new statement is no more correct than the old one.

Before, the 'doesn't use IP addresses' part was wrong.... now, the 'critical element that sets EZVIZ's security measures from many others' part is factually inaccurate.

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed #5 | 03/23/16 04:47pm

Now, it is just technically muddy / awkwardly phrased. That's a step up, no?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #5

In reply to John Honovich | 03/23/16 04:57pm

disagree.

even if something is 'less' wrong than something else - they are both still wrong.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to Undisclosed #5 | 03/23/16 06:31pm

Sorry, but disagree.

It's now "technically correct", though it's, IMHO, less helpful than the originally "technically incorrect" one. (But that's a seperate issue)

Here's the statement:

"One critical element that sets EZVIZ's security measures from many others is that EZVIZ does not allow customers to access the camera over the Internet by entering the camera’s IP address in web browsers"

So EZVIZ forces you to use propreitery apps, no web browsers.

With "many others" you are allowed to set your camera's IP to your public IP without NAT.

Then you could "access the camera over the Internet by entering the camera's IP address in web browsers."

Of course no one except for a few public cameras and a few idiots do this, and that was my point.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #5

In reply to Undisclosed #1 | 03/23/16 08:53pm

their claim is still quite vague.... it can be read many ways. Please clarify:

what happens if you are on an internal machine (same subnet as the hikEZVIZ cameras) and type in the cameras internal IP in a browser?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #5

In reply to Undisclosed #1 | 03/23/16 09:05pm

I stand corrected (I think) RE: connection methods. :)

According to the Hik/EZVIZ manual, you can not manage them via anything other than the EZVIZ P2P connection....

Which still does not make them any different than many others who do this in the very same way - making their new statement just as factually incorrect as their first.

cross? ;)

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to Undisclosed #5 | 03/23/16 09:10pm

Again the redaction is:

One critical element that sets EZVIZ's security measures from many others is that EZVIZ does not allow customers to access the camera over the Internet by entering the camera’s IP address in web browsers"

They don't deny "many others" do this, only that "many others" don't.

rest. ;)

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #5

In reply to Undisclosed #1 | 03/23/16 09:35pm

I withdraw my objection.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to Undisclosed #5 | 03/23/16 09:41pm

I must re-instate your objection...

pending more information, since Ethan shows here a EZVIZ dvr working from a web interface on the local network at least.

Maybe the ez mini is not accessible, but the slammer kind may well be.

There is some equivocation perhaps in how Hik uses the term EZVIZ to mean the cameras or the service.

I thought I saw Ethan say that some EZVIZ DVR or camera was not accessible thru 4200 or the web, but I haven't found it yet...

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Ethan Ace

IPVM | In reply to Undisclosed #1 | 03/23/16 09:48pm

EZVIZ DVRs have an accessible web interface. The mini does not. I haven't been able to connect to either on the LAN via 4500, but you can add your EZVIZ account to 4500 and see them that way. It seems to work fine, but I haven't tried it with the Mini at length.

Agree
Disagree
Informative
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports