Hikvision Audit Admits iVMS-4200 Auto Connects to China

Published Feb 10, 2022 15:21 PM

Hikvision submitted a cybersecurity audit to the FCC revealing the widely used iVMS-4200 application automatically connects to servers in China.

The audit found that these "connections [were] associated with identifying software updates" and that "corrections will be included in a future update of iVMS-4200." Neither the auditor nor Hikvision commented on when these connections to China will be corrected.

iVMS-4200 is a free client widely used for Hikvision customers to view and manage video, which connects to and has access to many cameras in systems.

**********

********* ******** ************* ** "********* ************* ********** ******," which *** ***** **** *** *** in ********. **** ** ******** **** their******** *** ****** ********* ** *******, ***** ********* ****** **************.

********* ********* ********* "************ *********" *** the ******** *******, ***** ***** *******, its ******** "*** **** ** ******** the ********** ** * ********** *********** on ********* *********."

*** ******** **** *** ******* **** information ********* *** *** **** ** be ******. *** * ******* ** Hik-Connect, ********'* ***** ************ ***, *** heavily ********.

*** ********** ********* **** ********* ******* "present ** ********* ********." *******, **** identified ****-**** ******** ** ******* ** China, ********* ******* **** ***-*******'* ************** hashing *********, ********** ******* ****** **** Hikvision ****, *** ******* "******** *************** that ********* ***** ********* ** ******* enhance ***[**] ************* *******."

iVMS-4200 ************* ******** ** *****

*********'* ****-****, * ******-**** ******, ******* "multiple *********** ** ******* ******* ** China" **** *******:

**** ******* ****-****, FTI ********** ******** *********** ** ******* ******* ** *****. These connections occur at time the application is started by the user. [emphasis added]

**** ******** **** *** **** "******" causing ************* "** ********* ******* ******* of *** ******** ************ ******":

***’* ****** **** ****** ** *********’* supporting ******** ******** two ****** ** **** that caused communication to an outdated feature and to Hikvision ******* ******* ** *** ******** ************ ******. [emphasis added]

*** **** *** ****-**** *********** **** "caused ** ****** ********** ** ******** functions **** *** *** **** ***** removed," ***** **** "********** **** *********** software *******."

US ** ******** **********

*** ** ********** ** ******* ******* raised ******* ******** ***** ****-****, *********:

**** ********** ******** *****-***** ************* ***** has ********* *********** ******** *****.

**** ********** *** ******** **** **** the ** **** **** ******* (***)

*** *********** ******* ****-**** ** "**********. **** ***** is *** (*********) ********* ** ** used ***** *** *************."

PRC ***** ******* ********* *** ** ***-*******

************, *** ***** ***** **** ** Hik-Connect ******* **** *** ********* *******, Chinanet, *** *******:

*** ****** ***** ****, ****** *** iVMS-4200, ***** *** ********* *** ***** non *** ***** *******, ****** ** this ** *** ********, **** ** video ***** ** ******* **** *** of ***** ******* ** ******** ********.

Hik-Connect ******** ********, ************** *************

********* ***** ** ******** **** ** the ******'* ******** ********* ***-*******, ***** cloud ******** ***:

********* *** *** ******* ** *** request *** ********** ***********. *******, *********'* request *** ************ ********* ** *********** in *** ****** ********** ****** *** reason ** *************. *** *******:

** *** *** ** *** ******, FTI **** ***-******* **** ** ************** protocol "***** ** **** *************** *** is *** ***********":

*) ***-******* **************: ****** *** ****** code ******, *** ********** **** *** MD520 ************* ******* ********* ** ***** used ** ************ ********. MD5 ** ***** ** **** *************** *** ** *** *********** ** ** **** *** ************** **********. FTI ********** ************ * ********* ******* *********, such as SHA-256 with salt as a replacement to the current MD5 hashing algorithm. [emphasis added]

"Outdated", "****-******" ********

*** ***** ********* **** "******** ****-****** packages **** ******** ******** ** **** devices" ***** *** ********** **** "******** publicly ***** ***************." **** *** ***** are *** ***** ** ***** *************** ********** ** ********* ******** by *** ********** ******** ************* ******** ******** ****.

*******, *** ****** ********* **** **** they **** ******** ** ***** ** mitigate ***** ***************, *** **** *** validated *********'* *********:

********* ********* **** *** ****-****** ******** packages ** ********** **** *** ****** software *** ******** *** *********** ** a “****** *****” *** *********** ************ controls ** ******* *** ********* *** mitigate *** ******** ***** ***************. ***’* vulnerability ********** ***** ********* **** **** of *** *************** ******* ** *** outdated ******** **** ******* ** *** devices ******* ********** *********’* ********* *** contradicting *** *********** **** ******* ********* in *** *****-***** *** **** *********.

*** **** ***** ***** ****** **** "use ** ******** ********** *********" *** "IP-forwarding *******".

Cybersecurity ***************

*** ******* ******* *************** *** ********* to ******* *** *************. **** *******, that ********* ****** *** ************** ******* algorithm *** ***-******* ** ********* ******* known ***************.

***** *************** **** ** ****** ********* software ******* *** *** *******, ****** than **** ******** ****, *** **** Hikvision ******* ************* **-****** ***** ************** in ******* *********.

Hikvision ** ********

********* *** *** ******* ** ****'* request *** *******.

Update (**/**/**): Hikvision ******* ****-**** ******* ********** ** *****

********* *** **** **** ******* *** iVMS-4200 ******** ******* *********** ** ***** in ** ****** ******** *** *, 2021 ****** ********** *** *** ****** on *** **, ****.

*** *** ******, ***** ********* ********** submitted, **** ** *** ******** **** "corrections **** ** ******** ** * future ****** ** ****-****." ** ***** Hikvision *** ******* * ***** ***** to *** *********** ** **** ******, and **** *** *** ******* **** any ************** ** *******:

Comments (15)
Undisclosed Manufacturer #1
Feb 10, 2022

**** ***** **********?

********** ** *********'* ********** ***** *** that ** $**,*** ****.

Conor Healy
Feb 10, 2022
IPVMU Certified

*** ***** **** *** ******* **********, and *'* *** ***** ** **** has **** ****** *** ******* *********** to *****.

Andrew Myers
Feb 10, 2022

*******: *****'* ** ********* **** ** the "***-******* ******** ********, ************** *************" section:

** *** *** ** *** ******, FTI **** ***-******* **** ** ************** protocol "***** ** **** *************** *** is *** ***********":

*** ** * ******* *********, *** an ************** ********.

---

*** *** ***** ******** ***** **** is ******** *******, *** * ******** FTI's ***********.

*) ***-******* **************: ****** *** ****** code ******, *** ********** **** *** MD520 ************* ******* ********* ** ***** used ** ************ ********. MD5 ** ***** ** **** *************** *** ** *** *********** ** ** **** *** ************** **********. FTI ********** ************ * ********* ******* *********, such as SHA-256 with salt as a replacement to the current MD5 hashing algorithm. [emphasis added]

***-***??? ****'* * **** ******** **** over ** ***** ***. ***'** ******** to *** ****** ** ******** ********. Even ** ****, ****** **** ********* to ******. ** *** ***** **** practice ******** **** ****? ****** **** changed ********* ****.

*** **** **** * *** ***** of ***** ***-*** ***'* ***** *** idea ** ** **'* *** **** to **** *********... ** ***** **** why ***** **** ** ******* ***** salting? *** *** **** *** ***? If ***'** ******* * ******, *** bcrypt/Argon2id. ** ***'** ***, **** ** makes ** ***** ** **** ***** salting ** ********* **** ***. ****** way, ***'* ************** ** *** *****.

** *** ********* ****, "*** ** not ***********" ** ** **************. ***-*** is ******** *** ******** *******. *** is *****. ******** *** ** ********* worse. **'* *** **** **'* *** recommended, **'* ** ******** ******** ****.

Undisclosed Manufacturer #2
Feb 10, 2022

**** ****-**** ** *** ******* **** Active ********* *********** **** ***** ** used ** * ****** ******?

Undisclosed Integrator #3
Feb 10, 2022

*** ****** ******* *** ******** *****-*** to ***-**** ******* **** ********* ** cameras ** ********* **** ******* ***** up *** ********** ** * *******, or ************ ** ******** ****** *******?

******* *** **** ** ******* *****-** protocol **** ** ******* ******** ** code ** ********** ****** *** *** or ********?

Conor Healy
Feb 10, 2022
IPVMU Certified

***** *** ***************** ** ******* ***** ***** ***.**** **** ****** ** ******* *** found ********* *********** ** ******* ** China.

John Honovich
Feb 11, 2022
IPVM

*** ******** **** ** ** ** that ********* ****** ** **** **,*** R&D ********* ***** ****** **** ********** loudly *** ***** ***** *********** **** to ***** *** *** ** ** still ** ****-**** *** **** ********* this ** *** ***. **** **** this *** ***** *********'* ******* ** execute?

Undisclosed #4
Feb 11, 2022

"***** *****..... **. *****. *****."

(******)

"***** ******** ********* ******... *****. *****."

John Honovich
Feb 11, 2022
IPVM

***** ***** ***** ***** ** ********* but *** ****** ******* ** *************** of **** ** **** ****.

*** *******, **'* ****** ** ********** ** **** *** ******* ** works ** *********:

*** *** **** ****** ******* *** **** ************ ****** * ***** *** (****** the **** ***):

*** ******** ********* *******:

** ****** ******** ** ********* ** his ******** ***** *** ** ***** there ** **** ******** ** ***** at *********, **** * ******* **** of ******* ***************:

***** ***** ** ***** ******* ** Hikvision, *.*., * *** ****** ***, Davis *** *********'* ************ **** *** ***:

Undisclosed Integrator #3
Feb 11, 2022

** ** *** ********** ******* ******* and ***********. **** **** * ***** market *****, *** *** ***** *****, why ** ****.

Undisclosed Integrator #6
Feb 14, 2022

****, **** ** *** **** ** change *** ****-****. ** *** *** of *** ***, ******** ********** **** HikVision ** *******. *** ***** *** of *** ***** ** ****** ****-**** when **** ********** **** *** ** 2020. * ***** **** *** ***** to **** *** *** ** **** can ******* *** **** ***** **** the ****-****, *** ** ******'* ******** me ** **** *** ******* ** a *** *** ********.

John Honovich
Feb 14, 2022
IPVM

* ***'* ****. ** **** ****** don't **** ****-**** ** ******* ** China, ** ****** ** ****** ******, from ** *********** **********, ** ** so. * ** ********* *******, **** is *** **** ************* *********** **** to ****** **** **** ***** ** be **** **** ** *** **** anyway.

Undisclosed Manufacturer #5
Feb 11, 2022

********* ********* **** *** ****-****** ******** packages ** ********** **** *** ****** software *** ******** *** *********** ** a “****** *****” *** *********** ************ controls ** ******* *** ********* *** mitigate *** ******** ***** ***************. ***’* vulnerability ********** ***** ********* **** **** of *** *************** ******* ** *** outdated ******** **** ******* ** *** devices ******* ********** *********’* ********* *** contradicting *** *********** **** ******* ********* in *** *****-***** *** **** *********.

* ***'* **** *** ****** ** respond ** ****. * ** **** that *** *** *********** * ****** shell **** ********* *** ********* ********* with *** ********** ****-****** ********. ********* their ****** ***** ***'* **** ****** and **********.

Carlo Kuijer
Feb 20, 2022

Conor Healy
Feb 21, 2022
IPVMU Certified

******: Hikvision ******* ****-**** ******* ********** ** *****

********* *** **** **** ******* *** iVMS-4200 ******** ******* *********** ** ***** in ** ****** ******** *** *, 2021 ****** ********** *** *** ****** on *** **, ****.

*** *** ******, ***** ********* ********** submitted, **** ** *** ******** **** "corrections **** ** ******** ** * future ****** ** ****-****." ** ***** Hikvision *** ******* * ***** ***** to *** *********** ** **** ******, and **** *** *** ******* **** any ************** ** *******:
