Hikvision Audit Admits iVMS-4200 Auto Connects to China
Hikvision submitted a cybersecurity audit to the FCC revealing the widely used iVMS-4200 application automatically connects to servers in China.
The audit found that these "connections [were] associated with identifying software updates" and that "corrections will be included in a future update of iVMS-4200." Neither the auditor nor Hikvision commented on when these connections to China will be corrected.
iVMS-4200 is a free client widely used by Hikvision customers to view and manage video; it connects to, and therefore has access to, many of the cameras in a system.
**********
********* ******** ************* ** "********* ************* ********** ******," which *** ***** **** *** *** in ********. **** ** ******** **** their ******** *** ****** ********* ** *******, ***** ********* ****** **************.
********* ********* ********* "************ *********" *** the ******** *******, ***** ***** *******, its ******** "*** **** ** ******** the ********** ** * ********** *********** on ********* *********."
*** ******** **** *** ******* **** information ********* *** *** **** ** be ******. *** * ******* ** Hik-Connect, ********'* ***** ************ ***, *** heavily ********.
*** ********** ********* **** ********* ******* "present ** ********* ********." *******, **** identified ****-**** ******** ** ******* ** China, ********* ******* **** ***-*******'* ************** hashing *********, ********** ******* ****** **** Hikvision ****, *** ******* "******** *************** that ********* ***** ********* ** ******* enhance ***[**] ************* *******."
iVMS-4200 ************* ******** ** *****
*********'* ****-****, * ******-**** ******, ******* "multiple *********** ** ******* ******* ** China" **** *******:
**** ******* ****-****, FTI ********** ******** *********** ** ******* ******* ** *****. These connections occur at [the] time the application is started by the user. [emphasis added]
**** ******** **** *** **** "******" causing ************* "** ********* ******* ******* of *** ******** ************ ******":
***’* ****** **** ****** ** *********’* supporting ******** ******** two ****** ** **** that caused communication to an outdated feature and to Hikvision ******* ******* ** *** ******** ************ ******. [emphasis added]
*** **** *** ****-**** *********** **** "caused ** ****** ********** ** ******** functions **** *** *** **** ***** removed," ***** **** "********** **** *********** software *******."
US ** ******** **********
*** ** ********** ** ******* ******* raised ******* ******** ***** ****-****, *********:
**** ********** ******** *****-***** ************* ***** has ********* *********** ******** *****.
**** ********** *** ******** **** **** the ** **** **** ******* (***)
*** *********** ******* ****-**** ** "**********. **** ***** is *** (*********) ********* ** ** used ***** *** *************."
PRC ***** ******* ********* *** ** ***-*******
************, *** ***** ***** **** ** Hik-Connect ******* **** *** ********* *******, Chinanet, *** *******:
*** ****** ***** ****, ****** *** iVMS-4200, ***** *** ********* *** ***** non *** ***** *******, ****** ** this ** *** ********, **** ** video ***** ** ******* **** *** of ***** ******* ** ******** ********.
Hik-Connect ******** ********, ************** *************
********* ***** ** ******** **** ** the ******'* ******** ********* ***-*******, ***** cloud ******** ***:
********* *** *** ******* ** *** request *** ********** ***********. *******, *********'* request *** ************ ********* ** *********** in *** ****** ********** ****** *** reason ** *************. *** *******:
** *** *** ** *** ******, FTI **** ***-******* **** ** ************** protocol "***** ** **** *************** *** is *** ***********":
*) ***-******* **************: ****** *** ****** code ******, *** ********** **** *** MD520 ************* ******* ********* ** ***** used ** ************ ********. MD5 ** ***** ** **** *************** *** ** *** *********** ** ** **** *** ************** **********. FTI ********** ************ * ********* ******* *********, such as SHA-256 with salt as a replacement to the current MD5 hashing algorithm. [emphasis added]
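To make the audit's recommendation concrete, the following is an added example, not code from Hikvision, FTI or this article. It contrasts the scheme the audit flags (a bare MD5 of the password) with the replacement it suggests (SHA-256 over a per-user salt), and shows what the salt actually buys: identical passwords no longer produce identical hashes, and an attacker can no longer crack every account with one precomputed table. The account names, passwords and wordlist are constructed for the demonstration. The third function uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt/Argon2id, which is the usual recommendation whenever the hashed value is a stored password rather than a transient authentication token.

```python
"""Unsalted MD5 vs. per-user salted SHA-256 vs. a slow KDF for credential storage (added example)."""
import hashlib
import hmac
import os

# Constructed sample accounts; two users deliberately share a password.
ACCOUNTS = {
    "alice": "Summer2021!",
    "bob": "Summer2021!",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = ["123456", "password", "Summer2021!", "admin"]


def md5_unsalted(password: str) -> str:
    """The scheme the audit flags: a bare MD5 of the password, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """The audit's suggested replacement: SHA-256 over a per-user random salt plus the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Deliberately slow, iterated hash (PBKDF2-HMAC-SHA256, stdlib), standing in for bcrypt/Argon2id.
    The record is self-describing (algorithm$iterations$salt$hash) so it can be verified later."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the stored record from its own parameters and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_unsalted(accounts: dict) -> dict:
    """Credential table as the weak scheme keeps it: user -> md5(password)."""
    return {user: md5_unsalted(pw) for user, pw in accounts.items()}


def store_salted(accounts: dict) -> dict:
    """Credential table with a fresh 16-byte salt per user: user -> (salt, sha256(salt || password))."""
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, sha256_salted(pw, salt))
    return table


def distinct_hashes(table: dict) -> int:
    """Number of different hash values stored; equal passwords leak as equal unsalted entries."""
    values = [v[1] if isinstance(v, tuple) else v for v in table.values()]
    return len(set(values))


def crack_with_precomputed_table(table: dict, wordlist: list) -> tuple:
    """One md5(word) table, built once, is looked up against every user.
    Returns (cracked accounts, hash computations); the cost does not grow with the number of users."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted(table: dict, wordlist: list) -> tuple:
    """With per-user salts no shared table exists: the wordlist is re-hashed for each user.
    Returns (cracked accounts, hash computations)."""
    cracked, ops = {}, 0
    for user, (salt, h) in table.items():
        for w in wordlist:
            ops += 1
            if sha256_salted(w, salt) == h:
                cracked[user] = w
                break
    return cracked, ops


if __name__ == "__main__":
    unsalted, salted = store_unsalted(ACCOUNTS), store_salted(ACCOUNTS)
    print("distinct hashes, unsalted MD5:", distinct_hashes(unsalted))
    print("distinct hashes, salted SHA-256:", distinct_hashes(salted))
    print("precomputed-table attack on MD5:", crack_with_precomputed_table(unsalted, WORDLIST))
    print("per-user attack on salted SHA-256:", crack_salted(salted, WORDLIST))
    record = pbkdf2_record("Summer2021!", os.urandom(16))
    print("PBKDF2 verify:", verify_pbkdf2("Summer2021!", record), verify_pbkdf2("wrong", record))
```

Note that the salt alone does not slow the attacker down per guess; it only removes the shared precomputation and the equal-password leak. A hash that is fast by design, SHA-256 included, still lets a GPU test billions of guesses per second against one account, which is why a tunable-cost function such as PBKDF2, bcrypt or Argon2id is the stronger choice when the value being protected is a stored password.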
"Outdated", "****-******" ********
*** ***** ********* **** "******** ****-****** packages **** ******** ******** ** **** devices" ***** *** ********** **** "******** publicly ***** ***************." **** *** ***** are *** ***** ** ***** *************** ********** ** ********* ******** by *** ********** ******** ************* ******** ******** ****.
*******, *** ****** ********* **** **** they **** ******** ** ***** ** mitigate ***** ***************, *** **** *** validated *********'* *********:
********* ********* **** *** ****-****** ******** packages ** ********** **** *** ****** software *** ******** *** *********** ** a “****** *****” *** *********** ************ controls ** ******* *** ********* *** mitigate *** ******** ***** ***************. ***’* vulnerability ********** ***** ********* **** **** of *** *************** ******* ** *** outdated ******** **** ******* ** *** devices ******* ********** *********’* ********* *** contradicting *** *********** **** ******* ********* in *** *****-***** *** **** *********.
*** **** ***** ***** ****** **** "use ** ******** ********** *********" *** "IP-forwarding *******".
Cybersecurity ***************
*** ******* ******* *************** *** ********* to ******* *** *************. **** *******, that ********* ****** *** ************** ******* algorithm *** ***-******* ** ********* ******* known ***************.
***** *************** **** ** ****** ********* software ******* *** *** *******, ****** than **** ******** ****, *** **** Hikvision ******* ************* **-****** ***** ************** in ******* *********.
Hikvision ** ********
********* *** *** ******* ** ****'* request *** *******.
Update (**/**/**): Hikvision ******* ****-**** ******* ********** ** *****
********* *** **** **** ******* *** iVMS-4200 ******** ******* *********** ** ***** in ** ****** ******** *** *, 2021 ****** ********** *** *** ****** on *** **, ****.
*** *** ******, ***** ********* ********** submitted, **** ** *** ******** **** "corrections **** ** ******** ** * future ****** ** ****-****." ** ***** Hikvision *** ******* * ***** ***** to *** *********** ** **** ******, and **** *** *** ******* **** any ************** ** *******:
*** ***** **** *** ******* **********, and *'* *** ***** ** **** has **** ****** *** ******* *********** to *****.
*******: *****'* ** ********* **** ** the "***-******* ******** ********, ************** *************" section:
** *** *** ** *** ******, FTI **** ***-******* **** ** ************** protocol "***** ** **** *************** *** is *** ***********":
*** ** * ******* *********, *** an ************** ********.
---
*** *** ***** ******** ***** **** is ******** *******, *** * ******** FTI's ***********.
*) ***-******* **************: ****** *** ****** code ******, *** ********** **** *** MD520 ************* ******* ********* ** ***** used ** ************ ********. MD5 ** ***** ** **** *************** *** ** *** *********** ** ** **** *** ************** **********. FTI ********** ************ * ********* ******* *********, such as SHA-256 with salt as a replacement to the current MD5 hashing algorithm. [emphasis added]
***-***??? ****'* * **** ******** **** over ** ***** ***. ***'** ******** to *** ****** ** ******** ********. Even ** ****, ****** **** ********* to ******. ** *** ***** **** practice ******** **** ****? ****** **** changed ********* ****.
*** **** **** * *** ***** of ***** ***-*** ***'* ***** *** idea ** ** **'* *** **** to **** *********... ** ***** **** why ***** **** ** ******* ***** salting? *** *** **** *** ***? If ***'** ******* * ******, *** bcrypt/Argon2id. ** ***'** ***, **** ** makes ** ***** ** **** ***** salting ** ********* **** ***. ****** way, ***'* ************** ** *** *****.
** *** ********* ****, "*** ** not ***********" ** ** **************. ***-*** is ******** *** ******** *******. *** is *****. ******** *** ** ********* worse. **'* *** **** **'* *** recommended, **'* ** ******** ******** ****.
**** ****-**** ** *** ******* **** Active ********* *********** **** ***** ** used ** * ****** ******?
*** ****** ******* *** ******** *****-*** to ***-**** ******* **** ********* ** cameras ** ********* **** ******* ***** up *** ********** ** * *******, or ************ ** ******** ****** *******?
******* *** **** ** ******* *****-** protocol **** ** ******* ******** ** code ** ********** ****** *** *** or ********?
***** *** ***************** ** ******* ***** ***** ***. **** **** ****** ** ******* *** found ********* *********** ** ******* ** China.
*** ******** **** ** ** ** that ********* ****** ** **** **,*** R&D ********* ***** ****** **** ********** loudly *** ***** ***** *********** **** to ***** *** *** ** ** still ** ****-**** *** **** ********* this ** *** ***. **** **** this *** ***** *********'* ******* ** execute?
"***** *****..... **. *****. *****."
(******)
"***** ******** ********* ******... *****. *****."
***** ***** ***** ***** ** ********* but *** ****** ******* ** *************** of **** ** **** ****.
*** *******, **'* ****** ** ********** ** **** *** ******* ** works ** *********:
*** *** **** ****** ******* *** **** ************ ****** * ***** *** (****** the **** ***):
*** ******** ********* *******:
** ****** ******** ** ********* ** his ******** ***** *** ** ***** there ** **** ******** ** ***** at *********, **** * ******* **** of ******* ***************:
***** ***** ** ***** ******* ** Hikvision, *.*., * *** ****** ***, Davis *** *********'* ************ **** *** ***:
** ** *** ********** ******* ******* and ***********. **** **** * ***** market *****, *** *** ***** *****, why ** ****.
****, **** ** *** **** ** change *** ****-****. ** *** *** of *** ***, ******** ********** **** HikVision ** *******. *** ***** *** of *** ***** ** ****** ****-**** when **** ********** **** *** ** 2020. * ***** **** *** ***** to **** *** *** ** **** can ******* *** **** ***** **** the ****-****, *** ** ******'* ******** me ** **** *** ******* ** a *** *** ********.
* ***'* ****. ** **** ****** don't **** ****-**** ** ******* ** China, ** ****** ** ****** ******, from ** *********** **********, ** ** so. * ** ********* *******, **** is *** **** ************* *********** **** to ****** **** **** ***** ** be **** **** ** *** **** anyway.
********* ********* **** *** ****-****** ******** packages ** ********** **** *** ****** software *** ******** *** *********** ** a “****** *****” *** *********** ************ controls ** ******* *** ********* *** mitigate *** ******** ***** ***************. ***’* vulnerability ********** ***** ********* **** **** of *** *************** ******* ** *** outdated ******** **** ******* ** *** devices ******* ********** *********’* ********* *** contradicting *** *********** **** ******* ********* in *** *****-***** *** **** *********.
* ***'* **** *** ****** ** respond ** ****. * ** **** that *** *** *********** * ****** shell **** ********* *** ********* ********* with *** ********** ****-****** ********. ********* their ****** ***** ***'* **** ****** and **********.
******: Hikvision ******* ****-**** ******* ********** ** *****
********* *** **** **** ******* *** iVMS-4200 ******** ******* *********** ** ***** in ** ****** ******** *** *, 2021 ****** ********** *** *** ****** on *** **, ****.
*** *** ******, ***** ********* ********** submitted, **** ** *** ******** **** "corrections **** ** ******** ** * future ****** ** ****-****." ** ***** Hikvision *** ******* * ***** ***** to *** *********** ** **** ******, and **** *** *** ******* **** any ************** ** *******:
**** ***** **********?
********** ** *********'* ********** ***** *** that ** $**,*** ****.