Hikvision 'Phone Home' Raises Security Fears

By: John Honovich, Published on Nov 10, 2016

The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns have triggered increased scrutiny of Hikvision devices.

Hikvision's 'phone home' feature is raising particular fears as users evaluate Hikvision devices, attempting to understand what is happening and what risks this raises.

In this note, based on our testing, we examine how Hikvision 'phone home' works, its benefits and risks.

'Phone Home' - HikConnect

Many Hikvision devices are set by default to 'phone home' to the HikConnect service (aka Ezviz, though Ezviz is also the name of their consumer offering). For background, see Hikvision Cloud Service (Ezviz / HikConnect) Tested.

This screenshot shows a default setup for a common Hikvision device designed to 'phone home' to hik-connect.com:

Without any user knowledge or choice, these Hikvision devices we have tested reach out / connect to Amazon web services:


We have found that low end models (Value/Value Plus) support these services, while higher end Smart/Pro models (including Darkfighter, 4K, etc.) do not.

Purpose - Ease Setup / Remote Access

The purpose of this offering, and of it being enabled by default, is to simplify setup and enable users to watch video remotely. This way, the user does not need to log in to the device's web interface, do network / router configurations, etc. They simply go to Hikvision's cloud interface to connect to those devices that already phone home to Hikvision. Indeed, initial / remote setup is one of the most common pain points for all network video providers.

Because of the value of this, many offer similar type services, e.g., Google Nestcam. However, for professional / commercial video surveillance use, this is common. For example, Axis and Dahua both have phone home services available but they are defaulted off, unlike Hikvision.

Since Hikvision has enabled this on low to mid end devices but not high end ones, this reinforces that the goal is easier setup / remote access for smaller users. However, many of the Value and Value Plus devices, because of the low price and solid quality, are being used in higher end facilities.

Risk - Hikvision / China Government Access

The risk is Hikvision misusing these connections inside of private networks. Hikvision could potentially look at internal video or use that device to access other devices inside a LAN. This automatic tunnel-out connection could be used to set up a reverse shell or quasi-VPN, letting outsiders tunnel in to the network, using the camera as an ad-hoc router. This is a risk of any provider with such access, though magnified for many due to Hikvision's government ownership.

For its part, Hikvision emphasizes that the cloud services used for North American users are "physically located in the United States, so all data and connections remain local." The challenge is that if Hikvision wanted to access these devices from anywhere else in the world, they could easily do so via the global Internet.

Some will certainly not care or find it unrealistic, but many users who are ramping up cyber security audits will find the 'phone home' element of these devices to be a risk, by itself, and more so given Hikvision's China government control.
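For an audit of which cameras actually phone home, the following added example (not part of the original report) scans resolver query logs for devices on the camera subnet that look up hik-connect.com. The dnsmasq-style log format, the 192.168.10.0/24 camera subnet and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Domain named in the report; extend with whatever your own captures show.
WATCHED_DOMAINS = {"hik-connect.com"}
# Assumption: cameras sit on this dedicated subnet.
CAMERA_NET = ipaddress.ip_network("192.168.10.0/24")

# dnsmasq-style query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

def is_watched(name, watched=WATCHED_DOMAINS):
    """True for a watched domain or any subdomain, matched on label boundaries."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watched)

def find_phone_home(lines, camera_net=CAMERA_NET):
    """Map camera IP -> sorted watched names it asked the resolver for."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed client field, skip the line
        if src in camera_net and is_watched(m["name"]):
            hits[str(src)].add(m["name"].rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
Nov 10 09:14:02 dnsmasq[812]: query[A] sample-host.hik-connect.com from 192.168.10.21
Nov 10 09:14:02 dnsmasq[812]: query[A] pool.ntp.org from 192.168.10.21
Nov 10 09:14:07 dnsmasq[812]: query[A] HIK-CONNECT.COM. from 192.168.10.22
Nov 10 09:15:30 dnsmasq[812]: query[A] hik-connect.com.example.net from 192.168.10.23
Nov 10 09:15:41 dnsmasq[812]: query[A] nothik-connect.com from 192.168.10.24
Nov 10 09:16:00 dnsmasq[812]: query[A] hik-connect.com from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for ip, names in sorted(find_phone_home(SAMPLE_LOG).items()):
        print(f"{ip} queried {', '.join(names)}")
```

DNS lookups only show intent to connect; pairing the flagged addresses with outbound firewall logs confirms whether the connection was actually established.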

Vote - What Should Be Done?

This is a challenging case. The same feature that is, for many, legitimately a user convenience is also materially a security risk for many.
