Hikvision 'Phone Home' Raises Security FearsBy John Honovich, Published on Nov 10, 2016
Hikvision's 'phone home' feature is raising particular fears as users evaluate Hikvision devices, attempting to understand what is happening and what risks this raise.
In this note, based on our testing, we examine how Hikvision 'phone home' works, its benefits and risks.
'Phone Home' - HikConnect
Many Hikvision devices are defaulted to 'phone home' to HikConnect service (aka Ezviz, though Ezviz is also the name of their consumer offering). For background, see Hikvision Cloud Service (Ezviz / HikConnect) Tested.
This screenshot shows a default setup for a common Hikvision device designed to 'phone home' to hik-connect.com:
Without any user knowledge or choice, these Hikvision devices we have tested reach out / connect to Amazon web services:
Purpose - Ease Setup / Remote Access
The purpose of this offering, and it being enabled by default, is to simplify setup and enabling users to watch video remotely. This way, the user does not need to login to the device's web interface, do network / router configurations, etc. They simply go to Hikvision's cloud interface to connect to those devices that already phone home to Hikvision. Indeed, initial / remote setup is one of the most common pain points for all network video providers.
Because of the value of this, many offer similar type services, e.g., Google Nestcam. However, for professional / commercial video surveillance use, this is common. For example, Axis and Dahua both have phone home services available but they are defaulted off, unlike Hikvision.
Since Hikvision has enabled this on low to mid end devices but not high end ones, this reinforces that the goal is easier setup / remote access for smaller users. However, many of the Value and Value Plus devices, because of the low price and solid quality, are being used in higher end facilities.
Risk - Hikvision / China Government Access
The risk is Hikvision misusing these connections inside of private networks. Hikvision could potentially look at internal video or use that device to access other devices inside a LAN. This automatic tunnel-out connection could be used to setup a reverse shell or quasi-VPN, letting outsiders tunnel in to the network, using the camera as an ad-hoc router. This is a risk of any provider with such access, though magnified for many due to Hikvision's government ownership.
For its part, Hikvision emphasizes that the cloud services used for North American users are [link no longer available] "physically located in the United States, so all data and connections remain local." The challenge is that if Hikvision wanted to access these devices from anywhere else in the world, they could easily do so via the global Internet.
Some will certainly not care or find it unrealistic but many users who are ramping up cyber security audits will find the 'phone home' element of this devices to be a risk, by itself, and more so given Hikvision's China government control.
This is a challenging case. The same feature that is, for many, legitimately a user convenience is also materially a security risk for many.