Hikvision 'Phone Home' Raises Security Fears

By: John Honovich, Published on Nov 10, 2016

The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns have triggered increased scrutiny of Hikvision devices.

Hikvision's 'phone home' feature is raising particular fears as users evaluate Hikvision devices, attempting to understand what is happening and what risks this raises.

In this note, based on our testing, we examine how Hikvision 'phone home' works, its benefits and risks.

'Phone Home' - HikConnect

Many Hikvision devices default to 'phone home' to the HikConnect service (aka Ezviz, though Ezviz is also the name of their consumer offering). For background, see Hikvision Cloud Service (Ezviz / HikConnect) Tested.

This screenshot shows a default setup for a common Hikvision device designed to 'phone home' to hik-connect.com:

Without any user knowledge or choice, the Hikvision devices we have tested reach out / connect to Amazon web services:


We have found that low end models (Value/Value Plus) support these services, while higher end Smart/Pro models (including Darkfighter, 4K, etc.) do not.

Purpose - Ease Setup / Remote Access

The purpose of this offering, and of it being enabled by default, is to simplify setup and enable users to watch video remotely. This way, the user does not need to log in to the device's web interface, do network / router configurations, etc. They simply go to Hikvision's cloud interface to connect to those devices that already phone home to Hikvision. Indeed, initial / remote setup is one of the most common pain points for all network video providers.

Because of the value of this, many offer similar type services, e.g., Google Nestcam. However, for professional / commercial video surveillance use, this is common. For example, Axis and Dahua both have phone home services available but they are defaulted off, unlike Hikvision.

Since Hikvision has enabled this on low to mid end devices but not high end ones, this reinforces that the goal is easier setup / remote access for smaller users. However, many of the Value and Value Plus devices, because of the low price and solid quality, are being used in higher end facilities.

Risk - Hikvision / China Government Access

The risk is Hikvision misusing these connections inside of private networks. Hikvision could potentially look at internal video or use that device to access other devices inside a LAN. This automatic tunnel-out connection could be used to set up a reverse shell or quasi-VPN, letting outsiders tunnel in to the network, using the camera as an ad-hoc router. This is a risk of any provider with such access, though magnified for many due to Hikvision's government ownership.

For its part, Hikvision emphasizes that the cloud services used for North American users are "physically located in the United States, so all data and connections remain local." The challenge is that if Hikvision wanted to access these devices from anywhere else in the world, they could easily do so via the global Internet.

Some will certainly not care or find it unrealistic, but many users who are ramping up cyber security audits will find the 'phone home' element of these devices to be a risk, by itself, and more so given Hikvision's China government control.
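For such an audit, one way to find which devices on a network are phoning home is to search DNS resolver logs for lookups of hik-connect.com, the domain named above. This is an added example, not part of IPVM's testing; the dnsmasq-style log format, the IP addresses and the `dev.` subdomain are constructed assumptions.

```python
import re
from collections import defaultdict

# Domain named in the article; add others only after confirming them in your own captures.
PHONE_HOME_DOMAINS = ("hik-connect.com",)

# Assumed dnsmasq-style query line:
#   "Nov 10 09:15:02 dnsmasq[411]: query[A] dev.hik-connect.com from 192.168.1.64"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
Nov 10 09:15:02 dnsmasq[411]: query[A] dev.hik-connect.com from 192.168.1.64
Nov 10 09:15:02 dnsmasq[411]: forwarded dev.hik-connect.com to 203.0.113.53
Nov 10 09:15:07 dnsmasq[411]: query[A] www.example.org from 192.168.1.20
Nov 10 09:16:40 dnsmasq[411]: query[AAAA] HIK-CONNECT.COM. from 192.168.1.65
Nov 10 09:17:11 dnsmasq[411]: query[A] hik-connect.com.example.net from 192.168.1.20
Nov 10 09:18:30 dnsmasq[411]: query[A] nothik-connect.com from 192.168.1.21
Nov 10 09:20:02 dnsmasq[411]: query[A] dev.hik-connect.com from 192.168.1.64
"""


def matches_domain(name, domains=PHONE_HOME_DOMAINS):
    """True if name equals a listed domain or is a subdomain of it.

    Matching is aligned on DNS labels, so look-alikes such as
    'nothik-connect.com' or 'hik-connect.com.example.net' do not match.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def phone_home_clients(log_text):
    """Return {client IP: {queried name: count}} for phone-home lookups."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_domain(m.group("name")):
            hits[m.group("client")][m.group("name").lower().rstrip(".")] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(phone_home_clients(SAMPLE_LOG).items()):
        for name, count in sorted(names.items()):
            print(f"{client} looked up {name} {count}x")
```

A device that uses a hard-coded IP address or its own resolver will not appear in these logs, so outbound firewall logs for the camera subnet are the complementary check.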

Vote - What Should Be Done?

This is a challenging case. The same feature that is, for many, legitimately a user convenience is also materially a security risk for many.
