Hikvision 'Phone Home' Raises Security Fears

Author: John Honovich, Published on Nov 10, 2016

The escalating attention towards Hikvision's Chinese government ownership and Genetec's removal of Hikvision due to cyber security concerns have triggered increased scrutiny of Hikvision devices.

Hikvision's 'phone home' feature is raising particular fears as users evaluate Hikvision devices, attempting to understand what is happening and what risks this raises.

In this note, based on our testing, we examine how Hikvision 'phone home' works, its benefits and risks.

'Phone Home' - HikConnect

Many Hikvision devices are defaulted to 'phone home' to the HikConnect service (aka Ezviz, though Ezviz is also the name of their consumer offering). For background, see Hikvision Cloud Service (Ezviz / HikConnect) Tested.

This screenshot shows a default setup for a common Hikvision device designed to 'phone home' to hik-connect.com:

Without any user knowledge or choice, the Hikvision devices we have tested reach out / connect to Amazon web services:

We have found that low end models (Value/Value Plus) support these services, while higher end Smart/Pro models (including Darkfighter, 4K, etc.) do not.

Purpose - Ease Setup / Remote Access

The purpose of this offering, and of it being enabled by default, is to simplify setup and enable users to watch video remotely. This way, the user does not need to log in to the device's web interface, do network / router configurations, etc. They simply go to Hikvision's cloud interface to connect to those devices that already phone home to Hikvision. Indeed, initial / remote setup is one of the most common pain points for all network video providers.

Because of the value of this, many offer similar services, e.g., Google Nestcam. However, for professional / commercial video surveillance use, this is common. For example, Axis and Dahua both have phone home services available but they are defaulted off, unlike Hikvision.

Since Hikvision has enabled this on low to mid end devices but not high end ones, this reinforces that the goal is easier setup / remote access for smaller users. However, many of the Value and Value Plus devices, because of the low price and solid quality, are being used in higher end facilities.

Risk - Hikvision / China Government Access

The risk is Hikvision misusing these connections inside of private networks. Hikvision could potentially look at internal video or use that device to access other devices inside a LAN. This automatic tunnel-out connection could be used to set up a reverse shell or quasi-VPN, letting outsiders tunnel in to the network, using the camera as an ad-hoc router. This is a risk of any provider with such access, though magnified for many due to Hikvision's government ownership.

For its part, Hikvision emphasizes that the cloud services used for North American users are "physically located in the United States, so all data and connections remain local." The challenge is that if Hikvision wanted to access these devices from anywhere else in the world, they could easily do so via the global Internet.

Some will certainly not care or find it unrealistic, but many users who are ramping up cyber security audits will find the 'phone home' element of these devices to be a risk, by itself, and more so given Hikvision's China government control.
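For an audit of the kind described above, the following added example (not from the original report or from Hikvision) checks resolver logs for camera hosts that look up hik-connect.com or any other name outside an internal allowlist. The camera subnet, the dnsmasq-style log format, the internal zone `lan.example` and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the article): cameras live on this subnet, and the
# resolver writes dnsmasq-style query lines.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
PHONE_HOME_SUFFIX = "hik-connect.com"   # domain named in the article
ALLOWED_SUFFIXES = ("lan.example",)     # hypothetical internal zone
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)")

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = """\
Nov 10 09:15:02 dnsmasq[812]: query[A] sub.hik-connect.com from 192.168.50.21
Nov 10 09:15:03 dnsmasq[812]: query[A] nvr.lan.example from 192.168.50.21
Nov 10 09:15:09 dnsmasq[812]: query[A] cloud-host.example.net from 192.168.50.22
Nov 10 09:15:11 dnsmasq[812]: query[A] SUB.HIK-CONNECT.COM. from 192.168.50.23
Nov 10 09:15:12 dnsmasq[812]: query[A] sub.hik-connect.com from 192.168.10.5
Nov 10 09:15:15 dnsmasq[812]: query[A] nothik-connect.com from 192.168.50.24
"""

def under(name, suffix):
    """True if name equals suffix or is a subdomain of it (label-aligned)."""
    return name == suffix or name.endswith("." + suffix)

def audit(log_text):
    """Return (phone_home, other_external): camera IP -> set of names queried."""
    phone_home, other = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        # Normalise case and the trailing root dot before comparing names.
        name, src = m.group(1).lower().rstrip("."), m.group(2)
        try:
            if ipaddress.ip_address(src) not in CAMERA_NET:
                continue            # not a camera; out of scope for this audit
        except ValueError:
            continue                # malformed source address
        if under(name, PHONE_HOME_SUFFIX):
            phone_home[src].add(name)
        elif not any(under(name, s) for s in ALLOWED_SUFFIXES):
            other[src].add(name)
    return dict(phone_home), dict(other)

if __name__ == "__main__":
    for label, found in zip(("phones home", "other external"), audit(SAMPLE_LOG)):
        for ip, names in sorted(found.items()):
            print(f"{ip} {label}: {sorted(names)}")
```

DNS logs only show devices that resolve names through the monitored resolver, so pair this with firewall egress logs for the camera subnet to catch connections made to hard-coded addresses.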

Vote - What Should Be Done?

This is a challenging case. The same feature that is, for many, legitimately a user convenience is also materially a security risk for many.
