Hikvision 'Phone Home' Raises Security Fears

Author: John Honovich, Published on Nov 10, 2016

The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns has triggered increased scrutiny of Hikvision devices.

Hikvision's 'phone home' feature is raising particular fears as users evaluate Hikvision devices, attempting to understand what is happening and what risks this raise.

In this note, based on our testing, we examine how Hikvision 'phone home' works, its benefits and risks.

'Phone Home' - HikConnect

Many Hikvision devices are defaulted to 'phone home' to HikConnect service (aka Ezviz, though Ezviz is also the name of their consumer offering). For background, see Hikvision Cloud Service (Ezviz / HikConnect) Tested.

This screenshot shows a default setup for a common Hikvision device designed to 'phone home' to hik-connect.com:

Without any user knowledge or choice, these Hikvision devices we have tested reach out / connect to Amazon web services:

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

We have found that low end models (Value/Value Plus) support these services, while higher end Smart/Pro models (including Darkfighter, 4K, etc.) do not.

Purpose - Ease Setup / Remote Access

The purpose of this offering, and it being enabled by default, is to simplify setup and enabling users to watch video remotely. This way, the user does not need to login to the device's web interface, do network / router configurations, etc. They simply go to Hikvision's cloud interface to connect to those devices that already phone home to Hikvision. Indeed, initial / remote setup is one of the most common pain points for all network video providers.

Because of the value of this, many offer similar type services, e.g., Google Nestcam. However, for professional / commercial video surveillance use, this is common. For example, Axis and Dahua both have phone home services available but they are defaulted off, unlike Hikvision.

Since Hikvision has enabled this on low to mid end devices but not high end ones, this reinforces that the goal is easier setup / remote access for smaller users. However, many of the Value and Value Plus devices, because of the low price and solid quality, are being used in higher end facilities.

Risk - Hikvision / China Government Access

The risk is Hikvision misusing these connections inside of private networks. Hikvision could potentially look at internal video or use that device to access other devices inside a LAN. This automatic tunnel-out connection could be used to setup a reverse shell or quasi-VPN, letting outsiders tunnel in to the network, using the camera as an ad-hoc router. This is a risk of any provider with such access, though magnified for many due to Hikvision's government ownership.

For its part, Hikvision emphasizes that the cloud services used for North American users are "physically located in the United States, so all data and connections remain local." The challenge is that if Hikvision wanted to access these devices from anywhere else in the world, they could easily do so via the global Internet.

Some will certainly not care or find it unrealistic but many users who are ramping up cyber security audits will find the 'phone home' element of this devices to be a risk, by itself, and more so given Hikvision's China government control.

Vote - What Should Be Done?

This is a challenging case. The same feature that is, for many, legitimately a user convenience is also materially a security risk for many.

5 reports cite this report:

US Army Bans Chinese DJI Drones on Aug 08, 2017
The US Army has issued a ban on Chinese-made DJI drones. A US Army memo obtained by sUAS News references a classified document from the Army...
Hikvision Removing Auto 'Phone Home' on Mar 24, 2017
Facing pressure over their cameras auto phoning home and their Chinese government ownership, Hikvision has begun quietly removing automatic...
12 Video Surveillance Poll Results 2016 on Dec 28, 2016
IPVM has conducted more than 100 polls this year. Here are a selection of 12 of the most interesting results, receiving 4,500+ votes: Hikvision vs...
Hikvision Discontinuing Online Service on Dec 12, 2016
Hikvision has declared it will discontinue its Hikvision online service, just days after IPVM's Hikvision Cloud Security Vulnerability...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Comments (31) : PRO Members only. Login. or Join.

Related Reports

The False SCMP Story on Hikvision NYC AI on Jan 14, 2019
In the past week, one of Asia's largest publications, the South China Morning Post (SCMP), posted an article about "Chinese [facial recognition]...
Last Chance - Winter 2019 IP Networking Course on Jan 10, 2019
Today is the last day to register for the Winter 2019 IP Networking course. This is the only networking course designed specifically for video...
2019 Video Surveillance Cameras Overview on Jan 07, 2019
Each year, IPVM summarizes the main advances and changes for video surveillance cameras, based on our industry-leading testing and...
Infinova Deletes Xinjiang References, Hiding Evidence on Jan 07, 2019
Infinova has deleted all posts about Xinjiang on its website due to IPVM’s investigation of its business ties there and successfully directed...
"At Hikvision, We Build Trust" on Jan 03, 2019
Hikvision has joined a growing number of video surveillance manufacturers marketing their trustworthiness. In a recent trade magazine full page...
US Gov China Ban Rules Process, SIA Lobbies Against 'Blacklisting', For 'Risk-Based Protocol' on Dec 27, 2018
Details have emerged about when the rules implementing the federal ban on Hikvision, Dahua, Huawei and others will be made public for official...
Bosch VDOO 2018 Vulnerability on Dec 20, 2018
Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new...
Genetec UL Cybersecurity Certificate (2900-2-3) Examined on Dec 19, 2018
Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates? Earlier in 2018, a...
Network Cable Shootout - Belden, Commscope, Hikvision, Honeywell, NavePoint CCA, Windy City Wire on Dec 17, 2018
Every IP camera install needs UTP cabling. But how much of a difference is there between dirt cheap generic cables found online and the bigger,...
Hikvision Government Parent Holds Communist Party Congress on Dec 17, 2018
The Communist Party committee of Hikvision’s government parent, CETHIK, held a Party Congress earlier this month where senior executives, including...

Most Recent Industry Reports

Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Gorilla Technology AI Provider, Raises $15 Million, Profiled on Jan 15, 2019
Gorilla Technology is a Taiwanese video analytics manufacturer that recently announced a $15 million investment from SBI Group, saying this...
2019 IP Networking Book Released on Jan 14, 2019
The new IP Networking Book 2019 is a 285 page in-depth guide that teaches you how IT and telecom technologies impact modern security...
Arecont Costar Layoffs on Jan 14, 2019
Arecont Vision, a Costar Company, has laid off more than 10% of their workforce in a move the company described to IPVM as a result of "important...
The False SCMP Story on Hikvision NYC AI on Jan 14, 2019
In the past week, one of Asia's largest publications, the South China Morning Post (SCMP), posted an article about "Chinese [facial recognition]...
WDR Tutorial on Jan 11, 2019
Understanding wide dynamic range (WDR) is critical to capturing high quality images in demanding conditions. However, with no real standards, any...
Pelco Favorability Results 2019 on Jan 11, 2019
Pelco had a significant favorability problem amongst integrators in our previous study (see 2016 Pelco results). Now, in the first edition of our...
Bad: Dahua Villa Video Doorbell Tested on Jan 11, 2019
Doorbells are one of the hottest segments in the residential market but Dahua's Villa Video Doorbell is the worst we have tested.   We bought and...
Last Chance - Winter 2019 IP Networking Course on Jan 10, 2019
Today is the last day to register for the Winter 2019 IP Networking course. This is the only networking course designed specifically for video...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact