Hikvision Rejects Responsibility for Hacked Hikvision Cameras

Author: John Honovich, Published on May 10, 2016

After a massive number of Hikvision cameras were hacked, Hikvision has added new, and questionable, legal language declaring that Hikvision will take no responsibility for hacked Hikvision cameras.

[The remainder of the article body is masked in the page source; only the section headings "No ...", "Extremely ...", "Hikvision ...", "End ..." and "Buyer ..." are partially recoverable.]

Comments (150)

I voted not very concerning

Why?

Because no one is going to care as long as they see that it's the cheapest camera they can get on the market, just like any other product in the world market.

Lead in kids toys..... oh well they don't last very long anyway.....

Cheap can opener broke after opening 3 cans.... no matter i just get another one, they are cheap .......

Cameras don't have adequate software security....... who cares, I got a 1080p camera for $20 and it sets itself up after I plug it into my "internet box"

Winning right?

Eddie,

I do think a large segment of the market will not care and that is the core market that has embraced Hikvision to date. However, I also suspect that larger organizations, that really care about cybersecurity, will reject Hikvision over such a clause. This is a practical issue because Hikvision is ramping up its International enterprise sales efforts.

Working in an enterprise environment, I can say Hikvision doesn't have a chance unless there's mass incompetence or, as I stated before:

hey I got a camera for cheap, I saved money, I won/did the right thing.

Cyber security will be just like regular security. No one will care till after something bad happens/gets hacked, then they will care about this issue.

Those that will care about cyber security will get overruled by those who cut the check, as happens in enterprise environments.

Spoken by someone who is not looking at what's best for the US

Why don't you visit the Cyber Command in San Antonio?

Why don't you look at the bipartisan coalition for security in DC? I have been a part of these meetings.

there are people here that do care

problem is there are those that ignore the problems

Saying cyber security will be like regular security shows you may need to learn more about the US and our fight against these attacks

So just to be clear, you are saying there is a bipartisan coalition in DC meeting about Hikvision?

I also voted "not very concerning". Because it is life. I hardly believe any camera manufacturer can guarantee 100% protection against cyber security threats. Probably they are the first who have added this item to a legal disclaimer.

I hardly believe any camera manufacturer can guarantee 100% protection against cyber security threats. Probably Hik is the first who have added this item to a legal disclaimer.

And also, the existence of Flame and Stuxnet cyber weapons and revelations of Edward Snowden about Huawei show that probably China is not the best cyber hacking entity globally.

But I definitely agree that camera installers should care about IP cameras network security.

" hardly believe any camera manufacturer can guarantee 100% protection"

I can agree with the point here, but here we have a SPECIFIC warning that Hikvision will not be responsible. What if they know an exploit exists, and they fail to "fix" it, or at least warn integrators? I would strongly agree with John here; this may be an attempt to hold themselves harmless; but if YOU the integrator fail to warn your customers of the issues, then guess whose head is on the pike now. In effect, HV seems to be throwing you under the bus. Wonder what insurance carriers would say about this. What does Homeland Security say about this?

I trust manufacturers to stand behind their products and I understand that an unknown exploit can occur. But this statement seems to attempt to shirk responsibility for an exploit even if Hikvision themselves created it. And the consequences of an attack vector to your customer's network through a security system that you installed could be substantial... if not an outright threat to national security. (Some of you old guys out there may remember BRK smoke detectors that actually caused fires.)

John, I also have a question for you: what standards or certifications can be brought to bear on this question? Cybersecurity has generated a lot of concern among my customers. Here is an interesting article by CSO that provides 10 things a law firm which I think could apply to any vertical. There are some standards/certifications listed but I have not taken the time to look them up.

So you really believe the following;

1) Hik can hide behind this clause no matter how negligent they are.

2) Without this clause, an integrator has a fair chance at winning a lawsuit against Hik/China gov.

If not, then who cares?

"What if they know an exploit exists, and they fail to "fix" it, or at least warn integrators."

"I trust manufacturers to stand behind their products and I understand that an unknown exploit can occur. But this statement seems to attempt to shirk responsibility for an exploit even if Hikvision themselves created it. And the consequences of an attack vector to your customer's network through a security system that you installed could be substantial... if not an outright threat to national security."

I am not a lawyer but am pretty sure regardless of the disclaimer that if Hik knowingly created or failed to patch a security risk or exploit that they would still be held liable. Lawyers or others with this direct knowledge; please feel free to opine.

As mentioned previously, other manufacturers have written conditions (not nearly as specific as this) that essentially provide the same indemnity. Other cameras have also had egregious firmware holes. Have they addressed theirs? Do you use their cameras in enterprise installations?

I think Hik is just a vendor trying to sell cameras. If you believe Hik's track record prohibits usage in Enterprise, great, speak w/ your dollars and don't use them. You don't like Hik's ownership status, great, don't use them. I read on one of these strings that they are focusing on addressing the issues (which is what any vendor would/should do) but if you want to wait and see, I don't blame you. Hopefully all the other camera vendors (who are also susceptible but aren't being focused on) will do the same.

Agreed, you cannot waive liability; that being said, I could just imagine the legal bills having to fight this company over the matter. I could not afford it. More importantly, this is not just about someone looking into back yards across America. Once an exploit is found, a web crawler can be developed to search the internet for such cameras (just look at Shodan) and once discovered, use the camera as an attack vector into the business enterprise. If an exploit is found it will likely be published. Then what?

"I could just imagine the legal bills having to fight this company over the matter. " --That would be the same w/ suing any vendor. If the damages were enough, some law firm would take it on contingency.

"Once an exploit is found, a web crawler can be developed to search the internet for such cameras (just look at Shodan)..." --That is no different than with any other vendor either, as that video clearly demonstrated.

The point of the IPVM post was to ascertain how concerned readers are that Hik inserted language avoiding responsibility for "abnormal operation" and "damages" from hacking. I think we agreed that they could likely still be found liable in certain situations regardless of this inserted language.

I think the big question is: is Hik going to respond by becoming one of the most secure platforms. Time will tell.

Additionally, I hope that ALL vendors (Black Hat 2013 - Exploiting Network Surveillance Cameras), not just those in the video, take this seriously.

Anyone in the US that is not concerned about security should never let their opinion be known.

Yes, many integrators will sell anything to make the dollars but there are many reputable integrators that care about the security of their customer and safety in the U.S. Yes, they try to make the most dollars they can and will beat a sales person down but that is expected.

Just because you bought a $20 camera for yourself, we all know it was Chinese made, country security must not enter into your head.

Imagine the following: no one being concerned about what others may see from our cameras installed in the U.S. Time comes and there is a war with China. Who has the advantage? China, because they have back doors into our cameras, sure not our US soldiers that could be fighting on their own land with technology turned against them.

No I didn't put a question mark at the end of the previous sentence. Reason, it wasn't a question.

"So lets review your analysis. "

Buy the cheapest (don't buy a can opener), even cheaper, open your cans with your teeth. Then you cut down on 2-3 cleanings each year, no cavities, no fillings, no toothpaste needed, just break out your teeth; your logic says it is cheaper.

As an FYI

Conspiracy Theory:

Do any of you think that the proliferation of sub-$100 IP cameras with virtually no back-end security could be a way for the Communist/Chinese Government to create "backdoors" into their enemies' infrastructures?

It worked for the Trojans....

Good turn of phrase but it actually worked for the Greeks against the Trojans.

One should always be wary of "Geeks bearing gifts".

or Germans bombing Pearl Harbor..

Well, this is pure conspiracy theory, and I'm not accusing anyone... but, if you were the leader of the communist party / government and you wish to have eyes and most important EARS everywhere, especially in USA "the big enemy", what would be the best plan to achieve that?

In my point of view, subsidizing the manufacturing and sale of extremely cheap cameras with "backdoors" so it would be spread everywhere (maybe even inside the government) as a worldwide massive surveillance system would be a very nice way of achieving that...

Your tin foil hat is a little tight... :)

That is why I said it is pure conspiracy theory... although I find it very plausible...

"In my point of view, subsidizing the manufacturing and sale of extremely cheap cameras with "backdoors" so it would be spread everywhere (maybe even inside the government) as a worldwide massive surveillance system would be a very nice way of achieving that..."

Maybe you went a touch too extreme, but it should be a consideration to any true security professional. Clearly we all work in different segments of our business and are exposed to different levels of security, but any reasonable person should know that this is "plausible". Any network device, is susceptible, not just an IP camera, as has been proven repeatedly. Our federal government, has acknowledged the risk with certain laws. Entities, such as DOJ, DOC, NASA, etc. implemented "restrictions on acquiring moderate or high-impact information technology (IT) systems" (includes IP cameras/servers) after some cyber attacks. Their purchases of IT products are scrutinized for any risk of cyber-espionage or sabotage.

As security professionals, our job is to mitigate risk. No network is 100% secure, as some on this thread would indicate. No IT product, regardless of manufacturer, is 100% immune. But injecting a cheap product, with little internal IT protection, a history of multiple hack attacks, and ties to a communist regime, onto a customer's network is irresponsible IMO.

Yeah, we're paranoid, but are we paranoid enough?

Whoever voted "not very concerning" has to be kidding themselves.

I am not sure what the real issue is here. It is every integrator's/reseller's responsibility to ensure that they set up the cameras in the most secure manner possible. As I see it, this means secure passwords & ensuring only authorised access from the network & internet.

I do not see how Hikvision is any different from other vendors in this (I may be missing something). They all need a commonly found default password to be changed to a secure password so that access via password is restricted. They all need access to be subject to security to prevent unauthorised access, whether that be from external or internal sources. This means firewalls, VPNs, secure cloud & potentially a host of other security processes. It does not mean easily guessed/remembered passwords, public cloud & consumer grade routers that regularly are shown to be hackable.

It seems to me that Hikvision is just the first to articulate a policy to try to minimise their risk. They cannot be held responsible for the failure of installers to take steps necessary to minimise the risk of hacking. It is time we all took responsibility for ensuring a secure installation.

If Hikvision deliver firmware that is easily hacked then that is a different matter. But I have not seen anything other than weak default passwords reported as a problem. The majority of hacks generally stem from weak access security or unpatched firmware/applications. A vendor cannot force users to use strong security & to patch equipment.

I suspect other vendors will follow suit.

I would bet that HikVision is not the only camera company to ever have a camera hacked. Sure they are the largest and have had some concerns, which in turn, as any legitimate company, American or Chinese, would, they TOOK IMMEDIATE AND CLEAR ACTION TO RECTIFY. Of course that action was misconstrued to mean they were attempting to cover something up. Unless someone can produce definite, concise, clear evidence that HIKVISION manufactured cameras with the intention of surveying someone or something without permission, this whole line of discussion that HIKVISION has bad intentions is at best 'guesswork' and unwarranted of any manufacturer. Not just them, Fair is Fair.

Ponder this: Perhaps HIKVISION is taking the lead on something that is more widespread than the assumption it is only their cameras with a 'problem'.

News Flash: IP cameras cannot work without a network and Hikvision does not install networks. HikVision does not install cameras on networks. The camera sitting in the box will not transmit anything. So is it not possible they are being prudent, so to speak, by informing camera installers: MAKE SURE YOUR NETWORK IS SECURE, IT'S NOT ON US. There are quite a few (look at your polls) installation companies that do not completely understand networking and the pitfalls. More training is needed and IPVM is an excellent source. I believe that it is a possibility IPVM is wearing blinders and stating it is not a possibility that a 3rd party could 'use' a Hikvision device for means not intended?

Why do many integrators clearly avoid what would be perceived as a 'professional responsibility' by adding clauses to security alarm monitoring contracts that all but come right out and say if it fails to work it's not on them? What is the difference? Does this make HIKVISION a culprit?

There are companies with devious intentions, I do agree, but consistently slamming HIKVISION and ignoring the fact that 99% of IP camera networks never see the internet OR a customer LAN is short-sighted at best.

HIKVISION is ABSOLUTELY NOT to blame for all camera system hacks world-wide.

Perhaps HIKVISION is taking the lead on something

They are absolutely taking the lead in transferring liability from themselves to partners like you.

So is it not possible they are being prudent so to speak by informing camera installers: MAKE SURE YOUR NETWORK IS SECURE ITS NOT ON US

They went farther than that. They, so to speak, are telling you whatever causes a Hikvision camera to be hacked (their error, their malice, your error, your malice, etc.), it is not Hikvision's fault.

They are dependent on phone/cable companies to provide the communications link.

If that fails they have a legitimate out.

ANYONE in the IT space knows their devices are subject to hackers and should be proactive in negating the issues or suffer the consequences with their reputation.

The FTC is coming after the cell phone companies in regard to their "proactive" security updates. Ignoring them will not be an option.

http://www.securitymagazine.com/articles/87043-ul-launches-cybersecurity-assurance-program

"HIKVISION is ABSOLUTELY NOT to blame for all camera system hacks world-wide"

No one is blaming them for all of them, just their own.

Infecting DVRs with Bitcoin-mining malware even easier than you suspected

"Even when users move to manually change the passcode, the on-screen keyboard by default is set up to enter only numbers. Given the growing susceptibility of these devices to real-world attacks, DVR designers would do well to make it as easy as possible for owners to choose strong passwords as soon as possible after the devices are unpacked."

This is outdated information. Almost two years old, the latest firmware has a full keyboard and forces an 8-16 character password with upper and lower case, numbers...etc.

3, I believe the point 5 is making is that manufacturers, including Hikvision, can and have been at fault for cyber security risks.

If another issue like that happened in the future (and it can happen to anyone), Hikvision has taken the uncommon manufacturer position of rejecting any responsibility.

How many DVRs do you think can send data without a NETWORK?

There are folks that believe guns cause crime as well. They do, BUT nothing happens until a human fires the gun. So it is the gun's fault?

Fords and Chevys cause deaths every year on the highways; which one should we run out of town, the car or the road? What about educating the driver?

What about educating the 'professionals' that install the systems so we can avoid some of the issues related to bitcoin mining and so forth? Malware, hackers and corrupt software are not going away, period.

WE NEED MORE EDUCATION IN OUR INDUSTRY AND MORE INDIVIDUALS THAT UNDERSTAND NETWORKING AND CYBER SECURITY. NO MATTER IF HIKVISION CLOSED TOMORROW, THERE WILL STILL BE NVRS HACKED ON POORLY DESIGNED NETWORKS.

I am allowed a dissenting opinion thanks to John Honovich being the professional he is, offering this wonderful site, but quite honestly I believe HIKVISION is being unfairly lambasted TOO OFTEN and all other companies are completely overlooked.

Marty,

Hikvision brought this issue on themselves by adding that disclaimer, especially after their track record. We checked with a number of other prominent video surveillance manufacturers and did not find anything like this. There might be some other video surveillance manufacturer with a similar "NOT TAKE ANY RESPONSIBILITES" clause but it is pretty clearly uncommon.

If there are other video surveillance manufacturers that have this cyber security non-responsibility clause, we will be happy to add them.

It's true, Marty, Hikvision is not the only camera/NVR manufacturer that has had problems and we've seen that before.

I disagree that Hikvision is being unfairly lambasted. I agree more companies need to be looked at with more scrutiny.

THANK YOU

Just to be clear, as stated in the video above, these exploits were only possible because the cameras exploited were accessible via the internet. If they had been safe behind a firewall, these exploits would not have happened. Shodan cannot scan your private network that is secured by a proper firewall.

...nothing happens until a human fires the gun. So it is the guns fault?

If the gun hangfires because of shoddy workmanship, yes.

That is like saying that a Smart TV or cell phone is secure in the box, and it is up to you once you turn it on and plug it into the cable provider or connect to the wireless provider to secure it, even though the manufacturer or provider left vulnerabilities.

What we are seeing change, is that most cameras and NVRs now do NOT have a default password. They did have known vulnerabilities out of the box.

If the product is not secure upon shipping, there are enterprises that will not deploy.

If the device can be reset by a one time password code, it is NOT secure, and an attacker can figure it out and gain access.

Just because cameras are on a segmented network does not ensure security... If someone gains access to a device and then works their way from the corporate network to the security network via an NVR vulnerability, they now have access to the insecure cameras.

Advertising cameras and systems as plug and play and easy to setup just perpetuates this...

And, you can't say that Hik is taking the lead on this, when they refuse to update their OEM partners who are selling millions of cameras worldwide. It is CYA for them, but who cares about the other percent of their products. I attended one of their cyber security webinars, where they admitted to lapse after lapse, and vulnerability after vulnerability. Then they said how they fixed it after 1-2 days.... However, in the field, or at least in non-China areas, I believe it took months for acknowledgement and firmware updates, if they ever came out...

It's obvious that you dislike Hik. To the point of absurdity. Any given camera can be exploited. That should be your baseline.

If you, mistakenly, assume that a western branded camera is safe and doesn't need to be treated as a vulnerable device, you may find out otherwise. Any single piece of hardware is capable of being exploited.

Now, the good news is that you can isolate these network segments with a layered approach that keeps your vulnerable devices segregated from the rest of your data. With the proper network security and design, these vulnerable devices (all brands) can live their days in quarantine.

It's amazing how easy it is to scare people these days.
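The two points made in the comments above, that a segmented camera VLAN can still be reached by pivoting through an NVR that sits on both networks (the scenario raised a few comments earlier) and that a layered design keeps the cameras quarantined, can be made concrete with a small policy model. This is an added example, not code from IPVM or from any commenter; every subnet, address, host and rule in it is constructed, and the model assumes nothing beyond a default-deny allowlist between the two segments.

```python
"""Toy model of a segmented camera network (added example, constructed data).

Evaluates a default-deny allowlist to show which hosts reach the cameras
directly and which reach them only by pivoting through a dual-homed NVR.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """Allow TCP traffic from the src CIDR to the dst CIDR on the given ports."""
    src: str
    dst: str
    ports: FrozenSet[int]


@dataclass(frozen=True)
class DualHomedHost:
    """A host with one interface on the corporate LAN and one on the camera VLAN."""
    name: str
    lan_ip: str
    camera_ip: str


# Constructed topology: not taken from any real deployment.
CORP_LAN = "10.0.0.0/24"
MGMT_HOST = "10.0.0.10"          # the one workstation allowed to manage the NVR
CAMERA_VLAN = "192.168.100.0/24"
CAMERAS = ["192.168.100.11", "192.168.100.12", "192.168.100.13"]
NVR = DualHomedHost("nvr", lan_ip="10.0.0.50", camera_ip="192.168.100.1")
CAMERA_PORTS = (80, 554)         # HTTP and RTSP, the services the NVR pulls from

# Both policies are default-deny: a flow passes only if some rule matches it.
# WEAK lets every corporate host reach the NVR web UI; LAYERED restricts that
# to the management host, so an ordinary LAN host has no path to a pivot.
WEAK_POLICY = [
    Rule(NVR.camera_ip + "/32", CAMERA_VLAN, frozenset(CAMERA_PORTS)),
    Rule(CORP_LAN, NVR.lan_ip + "/32", frozenset({443})),
]
LAYERED_POLICY = [
    Rule(NVR.camera_ip + "/32", CAMERA_VLAN, frozenset(CAMERA_PORTS)),
    Rule(MGMT_HOST + "/32", NVR.lan_ip + "/32", frozenset({443})),
]


def allowed(src: str, dst: str, port: int, policy: List[Rule]) -> bool:
    """True if some rule in the allowlist matches this src/dst/port flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(r.src)
        and d in ipaddress.ip_network(r.dst)
        and port in r.ports
        for r in policy
    )


def direct_camera_access(src: str, policy: List[Rule]) -> List[str]:
    """Cameras that src can reach on a camera service port without any pivot."""
    return [c for c in CAMERAS if any(allowed(src, c, p, policy) for p in CAMERA_PORTS)]


def pivot_camera_access(src: str, pivots: List[DualHomedHost],
                        policy: List[Rule]) -> List[Tuple[str, List[str]]]:
    """Cameras src could reach if it took over a dual-homed host it may talk to.

    This is the path the discussion describes: corporate LAN -> NVR -> camera
    VLAN. The model only assumes that a host able to open a connection to the
    pivot is positioned to abuse a flaw in it; it does not model any flaw.
    """
    paths = []
    for host in pivots:
        reaches_pivot = any(allowed(src, host.lan_ip, p, policy) for p in (80, 443, 554))
        if reaches_pivot:
            cams = direct_camera_access(host.camera_ip, policy)
            if cams:
                paths.append((host.name, cams))
    return paths


def exposure(src: str, policy: List[Rule]) -> dict:
    """Summarise direct and pivot exposure of the cameras to one source host."""
    return {
        "direct": direct_camera_access(src, policy),
        "via_pivot": pivot_camera_access(src, [NVR], policy),
    }


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("layered", LAYERED_POLICY)):
        print(label, "ordinary LAN host 10.0.0.23:", exposure("10.0.0.23", policy))
        print(label, "management host:", exposure(MGMT_HOST, policy))
```

Under WEAK_POLICY an ordinary workstation has no direct route to any camera, yet the model lists every camera as reachable through the NVR, which is exactly the "segmentation is not a 100% fix" objection. Under LAYERED_POLICY the same workstation cannot even open a connection to the NVR, so the pivot path disappears and only the management host retains it; that is the extra layer the quarantine argument depends on, and it is a policy change, not a product change.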

Jon,

"layered security" is 100% the answer. And segmenting the network is a huge step in that direction. The point that I was trying to make was that saying to use a segmented network was a 100% fix. Just like "not using Hik" is not 100% secure, or "using Hik" is a 100% chance of getting hacked.

And I would agree with you that any western brand or even better, any brand of product of any type on a network can have a vulnerability and get hacked.

So just quick thought if "99% of IP Camera networks never see the internet OR a customer LAN" how is it that the cameras got hacked to begin with?

While I agree with you that it is the integrator's responsibility to ensure that the installations of IP cameras are done following all applicable cyber security practices, I really question your statement "99% of IP Camera networks never see the internet OR a customer LAN". Isn't that sort of connectivity the whole point of IP cameras? Sure, we typically try to build private parallel networks for video, which helps with security. But at some point the video network has to intersect a client's LAN or the internet to be of any value to the end user.

"But at some point the video network has to intersect a clients LAN or the internet to be of any value to the end user."

Video network, or camera network? Because the NVR/VMS, yes, will usually connect to the LAN, but the camera network usually does not, or needs to, if there is an NVR/VMS being the intermediary.

So now Hik is not going to pay anyone anything when they get hacked?

That should save them 0 dollars.

IMO it is all up to the customer's network engineers to protect the camera system; how can Hikvision be responsible for someone else's negligence (including the installing company)? If Hikvision embeds malicious code that streams video back to China without the user's permission and was the cause of a network breach, that would be very concerning. I don't think that has happened yet... I am not concerned about this statement; I think comments like this will become more common. All of my customers sign a contract saying the same thing.

All of my customers sign a contract saying the same thing.

3, please clarify. What does your contract say? That you cannot be held responsible for any hacking of products you installed, even if it is your company's fault or?

Here's one example from our contract. For obvious reasons, I do not want to copy the whole contract on this forum. I have also removed our company name. Before we begin work we have customers sign our contract. When our techs are finished, we have them sign a second agreement showing the work has been completed, the system is working properly, and their network is secure. When we leave a job site, it's in the hands of the customer to make sure the system is secure and working properly. Several of our manufacturers in the fire and intrusion industry have us sign similar agreements. I can't be held responsible for something I am not watching over 24/7. Take a look at the recent lawsuit ADT won against the drug company in Connecticut.

Company and Subscriber agree that Company is not an insurer and no insurance coverage is offered herein. The security equipment and Company's services are designed to reduce certain risks of loss, though Company does not guarantee that no loss will occur. Company is not assuming liability, and, therefore, shall not be liable to Subscriber for any loss, data corruption or inability to retrieve data, network security breaches, personal injury or property damage sustained by Subscriber as a result of intrusion, burglary, theft, hold-up, video surveillance, fire, equipment failure, smoke, or any other cause whatsoever, regardless of whether or not such loss or damage was caused by or contributed to by Company's negligent performance to any degree in furtherance of this agreement, any extra contractual or legal duty, strict products liability, or negligent failure to perform any obligation pursuant to this agreement or any other legal duty. In the event of any loss or injury to any person or property, Subscriber agrees to look exclusively to Subscriber's insurer to recover damages. Subscriber releases Company from any claims for contribution, indemnity or subrogation.

3, informative. Thanks.

First thing worth mentioning: it appears you have a contract and, I assume, that means the subscriber is reviewing and signing off on the document.

In Hikvision's case, this is not a signed contract but a disclaimer. It is one thing for someone to sign a contract, another to have a legal claim slipped into a box.

As for the contract, very interesting, specifically:

Company is not assuming liability... whether or not such loss or damage was caused by or contributed to by Company’s negligent performance

So people sign off accepting full responsibility even if your company was negligent... If people agree to that contract, more power to you.

I have one or two customers each year who won't sign. I dropped a customer last week who had been with us for 25 years who would not re-sign. I explain to everyone who asks, which is almost everyone who signs it, that when our technicians leave, we can't be responsible for what you or your employees do with our system. We have seen employees do some crazy stuff and severely compromise the systems we install. When something goes wrong, the first instinct is to blame us or our technicians. I avoid all of these headaches with this agreement.

That being said, we do our best to ensure our systems are as secure as we can make them and leave the rest up to their IT department.

If system has remote access XYZ Company is not responsible for the security or privacy of any wireless network system or router, and it is the Subscriber’s responsibility to secure access to the system with pass codes and lock outs. XYZ Company shall have no liability for unauthorized access to the system through the internet or other communication networks or data corruption or loss for any reason whatsoever.

Above is a very small portion from our agreements with our customers. We have contacted our lawyers regarding this issue and are waiting to hear their response.

Our lawyer has responded to our inquiry and stated another paragraph as well in our agreements that shows our coverage, "XYZ shall have no responsibility for failure of data transmission, corruption or unauthorized access and shall not monitor or view the camera data." It goes on to state, that "XYZ shall have no liability for access to the system by others."

Keefe, that sounds reasonable to me.

The main differences I see are:

(1) It's a contract, so the counterparty can review and must sign to proceed. With Hikvision here, there is no signed contract.

(2) What Hikvision is doing here is not common for video surveillance manufacturers.

For people who do not care about using Hikvision products with this condition known, that is fine, but it is certainly well worth bringing attention to.

HIK created an APP with malicious code on it requiring Apple to remove it from the APP Store for a few weeks while they recompiled it on legitimate source code. Would that suffice? Did you tell your customers to uninstall during that time?

We are the security industry. We should be concerned. While hacking is a cat-and-mouse game, and smart people with enough time and resources will figure out how to hack devices, that does not mean that we should simply accept this. We need to push ourselves to continually improve our products and our installs. Otherwise we are no longer providing value.

I think people trying to defend Hikvision are missing the point.

- Hikvision is the subject of published news articles about back door exploits and malware in the apps and software.

- Product A does not.

When someone takes the time to look, do you think they are just going to say, "Well, the user should have protected themselves better."

You can have all the disclaimers you want that you're not responsible. Ok, so you can't be successfully sued. So what. What is the reputation of the product you are using versus the other products? What is the ownership of the product you are using versus the ownership of Product A.

You can say all day long it's IT's job to secure the network, and it is. But why is IT going to introduce variables when it doesn't have to just to help you make a sale? Why should someone in IT say, "I should use this product even though it may make my challenge securing the network possibly a little more work."

Why should someone in IT say, "I should use this product even though it may make my challenge securing the network possibly a little more work."

Also, IT will say, "Product H has a bad track record and legal disclaimers forcing us to take all responsibility for hacking. Product A (Axis, Avigilon), D (Dahua), etc. does not."

For those who care about cyber security, those will clearly be selling points for non-Hikvision.

Samsung Smart TVs have the built-in ability to allow Samsung to listen to what you say from the privacy of your living room? Many of those same TVs are equipped with cameras. Are they listening/watching...maybe not yet, but Samsung admitted they have the capability...and they admitted to it only after being exposed. The ability for them to listen is enabled from the factory and it's up to the consumer to turn them off. Strong parallels to our situation, in my opinion.

The federal government has acknowledged that trojan horses are a concern and that they've been hacked many times. Anyone who thinks they are better at protecting their customers' network than our intelligence agencies is fooling themselves. Anyone read Section 515 of the Consolidated and Further Continuing Appropriations?

Look at a college campus...part of your tuition gives you access to the WiFi/campus network. Yes, cameras should be on a private VLAN, but it's not that hard. I'm not even sure the colleges know how much their cameras get hacked, but it's a lot. Same goes for a work environment, open access.

At the one I am at, they don't get hacked because I don't use cameras that are easy to hack, and I take precautionary measures to ensure that.

The rule is: if you can get into it, then it can be hacked; you just have to know how.

That's why, unless Hikvision goes through some massive changes, they won't make it at the enterprise level if those places have any kind of IT-related security staff on the books, because they have so many vulnerabilities out of the box, like a bunch of other low-end cameras.

Just for the record,

  1. intentionally creating a backdoor into your own product for your own use
  2. unintentionally creating vulnerabilities and/or not patching known exploits

are two totally different things.

In fact, if I were Hik and I really had put a backdoor in my product, you better believe everyone else would be shut out, and that the product would appear to be as secure as possible to the outside world.

I won't be specifying this to high security or government jobs following this information.

With 100 votes so far, integrators and manufacturers are split, which is good news for Hikvision.

While nearly 90% of manufacturers find this very concerning, just 55% of integrators do.

Wow, scary. This concept that we can just trust the IT department to ensure the network doesn't allow a hack, is flawed. At ISC West, I was told by one of our partners that a Nuclear facility had just installed $100k in Hik. After some education and a few examples of hacking/spoofing, those Hik cameras are now collecting dust, but this was Nuclear Power and they were rolling the dice.

I understand the integrator's concerns but DISAGREE on his conclusions. Again the camera cannot do anything without a network. It is entirely 'possible' again 'possible' that a HIKVISION camera could have been loaded with some sort of devious code. Hell, I do agree AND in my world that is completely UN-acceptable across the board, no question. I just have not seen anyone that has produced a copy of the actual 'code' that is supposedly written into these cameras causing all of the concern. If someone has it, show it, let's take it to HikVision. But until then I aim to be fair and not jump to conclusions. I understand there are no 'second chances' with Nuclear power so I may have made the same conclusion on that one just because of the UN-warranted 'questions' that have been raised.

While nearly 90% of manufacturers find this very concerning, just 55% of integrators do.

I hope that means that you have more trunkslammers subscribed than I would have thought, and not that there are professional installers that think this kind of thing is okey dokey.

"Oh, well, you should have used security best practices, if you get hacked it's your own fault."

WHAT ABOUT ALL THE ZERO DAY EXPLOITS AND BACKDOORS AND TROJANS, YOU IDIOTS. NOT TO MENTION THE FACT THAT, WHILE LOTS OF MANUFACTURERS HAVE BEEN HACKED, NO MANUFACTURER HAS BEEN HACKED AS OFTEN AS HIKVISION, ESPECIALLY IN SUCH A SHORT AMOUNT OF TIME?

Anonymous because we sell a literal ton of Hikvision and it's not my decision what we carry.

The only idiots here, from my perspective, are the uninformed, scared people who lack basic networking skills to secure their systems. It really isn't that hard. You simply only allow the traffic on your network that you desire. All other traffic is dropped.

BTW, your all-caps rant solidifies this point.

"Anyone who thinks they are better at protecting their customers network than our intelligence agencies are fooling themselves"

While I admit that I rely on trusted vendors to deliver secure products, I think we do follow best practices when it comes to securing our systems. Does that mean that there is zero chance of a hacker getting through a firewall? No. But it would be the firewall he breaches, which allows him much more than a simple camera to exploit.

If you can crack a firewall, your target is likely data held in servers or SANs. I highly doubt your goal as a top .001% hacker is to exploit a camera.

While I voted "Moderately", I get both sides. I think some people by nature are drawn to being scared. I do understand that there are risks involved using Hik/Dahua products. They have been proven to be less secure than other leading brands in the past. I have seen both of them make improvements and recently gotten to the point where I think they are likely secure.

That said, if a client has a concern about the security of their network, we are glad to create a completely separate network for the camera system. If they have a decent firewall, we can restrict all traffic in and out of that segregated network.

It doesn't HAVE to be a risk. The risk can be, and should be, mitigated.

I do understand that there are risks involved using Hik/Dahua products.

Let's be fair to Dahua here. Dahua has a better track record than Hikvision for cyber security. And Dahua does not appear to have any legal disclaimer rejecting responsibility for cyber security risks, like Hikvision does.

if a client has a concern about the security of their network, we are glad to create a completely separate network for the camera system.

Many enterprise customers are not going to accept that. Convergence was certainly overhyped but there are lots of large scale users who deploy fully converged networks and are not going to go back to dedicated application networks simply because a camera manufacturer cannot take responsibility for their own cyber security.

With larger clients, this can be done even easier. They surely have better switches and firewalls that can accommodate a secure VLAN.

Although it took Dahua a few years to update the firmware to allow changing the ONVIF admin password from admin/admin. However, I believe authentication for ONVIF is still off by default and the ONVIF user name and password doesn't follow the admin account credentials. The only way to change the ONVIF password is through the Onvif profile manager. This isn't really a WAN issue necessarily but most users aren't going to know this and someone on their private network could easily use any VMS and access cameras or use the profile manager to change all settings. Plus, Dahua used to have all three accounts present that you couldn't delete.

The only thing I haven't checked on the latest Dahua firmware is if they still left the hard-coded SSH credentials in place that allow quite a few commands to be executed.

Hikvision Onvif credentials do follow the admin credentials. In general Dahua's security flaws aren't as wide open as Hik's, but they aren't necessarily secure by default.

How are you going to provide remote viewing to your customers on this private network? Your customer sitting in the comfort of their office, or remoting in from home are going to be on the main network to be able to view video, right? The IT department is going to bend over backwards for their boss to have this access and make this private network vulnerable.

Simple. The VMS server doesn't need the same level of restrictions as the cameras. Unless you are suggesting viewing the cameras directly for some reason.

Roughly 90% of the VMSs on the market run on top of Windows. Windows is the most hacked platform in the world. But the VMS doesn't need the same restrictions? Maybe you're the smartest IT guy out there and do it right all the time, but it's the guys that don't get it right all the time that I see every day.

If you leave your VMS server open to the world to exploit, it is your fault alone. Can a Windows Server be exploited through a single port? With the VMS we use (DW Spectrum), we only need a single port open for remote viewing (7001). If that is the only port open through my firewall, and all other packets get dropped, how are you going to hack my server?

If that is the only port open through my firewall, and all other packets get dropped, how are you going to hack my server?

Buffer overflow, SQL injection?

Please elaborate on "buffer overflow". We don't use an external SQL server either.

Buffer overflows don't affect just SQL. They affect almost any general program if not written correctly or secured.

And there are buffer overflow issues with DW Spectrum?

Who wrote the firmware?

Buffer overflows are normally the result of some C programmer copying some text string from one memory location to another. Since C does not enforce any boundary checking, if a text string that is larger than its destination is copied, without seeing if it will fit first, some part of memory, possibly containing executable code, will be overwritten with arbitrary data.

If this code can be executed the system can be compromised.

As a simple example, if you access a system using a URL that has 1000 characters tacked on to the end, the program may just blithely copy the overhang of your oversized URL (with embedded malicious code) to an executable area in memory.
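The copy defect described in the post above, as an added example in C (not code from the thread or from any VMS or camera product): a request handler that copies a URL path into a fixed-size buffer, first with the unchecked strcpy() pattern and then with a length check that rejects input that would not fit. The 64-byte limit, the function names and the constructed 1000-character path are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the thread's or any product's code. Assumed limit
 * for a request path; anything longer is treated as an attack. */
#define PATH_MAX_LEN 64

/* VULNERABLE (kept only for comparison): strcpy() has no idea how big
 * 'path' is. A URL path longer than PATH_MAX_LEN bytes keeps writing
 * past the array into whatever follows it on the stack. This function
 * is never called with untrusted or oversized input in this example. */
static void handle_request_unsafe(const char *url_path)
{
    char path[PATH_MAX_LEN];
    strcpy(path, url_path);          /* no check that url_path fits */
    printf("unsafe handler got: %s\n", path);
}

/* Length of 's' but never scanning more than 'max' bytes, so an
 * unterminated input cannot make us read past the end either. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* HARDENED: measure first, reject anything that does not fit together
 * with its NUL terminator, then copy with an explicit bound.
 * Returns 0 on success, -1 if the request was rejected (out untouched). */
int handle_request_safe(const char *url_path, char *out, size_t out_len)
{
    size_t n = bounded_len(url_path, out_len);
    if (n >= out_len)
        return -1;                   /* would overflow: drop the request */
    memcpy(out, url_path, n);
    out[n] = '\0';
    return 0;
}

/* Constructed oversized request path: '/' followed by len-1 'A's. */
char *make_long_path(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL || len == 0)
        return NULL;
    p[0] = '/';
    memset(p + 1, 'A', len - 1);
    p[len] = '\0';
    return p;
}

int main(void)
{
    char buf[PATH_MAX_LEN];

    /* A normal request fits and is accepted. */
    if (handle_request_safe("/index.html", buf, sizeof buf) == 0)
        printf("accepted: %s\n", buf);

    /* The 1000-character URL from the discussion is rejected, nothing written. */
    char *big = make_long_path(1000);
    if (big != NULL && handle_request_safe(big, buf, sizeof buf) != 0)
        printf("rejected oversized path (%zu bytes)\n", strlen(big));
    free(big);

    handle_request_unsafe("/ok");    /* only safe because the input is short */
    return 0;
}
```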

That was a great reply. Kudos.

Since you bring up DW Spectrum, when we tried DW several years ago, we kept having problems with our demo unit slowing down. And then we started getting warnings from our ISP that we were a source of denial of service attacks and needed to resolve it soon or be cut off from service.

We had a direct port forward of just the ports DW Spectrum uses to the demo server. What we found out is we kept getting thousands of TCP connection attempts to one of the 7000-range ports DW used. We'd take the system offline for a few days and put it back up, we changed the WAN IP, but the next day the thousands of connections were back. All passwords were changed from default to strong passwords.

We reported it and DW took note, but they never replied back with what the problem was.

Point is, don't assume because it's not Windows ports but the VMS specific software ports you are exposing, that they can't be exploited in some way.

Which version of Spectrum were you demoing?

Jon, I don't remember the exact one, sorry, wish I did. It was a couple of years ago, so maybe somewhere in the low to mid 1.0 series.

Saying "Just secure your network! It's your fault if you get hacked." is silly and it's not the final word in this argument.

Yes, secure your network. Absolutely.

But given the option in cameras between one manufacturer who has historically been subject to multiple high profile hacks, and multiple others who have not, it's silly to pretend that the choice is the same.

Given the choice between a manufacturer who forces a NO LIABILITY clause on you and others who do not, do not pretend the choice is the same.

Everyone makes mistakes, sure, and other manufacturers have no password or leave SSH or Telnet or FTP or a billion other ports open, sure. And I'm sure there are vulnerabilities in other cameras yet to be found.

But Hikvision has not always appeared to be the most concerned or proactive or even apologetic company in this. They had two high profile incidents, and even still, barely a year later (if that), released an app with a trojan in it simply because someone couldn't be bothered to download an official repository. So we are to believe all of these issues have changed now because they release a firmware update that closes some ports and requires strong passwords? That's really poor risk management.

So would you trust (leave your guard down) a western product? That's my point. You should be doing this ANYWAYS. If you have your network secured, it shouldn't matter which camera I buy.

Now, which VMS, apps, etc., that is a different thing entirely. What software you install at the edge of your network is of much greater importance. If you have a thick client installed on a PC with Internet access, and that client software is exploited, you could (potentially) be looking at a much greater risk.

Overall, the risk of a camera being the biggest source of vulnerability in your system is just shortsighted. Should you be aware of that risk, absolutely. Should it preclude you from buying it and shaming the rest of the world for installing them, absolutely not (imho).

Your real vulnerability is at the core of your network; routers, switches, firewalls. If they can be compromised, you are in real trouble. Those are your layers of insulation from exploits.

So would you trust (leave your guard down) a western product? That's my point. You should be doing this ANYWAYS. If you have your network secured, it shouldn't matter which camera I buy.

No, that's why I said "Yes, secure your network. Absolutely."

And it does matter which you buy. One manufacturer stands out as having a history of poor security. Others do not. Therefore, said manufacturer is riskier.

Keep in mind that less than a year ago Hikvision released malicious code in a mobile app because a developer was too lazy to download it from an official repository. Less than a year after their last high profile incident. Which was less than a year after the infamous Bitcoin miners.

Now, which VMS, apps, etc., that is a different thing entirely. What software you install at the edge of your network is of much greater importance. If you have a thick client installed on a PC with Internet access, and that client software is exploited, you could (potentially) be looking at a much greater risk.

Exactly my point. The disclaimer we're talking about is in the QSG for iVMS-4200, as well. So to your point, given Hikvision's history (above), their software is clearly much riskier, as well.

Overall, the risk of a camera being the biggest source of vulnerability in your system is just shortsighted.

That's a straw man argument. I never said it was the biggest source of vulnerability.

I'm not even trying to dissuade people from buying or selling Hikvision. I have nothing at stake here. I'm simply saying that claiming that all things are equal because the network should be secure is untrue.

I'm struggling with this. Build the biggest, baddest network you can...absolutely, always. But then introduce an IT product (camera) that has a history of being compromised and then drop it behind all the firewalls...and you don't see an issue with this?

I can appreciate that you, as a Hik dealer, have their back. What I think is odd is that you seem to be out there all on your own, without a single Hik employee having your back. Either none of them have an IPVM membership...or they know it's a losing battle.

What I think is odd is that you seem to be out there all on your own, without a single Hik employee having your back.

In fairness, Hikvision employees have been ordered not to comment, and not simply on this topic but anything about Hikvision on IPVM.

I'm sure you wouldn't know this, but any firewall worth owning doesn't have a secure side and an insecure side. It will restrict or allow all traffic, no matter if it's local or not.

I fully understand a firewall. What I can't understand is your negligent behavior. The Korean government breach, BP's Pipeline Blast were accomplished through an IP camera. Target's credit card breach an IP cash register. But I'm sure that your firewall is better than Target's and the thousands of IT people they employ and your firewall would have prevented their attack. This negligence is a great example of why integrators will be held responsible for the entire install. You install product with a known issue, you should suffer the consequences, not the end user.

You say you understand a firewall, but then forget its abilities. A true enterprise firewall will restrict or allow any single packet of data. If you don't want any data to be received by, or sent to, the camera, you can restrict that on a camera-by-camera basis. So if there were exploits in Korea, BP, etc., it was due to unrestricted access. If their networks had tighter restrictions, these exploits could not have happened. Period.

The Target deal wasn't a camera. It was a POS device used to authenticate credit card transactions. A part of this process is to collect all the credit card info and pass this info over the web to a gateway. All the hackers did was also have that same data sent to another web server for their own collection. Had Target restricted the outbound traffic ONLY to their own known gateway, the hackers would have never received that data.

Lesson here is that these hacks and exploits are only possible when your network allows them, which is the default in most cases. You have to be vigilant in securing your systems and networks. This takes time, skill, and planning. And then you should pay a white hat hacking group to test, if you feel that is necessary.

So, if you aren't securing your or your clients' networks to this degree, regardless of manufacturers, it is not me being negligent, it's YOU.

Jon, I think reasonable people will agree that the user needs to be responsible. It's unfair to think products somehow need to be cyber 'proof' and the user does nothing.

On the other hand, mistakes can happen anywhere - on the manufacturer and on the end user side.

By adding products that have a poor track record, you increase the chance that something bad happens if you make a mistake.

To that end, you seem to be espousing a position that a device could be filled with malware but that it would be just fine as long as the user does things correctly (i.e., your quote: "these vulnerable devices (all brands) can live their days in quarantine").

The reality, though, is that most large end users are not going to take the risk of putting known vulnerable devices on their network. It would be imprudent to think that one has eliminated / knows every threat that could appear in the future that could magnify the impact of a known vulnerable device. And an IT manager, who after an attack, said, "Yeah, I knew this device was vulnerable before we deployed it but I thought I had quarantined it" would justifiably be fired.

I agree that if I knew the camera had an active, unpatched exploit that was going to risk my client, I would pass on that product until it was addressed. Also, I acknowledge that Hik and Dahua have had a very shady past and are deserving of scrutiny.

My larger point, and maybe my defense of Hik & Dahua has clouded this, is that ANY device COULD have a vulnerability. We don't know for sure that Axis, Bosch, Panasonic, etc. are clean as well. I am not aware of any exploits, but it's not my interest to find them. It's much more likely that they are cleaner than Hik & Dahua, mostly due to the fact that exploits haven't been found so far. They have clean track records so far. But so did Hik & Dahua before they didn't.

I just feel that some people here feel like if they use a premium brand, then they can ignore proper network security because they haven't yet been compromised. I think you should secure your networks regardless. Then your butt is covered either way. And, you should find out quickly if and when that rogue device tries to call home and has its packets dropped by the firewall. If you don't have your network locked down, you would likely never know.

My larger point, and maybe my defense of Hik & Dahua has clouded this, is that ANY device COULD have a vulnerability.

Any device could have a vulnerability, obviously.

But people reasonably make decisions based on historical track records and positions of suppliers (e.g., this legal disclaimer).

If you disagree, that's your prerogative but it's a pretty basic business point that most people follow.

I am curious where you get exact information on how many times one IP Camera has allegedly been hacked over another? What database are these supposed 'hacks' on HikVision products reported to?

Please report your results so they can be examined and scrutinized in public.

Are you saying all hacks or attempted hacks due to 'possible' security issues are reported to IPVM directly?

Please send me the address so I can update my file......

I am curious where you get exact information on how many times one IP Camera has allegedly been hacked over another? What database are these supposed 'hacks' on HikVision products reported to?

Hikvision has a security center page on their website. They list 2 different issues, but if you watch the 2 different archived webinars, they discuss many more.

http://overseas.hikvision.com/us/about_10636.html

Listing of various hacks, etc....

http://bfy.tw/5idK

Can anyone identify when the manufacturer of ANY networked software/product was EVER found liable for damages (in excess of the purchase price), due to hackers exploiting a weakness in their device?

There must be some examples, right?

EVER found liable for damages

You raise a good point. It is likely uncommon for this to happen.

On the other hand, cyber security attacks have gone way up in the last few years, so the risk is increasing.

However, that this is still unlikely to happen makes it even more reason not to add a legal disclaimer like this.

If Hikvision wanted to win people over, they would go the other way. Instead of excluding cyber security, they would make a cyber security guarantee, money back, etc.

This is like warranty term length. Even if you never plan to use a warranty, a longer term is a rational signal of quality. And a cyber security disclaimer is a signal of risk.

Is it possible that their (Hikvision) errors in network security are separate from the disclaimer? Looking at Axis disclaimers in their manual, they make an attempt to hold themselves harmless to a user following anything written in the manual since the manual may have errors in it. You could extend that to mean that the manual could have said open port 80 on your router or turn off your firewall and the user did that based off what the manual said and got hacked. It was a simple error in instruction.

Have you read any liability contracts as a subcontractor written by an attorney? It used to require general liability insurance. Now the attorney is saying they want insurance from the subcontractor to include protection for anything under the sun including hacking and malware. That is relatively new in light of the events with Home Depot and Target; no one wants to be liable even if it ended up being their fault.

I feel that Hikvision could simply be clarifying to the nth degree that they aren't liable as most software packages include disclaimers that claim no responsibility.

I feel that Hikvision needs to increase security and have better process control being as large as they are. I also feel that integrators need to possess more basic knowledge of network security. If you install a Linksys firewall, the firewall is closed from the outside in unless you open ports. However, outbound traffic is generally wide open with no way to restrict. A Sonicwall, pfSense, name your flavor of firewall allows outbound traffic filtering.

This is generally not helpful unless you implement VLANS as port 80 and 443 are needed to be open for general internet use. If the cameras are on their own VLAN, you can restrict outbound traffic through the WAN originating from that VLAN but still allow VLAN to VLAN traffic if needed.

The cheapest way to learn firewalls would probably be by using an old PC and putting an extra Intel NIC card in for your WAN and LAN interfaces. Then run pfSense since it's free software. You can set up VLANs and simply practice restricting rules and learning how to not accidentally write a rule that locks you out where you must reset and start again.

I dove into this with the Sonicwall firewalls probably 4 years ago and learned quite a bit. The easy way for me to learn has always been by doing after researching. It's hard to learn about enterprise equipment without owning any. You can read a lot about CLI too, but without a device that you can configure using CLI, you can't learn how to do it. I am by no means a pro at CLI, but I like devices with it so you can prevent complete lockout most times by keeping a USB to serial device and a console cable. I digress.


IMO anyone who is selling a system should have an indemnification clause in their contract. If you are installing security equipment without it, you are vulnerable. Don't leave yourself vulnerable to a lawsuit. All you have to do is look at all of the major breaches over the last year: Target, Home Depot, Anthem, Yahoo, Gmail, etc. ADT was lucky to win their lawsuit this year. We are a decent sized company with licenses to install fire and security in 13 states. However, we could not survive a trial even if we did win.

If Hikvision was smart, they would set up a dealer program and force dealers to sign an agreement. I have signed agreements like this with several of our vendors and all of our customers sign a similar one.

If these manufacturers commenting on this thread don't have an indemnification clause in their dealer agreement already, they will soon enough.

If these manufacturers commenting on this thread don't have an indemnification clause in their dealer agreement already, they will soon enough.

The opposite is the more rational approach, and I am speaking here just about a clause specific to cyber security, not a general indemnification clause.

Now, Hikvision's no responsibility clause gives every competitor a clear advantage. Why would they surrender this?

If anything, Hikvision would be better off removing the cyber security disclaimer in its entirety and replacing it with just general indemnification.

I'm not sure if anyone has brought this up. If you set up the cameras on a closed network and don't give it any gateway and DNS, you shouldn't have any risk, right?

Common practice for me is to have the cameras on their own subnet. The server with a dual NIC card has one for the clients and one for the cameras. So the only way to the cameras is through the VMS or to statically assign yourself on-site.

Or am I missing something?

While not giving the gateway should keep a camera at bay, it probably isn't foolproof. As for DNS, that is easy for them to embed a global DNS server behind the scenes.

I agree that having a separate subnet or VLAN for the cameras and one server NIC would be a great start, if the client's network allows this. Going further, if it is a VLAN, is having the firewall drop all unneeded packets to and from the cameras.

We are on the same page here and the others (IMHO) are missing it.

If you set up the cameras on a closed network and don't give it any gateway and DNS, you shouldn't have any risk, right?

If we are talking about backdoors, as opposed to bugs, the risk is the same, as a gateway is easily determined just by listening to the network.

That is scary. I'm no network guru, but that goes against my knowledge of how networks work. By listening to the network? Are you talking about having a hidden DHCP mode in the camera?

If you hard-coded the VLAN port on your switches with separate addressing, that will only work internally, with no internet access. Don't you need to give it special routing rules to make it talk to other subnets for it to even get out on the internet?

When it comes to hacking and security, I'm sure there are other things in play that I'm not aware of. I'm not trying to argue, just want to make sure that my security systems are not compromised by a 20 dollar camera.

Lee, DHCP packets are sent as a broadcast, so if any device on the same subnet is using DHCP to get its IP, those broadcasts can be seen by any device. Part of that DHCP response will include the default gateway and, usually, a local DNS server/forwarder.

There may be other ways for the offending host to acquire the default gateway as well. This is just one quick way I imagined it happening.

As far as VLANs go, it is up to you to restrict or allow any inter-VLAN traffic. You can restrict or allow anything you want with a decent firewall. So, even if you did have an exploited device, you could keep it at bay. It may try its best to do some damage, but it would be hard to imagine it getting any of that data out, as long as it didn't in some way compromise the switch or firewall.

By listening to the network?

Possibly the simplest way would just be to listen for the ARP broadcasts, which are not IP packets themselves, but they contain IP addresses and their corresponding MAC addresses.

So when a different device (a legitimate one) in the VLAN needs to talk to the default gateway, it needs the MAC address to do so, so first it broadcasts something like "Who has the MAC address for 192.168.200.1?"

So you'll see lots of those.

If you hard-coded the VLAN port on your switches with separate addressing, that will only work internally, with no internet access. Don't you need to give it special routing rules to make it talk to other subnets for it to even get out on the internet?

If there is a router interface (with no explicit rules against the rogue camera) on the same VLAN it can get out, if not it can't.

I voted "not very concerning" based on my experience with the sheer volume of HIK dealers I have spoken with. I voted for them.

I think the comments are trending a little off target in that the article as I read focuses on the "why" did they add that language rather than "how can an integrator or end user minimize or mitigate the issue."

What made them "just add it in?" Maybe they have learned something while sponsoring "cyber threats" meetings and conferences about the potential liability?

Maybe it's just a clause someone thought to toss in.

I think Hik needs to do the right thing here and automatically update, at no cost to anyone, all Hik cameras running outdated or vulnerable firmware to the latest and greatest version, the next time they "phone home".

Wouldn't that be impossible if you did all the security precautions people are stating?

Lots of devices, includes IP cameras can phone home, even with a firewall in between. That's basically the point of the feature.

Btw, I do recognize that #2 is trying to be funny here but, on a more fundamental level, that is an issue of the whole "just throw up a firewall' approach to security.

A SOHO firewall, yes. A properly configured enterprise firewall would block the phone home calls, every time.

Jon, it's easy to say 'properly configured', add a firewall, set up a malware VLAN, and call it a day. This ignores the realities of dealing with enterprise security and the demands of various users' needs, legacy network equipment, potential mistakes, etc.

Your philosophy is evidently to tolerate known risks because you can throw up foolproof solutions like properly configured firewalls and malware VLANs.

And I am saying that's not how responsible enterprises function. They understand there is pressure from their various users to allow exceptions, that they have to deal with legacy equipment that increases risk, that they do not know every potential flaw or threat that may emerge. And because of that they do not take your reductionistic approach.

I am glad you are sharing it so people can understand the mentality that is out there but it is seriously unrealistic for the enterprise.

I'm sorry to go back and forth here, I don't mean to be combative. But I fully believe what I am saying here.

My experience with firewall rule sets is rule #1 is drop all traffic. You then allow specific traffic as desired. You do this to make sure all unwanted traffic is dropped and has no chance of getting in or out.

I can completely understand that someone who hasn't been involved with the setup of an enterprise firewall wouldn't know these things.

If a firewall is properly built this way, your network should be more secure than average. That said, it would still be foolish to inject a known vulnerable device. My understanding of Hik today is that there are no currently known vulnerabilities. They have all been patched. If that isn't correct, I would like to know.
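As an added illustration of the default-deny ruleset described in the post above (and of why an "enterprise" ruleset blocks a camera's phone-home, as debated a few posts earlier), here is a small policy evaluator. It is example code written for this page, not from the commenter or from IPVM; the VLAN ranges, the NVR address and the sample flows are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for this example (not from the thread): cameras sit on
# their own VLAN, the NVR on a management VLAN, and any other address is treated
# as "the internet".
CAMERA_VLAN = "192.168.200.0/24"
NVR_VLAN = "192.168.10.0/24"
NVR_IP = "192.168.10.5"


@dataclass(frozen=True)
class Flow:
    """A new connection attempt, as a stateful firewall sees its first packet."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src: str                     # CIDR of permitted sources
    dst: str                     # CIDR of permitted destinations
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))


# First match wins. Nothing here lets the camera VLAN reach anything except the
# NVR's time service, so a camera's "phone home" matches no rule and falls
# through to the default drop.
POLICY: List[Rule] = [
    Rule("allow", NVR_VLAN, CAMERA_VLAN, "tcp", 554),        # NVR pulls RTSP video
    Rule("allow", NVR_VLAN, CAMERA_VLAN, "tcp", 80),         # NVR reaches camera web config
    Rule("allow", CAMERA_VLAN, NVR_IP + "/32", "udp", 123),  # cameras sync time from the NVR only
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Verdict for a new flow: the first matching rule's action, otherwise drop."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "drop"  # the post's "rule #1": anything not explicitly allowed is dropped


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> dict:
    """Map each flow to its verdict, to check a ruleset against expected traffic."""
    return {f: evaluate(f, policy) for f in flows}


# Constructed sample traffic. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for an outside cloud service and an outside host.
SAMPLE_FLOWS = [
    Flow(NVR_IP, "192.168.200.20", "tcp", 554),          # NVR to camera RTSP: allow
    Flow("192.168.200.20", "203.0.113.10", "tcp", 443),  # camera phoning home: drop
    Flow("192.168.200.20", NVR_IP, "udp", 123),          # camera NTP to NVR: allow
    Flow("192.168.200.20", "192.168.10.7", "tcp", 445),  # camera into mgmt VLAN: drop
    Flow("198.51.100.9", "192.168.200.20", "tcp", 554),  # internet to camera: drop
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport}: {verdict}")
```

The evaluator models only new connections; a real stateful firewall additionally permits the reply packets of flows it has already allowed.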

My understanding of Hik today is that there are no currently known vulnerabilities.

Jon, no one is saying Hikvision has known current vulnerabilities today. But that is not the point for enterprise security professionals.

The point is (1) track record and (2) the policy of Hikvision.

What you're saying is effectively: "I don't care which products have great track records and which products have poor track records. I don't care what products take responsibilities for issues versus those who put it on me."

Seriously, last question, Jon. Imagine, you are the CISO of a Fortune 500 company or government organization. Would you or would you not put Hikvision cameras on your network?

Probably not, but I'm NOT the CTO of a F/500 Co. They probably could afford to spend more. I don't really know.

All I know is that I have no issues selling or recommending Hik and Dahua. I know the risks and will be sure to mitigate them.

Why do you keep lumping Dahua with Hikvision?

  • Dahua - does not have a no hacking responsibility clause
  • Dahua - much better cyber track record than Hikvision
  • Dahua - not owned by the Chinese government

And, yes, given your typical non-enterprise client base, I get it. They generally do not care about such risks.

Dahua because:

1) They are #2 in the world

2) They have had issues in the past

3) They still have a current exploit

4) They are Chinese too, maybe not gov owned tho

Btw, I do recognize that #2 is trying to be funny here...

Only because trying to be serious didn't work: Should Hikvision Hack Its Own DVR'S?

Somebody take Jon D's spade off him ...before the hole he's digging himself into gets even bigger

...before the hole he's digging himself gets any bigger.

Why bother; he's almost to China now anyway.

So I missed all the fun stuff as most of the email updates went to the spam folder, but to give the pot one more good stir...

There is a huge difference between "you are on your own" and "we want to do everything we can to help you" from a manufacturer standpoint.

Prime example

http://www.businesswire.com/news/home/20150928006452/en/Panasonic-Symantec-Partner-Develop-Industry-Standard-Secure

Encrypted firmware, SSL (that are out now) and a few more things that are coming out later this year show they are at least trying.

When you look at the two side by side from an enterprise or large-scale deployment with connections over the Internet (mobile or otherwise), it speaks volumes in the large-scale markets. The low-cost "pump and dump" kit markets, not so much...

Not to mention they are rolling this out to some of their other low-end cameras as well.

"Malicious software programs, referred to as malware, are wreaking havoc on public and private networks, with more than 375 million such programs occurring in 2015." "317 million new malware variants, with targeted attacks and zero-day threats at an all-time high."

Those statistics add perspective and show that an infected device can easily "wreak havoc" on your customers network.

It looks like this thread has slowed down; I wanted to throw out a few last comments as I have been seriously thinking about this topic for the last year, and we've changed our product offering to address these security concerns in the last three months.

As a business, we survive on cash flow. Many of our SMB customers are in the same position as we are. They need to optimize cash flow. Last week we finished a $20,000 project. Our competitor who was selling Axis cameras and Exacq came in at $36,000. We used Hikvision NVRs and cameras on their small business campus. This customer needed a cost-effective solution that worked to monitor potential workers' compensation problems. They did not have the money to spend on a higher-end solution. They understood the potential issues with installing Hikvision and accepted the risk. Their IT team put a SonicWall in front of each recorder at each building. They are not concerned about cyber security as they feel they have nothing of value to protect on their network. To customers with this attitude, I have no problem selling Hikvision. They sign our agreement and assume the risk. To them, mitigating a potential lawsuit from a fake workers' compensation request is more important than protecting their data. Does this attitude make me a non-professional for installing this equipment? No, we sold the customers what they wanted/could afford and covered ourselves the best we could by securing their network with their IT team and our contract. We installed the system with the same care and professionalism we would at the State Department, DOD or any of the power plants or nuclear facilities we provide service for. With licenses in 13 states, we are far from truck slammers looking to sell cheap cameras.

On the other end of the spectrum, when we have a customer who has PCI compliance at stake, we will not connect the Hikvision cameras to the internet, or we install something else.

There's a huge market that cannot afford Milestone, Axis, Avigilon, etc. They also cannot afford not to have video surveillance. Who am I to deny these small businesses access to surveillance systems? If I sell it to them, I can make sure it's installed properly and cameras are positioned properly.

Would I recommend a high-security facility install Hikvision cameras? No. Would I install Hikvision if they paid me? Yes. In situations where cyber security is critical, we provide multiple quotes. We let the customers know the advantages and disadvantages of each system and let them choose. If they decide to have us install Hikvision, then that is what we will install. Part of our agreement states that we recommended a more advanced security system and the subscriber rejected it. If they contract us to install Hikvision and they want the system on their network, it's up to them to provide that network security. We are not a network security firm and do not advertise ourselves as such.

All of that being said, as a company we have made the decision to reduce our Hikvision offerings and move in a different direction. When we first started selling Hikvision there weren't many alternatives to Hikvision in the US through legitimate distributors. We will continue to sell their cameras, but not their recorders. We will reevaluate this decision as more information comes to us. We need more quality lower-cost offerings like Dahua, Hikvision and Digital Watchdog.

3, well-thought-out analysis. I've reposted it in its own discussion to highlight it: How And When We Sell And Don't Sell Hikvision

"pot meet kettle

China Quietly Targets U.S. Tech Companies in Security Reviews (NYTimes)"

HAHA, that is hilarious. And probably more to suppress competition from the outside. We will not be subjugated by bayonet or bullet, we'll be conquered and lessened on the opiate of cheap products.

I have spent the better part of my life in cyber security and defense security here for the US in DC.

China wants to dominate the US in products made in China, and some of the best ways to do it have been and are:

- Keep US companies from competing in China by 1) over-taxing US companies, laws in place that hurt US companies when these companies enter into China, 2) selling goods into the U.S., even at a loss for years, so it lowers prices here, which kills US companies because they can't compete, thus increasing Chinese products, and China eventually lowers prices or finds ways to make their products cheaper, but the damage has been done. You don't have to take my word on this. Fact is fact but people with limited intelligence will disagree. Why? They are more interested in the dollar or expressing an opinion which has no basis.

China owns and or finances the security companies selling in the U.S.

Look at the leaders in these security companies in China and see where they are in the Communist Party. Many are high-level leaders.

If one of these Chinese companies continues losing money, they support them by offsetting these monies until they turn a profit if sales increase.

In regards to where and when is a good time to sell Chinese products like cameras or access control, THERE ARE NO GOOD TIMES. There are solutions almost as inexpensive as Hikvision or Dahua (integrators that say they can't find these just aren't looking, but are trying to sound like they have tried). More manure than what is in a cow pasture.

China wants to cripple our manufacturers and increase their revenue and we allow it.

Last time I will write my 2 cents on this matter.

Fact is fact but people with limited intelligence will disagree.

There's a conversation killer if ever there was one!

Agree with that sentiment.

Directly stating that anyone with an opposing view is dumber than you are does not help to support your position.

Worse, these types of statements tacked on to the end of rants tend to diminish any validity that the content of the rant may possess - especially if the reader thinks of themselves as not dumb.

It is bad form, imo.

What is the purpose for doing this? What is the OP seeking? This?:

"Directly stating that anyone with an opposing view is dumber than you are does not help to support your position."

It's sometimes wrong, but it's sometimes right.

"It's sometimes wrong, but it's sometimes right."

goes without saying... :)

A good debater (imo) can make people with opposing views look dumber than they are - which then eliminates the need to state the obvious.

So we shouldn't buy anything made in China?

Look at the leaders of these security companies in China and see where they are in the Communist Party. Many are high-level leaders.

Name two

HIK is here and going to stay here

http://overseas.hikvision.com/us/Press-Release-details_10648_i7601.html

Disclaimer or no disclaimer, it is unlikely that any security camera maker will be paying anyone for consequential damages if their product gets hacked.

The camera comes with a lock. Locks can be picked. Everyone knows this.

Does anyone know if any 'bump key' lock manufacturers were successfully sued?

Why not?

Agree. Would need to prove gross negligence or deliberate intent with quantifiable damages... which is why, in a way the language is really a moot point. Bad timing on their part now yielding bad press.

You might be familiar with Ken Kirschenbaum; he is a lawyer who sells contracts to the security industry. Almost every day he sends out emails with legal advice. Someone recently asked him about this statement from Hikvision. Here was his response.

The Standard Form Agreements [Residential All in One, Commercial All in One and the stand alone CCTV agreements] all have sufficient disclaimer regarding the possibility of hacking into the alarm, security or camera systems. If you don't have the All in One agreements with copyright 2014 or later then UPDATE TODAY!

Hacking is only one issue that you need to be concerned with; there are plenty others and they are addressed in the All in One Agreements.

Axis acknowledges that standardized network protocols and services may have weaknesses which may be exploited for attacks. While Axis cannot take responsibility for these services, we are dedicated to providing recommendations on how to reduce and eliminate risks relating to your Axis devices. Axis Vulnerability Policy

So much for those "Western" brands being more accountable than Hik lol

2, thanks for sharing, but unfair to only highlight that one phrase.

Specifically, what services is Axis not taking 'responsibility'?

standardized network protocols and services

So things like TCP, UDP, RTSP, NTP, etc. So Axis is saying if a vulnerability is found in RTSP, they are not responsible for it.

That's pretty limited and less of a risk, compared to all the application software developed on an IP camera (whether Axis, Hikvision or anyone else).

By contrast, here is Hikvision's far broader non responsibility waiver:

HIKVISION SHALL NOT TAKE ANY RESPONSIBILITES FOR ABNORMAL OPERATION, PRIVACY LEAKAGE OR OTHER DAMAGES RESULTING FROM CYBER ATTACK, HACKER ATTACK, VIRUS INSPECTION, OR OTHER INTERNET SECURITY RISKS

So things like TCP, UDP, RTSP, NTP, etc. So Axis is saying if a vulnerability is found in RTSP, they are not responsible for it.

No, IMHO, they mean in the implementation of the protocol, like busybox or ssh, or whatever library they use or modify.

And that is exactly where an attack is likely to come from, because they are widely shared, therefore they make productive use of a hackers time.

Heartbleed (which did not affect Axis), wasn't a vulnerability in the TLS protocol, it was a defect in OpenSSL.

A library, that many used, and some did not.

IMHO, that is what they are talking about.

they mean in the implementation of the protocol

Well they said:

Axis acknowledges that standardized network protocols and services may have weaknesses which may be exploited for attacks

You are welcome to your interpretation but

It says nothing about their implementation, you have inserted that.

I can't stop you from inserting a whole other thing, but it is reasonable to conclude (1) not saying that explicitly would make it hard for Axis to later claim that and (2) the onus is on you to explain your inserted / expanded claim.

It says nothing about their implementation, you have inserted that.

Yes, I have. This is my value add. :)

To expand, I think they are being intentionally vague to give the impression that an attack against 'standardized' network protocols is akin to an act of God, and is therefore not their responsibility. But they choose how to implement those protocols. Most often people choose 'standardized protocol libraries', and don't write their own code.

Again, Heartbleed is a perfect example of a standardized protocol library bug. The Hikvision example below is the same.

Another reason why is because the statement makes no sense if they really mean abstract protocols. When is the last time that a vulnerability in TCP or RTSP or UDP as an abstract protocol was discovered? One that was significant enough to do anything about?

That would mean everyone would have to change their code.

So, IMHO, either Axis is talking about implementation or it's talking about something that is a non-issue.

Can we ask them if they mean just 'abstract protocols'? Like a logical error in the RFC, I guess.

To wit, the 2013 infamous Hik Hack was described thusly:

A vulnerability in the Real Time Streaming Protocol (RTSP) request parsing code of Hikvision DVR devices running firmware 2.2.10 build 131009, and possibly other versions, could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Yet, this was not a flaw in RTSP per se, just in the library used by Hik.

Are you aware of any unknown vulnerabilities being discovered in TCP, UDP, RTSP, NTP at the abstract protocol level?

The closest thing I can think of would be hash collisions in md5 encryption or something like that.
