Hikvision Discontinuing Online Service

Author: John Honovich, Published on Dec 12, 2016

Hikvision has declared it will discontinue its Hikvision online service, just days after IPVM's Hikvision Cloud Security Vulnerability Uncovered report. The abrupt move, including blocking logins in a few weeks, is troubling many dealers amidst ongoing security problems with the service.

Determined To Discontinue

Hikvision posted a 'notice' to users logging into the service declaring "all of our customers using the HiDDNS service need to migrate" and that in less than 3 weeks (Dec 30th), logins to the system will be blocked. Notice is copied below:

This has caused notable concern and confusion among Hikvision dealers.

  • No official email or announcement has been made, only the pop up notice when logging in to the system.
  • The announcement is from China / HQ and suffers from various grammatical errors making it hard to read, e.g., "As the use base continues to grow, a new platform with enhanced supporting capacity is extremely expected. To meet this certain needs..."
  • This service is important to many Hikvision dealers for facilitating remote access. The rapid 'login block' raises operational problems.

UPDATE Hikvision USA Announcement

4 days after Hikvision HQ posted their notice, Hikvision USA has released theirs. It differs in a number of material ways:

  • Hikvision USA emphasizes this as a migration in the title and opening, however the transition between the systems is completely manual, with no tools or automation to facilitate the process.
  • Also, Hikvision USA acknowledges that the "fully featured Hik-Connect platform" is not ready now and is scheduled for Q1 2017.
  • The 'login block' declaration from Hikvision HQ has been removed from Hikvision USA so it is not clear which is correct. However, Hikvision USA did emphasize that starting Dec 30th, access to Device Status and Device Management will be disabled.
  • For security, Hikvision USA indirectly acknowledged the issues with Hik-online.com, emphasizing that with the other system "Hik-Connect on AWS [they] leverage their best practices to enhance our security."

UPDATE Hikvision Corporate Change

~6 days after the initial announcement from Hikvision corporate, Hikvision has modified the 'notice' (copied above) to remove the 'login block' assertion. That has been replaced with the same language from Hikvision USA's release about blocking "access the Device Status tab or the Device Management tab." The various grammatical problems have not been corrected.

Security Problems

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Hik-online.com has suffered from a number of security problems. The largest, which Hikvision has never publicly acknowledged, is a vulnerability that allowed an "attacker to remotely take over the server." That vulnerability, according to the researcher who discovered it, has been resolved.

However, a number of other vulnerabilities continue to exist. For example, the service does not use HTTPS at all, not for logging nor when logged in to one's account as shown below:

Not using HTTPS for such a service violates basic information security principles.

Moreover, Hik-online.com has a vulnerability that allows obtaining a list of all devices / IP addresses connected, including every new device added. Requests to http://www.hik-online.com/{number} are redirected to the IP address of the device, without any authentication needed. All an attacker needs to do is run a script that increments through the numbers, gathering the IP addresses connected. The gif below shows how Hik-online.com redirects from the number entered to IP addresses:

This provides a master list of probably hundreds of thousands of Hikvision devices that are publicly available on the Internet. From the testing we performed, ~3% of numbers scanned returned available Hikvision IP addresses, many of which were high numbered ports so even if dealers thought this would help obscure the devices from scanning, Hikvision's vulnerability undermines that.

Now Hikvision Wants Internal Network Access

As a replacement for this, Hikvision recommends Hik-connect (see: Hikvision Cloud Service (Ezviz / HikConnect) Tested). This service no longer needs the IP address of the Hikvision device to be made public (through port forwarding, etc.). Not making the device public is good.

However, now Hikvision will use a tunnel inside of one's internal network, through one's firewall. This will require trust that Hikvision has no security vulnerabilities in this service (a challenge given the many vulnerabilities in the current one) and that Hikvision itself will not misuse it.

"Phoning Home to China"

An increasing criticism is that Hikvision cameras are 'phoning home to China'. What is technically happening is that many new Hikvision cameras are being defaulted to automatically, and without user confirmation, phone home to Hik-connect (see Hikvision 'Phone Home' Raises Security Fears). At least for North America Hikvision devices, they are auto programmed to phone home to Amazon Web Services (AWS), though given this is the Internet, once access is established via AWS, it can be accessed from anywhere - China, Chile, Cameroon, etc.

This auto home phone 'feature' is extremely uncommon within video surveillance and none of Hikvision's major competitors (e.g., Avigilon, Axis, Bosch, Dahua, Samsung/Hanwha, Panasonic, etc., etc.) do this. Indeed, 95% of respondents say they prefer not to have any phone home feature automatically enabled (345 respondents).

Now, however, phoning home to their service is Hikvision's recommended migration path.

2016 Hikvision Challenges

Hikvision has grown phenomenally overseas in the past few years.

2015 had their first major challenge as a series of security issues, including a Hikvision engineer copying malware from an online forum into their production mobile app, shook the company.

2016's main challenge, by contrast, was people learning that Hikvision is a China state-owned company, and then having Genetec expel them, followed by a US Embassy removing Hikvision.

Now, Hikvision ends 2016 with a major challenge with its online / cloud service. The company still has immense resources from its China domestic projects plus $6 billion in recent China government funding committed. However, these continued security problems plus the China government control concerns combine for Hikvision's greatest challenge yet.

14 reports cite this report:

Hikvision Critical Cloud Vulnerability Disclosed on Apr 25, 2018
Security researchers Vangelis Stykas and George Lavdanis discovered a vulnerability in Hikvision's HikConnect cloud service that: just by...
Remote Network Access for Video Surveillance Guide on Feb 21, 2018
Remotely accessing surveillance systems is key in 2018, with more and more users relying on mobile apps as their main way of operating the system....
Hikvision Hardening Guide Recommends Port Forwarding on Jun 09, 2017
Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below: In this note, we...
Hikvision Backdoor Confirmed on May 08, 2017
The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory for...
Q1 2017 Video Surveillance Market Review on Mar 30, 2017
These are the most notable moves and events for January - March 2017 in the video surveillance market. Cybersecurity Rising Cybersecurity, once...
DDNS vs P2P vs VPN Usage Statistics on Mar 30, 2017
Cyber security concerns are escalating, even in the video surveillance industry which has historically lagged in its attention here. A key...
Hikvision OEM DDNS Devices To 'Lose Remote Access' on Feb 17, 2017
The fallout of Hikvision's DDNS discontinuation is expanding, this time hitting OEM partner Supercircuits, who reports that on June 30th: The...
Hikvision Barred From US City Housing Authority Bid on Feb 14, 2017
A US city's housing authority has barred Hikvision products from their bid, due to 'increasing security concerns.' In the past few...
Hikvision Most Polarizing Favorability Results on Jan 05, 2017
Pro or con, integrators have an opinion on Hikvision. Hikvision scored, by far, the lowest neutral levels on IPVM's favorability results,...
Suffering Criticism, Hikvision Keeps Insecure Online Service Up [Now Down] on Jan 03, 2017
Hikvision suffered severe criticisms for its abrupt plan to discontinue its Hikvision Online service, with 3 core functions to be removed on Dec...
Hikvision Sales and Support Conflict Over Discontinuation on Dec 28, 2016
Numerous Hikvision technical support employees have confirmed that the iVMS-4500 will be discontinued. Some Hikvision sales people say this is...
12 Video Surveillance Poll Results 2016 on Dec 28, 2016
IPVM has conducted more than 100 polls this year. Here are a selection of 12 of the most interesting results, receiving 4,500+ votes: Hikvision vs...
Hikvision iVMS-4500 Discontinued In Days [Says Support, Corporate Says No] on Dec 24, 2016
Hikvision's iVMS-4500 application will be discontinued in days, on December 30th, confirmed by multiple Hikvision technical support...
Hikvision Discontinued 'Migration' To Hik-Connect Tested on Dec 16, 2016
In 2 weeks, Hikvision's online service web portal will be discontinued. Hikvision has now framed it as a 'migration', though the transition will be...
Comments (38) : PRO Members only. Login. or Join.

Related Reports

Ban of Dahua and Hikvision Is Now US Gov Law on Aug 13, 2018
The US President has signed the 2019 NDAA into law, banning the use of Dahua and Hikvision (and their OEMs) for the US government, for US...
Dahua Ban Response: NOT Chinese Government Owned on Aug 08, 2018
Dahua has responded to the US Congress passing a US government ban on Dahua and Hikvision's products. While Dahua offered the now standard...
US Government Puts Export Control On Hikvision's Chinese Government Parent on Aug 07, 2018
Chinese media and the Chinese stock market have not only been concerned about the NDAA bill banning Hikvision for US government use. Additionally,...
Hikvision Admits Ban To Become Law on Aug 03, 2018
Hikvision has admitted they expect the US government ban to become law as soon as this month. In a new 'Special Bulletin' to dealers, Hikvision...
US Congress Passes Bill Banning Dahua and Hikvision on Aug 02, 2018
The bill banning US government use of Dahua and Hikvision products has been passed by both chambers of Congress (House vote, Senate vote). The US...
Hikvision NA President Jeffrey He 'Promoted' / Removed on Aug 01, 2018
With an impending US government ban of their products, financial struggles and increasing scrutiny of Hikvision human rights abuse, Hikvision has...
US Congressional Hearing on China Human Rights Crisis Calls Out Dahua and Hikvision on Jul 31, 2018
The US Congress had a hearing titled "Surveillance, Suppression, and Mass Detention: Xinjiang’s Human Rights Crisis" in which Dahua and Hikvision...
Sony Gen 5 IP Cameras Critical Vulnerabilities on Jul 26, 2018
Cybersecurity vulnerabilities remain prevalent in video surveillance devices. Now Talos researchers have discovered multiple vulnerabilities in...
Hikvision Strong Domestically, International Business Struggles on Jul 25, 2018
Hikvision's H1 2018 results are out. Overall revenue growth has sharply dropped, with the company acknowledging their "facing geopolitical...
Hikvision Wins Chinese Government Forced Facial Recognition Project Across 967 Mosques on Jul 16, 2018
Hikvision has won a Chinese government tender which requires that facial recognition cameras be set up at the entrance of every single mosque...

Most Recent Industry Reports

SimpliSafe Violating California, Florida, and Texas Licensing Laws on Aug 14, 2018
IPVM has verified that DIY security system provider SimpliSafe, founded in 2006 and acquired in June of 2018 at a billion dollar valuation, is...
Cut Milestone Licensing Costs 80% By Using Hikvision and Dahua NVRs (Tested) on Aug 13, 2018
Enterprise VMS licensing can be quite expensive, with $200 or more per channel common, meaning a 100 camera system can cost $20,000 in VMS...
Nortek Sues SDS, Battle Over Unpaid Bill and Cancelled Lines on Aug 13, 2018
Nortek and SDS legal battle continues. As IPVM reported, SDS sued Nortek alleging bribery and antitrust violation. However, Wave fired back at SDS,...
Uniview Intrusion Analytics and VMD Tested on Aug 13, 2018
IPVM's IP Camera Analytics Shootout featuring Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision created some ill will with a Uniview distributor who...
ADT Employees Protest ADT CEO on Aug 10, 2018
So many ADT employees were so upset with ADT's CEO speech reported on by IPVM, that ADT's CEO was forced to send a mass email to employees to...
Axis / Avigilon Legal Battle Rises on Aug 09, 2018
In what is shaping up to be high-powered, will-not-back-down battle, Axis and Avigilon are squaring off in multiple legal contests. In 2017, IPVM...
Camera Focusing Tutorial on Aug 09, 2018
A camera's focus is fundamental to quality imaging. Mistakes can cause important problems. In this guide, we explain focus issues and proper...
Dahua Ban Response: NOT Chinese Government Owned on Aug 08, 2018
Dahua has responded to the US Congress passing a US government ban on Dahua and Hikvision's products. While Dahua offered the now standard...
Bad Move: ADT Markets Rival Amazon on Aug 08, 2018
Amazon may be lining up ADT as its next victim but ADT is happy to promote Amazon. Amazon has made major moves recently, including acquiring...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact