Hikvision Discontinuing Online Service

By: John Honovich, Published on Dec 12, 2016

Hikvision has declared it will discontinue its Hikvision online service, just days after IPVM's Hikvision Cloud Security Vulnerability Uncovered report. The abrupt move, including blocking logins in a few weeks, is troubling many dealers amidst ongoing security problems with the service.

Determined To Discontinue

Hikvision posted a 'notice' to users logging into the service declaring "all of our customers using the HiDDNS service need to migrate" and that in less than 3 weeks (Dec 30th), logins to the system will be blocked. Notice is copied below:

This has caused notable concern and confusion among Hikvision dealers.

  • No official email or announcement has been made, only the pop-up notice when logging in to the system.
  • The announcement is from China / HQ and suffers from various grammatical errors making it hard to read, e.g., "As the use base continues to grow, a new platform with enhanced supporting capacity is extremely expected. To meet this certain needs..."
  • This service is important to many Hikvision dealers for facilitating remote access. The rapid 'login block' raises operational problems.

UPDATE Hikvision USA Announcement

4 days after Hikvision HQ posted their notice, Hikvision USA has released theirs. It differs in a number of material ways:

  • Hikvision USA emphasizes this as a migration in the title and opening; however, the transition between the systems is completely manual, with no tools or automation to facilitate the process.
  • Also, Hikvision USA acknowledges that the "fully featured Hik-Connect platform" is not ready now and is scheduled for Q1 2017.
  • The 'login block' declaration from Hikvision HQ has been removed from Hikvision USA's announcement, so it is not clear which is correct. However, Hikvision USA did emphasize that starting Dec 30th, access to Device Status and Device Management will be disabled.
  • For security, Hikvision USA indirectly acknowledged the issues with Hik-online.com, emphasizing that with the other system "Hik-Connect on AWS [they] leverage their best practices to enhance our security."

UPDATE Hikvision Corporate Change

~6 days after the initial announcement from Hikvision corporate, Hikvision has modified the 'notice' (copied above) to remove the 'login block' assertion. That has been replaced with the same language from Hikvision USA's release about blocking "access the Device Status tab or the Device Management tab." The various grammatical problems have not been corrected.

Security Problems


Hik-online.com has suffered from a number of security problems. The largest, which Hikvision has never publicly acknowledged, is a vulnerability that allowed an "attacker to remotely take over the server." That vulnerability, according to the researcher who discovered it, has been resolved.

However, a number of other vulnerabilities continue to exist. For example, the service does not use HTTPS at all, neither for logging in nor when logged in to one's account, as shown below:

Not using HTTPS for such a service violates basic information security principles.

Moreover, Hik-online.com has a vulnerability that allows obtaining a list of all devices / IP addresses connected, including every new device added. Requests to http://www.hik-online.com/{number} are redirected to the IP address of the device, without any authentication needed. All an attacker needs to do is run a script that increments through the numbers, gathering the IP addresses connected. The gif below shows how Hik-online.com redirects from the number entered to IP addresses:

This provides a master list of probably hundreds of thousands of Hikvision devices that are publicly available on the Internet. From the testing we performed, ~3% of numbers scanned returned available Hikvision IP addresses, many of which were on high-numbered ports. So even if dealers thought using such ports would help obscure the devices from scanning, Hikvision's vulnerability undermines that.
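Seen from the service operator's side, the unauthenticated `/{number}` lookups described above leave a recognizable trace in web access logs: one client requesting many consecutive numbers. The following detection sketch is an added example, not code from IPVM or Hikvision; the log format, the 404 status for unused numbers, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches only bare numeric lookups such as "GET /100004"; other paths are skipped.
# Assumes common-log-format lines (an assumption, not the service's real format).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /(\d+) HTTP/[\d.]+" (\d{3}) ')

def find_id_walkers(log_text, min_ids=5, min_sequential=0.8):
    """Return {client_ip: stats} for clients stepping through the numeric ID space."""
    ids_by_client = defaultdict(set)
    redirects = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, dev_id, status = m.group(1), int(m.group(2)), m.group(3)
        ids_by_client[ip].add(dev_id)
        if status == "302":          # a redirect means a device address was disclosed
            redirects[ip] += 1
    flagged = {}
    for ip, ids in ids_by_client.items():
        if len(ids) < max(min_ids, 2):
            continue                 # a normal user looks up one or two known IDs
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        if sequential >= min_sequential:
            flagged[ip] = {"distinct_ids": len(ids),
                           "sequential": round(sequential, 2),
                           "disclosed": redirects[ip]}
    return flagged

# Constructed sample: documentation-range IPs, made-up device numbers.
def _line(ip, sec, path, status):
    return f'{ip} - - [12/Dec/2016:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 0'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i, f"/{100000 + i}", 302 if i in (3, 7) else 404)
     for i in range(1, 9)]
    + [_line("198.51.100.20", 30, "/login", 200),
       _line("198.51.100.20", 31, "/100004", 302),
       _line("198.51.100.20", 45, "/250311", 302),
       _line("198.51.100.20", 50, "/100004", 302)]
)

if __name__ == "__main__":
    print(find_id_walkers(SAMPLE_LOG))
```

Detection of this kind only limits the damage; the underlying fix is to require authentication before the redirect is issued.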

Now Hikvision Wants Internal Network Access

As a replacement for this, Hikvision recommends Hik-connect (see: Hikvision Cloud Service (Ezviz / HikConnect) Tested). This service no longer needs the IP address of the Hikvision device to be made public (through port forwarding, etc.). Not making the device public is good.

However, now Hikvision will use a tunnel inside of one's internal network, through one's firewall. This will require trust that Hikvision has no security vulnerabilities in this service (a challenge given the many vulnerabilities in the current one) and that Hikvision itself will not misuse it.

"Phoning Home to China"

An increasing criticism is that Hikvision cameras are 'phoning home to China'. What is technically happening is that many new Hikvision cameras are being defaulted to automatically, and without user confirmation, phone home to Hik-connect (see Hikvision 'Phone Home' Raises Security Fears). At least for North America Hikvision devices, they are auto programmed to phone home to Amazon Web Services (AWS), though given this is the Internet, once access is established via AWS, it can be accessed from anywhere - China, Chile, Cameroon, etc.

This automatic phone home 'feature' is extremely uncommon within video surveillance and none of Hikvision's major competitors (e.g., Avigilon, Axis, Bosch, Dahua, Samsung/Hanwha, Panasonic, etc.) do this. Indeed, 95% of respondents say they prefer not to have any phone home feature automatically enabled (345 respondents).

Now, however, phoning home to their service is Hikvision's recommended migration path.

2016 Hikvision Challenges

Hikvision has grown phenomenally overseas in the past few years.

2015 had their first major challenge as a series of security issues, including a Hikvision engineer copying malware from an online forum into their production mobile app, shook the company.

2016's main challenge, by contrast, was people learning that Hikvision is a China state-owned company, and then having Genetec expel them, followed by a US Embassy removing Hikvision.

Now, Hikvision ends 2016 with a major challenge with its online / cloud service. The company still has immense resources from its China domestic projects plus $6 billion in recent China government funding committed. However, these continued security problems plus the China government control concerns combine for Hikvision's greatest challenge yet.
