Morten Tor Nielsen Defends Hikvision

By IPVM Team, Published Jun 12, 2017, 11:26am EDT

Morten Tor Nielsen, veteran software developer for Prescienta working for OnSSI, has posted "In Defence of Hikvision". As Nielsen explains himself:

[Update: Nielsen later edited that sentence in his post.]

This follows Hikvision giving IPVM an 'F' and social media posts from Hikvision and Nielsen criticizing IPVM.

In this note, we examine Nielsen's defense, why we agree with his specific claims about Hikvision and where he misunderstood our reporting.

*******'* **** ******* ****** a *** **** ******* form ** ******** *************** *****, "*****, ********* *** ******* Under *****" ** ***** ***** surveys ******* ** ****** cybersecurity ****** ********* ********** to **** *********.

******* ******** *********** ********* ******* ******* hacked:

** ***, **** **** of **** ****** ****** is ****** ****, *** there **** *** "******" user ********!!?! **** **** be *** ******* **********'* work.

** ***** **** *******, Hikvision's ***** ** ******** defaulted ******* *** **** recent ***** ********* **** has********* ** **** *** Chinese **********. ******, ** have ***** ********* ********* here.

******* **** ******* ** Krebs ********** ************ ************* ************ ********* ******* *********:

***** ***** ** **** to **** * **** in *** **** "********* Hikvision ******" ********, ** instead ** ******* * meaningful ********, ** ****** things **

** *** ****** **** Nielsen **** ***** ****** as ********, ** ********* agree. ******, **** ** why ** **** ******* those ********** **********. **** like ** **** *** separate ******** *** **** a************* *** ***** ** Hikvision's ***** ********* ************* ********* ******* ** their ****** ************ ******* ************** *** hacked ********* ********* ************'* ******** ***** ******** no ************ *** ****** be ********, ***** ********* ********** **** forwarding ******* ******* ** their ********* *****, ***.

Indeed, IPVM strongly doubts the Chinese government is encouraging Hikvision to have so many basic issues with cybersecurity. ** **** end, ** ***** **** Nielsen's ******* ******* ** Hikvision. The clearer / more significant Chinese government impact to Hikvision is economic (e.g., Hikvision's $3.2+ billion China domestic sales, massive China safe city projects, $* ******* ** ***** government **** ********, etc.).

OnSSI **** *** *******

***** *** **** ***** [link ** ****** *********] responded ** **** ****** that, "***** **** *** endorse, ** ******* ******'* personal ********," ****** **** "OnSSI **** *** *** not **** ** ********* any ******* ** **** Hikvision *******."

UPDATE: ***** ***********

Nielsen posted a new article falsely alleging IPVM called someone 'Un-American', that we "issued a fatwa banning Hikvision" and that IPVM has manufacturer sponsors. All of these are 100% factually false.

His post has since been removed, a partial screencap of the beginning of the post below:

IPVM certainly supports the right to free speech, opinion, perspective, etc. but stating clearly factually false claims is defamation and we will not accept that.

Comments (24)

Indeed, IPVM strongly doubts the Chinese government is encouraging Hikvision to have so many basic issues with cybersecurity.

I am shocked (and proud) that IPVM finally admits that the Chinese Government doesn't want to initiate Cyber Warfare with the USA through Hikvision devices. I give you a B on this statement :)

The clearer / more significant Chinese government impact to Hikvision is economic (e.g, Hikvision's $3.2+ billion China domestic sales, massive China safe city projects

I don't disagree with you that Hikvision has an advantage due to their government money. But what do you expect integrators to do? Start quoting more expensive stuff from other manufacturers that's not as good? Aren't we all indirectly helping Hikvision's government support anytime we buy something that was "Made In China"? How do you think the government gets all that money to give to Hikvision? A huge part of that money was "American Money" at one time, right?

Sean, thank you for your spirited response!

Your statement here is different from what we said:

IPVM finally admits that the Chinese Government doesn't want to initiate Cyber Warfare with the USA through Hikvision devices

Does the Chinese government want to initiate cyber warfare (or simply cyber espionage) through Hikvision devices? There is no direct evidence to say either way but given the Chinese government's track record on cyber warfare / spying, it is hard for us to believe the Chinese government would rule it out.

Is the Chinese government telling Hikvision to recommend port forwarding Linksys routers or not verifying who tries to reset admin passwords? This is the type of 'basic issues with cybersecurity' we are saying makes no sense for the Chinese government to be driving.

Nielsen is conflating our criticisms of the Chinese government's economic impact with our reporting of various basic Hikvision cybersecurity problems.

As for the economic side:

But what do you expect integrators to do? Start quoting more expensive stuff from other manufacturers

As we have discussed before, your approach of prioritizing short-term money making over longer term and bigger issues is, in itself, a very American thing to do. That noted, I do think quite a lot of buyers are reconsidering their approach here as Hikvision's escalating anti-IPVM marketing campaign implicitly acknowledges.

Unfortunately you have been downgraded to a D- for "wishywashyness"

As we have discussed before, your approach of prioritizing short-term money making over longer term and bigger issues is, in itself, a very American thing to do.

What bigger issues? 

Let's start a list:

  • The cost of dealing with and applying firmware upgrades each time Hikvision has a new serious vulnerability discovered.
  • The cost of dealing with Hikvision's ongoing discontinuation of Hik-Online and transitioning devices away from there.
  • The risk of Hikvision failing to provide updates and support in the future given Hikvision's relying on the debt fueled Chinese economy and their increasing challenges in North America.
  • The risk of your customer's Hikvision devices being used in future hacks / exploits.
  • The risk of Hikvision devices being used by the Chinese government for future cyber espionage / cyber warfare.
  • The undermining of the North American video surveillance industry (not just 'US' 'manufacturers' but all competitors) due to driving a price war that is destructive long-term to most players in the industry.
  • Supporting a company who unfairly leverages their Chinese government ownership to undermine foreign free markets.

I am sure you will disagree with some and not care about others but there are bigger issues at play here.

Others who have items to add, please share.

Sigh, just when I thought things were coming around. 

Forget it they will never 'come around'......

Forget it they will never 'come around'......

I think you are projecting ;)

In all seriousness, if Hikvision changes, we will change our position on them. Avigilon changed their management and culture and our position on them correspondingly changed, etc. Hikvision certainly can make changes for the better.

I took the 

Indeed, IPVM strongly doubts the Chinese government is encouraging Hikvision to have so many basic issues with cybersecurity.

comment to mean that the government would be encouraging Hikvision to be a little more sneaky or savvy about it and not to present such amateurish flaws. 

Breaking news

To be clear, he posted that prior to us releasing this post. Indeed, that post is quoted in this post's introduction about 'bullshit' and 'assholery'.

Right, missed the second link.  

Thank you Morten for your honesty

Interesting wording...

I can see if you thanked Morten for his perspective - as you agree with it.

But to thank him for his honesty, what you are actually saying is that you think that anyone who happens to disagree with you (and Morten) is being dishonest.

The air must be quite thin all the way up there on your high horse.

Honest or not has nothing to do with agree or not.

One can completely disagree with another one but "thank you for your honesty".

It seems to me that Marty might agree, but #3 your logic doesn't stand.

Both sides of an agreement can be honest or dishonest at the same time, as I said they are unrelated.

"Honest or not has nothing to do with agree or not."

As a simple statement, I agree.  But I've read hundreds of Marty posts and - primarily because of that - I can logically infer that Marty is using that statement as a sideways slam on the honesty of his detractors.  There is context to his statement that you are ignoring.

"Both sides of an agreement can be honest or dishonest at the same time, as I said they are unrelated."

Again, a true statement.  However, I maintain that based on the Historical Record of Marty here on IPVM that he was making a derogatory inference regarding those that disagree with him as being dishonest.

 <edited from original by author to bold the word logically>


Breaking News, second attempt.

Morten responds via a thickly veiled allegorical Kubrickian screenplay.

From 2009: An NSFW Oddity

I later realized that the guy published some sort of periodical that people had to pay to read. It mostly contained self praise, and descriptions of what happens when completely inept people attempt to use high tech equipment. I suppose it could be thought of as a mildly entertaining break from the daily humdrum at the office and you can always call it "working", because it is kinda, sorta, related to what you do.


Update: Nielsen posted a new article falsely alleging IPVM called someone 'Un-American', that we "issued a fatwa banning Hikvision" and that IPVM has manufacturer sponsors. All of these are 100% factually false.

His post has since been removed, a partial screencap of the beginning of the post below:

IPVM certainly supports the right to free speech, opinion, perspective, etc. but stating clearly factually false claims is defamation and we will not accept that.

Man oh man, those anonymous sources are everywhere! Nobody's safe! Psst...a friend's sister's cousin's ex-boyfriend told me from a very trusted anonymous source that John dyes his hair.

Say it ain't so, John! Counter my irrefutable proof! :)

Let's make one thing clear, and I have been to enough FBI InfraGard, ASIS, University, and Security Industry seminars to know this and feel 99.99% certain about it.

CHINA performs economic espionage against the U.S. in an effort to build its economy so it can compete against us militarily.

That is truth; you can make your own conclusions from there.

I have no doubt that China, like most countries (including ours), has stepped over the line on their allies when it comes to gathering intel. But you think conducting espionage helps build their economy? I think what builds their economy for the most part are all the goods the USA purchases from them.

But has anyone ever stopped and thought about how incredibly dumb it would be for China to launch any type of large scale attack, cyber or military wise, on the USA? China's economy would completely collapse without us and more than likely vice versa. China is very much business oriented, and to cause harm to the USA would cause more harm to China. Why would they shoot themselves in the foot? A similar comparison would be like taking your number one customer and punching them in the face for no reason; it just doesn't make sense. Even though we don't agree with everything they do economically or otherwise, they are still one of our greatest partners. This is why I think the conspiracy theory of using Hikvision devices to initiate a large scale cyber attack on the USA is completely bananas insane and laughable.

how incredibly dumb it would be for China to launch any type of large scale attack, cyber or military wise on the USA? China's economy would completely collapse without us 

The PRC is smarter than that. They already have done numerous cyber attacks against the US. They know that they can get away with a lot and the US will do little, if anything, in response.

Same thing with their unfair, mercantile trade policies. They have been doing it for years and have gotten away with it.

Net/net your assumption that the PRC could wrong the US and face imminent great damage has already been disproved and is something that the PRC has masterfully taken advantage of.

You are either incredibly naive or lack a basic understanding of how much of the Chinese economy is built on industrial espionage and outright, blatant patent infringement and theft.

Update: Nielsen, in his defense of Hikvision, speculated that:

someone discovering a bug in the validation of a reset packet (I guess that is the vulnerability, because I don’t know the details).

Unfortunately for Nielsen, it turned out to be far more direct and dangerous, as Hikvision included a magic string backdoor.

Update: Nielsen is now calling for firings at Dahua and Hikvision:

the PoC of the HikVision authentication bypass string should cause heads to roll at Hikvision's (and Dahua's) R&D department. Either there's no code-review (bad) or there was, and they ignored it (even worse). There's just no excuse for that kind of crap to be present in the code. Certainly not at this day and age.
