Morten Tor Nielsen Defends Hikvision

By: IPVM Team, Published on Jun 12, 2017

Morten Tor Nielsen, veteran software developer for Prescienta working for OnSSI, has posted "In Defence of Hikvision". As Nielsen explains himself:

[Update: Nielsen later edited that sentence in his post.]

This follows Hikvision giving IPVM an 'F' and social media posts from Hikvision and Nielsen criticizing IPVM.

In this note, we examine Nielsen's defense, why we agree with his specific claims about Hikvision and where he misunderstood our reporting.

*******'* **** ******* ****** a *** **** ******* form ** ******** *************** *****, "*****, ********* *** ******* Under *****" ** ***** ***** surveys ******* ** ****** cybersecurity ****** ********* ********** to **** *********.

******* ******** *********** ********* ******* ******* hacked:

** ***, **** **** of **** ****** ****** is ****** ****, *** there **** *** "******" user ********!!?! **** **** be *** ******* **********'* work.

** ***** **** *******, Hikvision's ***** ** ******** defaulted ******* *** **** recent ***** ********* **** has********* ** **** *** Chinese **********. ******, ** have ***** ********* ********* here.

******* **** ******* ** Krebs ********** ************ ************* ************ ********* ******* *********:

***** ***** ** **** to **** * **** in *** **** "********* Hikvision ******" ********, ** instead ** ******* * meaningful ********, ** ****** things **

** *** ****** **** Nielsen **** ***** ****** as ********, ** ********* agree. ******, **** ** why ** **** ******* those ********** **********. **** like ** **** *** separate ******** *** **** a************* *** ***** ** Hikvision's ***** ********* ************* ********* ******* ** their ****** ************ ******* ************** *** hacked ********* ********* ************'* ******** ***** ******** no ************ *** ****** be ********, ***** ********* ********** **** forwarding ******* ******* ** their ********* *****, ***.

Indeed, IPVM strongly doubts the Chinese government is encouraging Hikvision to have so many basic issues with cybersecurity. ** **** end, ** ***** **** Nielsen's ******* ******* ** Hikvision. The clearer / more significant Chinese government impact to Hikvision is economic (e.g., Hikvision's $3.2+ billion China domestic sales, massive China safe city projects, $* ******* ** ***** government **** ********, ***.).

OnSSI **** *** *******

***** *** **** ***** [link ** ****** *********] responded ** **** ****** that, "***** **** *** endorse, ** ******* ******'* personal ********," ****** **** "OnSSI **** *** *** not **** ** ********* any ******* ** **** Hikvision *******."

UPDATE: ***** ***********

Nielsen posted a new article falsely alleging IPVM called someone 'Un-American', that we "issued a fatwa banning Hikvision" and that IPVM has manufacturer sponsors. All of these are 100% factually false.

His post has since been removed, a partial screencap of the beginning of the post below:

IPVM certainly supports the right to free speech, opinion, perspective, etc. but stating clearly factually false claims is defamation and we will not accept that.

Comments (24)

"Indeed, IPVM strongly doubts the Chinese government is encouraging Hikvision to have so many basic issues with cybersecurity."

I am shocked (and proud) that IPVM finally admits that the Chinese Government doesn't want to initiate Cyber Warfare with the USA through Hikvision devices. I give you a B on this statement :)

"The clearer / more significant Chinese government impact to Hikvision is economic (e.g., Hikvision's $3.2+ billion China domestic sales, massive China safe city projects"

I don't disagree with you that Hikvision has an advantage due to their government money. But what do you expect integrators to do? Start quoting more expensive stuff from other manufacturers that's not as good? Aren't we all indirectly helping Hikvision's government support anytime we buy something that was "Made In China"? How do you think the government gets all that money to give to Hikvision? A huge part of that money was "American Money" at one time, right?

Sean, thank you for your spirited response!

Your statement here is different from what we said:

"IPVM finally admits that the Chinese Government doesn't want to initiate Cyber Warfare with the USA through Hikvision devices"

Does the Chinese government want to initiate cyber warfare (or simply cyber espionage) through Hikvision devices? There is no direct evidence to say either way but given the Chinese government's track record on cyber warfare / spying, it is hard for us to believe the Chinese government would rule it out.

Is the Chinese government telling Hikvision to recommend port forwarding Linksys routers or not verifying who tries to reset admin passwords? This is the type of 'basic issues with cybersecurity' we are saying makes no sense for the Chinese government to be driving.

Nielsen is conflating our criticisms of the Chinese government's economic impact with our reporting of various basic Hikvision cybersecurity problems.

As for the economic side:

"But what do you expect integrators to do? Start quoting more expensive stuff from other manufacturers"

As we have discussed before, your approach of prioritizing short-term money making over longer term and bigger issues is, in itself, a very American thing to do. That noted, I do think quite a lot of buyers are reconsidering their approach here as Hikvision's escalating anti-IPVM marketing campaign implicitly acknowledges.

Unfortunately you have been downgraded to a D- for "wishywashyness"

"As we have discussed before, your approach of prioritizing short-term money making over longer term and bigger issues is, in itself, a very American thing to do."

What bigger issues? 

Let's start a list:

  • The cost of dealing with and applying firmware upgrades each time Hikvision has a new serious vulnerability discovered.
  • The cost of dealing with Hikvision's ongoing discontinuation of Hik-Online and transitioning devices away from there.
  • The risk of Hikvision failing to provide updates and support in the future given Hikvision's relying on the debt fueled Chinese economy and their increasing challenges in North America.
  • The risk of your customer's Hikvision devices being used in future hacks / exploits.
  • The risk of Hikvision devices being used by the Chinese government for future cyber espionage / cyber warfare.
  • The undermining of the North American video surveillance industry (not just 'US' 'manufacturers' but all competitors) due to driving a price war that is destructive long-term to most players in the industry.
  • Supporting a company who unfairly leverages their Chinese government ownership to undermine foreign free markets.

I am sure you will disagree with some and not care about others but there are bigger issues at play here.

Others who have items to add, please share.

Sigh, just when I thought things were coming around. 

Forget it they will never 'come around'......

"Forget it they will never 'come around'......"

I think you are projecting ;)

In all seriousness, if Hikvision changes, we will change our position on them. Avigilon changed their management and culture and our position on them correspondingly changed, etc. Hikvision certainly can make changes for the better.

I took the "Indeed, IPVM strongly doubts the Chinese government is encouraging Hikvision to have so many basic issues with cybersecurity." comment to mean that the government would be encouraging Hikvision to be a little more sneaky or savvy about it and not to present such amateurish flaws.

Breaking news

To be clear, he posted that prior to us releasing this post. Indeed, that post is quoted in this post's introduction about 'bullshit' and 'assholery'.

Right, missed the second link.  

Thank you Morten for your honesty

Interesting wording...

I can see if you thanked Morten for his perspective - as you agree with it.

But to thank him for his honesty, what you are actually saying is that you think that anyone who happens to disagree with you (and Morten) is being dishonest.

The air must be quite thin all the way up there on your high horse.

Honest or not has nothing to do with agree or not.

One can completely disagree with another one but "thank you for your honesty".

It seems to me that Marty might agree, but #3 your logic doesn't stand.

Both sides of an agreement can be honest or dishonest at the same time, as I said they are unrelated.

"Honest or not has nothing to do with agree or not."

As a simple statement, I agree.  But I've read hundreds of Marty posts and - primarily because of that - I can logically infer that Marty is using that statement as a sideways slam on the honesty of his detractors.  There is context to his statement that you are ignoring.

"Both sides of an agreement can be honest or dishonest at the same time, as I said they are unrelated."

Again, a true statement.  However, I maintain that based on the Historical Record of Marty here on IPVM that he was making a derogatory inference regarding those that disagree with him as being dishonest.

 <edited from original by author to bold the word logically>

 

Breaking News, second attempt.

Morten responds via a thickly veiled allegorical Kubrickian screenplay.

From 2009: A NSFW Oddity

I later realized that the guy published some sort of periodical that people had to pay to read. It mostly contained self praise, and descriptions of what happens when completely inept people attempt to use high tech equipment. I suppose it could be thought of as a mildly entertaining break from the daily humdrum at the office and you can always call it "working", because it is kinda, sorta, related to what you do.

 

 

Update: Nielsen posted a new article falsely alleging IPVM called someone 'Un-American', that we "issued a fatwa banning Hikvision" and that IPVM has manufacturer sponsors. All of these are 100% factually false.

His post has since been removed, a partial screencap of the beginning of the post below:

IPVM certainly supports the right to free speech, opinion, perspective, etc. but stating clearly factually false claims is defamation and we will not accept that.

Man oh man, those anonymous sources are everywhere! Nobody's safe! Psst...a friend's sister's cousin's ex-boyfriend told me from a very trusted anonymous source that John dyes his hair.

Say it ain't so, John! Counter my irrefutable proof! :)

Let's make one thing clear, and I have been to enough FBI InfraGard, ASIS, University, and Security Industry seminars to know this and feel 99.99% certain about it.

CHINA performs economic espionage against the U.S. in an effort to build its economy so it can compete against us militarily.

That is truth, you can make your own conclusions from there.

I have no doubt that China, like most countries (including ours), has stepped over the line on their allies when it comes to gathering intel. But you think conducting espionage helps build their economy? I think what builds their economy for the most part are all the goods the USA purchases from them.

But has anyone ever stopped and thought about how incredibly dumb it would be for China to launch any type of large scale attack, cyber or military wise on the USA? China's economy would completely collapse without us and more than likely vice versa. China is very much business oriented, and to cause harm to the USA would cause more harm to China. Why would they shoot themselves in the foot? A similar comparison would be like taking your number one customer and punching them in the face for no reason, it just doesn't make sense. Even though we don't agree with everything they do economically or otherwise, they are still one of our greatest partners. This is why I think the conspiracy theory of using Hikvision devices to initiate a large scale cyber attack on the USA is completely bananas insane and laughable.

"how incredibly dumb it would be for China to launch any type of large scale attack, cyber or military wise on the USA? China's economy would completely collapse without us"

The PRC is smarter than that. They already have done numerous cyber attacks against the US. They know that they can get away with a lot and the US will do little or anything in response.

Same thing with their unfair, mercantile trade policies. They have been doing it for years and have gotten away with it.

Net/net your assumption that the PRC could wrong the US and face imminent great damage has already been disproved and is something that the PRC has masterfully taken advantage of.

You are either incredibly naive or lack a basic understanding of how much of the Chinese economy is built on industrial espionage and outright, blatant patent infringement and theft.

Update: Nielsen, in his defense of Hikvision, speculated that:

"someone discovering a bug in the validation of a reset packet (I guess that is the vulnerability, because I don’t know the details)."

Unfortunately, for Nielsen, it turned out to be far more direct and dangerous as Hikvision included a magic string backdoor.

Update: Nielsen is now calling for firings at Dahua and Hikvision:

"the PoC of the HikVision authentication bypass string should cause heads to roll at Hikvision's (and Dahua's) R&D department. Either there’s no code-review (bad) or there was, and they ignored it (even worse). There’s just no excuse for that kind of crap to be present in the code. Certainly not at this day and age."
