The Hikvision Hacking Scandal

Author: John Honovich, Published on Mar 03, 2015

What was once just warnings and consumer concerns has exploded into a major problem for Hikvision.

A Chinese province's Hikvision devices have been hacked.

In this note, we examine what happened, what Hikvision says they are doing about this and what this means for the mega-manufacturer.

Update September 2015. Hikvision has suffered another major hack.

Hikvision Historical Security Problems

As background, Hikvision had already been hit with a number of security concerns / issues over the past few years. The most infamous was Wired's article on Hikvision: HACKERS TURN SECURITY CAMERA DVRS INTO WORST BITCOIN MINERS EVER. In addition, there was a buffer overflow vulnerability found later in 2014. Even more basically, since Hikvision historically did not force users to change default passwords, and since there are so many Hikvision products out there, Hikvision made itself an obvious target for even the least sophisticated hackers.

The Chinese Province Hack

Given the historical problems, what is important here is that this incident is hitting a government organization, where information security is critical.

The province is Jiangsu, on the East coast of China, with ~80 million people.

In a press release only posted on Hikvision's Chinese site (see google translation), Hikvision admits that their products were hacked inside the Jiangsu Province Internet Emergency Center. Hikvision claims that this was due to the use of weak passwords / default passwords. We cannot confirm that as we have no connection to the Jiangsu government.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

However it happened, the fact that government video surveillance equipment was hacked is a major problem. Indeed, this is even worse given the Chinese government's recent efforts to restrict foreign products that might expose them to hacking / attacks.

Hikvision's Response

In response, Hikvision USA Outlines Updates to Surveillance Products report has been released.

It summarizes steps they have already done in the past year and discloses a new release scheduled for later this month (5.3.0).

[[Note: This firmware has been released. See our full test of it here.]]

Key changes in this upcoming release include:

  • Forcing change of the default password (an obvious step and a key risk otherwise)
  • Disabling telnet access (telnet is considered quite vulnerable)
  • Lockouts after 5 incorrect login attempts (helpful to stop brute force attempts)

The Impact

Hikvision's stock dropped 7.5% in the first day of trading post the full disclosure (trading was actually halted Monday). In percentages terms, that is not huge but at their size, it is a drop of more than $1 billion USD in value. On the second day, the stock price rose slightly, indicating that the market does not view this as a major risk.

Update: June 25, 2015: Less than 3 months later, Hikvision's stock price is up more than 50% since the hacking announcement, showing that the market does not really care about this.

Since Hikvision is partially owned by the Chinese government and has deep connections, we doubt that this will be a fatal issue for Hikvision domestically. On the other hand, it is clearly a black eye for Hikvision and something that was hotly discussed inside of China.

In North America and Europe, we think the impact will be more severe. Rival manufacturers have already been hammering Hikvision as being 'spamware'. This will simply confirm it. On the lower end of the market, where Hikvision is most commonly used, outside of China, we suspect most will not care strongly as information security tends not to be a priority compared to price. However, as Hikvision tries to expand into the mid and high end markets, we think this will cause significant resistance, making it easy for rivals to declare, "Sure, you can buy Hikvision for half the price but with Axis you won't get hacked."

Hikvision Integrators / Users / OEMs

If you are a Hikvision integrator, user or OEM, you better very carefully review your deployed products and absolutely ensure that everything is upgraded immediately. Hikvision firmware upgrades are available here.

After a hack of this magnitude, it is going to be extremely hard to explain how you allowed your equipment to be hacked. And Hikvision products deployed before a year ago (and not upgraded) have many very basic / simple vulnerabilities. It is hard for us to tell if the upgrades solve every possible risk, but it is obvious that the older versions are significantly risk prone.

Poll

21 reports cite this report:

Cybersecurity for IP Video Surveillance Guide on May 18, 2018
Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in...
Hikvision Backdoor Confirmed on May 08, 2017
The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory for...
Chinese Company Xiongmai Threatens Legal Action Against Western Accusers on Oct 24, 2016
The Chinese video surveillance manufacturer, Xiongmai, whose equipment numerous sources blame for driving massive Internet attacks over the past...
US Embassy Requires Hikvision Cameras on Aug 29, 2016
The US Embassy in Kabul Afghanistan has required only Hikvision cameras in a new US federal government bid. However: Hikvision was founded...
Hikvision Rejects Responsibility for Hacked Hikvision Cameras on May 10, 2016
After a massive number of Hikvision cameras were hacked, Hikvision has added new, and questionable legal language, declaring that Hikvision will...
ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved] on Mar 09, 2016
More than a year after massive hacks against Hikvision was disclosed; More than 9 months after Hikvision issued improved security firmware, mega...
Arecont and Bosch - Default Security Risk on Dec 14, 2015
Default passwords are a major security risk, enabling hackers around the world to access and control devices like IP cameras (using Shodan, turning...
Axis Cybersecurity Hardening Guide Examined on Nov 19, 2015
In most IT areas, 'hardening' guides are commonplace, providing best practices for improving the cybersecurity of network products (e.g., see this...
Hikvision Hires Pelco / G4S Exec Sam Belbina on Nov 10, 2015
Hikvision gets another major industry executive. He was most recently the President of G4S Technology, and before that VP of Sales at Pelco. Now,...
Winners Losers Fall 2015 on Oct 12, 2015
There's a lot of losing right now, unfortunately. The industry is moving into year 2 of sharp camera price declines. Combined with the maturation...
Dahua Finally Has A US Distributor on Oct 08, 2015
Finally. Billion dollar Dahua is the 'smaller' of the two mega Chinese surveillance manufacturers (the other being Hikvision). Historically,...
Warning: ADI and Tri-Ed Video Products Major Security Risk on Sep 22, 2015
Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference - IPVM test on ADI W Box, IPVM test of Tri-Ed Northern Video. Both ADI...
Hikvision Trojan Mobile App on Sep 22, 2015
With a vengeance. The last time, the industry mostly shook it off. This time, it is clearly much worse. In this note, we examine Hikvision's...
Anixter/Tri-Ed Northern Video Tested on Sep 18, 2015
ADI is an IP video manufacturer now (see IPVM's ADI W Box test results). And now, their top rival, Anixter's Tri-Ed arm has also entered the IP...
ADI's W Box Camera / NVR Gen 1 (Hikvision) Tested on Jul 22, 2015
ADI moves hundreds of millions of dollars worth video surveillance equipment each year. And now, they are disrupting the channel, cutting out...
Pros and Cons - Automating Firmware Updates on Jul 01, 2015
Firmware and software updates are one of the most tedious tasks in surveillance, so why not make them easier? While other devices, like PCs,...
Hikvision Anti Hacking Firmware Tested on Jun 03, 2015
Hikvision has had historic hacking problems, with DVRs turned into Bitcoin miners, buffer overflow vulnerabilities, and finally culminating in the...
Hikvision Hires Ex-Samsung / Panasonic Exec on May 18, 2015
Hikvision's expansion continues, with the mega Chinese manufacturer now hiring one of the most well known and well tenured American sales...
Axis Cuts Prices 2015 on Mar 09, 2015
Axis has cut prices on a number of their most popular markets.  In this note, we look at feedback from Axis, comparing how this impacts...
NMAPing IP Cameras on Mar 05, 2015
The Hikvision hack has increased security concerns. Indeed, most users do not know whether they are vulnerable or not, which ports of their...
Avigilon 2014 Financials Disappoint Investors on Mar 04, 2015
Hikvision admits their equipment got hacked in a large government deployment - stock down just 7.5% Avigilon announces revenue up 42% - stock down...
Comments (46) : PRO Members only. Login. or Join.

Related Reports

Genetec Takes Aim At 'Untrustworthy' 'Foreign Government-Owned Vendors' on Sep 24, 2018
Genetec is taking aim at 'untrustworthy' 'foreign government-owned vendors'. This is not a new theme for Genetec as nearly 2 years ago, Genetec...
4MP Camera Shootout - Axis, Dahua, DW, Hanwha, Hikvision, Uniview, Vivotek on Sep 24, 2018
4MP usage continues to climb, especially for low cost fixed lens models. To see who was best, we bought and tested seven 4MP models from Axis,...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Chinese Government Praises Hikvision For Following Xi Jinping on Sep 17, 2018
The Chinese government council responsible for managing China's state-owned companies praised Hikvision’s obedience to China’s authoritarian leader...
Australia and French National TV Investigate Hikvision, Australia Military To Remove Hikvision Cameras on Sep 12, 2018
An Australian National TV investigation on Chinese video surveillance has put a spotlight on Hikvision, including a promise from Australia's...
Trump Administration Considers Sanctions Against Dahua and Hikvision on Sep 11, 2018
The Trump administration is considering sanctions against Dahua and Hikvision for their involvement in human rights abuses against minorities...
Ambarella on Computer Vision and US Hikua Ban on Sep 10, 2018
Ambarella, a widely-used video surveillance component supplier, is betting on the rise of computer vision and is already seeing a sales impact from...
China "Largest Threat To US National Security", Declares FBI And Counterintelligence Heads on Sep 07, 2018
China is 'bar none', the 'largest threat to [US] national security' plus China has declared 'economic war' on the US, according to William Evanina,...
Congressional Letter Urges Sanctions Against Dahua and Hikvision For Human Rights Abuses on Sep 04, 2018
17 US Congresspeople sent a letter to the Secretary of State and Treasury urging sanctions against Chinese officials plus Dahua and Hikvision,...

Most Recent Industry Reports

Ladders For Installers Guide on Sep 25, 2018
Ladders are one of the most important pieces of worksite equipment for the surveillance technician. Too often, however, even highly experienced...
Favorite Access Control Reader Manufacturer 2018 on Sep 25, 2018
Favorite reader votes are in, and it is not close. A global access giant ran away with the votes in a one-sided contest. But for many, the...
Genetec Takes Aim At 'Untrustworthy' 'Foreign Government-Owned Vendors' on Sep 24, 2018
Genetec is taking aim at 'untrustworthy' 'foreign government-owned vendors'. This is not a new theme for Genetec as nearly 2 years ago, Genetec...
4MP Camera Shootout - Axis, Dahua, DW, Hanwha, Hikvision, Uniview, Vivotek on Sep 24, 2018
4MP usage continues to climb, especially for low cost fixed lens models. To see who was best, we bought and tested seven 4MP models from Axis,...
Alexa Guard Expands Amazon's Security Offerings, Boosts ADT's Stock on Sep 21, 2018
Amazon is expanding their security offerings yet again, this time with Alexa Guard that delivers security audio analytics and a virtual "Fake...
UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
BluePoint Aims To Bring Life-Safety Mind-Set To Police Pull Stations on Sep 20, 2018
Fire alarm pull stations are commonplace but police ones are not. A self-funded startup, BluePoint Alert Solutions is aiming to make police pull...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
Axis Vs. Hikvision IR PTZ Shootout on Sep 20, 2018
Hikvision has their high-end dual-sensor DarkfighterX. Axis has their high-end concealed IR Q6125-LE. Which is better? We bought both and tested...
Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact