Hacking *******
**** * ****** ***, * ******* ********'* ********* ******* **** ******. **** *** ******* ** *********** ******** weaknesses ** *********'* ******** ***, **** likely, ***** ****** ** *** ********'* network **************. *** ****** ****** ** that ***** ****** *********'* ***** ***** to ******* ****** *** ******* ** the ***** *********** ******.
** ********, *** **** ******** *** Wired's ******* ** *********: ******* **** ******** ****** **** **** WORST ******* ****** ****. ****, ***** *** * ****** ******** ************* ***** ***** ** 2014 ******** ****** *** ******.
*** *** ***** ** *** *** incident.
Trojan ****** ***
* ****** ** (****** *******) ********* shared * ********* **** ** *****'* mobile *********** *** (*****) *** ** online *****, ****** **** ******* ** from ***** ********.
******: *** ******* ** **** ***** companies *** ** ******* *****'* ******** makes *********** **** ***** ****, ****** an **** ********** ******** ******** ***** ******** ***** **** *** house ** * ****** **** **** an ****.
********* **** **** **** **** ** their ********** ****-**** ***, ********** ** and ******** ***** ***** ********* ** download **** ******* ** ** ***** mobile *******.
**** ******* ** ******** ** ***** **** to *** ******'* ******* **** **** personal *********** (*** *** ******** ******* ********** ****). ******* ***, ** ** "******* ** ********* ******** **** *** attacker" ********* "****** * **** ***** dialog ** ***** **** ***********" *** "Read *** ***** **** ** *** user’s *********, ***** ***** ** **** to **** *** ****’* ******** ** that ******** ** ****** **** * password ********** ****."
**********, **** ** *** * ************* that *****, ** ******* *** *** time ** ****** ** *******, ***** become *********** (** **** ***** ***). This *** ******** ** ** ******** exploited **** *** *****.
Response **** *********
** *********'********* ********* (*** ****), **** ********* ******** *** ******* **** app (* *.**) *** ********* ** with *** *** ***-******* ***.
********* **** ***** **** **** **** established * ******** ******** ****** *** **** they **** ******* ***** *** ****** this **** *** *** **** **** (see******* *.* ******** ******).
****

3500 *********
********* ****** ******** ***** ***** '**** engineers' *** *** **** *** #* in *** ******.
** ********, **** *** *** *** clear #* ** ******* ******. *** it ***** ***** ***** ** *** quality ***/** ************ ** ***** *********.
********
*****, ********* ***** ****** ******* ****** right ***** * ***** ******* ********* campaign / ******* **** *** ***** "Cybersecurity *** ***** ************: *** ** Protect **** ** ***** ******* [**** no ****** *********]." ** *** *******, Hikvision ********* ***** ******** *** *** **** hacked **********, ** ** ******* **** were *********** *** ***** ******.
*** **** ******* ****** **** **** the ********* ******** ***** ********* ******* cases **** ****. ** ******, ** did *** **** *** *** *********, preferring ** ***** ** *** ** Office ** ********* *********.
China **********
**********, ** ********** ********* ******* *** ********* Management **** *********** **** *****, ******* **** ******* ******.
********* ***** ** ******** *** ******* connection, *** ********* ** ********* ***** by *** ******* ********** *** *** benefited ************ **** ********** ********* ******* government *********.
******* **** ***** ** * **** risk *** ** *****. ******** ********* is **** *********** **** *** *** risk ** ******* ********* **** ** could ** ****.
Update: **** ******** **** *********
***** ********** **** ****, * ********* employee **** ** *** ******* ** his ********:

**** ********. ********* ******** *** ********* code. ** ********* *** *** ** this, ***** ***** **** **** ** hack. *** *******, *** **** *** Axis, ********, ****, ***. **** *** hacked? ******* ***** ********* *** *** submit ****** ****.
**** ********* *** *******. ** ********* going ** **** ************** *** ***** serial ***** ** ** ********** ******* else's *****?
Selling ********* ***
** *** **** ********* ***** *******, we **** *** **** ** ******* responsibility ** ******** **** **** ** ***** to **** *********. ********* *** ********** advantages (*** *****, ****** ***** *******, solid ******* *** ***********) *** **** so **** ********* ** **** * short **** *****, *** ***** ** negligent *** ** **** **** ***** up *****. **** ** ********* ** serious *** ***** *************, *** ***** that ***** *************** ***** ***** *** will ** ********* ** *** **** year.
Winners *** ******
*********, ********* ** * *** ***** here *** ** *** ***** ****** of **-********, ********* ******* *** ***-** *** ** ********* run *********'* '*****' *** ********.
***** ********* ** *** #* ****** to ****** **** ****** ************ ** the *****, ******** **** ****. *******, on *** *** **** ****, *** companies ****** ***** ** ****:
*****: ***** **** *** ***** ************* ******** * ***** *********** ** ********** on ****. ***** ************** ***** ***** ******* ***** *** marketing ************ *** **** ***** ** the ******* **** *** *** ** differentiate **********.
****** / *******: ********** **** *********** ******* ** ******* ***** ********* for *** ***-*** / ****** ******. Now, **** *** *** **** ** help ************* **** *** ***** '*******' and *** ****** ***** ************ ******** serially ******.
** ******, *** ***** *** *** will ** ****** ****, ** ** is **** ** *** ****** ** safe, *** ********* *** * ********** 'lead' ** **** **** ** ***.
Comments (107)
Ricardo Souza
IPVMU Certified | 09/22/15 05:29pm
Copy & Paste is a double-edged sword but it seems to be increasing everywhere. I almost installed that software recently here to test. IPVM saved me =)
Undisclosed Integrator #1
I read about this XcodeGhost malware over on macrumors.com a couple days back. Good catch on the Hikvision IVMS being hacked, I did not see that on the list of applications. Some other applications that are commonly used such as CamCard and Mercury were hit as well. There is a full list in the link above.
This is caused by developers downloading Xcode versions off of third party servers rather than Apple official servers. The way Apple hosts this overseas is apparently too slow for developers to wait for so they download from third party sites. Bad move.
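The provenance problem described in this comment has a simple defender-side check. As an added example (not from the thread or from Hikvision), here is a small POSIX shell script along the lines of Apple's post-XcodeGhost guidance: assess the installed Xcode with Gatekeeper's `spctl` and accept it only when the verdict is "accepted" and the reported source is Apple's. The parsing is split from the `spctl` call so it can be exercised off macOS; the output format is assumed to be the one Apple published.

```shell
#!/bin/sh
# Added example (not from the thread). Apple's post-XcodeGhost guidance was to
# assess the installed Xcode with Gatekeeper and accept it only when the verdict
# is "accepted" and the reported source is one of "Mac App Store", "Apple" or
# "Apple System". The spctl output format assumed here is the one Apple published.

# Parse a captured spctl assessment; returns 0 only for an Apple-sourced bundle.
xcode_source_ok() {
  assessment="$1"
  printf '%s\n' "$assessment" | grep -q ': accepted$' || return 1
  printf '%s\n' "$assessment" | grep -Eq '^source=(Mac App Store|Apple|Apple System)$' || return 1
  return 0
}

# Run the assessment on a real machine (macOS only; the path defaults to Apple's).
check_xcode() {
  path="${1:-/Applications/Xcode.app}"
  out=$(spctl --assess --verbose "$path" 2>&1)
  if xcode_source_ok "$out"; then
    echo "OK: $path is an Apple-distributed Xcode"
    return 0
  fi
  echo "WARNING: $path did not verify as Apple-distributed; do not build with it:"
  echo "$out"
  return 1
}
```

Run `check_xcode` on a build machine; a copy obtained from a mirror or file-sharing site will not report an Apple source.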
Undisclosed #2
3.5G! That's pretty large.
John Honovich
For those selling Hikvision, how do you plan to handle this? Curious to hear.
Undisclosed #5
In the absence of any material harm coming from this, i.e. people's bank accounts being emptied, no one will remember this.
What Hik is saying is that for three weeks anyone who downloaded IVMS got the malware app. Just to make clear, the IVMS malware version of the app does not have access to everything on your iOS device.
In fact it only has access to what IVMS has access to. So your email account, maybe your photos, whatever personal information you put in IVMS.
Of course it can try to Trojan you by prompting you for iCloud credentials or even credit cards, bank accounts etc. and if you type them in, that could be bad. But commercial users are generally more savvy than that; that, and the 3 week window, limits the real-world damage.
Also, Apple is to blame as much as the others here because they accepted apps built by a modified version of the tool. Hik of course is negligent by not using the right one, but somehow the signature was hacked enough to fool Apple into believing it was built by the authentic tool.
Ethan Ace
I'm really surprised by the number of voters saying this will impact Hikvision significantly, or even moderately. If past history of hacking and holes in the security industry tells us anything, in two weeks, no one will remember.
Jon Dillabaugh
09/22/15 08:44pm
I voted moderately, because it will linger for me. I had the app installed on my phone and had a mini freak out when I first saw the news. Now that I know that I probably wasn't exposed (I never used the app in the past six months, never had a popup), I'm not as worried.
However, it has greatly diminished my trust in Apple. They have touted their superiority due to stringent App Store regulations. They, I won't forgive as quickly.
Undisclosed #5
John, you have a right to think that this should be an issue, it was sloppy and reckless on Hikvision's part.
But I am still unsure how you feel this will actually affect Hik mid-term or long-term.
Here's the thing about hacks. No one gives a crap without real victims.
Think about it, the last Hikvision hack was published in Nov, detailing three buffer overflow vulnerabilities found that allowed anyone access to Hik recorders.
No one cared for 3 months! Then only because a Chinese province cried "We got hacked!" did it finally get some press. Ironically, the province may have been 'hacked' only because of the default password not being changed, but again because there were 'victims' everyone remembers.
Take the Trendnet example, obvious victim "Baby", result huge press coverage.
Where are the victims here that will cry out for justice? Otherwise it's just blah, blah, hack, not me, blah, blah to most.
Undisclosed Integrator #1
Based on this thread it sounds like a rough ASIS is in store for Hikvision.
John Honovich
After publishing this post, a Hikvision employee lept to the defense of his employer:
What nonsense. Hikvision uploaded the malicious code. If Hikvision did not do this, there would have been no hack. For example, why were the Axis, Avigilon, ACTi, etc. apps not hacked? Because those companies did not submit trojan apps.
This compounds the problem. Is Hikvision going to take responsibility for these serial hacks or is everything someone else's fault?
Undisclosed Integrator #7
Ok, Hikvision was hacked apparently. Without all the chest beating, what exactly does it mean? How does it actually hurt the end user? Is there a trojan possibly in the VMS installed on an end user's PC, MacBook, iPhone or Android device? What does an end user do to rectify this?
What are the real world consequences... someone can put a crypto locker virus on my PC and I'm stuffed... someone can get into my DVR and look at my shop front...
Please don't just say don't use Hikvision. The fact is people do and will continue to do so. Where is the exposure?
- on a PC or DVR on a network behind a firewall.
- on a PC at the manager's home for remote viewing the business
- on an Android phone or an iPhone anywhere in the world.
Just trying to make real sense of this issue... that's all
Undisclosed #2
Prediction: Hik will hire some form of 'cyber expert' whose name they will parade around in media press releases to make a show of 'taking this stuff seriously', etc etc
Michael Miller
Besides DVtel, are any other VMS/camera manufacturers actively promoting network security as part of their IP video solutions?
Undisclosed #8
I don't know about you guys,
but I was a lot more concerned when IPVM.com was hacked :)
Undisclosed #8
For your information,
Hik has a new app, ver 4.2.1.
That was fast.
Undisclosed #5
#fingerscrossed
Undisclosed #2
From Reuters
Interesting that in all the MSM stories about this huge story nobody has mentioned that one of the relatively few apps (in relation to the total available) compromised was that of one of the world's largest surveillance manufacturers - which happens to be partially owned by the Chinese government.
Michael Miller
I wonder if the Chinese government has "slow internet speeds" when they are hacking other governments?
Undisclosed Manufacturer #10
Probably the mobile development was outsourced or had 1 or 2 engineers hired specifically for the project - since the language and technology were not in the core skills of the engineering team. But yes, using an IDE from an unknown source was a very naive move. Lesson learned: have strict policies on using illegal/unknown sourced software, even for outsourced teams. But Apple should also face its own demons for not having the IDE signature marked and checked on every uploaded app; they must be rushing to solve this.
About the previous Hikvision scandal: IMO, as a software engineer, I can assure you that security is not a big concern in surveillance products as expected in the comments above. Usually, the main concern is the functionality itself, and engineering aspects like security are left aside.
IP cameras and DVRs have big security flaws, that can get a lot worse the cheaper they are. Passwords are sent without any protection. SSL/encryption is rarely used, and rarely a default setting. When used, it covers only HTTP, not the RTSP port. Standalone DVRs and NVRs use proprietary protocols, developed from scratch for their desktop and ActiveX(!) client software, full of flaws, very easy to reverse engineer and hack. It's a honeypot for an experienced hacker to run buffer overflow attacks. Closing a telnet port and asking for a proper password doesn't solve any of these, there is much more under the hood.
I would say that hacking a cheap DVR can be done a lot of times in a period of 6 months. I'm not sure that this should be used as a metric to compare Hikvision and other companies. I've already analyzed Dahua's and many other Chinese DVRs / cameras, they fall into the same problems. With proper effort, even big players' products can be hacked too (hardware from Axis, Sony, Samsung, etc. and VMSes from Genetec, Milestone, etc.).
Is this a new aspect for IPVM to cover in its tests? Evaluate low level security for surveillance equipment and VMS software? This would help to raise the market standards.
But please, do not expect top notch security when buying cheap from China or reseller brands.
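Two of the weaknesses listed in this comment (passwords sent without protection, TLS covering HTTP but not RTSP) can be confirmed on one's own camera network by looking at the requests a client sends. As an added example that is not part of the thread, here is a small Python audit that classifies captured RTSP/HTTP request headers by authentication scheme and flags Basic credentials, which are only base64-encoded; the sample requests, the host 192.0.2.10 and the credentials are constructed for the example.

```python
import base64
import re

# Constructed sample requests, as a client might send them to an IP camera or DVR
# on the RTSP (554) and HTTP (80) ports. Host, paths and credentials are made up.
SAMPLE_REQUESTS = [
    "DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:12345").decode() + "\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    'Authorization: Digest username="admin", realm="camera", nonce="0123abcd", '
    'uri="/cgi-bin/status", response="00112233445566778899aabbccddeeff"\r\n\r\n',
    "OPTIONS rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\nCSeq: 1\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+(RTSP|HTTP)/\d\.\d")
AUTH_HEADER = re.compile(r"^Authorization:\s*(\w+)\s+(.*)$", re.IGNORECASE | re.MULTILINE)

def audit_request(raw):
    """Classify one captured request; returns None if it is not RTSP or HTTP."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    method, target, protocol = m.groups()
    finding = {"protocol": protocol, "method": method, "target": target,
               "scheme": "none", "username": None, "password": None,
               "risk": "no credentials in request"}
    a = AUTH_HEADER.search(raw)
    if not a:
        return finding
    scheme, value = a.group(1).lower(), a.group(2).strip()
    finding["scheme"] = scheme
    if scheme == "basic":
        # Basic auth is base64 only: anyone on the network path reads the password.
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            finding["risk"] = "malformed Basic credentials"
            return finding
        finding["username"], _, finding["password"] = decoded.partition(":")
        finding["risk"] = "cleartext password on an unencrypted %s session" % protocol
    elif scheme == "digest":
        # Digest keeps the password off the wire, but the session is still unencrypted.
        u = re.search(r'username="([^"]*)"', value)
        finding["username"] = u.group(1) if u else None
        finding["risk"] = "password not exposed, but session is unencrypted %s" % protocol
    else:
        finding["risk"] = "unrecognised scheme %s" % scheme
    return finding

def audit(requests):
    """Return findings for every request that carried an Authorization header."""
    return [f for f in (audit_request(r) for r in requests) if f and f["scheme"] != "none"]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f["protocol"], f["method"], f["scheme"], f["username"], "->", f["risk"])
```

Feed it request headers extracted from a capture of your own camera traffic; any Basic finding on port 554 shows the RTSP credential crossing the wire in the clear even when the web interface uses HTTPS.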
Undisclosed Integrator #11
You get what you pay for... When your R and D department is using knock off Xcode, how can you be sure anything is engineered correctly!
Undisclosed Integrator #11
The issue is trust. You trust an installer to install correctly. You trust manufacturers to design, build and secure correctly. Especially in the security industry! There have been several security issues from this vendor recently. I don't trust them and I'm sure all the competitors will be talking about this for years to come.
Hal Bennick
09/23/15 02:49pm
For the sake of disclosure, I work for Samsung.
Why do I hear the Benny Hill song playing in my head when I read this article? I get it, Hikvision is cheap, but it's pretty clear that you're getting what you pay for: non UL-listed hackatrons. With all the solid competition in the market (insert shameless plug for my employer here), I just don't see the big driver for going Hik.
www.youtube.com/watch?v=MK6TXMsvgQg
Undisclosed Integrator #11
Hal - Thanks, I now have Benny Hill in my head for the rest of the day! lol :D
but yes, you are right..
Undisclosed Integrator #3
These are really interesting poll results. With 257 votes, there's no clear “winner”.
I’m not sure how legitimate this article is, but it proved to be an interesting read. I’m no conspiracy theorist, but I wonder if the NSA has ever attempted to collect personal data using this tactic.
Frantz Mathias
Cybersecurity is a serious problem. For the most part we the integrators do not know what's going on between the cameras and the VMS. And this for any and all the IP cameras out there. True, the Hikvision situation is a little special and could even be said to be criminal, but for the most part what is happening inside an IP Video Surveillance network is not well understood or even known by the vast majority of integrators.
The 'net is akin to the Wild West... It will take some time for us to truly come to terms with those hacks and exploits... We all are threatened by this one way or the other. Buy American sounds nice but... we all know this is not the solution... Cybersecurity must be addressed or at the very least be a concern for integrators. I am not sure it is at this point in time.
Undisclosed #5
Based on this thread, I think a lot of people care a lot about not caring.
Undisclosed Integrator #11
Out of interest, if the excuse is a "poor internet connection", how did they get the right version of Xcode so quickly so as to bring out this new version? Can you get an internet connection this quickly installed in China?
Or did they use someone else’s, if so why wasn’t it used from day one (but that is still lame..)
Or is the excuse a lie.
Or did they go to another forum to download their development software.
It’s one thing compromising your own kit, another putting malware on users' devices which phones home. With the Chinese government owning part of Hikvision this doesn’t look good..
Apple should ban them..
Undisclosed #12
John. I am concerned that the basic chipsets may contain some kind of Trojan... or at minimum, a vulnerability that someone knows about because they planted it there only to exploit the vulnerability THEN insert some kind of malicious program.
What is your opinion?
My specs usually are worded in a way that no one has proposed HV, but could if they want. Should this make me add spec verbiage that restricts products from China? Or for me to have the integrator replace any cameras for xxx years if such a vulnerability is discovered at some time in the future? Some of my projects are quite sensitive and high risk (as I am sure others in the membership have). They include corporate, institutional, and government jobs with a high potential for this kind of sophisticated attack. Not a good thing if the same camera system I design can be used to peek at manufacturing processes or trade secrets or research in progress; or be used as a back door to access the Client’s network.
Do you recall many years ago when the smoke detector was actually CAUSING Fires? This seems like the same thing… or at least will have the same results (i.e. not allowing HV on my projects)
Undisclosed #12
Is there a testing agency that could test for security vulnerabilities?
Tim Campbell
On a somewhat related note, Apple has listed the top 25 apps in its store hit by XcodeGhost