If cyber security is only an afterthought, can a manufacturer really claim product leadership and solutions in the enterprise application arena or should they settle for the small commercial and Mom & Pop shop applications usually using lowest bidder systems? Jus' sayin'- what do those 3500 engineers contribute?
I read about this XcodeGhost malware over on macrumors.com a couple of days back. Good catch on the Hikvision IVMS being hacked, I did not see that on the list of applications. Some other applications that are commonly used, such as CamCard and Mercury, were hit as well. There is a full list in the link above.
This is caused by developers downloading Xcode versions from third-party servers rather than Apple's official servers. The way Apple hosts this overseas is apparently too slow for developers to wait for, so they download from third-party sites. Bad move.
The issue is that Apple /doesn't/ host the file internationally, only on its Western-based servers. Because of this, anyone in China attempting to download the file has to get it from the Western-based server, which is on the other side of China's national firewall. All Internet traffic from China is funneled through their content-inspecting firewall, which is reportedly very slow. It is much quicker for Chinese people to download from their own, local, third-party sharing sites. This third-party sharing site is where the malware-infected copy of Xcode was located.
The irony I find here is that people from China can't download a file from Apple's servers, but have no issues hacking US servers. Glad the Chinese gov is so concerned with hacking.
As you can see below, downloading Xcode from China is a piece of cake; just over 1 hour is not going to be any problem for any half-decent-sized company, let alone Hikvision with no doubt a very much higher-speed internet connection, when you only need to do it once. Or at least keep updated as Apple advises.
There is no excuse for not using the latest version of development tools from Apple. Someone using an iffy copy from a local pirate-ridden site like Baidu Cloud needs their head examined. These big companies should be kicked off Apple developer status. I am sure there is such a thing in the T&Cs from Apple. Seems Apple is being very generous to China this time.
Hikvision can't be using one programmer for their iOS apps. Dahua have at least three people (you only need to look in the IPA and see their names, because they are too stupid to remove the file paths). So everyone using the same dodgy Xcode sniffs of something not so straightforward as a simple error. That's crap.
Also notice no Chinese company gives the open source credits like Axis do on their products and code. They seem to feel they lose face. "Credit where credit is due" is lost in translation.
We forwarded Hikvision's email to our customers. Most of them do not use the iPhone app. While this is obviously not a good thing, you have to respect Hikvision for getting out in front of this. They expect the app to be re-released in the App Store in the next couple of days. It would have been easy for them to just let it go, not say anything, and release an update that said "squashed some bugs". To me, this shows they actually care about what's going on and are trying to fix it. Were they negligent for not handling things properly to begin with? Absolutely, but for them to get out in front of it adds points. I have seen other companies who sit and ignore much smaller problems and never address them.
At the end of the day, this will make us keep a closer eye on them. But for now, none of our customers are upset about this. Between Target and Home Depot last year, and millions of people having their CCs stolen, this doesn't scare people as much... it should. But it doesn't.
Apple removed the app from the app store, not from people’s phones. Hikvision could have easily not said anything and the majority of their customers would have never found out. The majority of their customers will still never find out. Most of the articles online don’t even mention Hikvision. Sure you can find lists buried in the internet. But no one but us nerds are looking for those lists.
When Target was compromised, two of my CCs were stolen; it took me 3 months to get it all straightened out. I still shop there. Target's problem was way bigger than Hikvision's.
I am not saying what happened isn't a big deal; what I'm trying to say is that they did the right thing by coming out and letting people know about it. I don't have time to sit on the internet and look for this information. Had they not told me, I wouldn't have known.
Hikvision can correct me if I am wrong, but I believe they started putting a team together a few months ago in North America to develop their software and apps. To help avoid some of these problems.
In the absence of any material harm coming from this, i.e. people's bank accounts being emptied, no one will remember this.
What Hik is saying is that for three weeks anyone who downloaded IVMS got the malware app. Just to make clear, the IVMS malware version of the app does not have access to everything on your iOS device.
In fact it only has access to what IVMS has access to. So your email account, maybe your photos, whatever personal information you put in IVMS.
Of course it can try to trojan you by prompting you for iCloud credentials or even credit cards, bank accounts, etc., and if you type them in, that could be bad. But commercial users are generally more savvy than that; that and the 3-week window limits the real-world damage.
Also, Apple is to blame as much as the others here because they accepted apps built by a modified version of the tool. Hik of course is negligent for not using the right one, but somehow the signature was hacked enough to fool Apple into believing it was built by the authentic tool.
The previous hacking scandal didn't affect me directly, so it is downplayed in my mind, I guess. I'm just saying that it wasn't just Hik who is affected here, nor just Chinese brands. There are Western companies in that list. Had this been simply a Hik app only that was compromised, I would be much more worried. This is a widespread issue affecting many companies.
"This is a widespread issue affecting many companies."
Who all did something stupid and dangerous to save some time downloading software. Not sure why you think many companies running code in production they get from an online forum makes things any better for Hikvision.
This points to a very serious organizational issue for Hikvision. Think about it. What other stupid things are they doing that has not been exposed? How do you know another incident will not occur 6 months from now? How has Hikvision proved that there are no other risks related to such practices?
Not sure why you think many companies running code in production they get from an online forum makes things any better for Hikvision.
John, I think a lot actually do. They do use open source code from various sources. Some companies will be very scrupulous and validate code; most will just rely on the "community" to make sure there is no malicious or bad code in there.
And regarding spying on people, I would guess the US is the worst in class. Ref. Snowden's release of information on the NSA.
I'm really surprised by the number of voters saying this will impact Hikvision significantly, or even moderately. If past history of hacking and holes in the security industry tells us anything, in two weeks, no one will remember.
Ethan, outside of Hikvision, name the other video surveillance manufacturers with major hacking incidents (include dates and types of hacks). Highlight any governments that have suffered massive hacks due to their video surveillance manufacturer. Etc.
My point is that the reason why it has not been a big deal is that such incidents are few and far between. This changes if it happens every 6 months, as it has now been happening for Hikvision.
There aren't others to name, and I'm not saying that's a bad thing. I'm simply saying what we already know: the industry doesn't care about cybersecurity. I don't think this instance is going to change that.
Also I would be willing to bet over 50% of the industry at large and the vast majority of consumers don't even know that these events happen. Which is a shame and almost criminal, but there's a lot of ignorance, willful or otherwise.
That was because Pelco actively pitched it at every opportunity when they had it. I was offered a flight for training and I never sold Pelco. The marketing value of that jet will linger longer than something that a manufacturer actively wants to sweep under the rug.
I voted moderately, because it will linger for me. I had the app installed on my phone and had a mini freak out when I first saw the news. Now that I know that I probably wasn't exposed, I never used the app in the past six months, never had a popup, I'm not as worried.
However, it has greatly diminished my trust in Apple. They have touted their superiority due to stringent App Store regulations. They, I won't forgive as quickly.
John, you have a right to think that this should be an issue; it was sloppy and reckless on Hikvision's part.
But I am still unsure how you feel this will actually affect Hik mid-term or long-term.
Here's the thing about hacks. No one gives a crap without real victims.
Think about it, the last Hikvision hack was published in Nov, detailing three buffer overflow vulnerabilities found that allowed anyone access to Hik recorders.
No one cared for 3 months! Then only because a Chinese province cried "We got hacked!" did it finally get some press. Ironically, the province may have been 'hacked' only because of the default password not being changed, but again because there were 'victims' everyone remembers.
Take the TRENDnet example: obvious victim "Baby", result huge press coverage.
Where are the victims here that will cry out for justice? Otherwise it's just blah, blah, hack, not me, blah, blah to most.
How can you sell security and not care about security at the same time? If there is a single topic a person in this industry should care about it should be "security" in its entirety. Otherwise you really have no passion or concern and you're just in it for the money!!!
We absolutely do care about security; this is why we alerted all of our customers who have Hikvision apps installed of the problem. I have always disclosed Hikvision's reputation along with their connection to the Chinese government. Most of our customers are not headquartered in the US, so they're not as fearful of China as we are. As John H mentions above, I don't feel comfortable selling something without being honest about potential and past problems.
I told a customer today that my life depends on the integrity of our company. I have staked everything I have on our company. I first disclose, then have them sign off on it. If they're willing to spend 3x the cost of a Hikvision install, then that's what we will install. To date, we have not had one customer say no to Hikvision and choose someone else.
That's a fair representation of the majority view in the industry.
And it's also reasonable presuming Hikvision never has a hacking event where there are victims who cry for justice. And the probability is overall low, as are all hacking events.
However, given that Hikvision has so many strikes against it, if such an event was to occur, I am not sure what rationalization an integrator or consultant could give if they did not disclose this up front and get the customer to agree. If I was an integrator selling Hikvision, I'd have to disclose it up front or simply switch. It's not the type of risk I am comfortable taking.
It's one thing to say theoretically a product might get hacked that has a clean track record, it's another thing to say the product you are selling has had 3 major incidents in ~12 months, and just roll the dice.
Not the same company, just a shared name. For the sake of simplicity, Samsung Techwin is its own entity, owned by Hanwha. (https://en.wikipedia.org/wiki/Hanwha) Samsung sold off the security group a year ago or so (http://ipvm.com/updates/2782). The Samsung I work for doesn't make phones and TVs; we make the K9 Thunder, which I desperately want in my demo kit... https://www.youtube.com/watch?v=-oaR2jPGddA
Think Home Depot -> HD Supply, Kraft -> Mondelez, Sara Lee -> Hillshire Brands, eBay -> PayPal, Time Warner -> Time Inc., Sara Lee -> Coach, McDonalds -> Chipotle, NewsCorp -> All the Fox companies.
After publishing this post, a Hikvision employee lept to the defense of his employer:
What nonsense. Hikvision uploaded the malicious code. If Hikvision did not do this, there would have been no hack. For example, why were the Axis, Avigilon, ACTi, etc. apps not hacked? Because those companies did not submit trojan apps.
This compounds the problem. Is Hikvision going to take responsibility for these serial hacks or is everything someone else's fault?
Mr. Wring is Mr. Wrong IMO. Hik, or its outsourced dev team, is to blame firstly for the issue at hand. They are the genesis of the problem. However, Apple is also to blame for letting it get to market.
I concede that Hik has had its issues and I have said it has given me pause. What I am asking for is a follow up to his image above that says "Stay calm and buy American". It's not even possible, at least not in the sense he is stating. There may not be one single company that does use an outsourced dev or rely on an SDK from another dev. It just so happens that Hik messed up big time by not getting the SDK from the source, Apple. This /could/ be a much larger, industry wide issue. I don't feel any safer with Dahua and their admin/ONVIF password issue, not to mention their software isn't well made either. But, we could all say similar things about any CCTV based company. I wasn't impressed with the Samsung firmware on the Wisenet III when it launched. You couldn't log out of the camera webpage, unless you cleared your internet browser cache and cookies. We've seen issues with Axis cams as well.
If anything, I'm a Dahua "fanboi". I've sold some Hik, and have liked them for the most part, but I have sold 20x more Dahua.
It seems like you want to take Hik to task, but forgive others for their issues. Do you not know or care about the Dahua admin account issue? Or how about the Samsung Wisenet browser logout issue? Those could be as bad as either of the Hik problems.
My bigger question isn't whether or not Hik is at fault, they are, it's how widespread is the issue? Could this infected SDK issue be larger than XCode? Could there be other exploits? What is Hik not doing that others are?
Back to undisclosed 4, if this exploit was crafted by the CIA (as claimed above), how would that change your patriotic stance?
OK, Hikvision was hacked apparently. Without all the chest beating, what exactly does it mean? How does it actually hurt the end user? Is there a trojan possibly in the VMS installed on an end user's PC, MacBook, iPhone or Android device? What does an end user do to rectify this?
What are the real-world consequences... someone can put a CryptoLocker virus on my PC and I'm stuffed... someone can get into my DVR and look at my shop front...
Please don't just say don't use Hikvision. The fact is people do and will continue to do so. Where is the exposure?
- on a PC or DVR on a network behind a firewall.
- on a PC at the manager's home for remote viewing of the business
- on an Android phone or an iPhone anywhere in the world.
Just trying to make real sense of this issue... that's all
Last week, Chinese app developers disclosed that an Apple programming tool had been hijacked to trick developers into embedding malicious software into apps for Apple devices.
The malware, called XcodeGhost, works by corrupting Apple’s Xcode software, which runs on Mac computers and compiles source code into apps that can run on iPhones, iPads, and other devices, before submitting them to the App Store. If a developer has XcodeGhost installed on their computer, apps that they compile include malware without the developer realizing it.
Although XcodeGhost is the first malware to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012. Using documents from NSA whistleblower Edward Snowden, The Intercept‘s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.
Security firm Palo Alto Networks has published detailed technical analyses of the malware. At least 50 apps have made it into the App Store with this malware, including WeChat, one of the world's most popular messaging apps, with hundreds of millions of users, primarily in Asia. Apps infected with XcodeGhost malware are capable of popping up fake alerts asking for credentials, such as the user's iCloud password; reading what has been copied to the clipboard, such as passwords from password manager apps; and exploiting other parts of iOS. It's not clear who is behind the malware or if they are based in China.
The CIA’s campaign to attack the security of Apple devices included creating a malicious version of Xcode to sneak malware into apps, without the developer realizing. As we reported in March:
The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.
Today, Apple has published instructions for developers to verify that the version of Xcode they have installed is the official one.
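An added example, not from the thread and not Apple's own text: a small POSIX shell wrapper around the check Apple told developers to run, spctl --assess --verbose /Applications/Xcode.app, which asks Gatekeeper to evaluate the code signature of the Xcode bundle on disk. The decision logic takes the spctl output as a string so it can be exercised on any machine; it accepts only a verdict of "accepted" together with "source=Mac App Store", "source=Apple" or "source=Apple System", and treats anything else as not trusted. The output format and the default path are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread, not Apple's code): wrap the
# Gatekeeper assessment Apple asked developers to run after XcodeGhost.
# Assumption: `spctl --assess --verbose <path>` prints text like
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# An Xcode from Apple shows source=Mac App Store, source=Apple or
# source=Apple System. A modified bundle is rejected (its signature no
# longer matches) or is attributed to some other signer.

# Decide from spctl's text whether the verdict means an Apple-distributed
# Xcode. Takes the output as $1 so the logic runs without a Mac.
# Returns 0 (trusted) or 1 (not trusted).
xcode_verdict_ok() {
  out=$1
  case "$out" in
    *": accepted"*) ;;          # Gatekeeper accepted the signature
    *) return 1 ;;              # rejected, or no verdict at all
  esac
  case "$out" in
    *"source=Mac App Store"*) return 0 ;;
    *"source=Apple"*)         return 0 ;;   # also covers "Apple System"
    *) return 1 ;;              # e.g. re-signed with somebody's Developer ID
  esac
}

# Run the real assessment on a build Mac. Path defaults to the usual
# install location (assumption); pass another path for a second copy.
check_xcode() {
  path=${1:-/Applications/Xcode.app}
  # spctl exits non-zero on "rejected"; keep the text and decide ourselves.
  out=$(spctl --assess --verbose "$path" 2>&1) || true
  if xcode_verdict_ok "$out"; then
    printf 'OK: %s\n' "$out"
    return 0
  fi
  printf 'NOT TRUSTED: %s\n' "$out" >&2
  return 1
}
```

Run check_xcode on every build machine, not just the one that submits to the App Store. It only answers whether the Xcode on disk still carries Apple's signature; it says nothing about apps already compiled with a tampered copy, which is why the remedy in this thread was a rebuild with a clean Xcode and a fresh submission. A developer who disabled Gatekeeper or bypassed it when installing still has to run the command by hand.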
7, you certainly can use it. And there's certainly an argument to be made that whatever hacking issue you suffer is trivial. Even with Target, someone gets your credit card, the credit card company wipes the charges off after a few phone calls, you get a new card, life goes on, etc. That's certainly one position to take, especially for an individual.
But there are some organizations that have very low tolerance for this. For example, if your customer is Target, I am sure they are not saying right now, 'Yeah whatever, Hikvision had a trojan app. Fixed it, ok, no biggie. Load 'em up'
"Ok Hikvision was hacked apparently."
No, Hikvision was hacked repeatedly in the course of a year. And Hikvision has not yet proven what they are concretely doing to stop more hacks.
"An Apple spokeswoman did not respond to questions about the app approval process and why developers in China were using unofficial Xcode, but a senior executive said on Tuesday the company would make it easier for Chinese developers to download its tools.
Marketing chief Phil Schiller told Chinese news site Sina.com it would offer domestic downloads within China of its developer software.
Some Chinese firms had said they were pushed to download Apple's developer toolkit from unofficial sources in China because of the slow internet speeds when connecting to international services."
Interesting that in all the MSM stories about this huge story, nobody has mentioned that one of the relatively few apps (in relation to the total available) compromised was that of one of the world's largest surveillance manufacturers, which happens to be partially owned by the Chinese government.
I wonder if the Chinese government has "slow internet speeds" when they are hacking other governments?
I certainly hope they do, at least slower than ours. But I don't think we have to worry too much there:
The U.S. is way ahead in high-speed tapping technology. With off-shore direct 10Gig fiber taps into Google and Yahoo among others, and backdoors into every known networking device on the planet, we can feel confident that we will continue to dominate in this area.
Not that we should rest on our laurels, but I don't think it's a reason for concern just yet...
Probably the mobile development was outsourced or had 1 or 2 engineers hired specifically for the project, since the language and technology were not in the core skills of the engineering team. But yes, using an IDE from an unknown source was a very naive move. Lesson learned: have strict policies on using illegal/unknown-sourced software, even for outsourced teams. But Apple should also face its own daemons for not having the IDE signature marked and checked on every uploaded app; they must be rushing to solve this.
About the previous Hikvision scandal: IMO, as a software engineer, I can assure you that security is not as big a concern in surveillance products as expected in the comments above. Usually, the main concern is the functionality itself, and engineering aspects like security are left aside.
IP cameras and DVRs have big security flaws, which can get a lot worse the cheaper they are. Passwords are sent without any protection. SSL/encryption is rarely used, and rarely a default setting. When used, it covers only HTTP, not the RTSP port. Standalone DVRs and NVRs use proprietary protocols, developed from scratch for their desktop and ActiveX(!) client software, full of flaws, very easy to reverse engineer and hack. It's a honey pot for an experienced hacker to run buffer overflow attacks. Closing a telnet port and asking for a proper password doesn't solve any of these; there is much more under the hood.
I would say that hacking a cheap DVR can be done a lot of times in a period of 6 months. I'm not sure that this should be used as a metric to compare Hikvision and other companies. I've already analyzed Dahua's and many other Chinese DVRs / cameras; they fall into the same problems. With proper effort, even big players' products can be hacked too (hardware from Axis, Sony, Samsung, etc. and VMSes from Genetec, Milestone, etc.).
Is this a new aspect for IPVM to cover in its tests? Evaluate low-level security for surveillance equipment and VMS software? These would help to raise the market standards.
But please, do not expect top notch security when buying cheap from China or reseller brands.
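An added example, not from the post above and not any vendor's code: a POSIX shell function that scans the text of a captured HTTP or RTSP exchange (for instance tcpdump -A output) and decodes every Basic credential it finds, which is the "passwords sent without any protection" case the post describes. Digest headers are reported as skipped rather than decoded, since they do not carry the password itself. The capture embedded in the block is constructed for illustration; the addresses, paths and credentials are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find cleartext Basic credentials in
# the text of a captured HTTP/RTSP exchange. Feed it capture text on stdin:
#   tcpdump -A -s0 'port 80 or port 554' | extract_basic_creds
# Constructed sample capture (documentation addresses, made-up paths and
# credentials) so the function can be run offline.
SAMPLE_CAPTURE='DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0
CSeq: 2
Authorization: Basic YWRtaW46MTIzNDU=
User-Agent: test-client

GET /System/deviceInfo HTTP/1.1
Host: 192.0.2.10
Authorization: Digest username="admin", realm="cam", nonce="abc", response="deadbeef"

GET /cgi-bin/snapshot.cgi HTTP/1.1
Host: 192.0.2.11
Authorization: Basic b3BlcmF0b3I6c2VjcmV0'

# Print one line per Authorization header: "<request target> <user:pass>"
# for Basic, "<request target> DIGEST(skipped)" for Digest. The target is
# the URL or path from the most recent request line ("-" if none seen).
extract_basic_creds() {
  tr -d '\r' |
  awk 'BEGIN { target = "-" }
       /^(GET|POST|DESCRIBE|OPTIONS|SETUP|PLAY) / { target = $2 }
       /^Authorization: Basic /  { print "B", target, $3 }
       /^Authorization: Digest / { print "D", target, "-" }' |
  while read -r kind target token; do
    if [ "$kind" = "D" ]; then
      printf '%s DIGEST(skipped)\n' "$target"
      continue
    fi
    # Basic is just base64(user:pass); anyone on the path can read it.
    creds=$(printf '%s' "$token" | base64 -d 2>/dev/null) || creds='<undecodable>'
    printf '%s %s\n' "$target" "$creds"
  done
}

# Convenience wrapper for the embedded sample, returns the report as text.
scan_sample() {
  printf '%s\n' "$SAMPLE_CAPTURE" | extract_basic_creds
}
```

On the sample this reports admin:12345 for the RTSP DESCRIBE and operator:secret for the snapshot URL, and flags the Digest request as skipped. Digest is not a free pass either: the exchange is still unencrypted and the response can be brute-forced offline against a weak password, but the credential is not sitting in the header the way it is with Basic. The point the post makes is that on most of this equipment nothing but Basic over plain TCP is on by default, and the RTSP port gets no TLS even where the web UI does.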
The issue is trust. You trust an installer to install correctly. You trust manufacturers to design, build and secure correctly. Especially in the security industry! There have been several security issues from this vendor recently. I don't trust them and I'm sure all the competitors will be talking about this for years to come.
Why do I hear the Benny Hill song playing in my head when I read this article? I get it, Hikvision is cheap, but it's pretty clear that you're getting what you pay for: non UL-listed hackatrons. With all the solid competition in the market (insert shameless plug for my employer here), I just don't see the big driver for going Hik.
One of the biggest drivers to choosing Hikvision was that for years I couldn't get a sales rep into our business from any company other than Hikvision. No one would stop by and demo their equipment and let us play with it for a few days, to see if it was a product we could offer our customers. Hikvision was the only one who took the time to teach us how their system worked. We were new to IP video but far from new in the security industry (we hold licenses in 8 States and operate in 10). Had another company answered my phone calls, maybe we would have gone in a different direction. When I started looking 3 years ago, surveillance only amounted to about 1% of my business; this year it will be around 20% (and rapidly growing).
This malware problem is on Hikvision and Apple (Apple announced they'll make it easier for Chinese developers to obtain tools and Hikvision has already released an updated app). But Hikvision's growth is on sales people from companies like yours who ignore people like us.
Cybersecurity is a serious problem. For the most part, we the integrators do not know what's going on between the cameras and the VMS. And this is for any and all the IP cameras out there. True, the Hikvision situation is a little special and could even be said to be criminal, but for the most part what is happening inside an IP video surveillance network is not well understood or even known by the vast majority of integrators.
The 'net is akin to the Wild West...It will take some time for us to truly come to term with those hacks and exploits... We all are threatened by this one way or the other. Buy American sounds nice but ... we all know this is not the solution ... Cybersecurity must be addressed or at the very least be a concern for integrators. I am not sure it is at this point in time.
It also amazes me how many folks here could care less about Hik being hacked again and again. To me that is simply saying you give two shits about your customers. Customers trust you to install equipment on their facility/network and you again and again put trust in a Chinese company which is partially owned by the Chinese Gov. Wake up folks......
If it does not affect me why would I care. Well the truth be told it does affect everyone who YOU have installed Hik products on whether it pops up today or tomorrow......
Out of interest, if the excuse is a "poor internet connection", how did they get the right version of Xcode so quickly so as to bring out this new version? Can you get an internet connection installed this quickly in China?
Or did they use someone else’s, if so why wasn’t it used from day one (but that is still lame..)
Or is the excuse a lie.
Or did they go to another forum to download their development software.
It’s one thing compromising your own kit, another putting malware on users devices which phones home. With the Chinese government owning part of Hikvision this doesn’t look good..
John. I am concerned that the basic chipsets may contain some kind of Trojan... or at minimum, a vulnerability that someone knows about because they planted it there only to exploit the vulnerability THEN insert some kind of malicious program.
What is your opinion?
My specs usually are worded in a way that no one has proposed HV, but could if they want. Should this make me add spec verbiage that restricts products from China? Or for me to have the integrator replace any cameras for xxx years if such a vulnerability is discovered at some time in the future? Some of my projects are quite sensitive and high risk (as I am sure others in the membership have). They include corporate, institutional, and government jobs with a high potential for this kind of sophisticated attack. Not a good thing if the same camera system I design can be used to peek at manufacturing processes or trade secrets or research in progress; or be used as a back door to access the Client’s network.
Do you recall many years ago when the smoke detector was actually CAUSING Fires? This seems like the same thing… or at least will have the same results (i.e. not allowing HV on my projects)
"basic chipsets may contain some kind of Trojan..."
Anything is possible but I have no knowledge of that for anyone nor I am sure how it would be easily tested / verified for anyone.
"Should this make me add spec verbiage that restricts products from China?"
I do not think that is fair or appropriate. However, you could include some clause that the company's surveillance products can have no reported or no more than X number of reported cyber security incidents in the past Y years. This would be fairer.
A lot of companies around the world do. I just did a quick search and found this : http://www.ixiacom.com/products/ixload-attack
Our company has an internal security team that is involved in all SW projects where there is any communication over IP. They will then run tests against the SW being developed and also make recommendations on both coding and configuration, like firewall setup, operating system configuration etc. that is required to have a secure network.
And it's good to have them. We who work with the functionality that our customers want delivered yesterday tend to get tunnel vision in getting the requested functionality ready. IT security is a profession in its own right.