Hikvision Trojan Mobile App

If cyber security is only an afterthought, can a manufacturer really claim product leadership and solutions in the enterprise application arena or should they settle for the small commercial and Mom & Pop shop applications usually using lowest bidder systems? Jus' sayin'- what do those 3500 engineers contribute?

Copy & Paste is a double-edged sword but it seems to be increasing everywhere. I almost installed that software recently here to test. IPVM saved me =)

3.5G! That's pretty large.

In the absence of any material harm coming from this, i.e. people's bank accounts being emptied, no one will remember this.

What Hik is saying is that for three weeks anyone who downloaded IVMS got the malware app. Just to make clear, the IVMS malware version of the app does not have access to everything on your IOS device.

In fact it only has access to what IVMS has access to. So your email account, maybe your photos, whatever personal information you put in IVMS.

Of course it can try to Trojan you by prompting you for ICloud credentials or even credit cards, bank accounts etc and if you type them in, that could be bad. But commercial users are generally more savvy than that, that and the 3 week window limits the real-world damage.

Also, Apple is to blame as much as the others here because they accepted apps built by a modified version of the tool. Hik of course is negligent by not using the right one, but somehow the signature was hacked enough to fool Apple into believing it was built by the authentic tool.

I'm really surprised by the number of voters saying this will impact Hikvision significantly, or even moderately. If past history of hacking and holes in the security industry tells us anything, in two weeks, no one will remember.

John, you have right to think that this should be an issue, it was sloppy and reckless on Hikvision's part.

But I am still unsure how you feel this will actually affect Hik mid-term or long-term.

Here's the thing about hacks. No one gives a crap without real victims.

Think about it, the last Hikvision hack was published in Nov, detailing three buffer flow vulnerabilities found that allowed anyone access to Hik recorders.

No one cared for 3 months! Then only because a Chinese province cried "We got hacked!" did it finally get some press. Ironically, the province may have been 'hacked' only because of the default password not being changed, but again because there were 'victims' everyone remembers.

Take the trendnet example, obvious victim "Baby", result huge press coverage.

Where are the victims here that will cry out for justice? Otherwise it's just blah, blah, hack, not me, blah, blah to most.

After publishing this post, a Hikvision employee lept to the defense of his employer:

What nonsense. Hikvision uploaded the malicious code. If Hikvision did not do this, there would have been no hack. For example, why were the Axis, Avigilon, ACTi, etc. apps not hacked? Because those companies did not submit trojan apps.

This compounds the problem. Is Hikvision going to take responsibility for these serial hacks or is everything someone else's fault?

Ok Hikvision was hacked apparently. Without all the chest beating, what exactly does it mean. How does it actually hurt the end user. Is there a trojan possibly in the vms installed on an end users PC, Macbook, iphone or android device. What does an end user do to rectify this.

What are the real world consequenses...someone can put a crypto locker virus on my pc and I'm stuffed....someone can get into my dvr and look at my shop front......

Please don't just say don't use Hikvision. The fact is people do and will continue to do so. Where is the exposure?

- on a PC or dvr on a network behind a firewall.

- on a PC at the manager's home for remote viewing the business

- on an android phone or an iphone anywhere in the world.

Just trying to make real sense of this issue..thats all

Prediction: Hik will hire some form of 'cyber expert' whose name they will parade around in media press releases to make a show of 'taking this stuff seriously', etc etc

Besides DVtel are any other VMS/camera manufacturers activity promoting network security as part of there IP video solutions?

I don't know about you guys,

but I was lot more concern when IPVM.com was hacked :)

#fingerscrossed

Some Chinese firms had said they were pushed to download Apple's developer toolkit from unofficial sources in China because of the slow internet speeds when connecting to international services."

I wonder if the Chinese goverment has "slow internet speeds" when they are hacking other goverments?

Probably the mobile development was outsourced or had 1 or 2 engineers hired specifically for the project - since the language and technology were not in the core skills of the engineering team. But yes, using an IDE from an unknown source was a very naive move. Lesson learned: have strict policies on using illegal/unknown sourced softwares, even for outsourced teams. But Apple should also face it's own daemons for not having the IDE signature marked and checked on every uploaded app, they must be rushing to solve this.

About the previous Hikvision scandal: IMO, as a software engineer, I can assure you that security is not a big concern in surveillance products as expected in the comments above. Usually, the main concern is the functionality itself, and engineering aspects like security are left aside.

IP cameras and DVRs have big security flaws, that can get a lot worse the cheaper they are. Passwords are sent without any protection. SSL/encryption is rarely used, and rarely a default setting. When used, it covers only HTTP, not the RTSP port. Standalone DVRs and NVRs use proprietary protocols, developed from scratch for their desktop and ActiveX(!) client softwares, full of flaws, very easy to reverse engineer and hack. It's a honey pot for an experienced hacker to run buffer overflow attacks. Closing a telnet port and asking for a proper password doesn't solve any of these, there is much more under the hood.

I would say that hacking a cheap DVR can be done a lot of times in a period of 6 months. I'm not sure that this should be used as a metric to compare Hikvision and other companies. I've already analyzed Dahua's and many other Chinese DVRs / cameras, they fall into the same problems. With proper effort, even big player's products can be hacked too (hardware from Axis, Sony, Samsung, etc and VMSes from Genetec, Milestone, etc).

Is this a new aspect for IPVM to cover in it's tests? Evaluate low level security for surveillance equipments and VMS softwares? These would help to raise the market standards.

But please, do not expect top notch security when buying cheap from China or reseller brands.

For the sake of disclosure, I work for Samsung.

Why do I hear the Benny Hill song playing in my head when I read this article? I get it, Hikvision is cheap, but it's pretty clear that you're getting what you pay for: non UL-listed hackatrons. With all the solid competition in the market (insert shameless plug for my employer here), I just don't see the big driver for going Hik.

www.youtube.com/watch?v=MK6TXMsvgQg

Hal - Thanks I now have benny hill in my head for the rest of the day! lol :D

but yes you are right..

These are really interesting poll results. With 257 votes, there's no clear “winner”.

I’m not sure how legitimate this article is, but it proved to be an interesting read. I’m no conspiracy theorist, but I wonder if the NSA has ever attempted to collect personal data using this tactic.

Out of interest if the excuse is a "poor internet connection" how did they get the right version of xcode so quickly so as to bring out this new version? Can you get an internet connection this quickly installed in China?

Or did they use someone else’s, if so why wasn’t it used from day one (but that is still lame..)

Or is the excuse a lie.

Or did they go to another forum to download their development software.

It’s one thing compromising your own kit, another putting malware on users devices which phones home. With the Chinese government owning part of Hikvision this doesn’t look good..

Apple should ban them..