Hikvision Trojan Mobile App

By John Honovich, Published Sep 22, 2015, 12:00am EDT

With a vengeance.

The last time, the industry mostly shook it off. This time, it is clearly much worse.

In this note, we examine Hikvision's trojan horse app, the company's response, why this is a major concern and who stands to benefit from this.

Hacking *******

**** * ****** ***, a ******* ********'* ********* ******* were hacked. **** *** ******* ** fundamental ******** ********** ** Hikvision's ******** ***, **** likely, ***** ****** ** the ********'* ******* **************. The ****** ****** ** that ***** ****** *********'* stock ***** ** ******* plunge *** ******* ** the ***** *********** ******.

** ********, *** **** infamous *** *****'* ******* on *********: ******* **** ******** ****** DVRS **** ***** ******* MINERS ****. ****, ***** *** a ****** ******** ************* ***** later ** **** ******** ****** *** ******.

*** *** ***** ** the *** ********.

Trojan ****** ***

* ****** ** (****** Chinese) ********* ****** * malicious **** ** *****'* mobile *********** *** (*****) via ** ****** *****, rather **** ******* ** from ***** ********.

******: *** ******* ** that ***** ********* *** it ******* *****'* ******** makes *********** **** ***** slow, ****** ** **** member**** ******** ******** ***** ******** ***** from *** ***** ** a ****** **** **** an ****.

********* **** **** **** code ** ***** ********** iVMS-4500 ***, ********** ** and ******** ***** ***** worldwide ** ******** **** malware ** ** ***** mobile *******.

**** ******* ** ******** to phone **** ** *** hacker's ******* **** **** personal *********** (*** *** ******** ******* disclosure ****). ******* ***, ** is "******* ** ********* ******** from *** ********" ********* "****** * fake ***** ****** ** phish **** ***********" *** "Read *** ***** **** in *** ****’* *********, which ***** ** **** to **** *** ****’* password ** **** ******** is ****** **** * password ********** ****."

**********, **** ** *** a ************* **** *****, if ******* *** *** time ** ****** ** exploit, ***** ****** *********** (as **** ***** ***). This *** ******** ** be ******** ********* **** the *****.

Response **** *********

** *********'********* ********* (*** ****), **** ********* ******** *** current **** *** (* 4.20) *** ********* ** with *** *** ***-******* one.

********* **** ***** **** they **** *********** * ******** Response ****** *** **** they **** ******* ***** the ****** **** **** and *** **** **** (see******* *.* ******** ******).

****

3500 *********

********* ****** ******** ***** their '**** *********' *** how **** *** #* in *** ******.

** ********, **** *** now *** ***** #* in ******* ******. *** it ***** ***** ***** on *** ******* ***/** organization ** ***** *********.

********

*****, ********* ***** ****** getting ****** ***** ***** a ***** ******* ********* campaign / ******* **** ran ***** "************* *** Video ************: *** ** Protect **** ** ***** Network [**** ** ****** available]." ** *** *******, Hikvision ********* ***** ******** *** not **** ****** **********, as ** ******* **** were *********** *** ***** secure.

*** **** ******* ****** came **** *** ********* employee ***** ********* ******* cases **** ****. ** course, ** *** *** cite *** *** *********, preferring ** ***** ** the ** ****** ** Personnel *********.

China **********

**********, ** ********** ********* believe *** ********* ********** **** was******** **** *****, ******* **** ******* attack.

********* ***** ** ******** its ******* **********, *** Hikvision ** ********* ***** by *** ******* ********** and *** ********* ************ from ********** ********* ******* government *********.

******* **** ***** ** a **** **** *** US *****. ******** ********* is **** *********** **** but *** **** ** clearly ********* **** ** could ** ****.

Update: **** ******** **** *********

***** ********** **** ****, a ********* ******** **** to *** ******* ** his ********:

**** ********. ********* ******** the ********* ****. ** Hikvision *** *** ** this, ***** ***** **** been ** ****. *** example, *** **** *** Axis, ********, ****, ***. apps *** ******? ******* those ********* *** *** submit ****** ****.

**** ********* *** *******. Is ********* ***** ** take ************** *** ***** serial ***** ** ** everything ******* ****'* *****?

Selling ********* ***

** *** **** ********* going *******, ** **** you **** ** ******* responsibility ** ******** **** risk up ***** ** **** customers. ********* *** ********** advantages (*** *****, ****** image *******, ***** ******* and ***********) *** **** so **** ********* ** such * ***** **** frame, *** ***** ** negligent *** ** **** this ***** ** *****. Even ** ********* ** serious *** ***** *************, who ***** **** ***** vulnerabilities ***** ***** *** will ** ********* ** the **** ****.

Winners *** ******

*********, ********* ** * big ***** **** *** so *** ***** ****** of **-********, ********* ******* *** ***-** *** we ********* *** *********'* 'risky' *** ********.

***** ********* ** *** #1 ****** ** ****** ever ****** ************ ** the *****, ******** **** wins. *******, ** *** low **** ****, *** companies ****** ***** ** gain:

*****: ***** **** *** block ************* ******** * ***** *********** to ********** ** ****. Dahua ************** ***** ***** ******* sales *** ********* ************ but **** ***** ** the ******* **** *** use ** ************* **********.

****** / *******: ********** **** *********** ******* ** ******* about ********* *** *** low-end / ****** ******. Now, **** *** *** this ** **** ************* both *** ***** '*******' and *** ****** ***** surveillance ******** ******** ******.

** ******, *** ***** now *** **** ** hacked ****, ** ** is **** ** *** anyone ** ****, *** Hikvision *** * ********** 'lead' ** **** **** so ***.

Comments (107)

Jack Sink

IPVMU Certified | 09/22/15 05:29pm

If cyber security is only an afterthought, can a manufacturer really claim product leadership and solutions in the enterprise application arena or should they settle for the small commercial and Mom & Pop shop applications usually using lowest bidder systems? Jus' sayin'- what do those 3500 engineers contribute?

Hal Bennick

Trafficware, a CUBIC Company
In reply to Jack Sink | 09/23/15 02:52pm

At least three of them are busy 60 hours a week on bittorrent, it would appear. I also wonder how many of those engineers get paid a living wage....

Ricardo Souza

IndigoVision Ltd
IPVMU Certified | 09/22/15 05:29pm

Copy & Paste is a double-edged sword but it seems to be increasing everywhere. I almost installed that software recently here to test. IPVM saved me =)

Undisclosed Integrator #1

09/22/15 05:32pm

I read about this Xcodeghost malware over on macrumors.com a couple days back. Good catch on the Hikvision IVMS being hacked, I did not see that on the list of applications. Some other applications that are commonly used such as CamCard and Mercury were hit as well. There is a full list on in the link above.

This is caused by developers downloading XCode versions off of third party servers rather than Apple official servers. The way Apple hosts this overseas is apparently too slow for developers to wait for so they download from third party sites. Bad move.

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Integrator #1 | 09/22/15 06:37pm

The issue is that Apple /doesn't/ host the file internationally, only on their western based servers. Because of this, anyone in China attempting to download the file has to get it from the western based server, which is on the other side of China's national firewall. All Internet traffic from China is funneled through their content inspecting firewall, which is reportedly very slow. It is much quicker for Chinese people to download from their own, local, third-party sharing sites. This third-party sharing site is where the malware infected copy of X-Code was located.

The irony I find here is that people from China can't download a file from Apple's servers, but have no issues hacking US servers. Glad the Chinese gov is so concerned with hacking.

Undisclosed Manufacturer #9

In reply to Jon Dillabaugh | 09/23/15 01:40am

As you can see below, downloading XCode from China is a piece of cake, just over 1hour is not going to be any problem for any half decent sized company, let alone Hikvision with no doubt a very much higher speed internet connection, when you only need do it once. Or at least keep updated as Apple advise.

There is no excuse for not using latest version of development tools from apple. Someone using a iffy copy from a local pirate ridden site like baidu cloud needs their head examined. These big companies should be kicked off Apple developer status. I am sure there is in the T&Cs from apple such thing. Seems Apple are being very generious to China this time.

Hikvision can't be using one programmer for their iOS apps. Dahua have at least three people. ( you only need looking the IPA and see their names because they are too stupid to remove the file paths ) So everyone using same dodgy XCode sniffs of something not so straight forward as a simple error. That's crap.

Also notice no Chinese company gives the open source credits like Axis do on their products and code. The seem to feel they loose face. "Credit where Credit is due", is lost in translation.

Back to checking my bitcoin account..

Tim Campbell

In reply to Jon Dillabaugh | 09/23/15 01:15pm

Anyone in China can get around the firewall to access a Western server by using a VPN. There's no excuse for a big security company not to download from the proper website.

Michael Miller

In reply to Tim Campbell | 09/23/15 01:23pm

China is cracking down on VPNs, software that allows internet users to access Twitter, Facebook, Gmail and others services blocked in the country, according to state media and service providers.

http://techcrunch.com/2015/01/23/china-vpn-crackdown/

Undisclosed #2

09/22/15 06:15pm

3.5G! That's pretty large.

Hal Bennick

Trafficware, a CUBIC Company
In reply to Undisclosed #2 | 09/23/15 02:55pm

It's a fraction of a Blu-Ray, which China seems to have no problem downloading and pirating. Hik is just showing themselves to be lazy, inept, and incompetent.

John Honovich

IPVM | 09/22/15 07:29pm

For those selling Hikvision, how do you plan to handle this? Curious to hear.

Undisclosed Integrator #3

In reply to John Honovich | 09/22/15 07:46pm

We forwarded Hikvisions email to our customers. Most of them do not use the iPhone app. While this is obviously not a good thing. You have to respect Hikvision for getting out in front of this. They expect the app to be re-released in the app store in the next couple of days. It would have been easy for them to just let it go, not say anything and release an update that said "squashed some bugs". To me, this shows they actually care about what's going on and are trying to fix it. Were they negligent for not handling things properly to begin with? Absolutely, but for them to get out in front of it adds points. I have seen other companies who sit and ignore much smaller problems and never address them.

At the end of the day, this will make us keep a closer eye on them. But for now, none of our customers are upset about this. Between Target and Home depot last year, and millions of people having their CC's stolen. This doesnt scare people as much...it should. But it doesn’t.

John Honovich

IPVM | In reply to Undisclosed Integrator #3 | 09/22/15 08:23pm

"You have to respect Hikvision for getting out in front of this."

Really?

"It would have been easy for them to just let it go, not say anything and release an update that said "squashed some bugs"."

Apple removed all malware apps and Hikvision was on the original infected list. There's no way Hikvision could have hid this.

"they actually care about what's going on and are trying to fix it."

Yes, I do agree they care but notifying people of what was already made clear publicly online is the minimum they can do.

What remains to be seen is what else they do.

Undisclosed Integrator #3

In reply to John Honovich | 09/22/15 09:15pm

Apple removed the app from the app store, not from people’s phones. Hikvision could have easily not said anything and the majority of their customers would have never found out. The majority of their customers will still never find out. Most of the articles online don’t even mention Hikvision. Sure you can find lists buried in the internet. But no one but us nerds are looking for those lists.

When Target was compromised, two of my CC’s were stolen, it took me 3 months to get it all straightened out. I still shop there. Targets problem, was way bigger than Hikvisions.

John Honovich

IPVM | In reply to Undisclosed Integrator #3 | 09/22/15 09:19pm

I guess you can tell that to your customers if / when it happens again to Hikvision...

Undisclosed Integrator #3

In reply to John Honovich | 09/22/15 09:39pm

I am not saying what happened isnt a big deal, what im trying to say is that they did the right thing by coming out and letting people know about it. I dont have time to sit on the internet and look for this information. Had they not told me, I wouldnt have known.

Hikvision can correct me if I am wrong, but I believe they started putting a team together a few months ago in North America to develop their software and apps. To help avoid some of these probelms.

John Honovich

IPVM | In reply to Undisclosed Integrator #3 | 09/22/15 09:48pm

I asked Hikvision for clarity / clarification on what they are doing about their team / improved practices. Thanks.

Hal Bennick

Trafficware, a CUBIC Company
In reply to Undisclosed Integrator #3 | 09/23/15 02:57pm

But, I also have Zander identity theft insurace (highly recommended, btw). I don't have Chinese Hacker insurance. Overall, I'd rather lose a credit card number.

Undisclosed Manufacturer #4

In reply to John Honovich | 09/22/15 07:46pm

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Manufacturer #4 | 09/22/15 08:13pm

And which camera brand can I trust from America? One that does not outsource one line of code. Please, offer me a name.

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/22/15 08:27pm

Arecont??? :)

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 09/22/15 08:31pm

I voted funny! ;)

Undisclosed Integrator #6

In reply to John Honovich | 09/22/15 11:27pm

Any others?

Undisclosed Manufacturer #4

In reply to Jon Dillabaugh | 09/22/15 08:31pm

You could start with NATO countries as a good rule of thumb, assuming they have not OEM'd from China.

https://en.wikipedia.org/wiki/Member_states_of_NATO

The Chinese are at Cyber War with the United States... http://fortune.com/2015/07/31/china-cyber-attacks/

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Manufacturer #4 | 09/22/15 11:35pm

And which companies from the NATO nations can you guarantee have zero outsourced code?

Undisclosed #5

IPVMU Certified | 09/22/15 07:48pm

In the absence of any material harm coming from this, i.e. people's bank accounts being emptied, no one will remember this.

What Hik is saying is that for three weeks anyone who downloaded IVMS got the malware app. Just to make clear, the IVMS malware version of the app does not have access to everything on your IOS device.

In fact it only has access to what IVMS has access to. So your email account, maybe your photos, whatever personal information you put in IVMS.

Of course it can try to Trojan you by prompting you for ICloud credentials or even credit cards, bank accounts etc and if you type them in, that could be bad. But commercial users are generally more savvy than that, that and the 3 week window limits the real-world damage.

Also, Apple is to blame as much as the others here because they accepted apps built by a modified version of the tool. Hik of course is negligent by not using the right one, but somehow the signature was hacked enough to fool Apple into believing it was built by the authentic tool.

John Honovich

IPVM | In reply to Undisclosed #5 | 09/22/15 08:31pm

"What Hik is saying is that for three weeks anyone who downloaded IVMS got the malware app."

6 months after the last major hacking incident?

What does this tell you about what Hikvision has learned from the last incident?

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 09/22/15 08:35pm

I would assume the same lesson Apple has learned... and Tencent, WinZip, CamCard, Mercury, etc

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/22/15 08:41pm

You're comparing Hikvision's cybersecurity, a company who months ago allowed default username and passwords to be used forever, to Apple?

And did those other companies on your list have major hacking incidents in the past 6 months?

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 09/22/15 08:48pm

The previous hacking scandal didn't affect me directly, so it is downplayed in my mind, I guess. I'm just saying that it wasn't just Hik who is affected here, nor just Chinese brands. There are western companies in that list. Had this been simply a Hik app only that was comprised, I would be much more worried. This is a widespread issue affecting many companies.

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/22/15 09:05pm

"This is a widespread issue affecting many companies."

Who all did something stupid and dangerous to save some time downloading software. Not sure why you think many companies running code in production they get from an online forum makes things any better for Hikvision.

This points to a very serious organizational issue for Hikvision. Think about it. What other stupid things are they doing that has not been exposed? How do you know another incident will not occur 6 months from now? How has Hikvision proved that there are no other risks related to such practices?

Birger Kollstrand

In reply to John Honovich | 09/23/15 07:56am

Not sure why you think many companies running code in production they get from an online forum makes things any better for Hikvision.

John, I think alot actually do. They do use open source code from various sources. Some companies will be very scroutinous and validate code, most will just rely on the "Community" to make sure there is no malicous or bad code in their.

And regarding spying on people, I would gues US is the worst in class. Ref. Snowdens release of information on the NSA.

John Honovich

IPVM | In reply to Birger Kollstrand | 09/23/15 11:42am

There are official sources for open source / publically available code.

If I wanted a download of the .Net framework, why would I ever not get it directly from Microsoft?

If I wanted a download of the Java platform, why would I ever not get it directly from Oracle?

If I wanted a download of Xcode, why would I ever not get it directly from Apple?

If you download from the official source and its trojaned, than its on the provider.

If you download it from an online form of someone else 'in the community', it's on you.

Birger Kollstrand

In reply to John Honovich | 09/23/15 11:56am

OpenSSL came from an official library. Still with major security issues. Used by a large portion of the corporations doing embedded SW development. https://en.wikipedia.org/wiki/Heartbleed

I would also say that I do not trust Microsoft, Apple or Google that they do not have known issues with their SW that they let US intelloigence agencys take advantage of.

The point is, your never safe when it comes to SW.

That makes cybersecurity even more important to have controll over whitin the organization.

John Honovich

IPVM | In reply to Birger Kollstrand | 09/23/15 12:10pm

"The point is, your never safe when it comes to SW."

You're never 100% safe doing anything but there are degrees of risk.

Let me ask you, Birger, is it your contention that the risk level is the same or less to download Xcode from an online forum vs Apple's site directly?

Ethan Ace

IPVM | 09/22/15 08:40pm

I'm really surprised by the number of voters saying this will impact Hikvision significantly, or even moderately. If past history of hacking and holes in the security industry tells us anything, in two weeks, no one will remember.

John Honovich

IPVM | In reply to Ethan Ace | 09/22/15 08:44pm

Ethan, oustide of Hikvision, name the other video surveillance manufacturers with major hacking incidents (include dates and types of hacks). Highlight any goverments that have suffered massive hacks due to their video surveillance manufacturer. Etc.

My point is that the reason why it has not been a big deal is that such incidents are few and far between. This changes if it happens every 6 months, as it has now been happening for Hikvision.

Ethan Ace

IPVM | In reply to John Honovich | 09/22/15 08:47pm

There aren't others to name, and I'm not saying that's a bad thing. I'm simply saying what we already know: the industry doesn't care about cybersecurity. I don't think this instance is going to change that.

Ethan Ace

IPVM | In reply to Ethan Ace | 09/22/15 08:48pm

Also I would be willing to bet over 50% of the industry at large and the vast majority of consumers don't even know that these events happen. Which is a shame and almost criminal, but there's a lot of ignorance, willful or otherwise.

John Honovich

IPVM | In reply to Ethan Ace | 09/22/15 08:57pm

"I don't think this instance is going to change that."

Hikvision is one of the most important video surveillance manufacturers in the world, that will change that.

There is precedent. See the Trendnet IP camera FTC security fiasco / punishment.

The difference between Hikvision and Trendnet. Almost everyone in the industry cares about the former, almost no one about the later.

Brian Rhodes

IPVMU Certified | In reply to Ethan Ace | 09/22/15 08:47pm

Pelco hasn't had a jet in years, everyone still talks about the jet.

Undisclosed Integrator #1

In reply to Brian Rhodes | 09/22/15 09:35pm

That was because Pelco actively pitched it at every opportunity when they had it. I was offered a flight for training and I never sold Pelco. The marketing value of that jet will linger longer than something that a manufacturer actively wants to sweep under the rug.

Brian Rhodes

IPVMU Certified | In reply to Undisclosed Integrator #1 | 09/22/15 09:42pm

My point is once a brand gets a conversation point, it will self perpetuate for years at every tradeshow, and be brought up by every salesperson competiting against it.

Hal Bennick

Trafficware, a CUBIC Company
In reply to Ethan Ace | 09/23/15 03:00pm

Wishful thinking....

Jon Dillabaugh

Pro Focus LLC
09/22/15 08:44pm

I voted moderately, because it will linger for me. I had the app installed on my phone and had a mini freak out when I first saw the news. Now that I know that I probably wasn't exposed, I never used the app in the past six months, never had a popup, I'm not as worried.

However, it has greatly diminished my trust in Apple. They have touted their superiority due to stringent App Store regulations. They, I won't forgive as quickly.

Undisclosed #5

IPVMU Certified | 09/22/15 09:36pm

John, you have right to think that this should be an issue, it was sloppy and reckless on Hikvision's part.

But I am still unsure how you feel this will actually affect Hik mid-term or long-term.

Here's the thing about hacks. No one gives a crap without real victims.

Think about it, the last Hikvision hack was published in Nov, detailing three buffer flow vulnerabilities found that allowed anyone access to Hik recorders.

No one cared for 3 months! Then only because a Chinese province cried "We got hacked!" did it finally get some press. Ironically, the province may have been 'hacked' only because of the default password not being changed, but again because there were 'victims' everyone remembers.

Take the trendnet example, obvious victim "Baby", result huge press coverage.

Where are the victims here that will cry out for justice? Otherwise it's just blah, blah, hack, not me, blah, blah to most.

Undisclosed Manufacturer #4

In reply to Undisclosed #5 | 09/22/15 09:42pm

How can you sell security and not care about security at the same time? If there is a single topic a person in this industry should care about it should be "security" in its entirety. Otherwise you really have no passion or concern and you're just in it for the money!!!

Undisclosed Integrator #3

In reply to Undisclosed Manufacturer #4 | 09/22/15 09:57pm

We absolutely do care about security, this is why we alerted all of our customers who have hikvision apps installed of the problem. I have always disclosed hikvisions reputation along with their connection to the Chinese government. Most of our customers are not headquartered in the US so they’re not as fearful of China as we are. As John H mentions above, I dont feel comfortable selling something without being honest about potential and past problems.

I told a customer today, that my life depends on the integrity of our company. I have staked everything I have on our company. I first disclose, then have them sign off on it. If they’re willing to spend 3x the cost of a hikvision install than thats what we will install. To date, we have not had one customer say no to hikvision and choose someone else.

John Honovich

IPVM | In reply to Undisclosed #5 | 09/22/15 09:46pm

That's a fair representation of the majority view in the industry.

And it's also reasonable presuming Hikvision never has a hacking event where there are victims who cry for justice. And the probability is overall low, as are all hacking events.

However, given that Hikvision has so many strikes against it, if such an event was to occur, I am not sure what rationalization an integrator or consultant could give if they did not disclose this up front and get the customer to agree. If I was an integrator selling Hikvision, I'd have to disclose it up front or simply switch. It's not the type of risk I am comfortable taking.

It's one thing to say theoretically a product might get hacked that has a clean track record, it's another thing to say the product you are selling has had 3 major incidents in ~12 months, and just roll the dice.

Undisclosed Integrator #1

09/22/15 10:01pm

Based on this thread it sounds like a rough ASIS is in store for Hikvision.

John Honovich

IPVM | In reply to Undisclosed Integrator #1 | 09/22/15 10:03pm

Based on this thread, I think a lot of people don't care!

The problem for ASIS is that (1) it's days away (so terrible timing) and (2) there does not seem to be much being announced in terms of new products across the board so there's a vacuum there.

Hal Bennick

Trafficware, a CUBIC Company
In reply to Undisclosed Integrator #1 | 09/23/15 03:03pm

I think we should all stand in front of their booth en masse, stare for a solid minute, and then start laughing uncontrollably.

Undisclosed #2

In reply to Hal Bennick | 09/23/15 03:11pm

pot... meet kettle.

Samsung’s security failures leave 600 million Android users vulnerable to simple keyboard hack.

Samsung’s Smart TVs gather and transmit potentially private information to third parties

Hal Bennick

Trafficware, a CUBIC Company
In reply to Undisclosed #2 | 09/23/15 04:09pm

Not the same company, just a shared name. For the sake of simplicity, Samung-Techwin is it's own entity, owned by Hanwha. (https://en.wikipedia.org/wiki/Hanwha) Samsung sold off the security group a year ago or so (http://ipvm.com/updates/2782). The Samsung I work for doesn't make phones and TVs, we make the K9 Thunder, which I desperately want in my demo kit... https://www.youtube.com/watch?v=-oaR2jPGddA

Think Home Depot -> HD Supply, Kraft -> Mondelez, Sara Lee -> Hillshire Brands, eBay -> PayPal, Time Warner -> Time Inc., Sara Lee -> Coach, McDonalds -> Chipotle, NewsCorp -> All the Fox companies.

John Honovich

IPVM | 09/22/15 10:23pm

After publishing this post, a Hikvision employee lept to the defense of his employer:

What nonsense. Hikvision uploaded the malicious code. If Hikvision did not do this, there would have been no hack. For example, why were the Axis, Avigilon, ACTi, etc. apps not hacked? Because those companies did not submit trojan apps.

This compounds the problem. Is Hikvision going to take responsibility for these serial hacks or is everything someone else's fault?

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 09/22/15 10:41pm

Mr. Wring is Mr. Wrong IMO. Hik, or its outsourced dev team, is to blame firstly for the issue at hand. They are the genisis of the problem. However, Apple is also to blame for letting it get to market.

Undisclosed Manufacturer #4

In reply to Jon Dillabaugh | 09/22/15 11:41pm

YOU (person selling Hik) are the problem here! Keep installing their infested/spy products into the US market and see what happens to our industry.

Integrity and trust are cornerstones in our business.

To blame Apple for Hik's ongoing cyber security failures is delusional.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #4 | 09/22/15 11:43pm

Ok, 4, I think you have made your point... repeatedly.

Let's all (including myself) pause until new issues or elements are raised.

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Manufacturer #4 | 09/22/15 11:57pm

I'm still waiting for his list of safe alternatives... /eye roll/

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/23/15 12:01am

Really?

Safe alternatives? How about everyone else who has not had 3 major hacking incidents in the past 12 months?

Are you saying Axis, Avigilon, Samsung, Sony, to name a few, have demonstrated anywhere near the level of cybersecurity issues that Hikvision has?

This is not an issue of being pro or anti-America, for me. It's simply acknowledging that one company has repeated issues and most of the others have none.

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 09/23/15 12:37am

I concede that Hik has had its issues and I have said it has given me pause. What I am asking for is a follow up to his image above that says "Stay calm and buy American". It's not even possible, at least not in the sense he is stating. There may not be one single company that does use an outsourced dev or rely on an SDK from another dev. It just so happens that Hik messed up big time by not getting the SDK from the source, Apple. This /could/ be a much larger, industry wide issue. I don't feel any safer with Dahua and their admin/ONVIF password issue, not to mention their software isn't well made either. But, we could all say similar things about any CCTV based company. I wasn't impressed with the Samsung firmware on the Wisenet III when it launched. You couldn't log out of the camera webpage, unless you cleared your internet browser cache and cookies. We've seen issues with Axis cams as well.

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/23/15 01:01am

"We've seen issues with Axis cams as well."

Lol, you are trying to equate Axis track record here with Hikvision? Come on? You're really sounding like a Hikvision fanboi.

Ignore the silly 'buy America' image and concentrate on reality.

"we could all say similar things about any CCTV based company."

I ask again: Does Dahua, Samsung, or Axis have anywhere near the recorded / documented hacking issues that Hikvision has?

The answer is obviously no.

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 09/23/15 02:15am

If anything, I'm a Dahua "fanboi". I've sold some Hik, and have liked them for the most part, but I have sold 20x more Dahua.

It seems like you want to take Hik to task, but forgive others for their issues. Do you not know or care about the Dahua admin account issue? Or how about the Samsung Wisenet browser logout issue? Those could be as bad as either of the Hik problems.

My bigger question isn't whether or not Hik is at fault, they are, it's how widespread is the issue? Could this infected SDK issue be larger than XCode? Could there be other exploits? What is Hik not doing that others are?

Back to undisclosed 4, if this exploit was crafted by the CIA (as claimed above), how would that change your patriotic stance?

Undisclosed Manufacturer #4

In reply to Jon Dillabaugh | 09/23/15 02:22am

"the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference"

Undisclosed #5

IPVMU Certified | In reply to Jon Dillabaugh | 09/23/15 02:47am

...I'm a Dahua "fanboi"...

No surprise here, hacking your name yields:

DILLABAUGH = ALL BIG DAHUA

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed #5 | 09/23/15 03:20am

That's quite clever! Too bad you needed an extra A to make your point.

Undisclosed Integrator #7

09/23/15 12:52am

Ok Hikvision was hacked apparently. Without all the chest beating, what exactly does it mean. How does it actually hurt the end user. Is there a trojan possibly in the vms installed on an end users PC, Macbook, iphone or android device. What does an end user do to rectify this.

What are the real world consequenses...someone can put a crypto locker virus on my pc and I'm stuffed....someone can get into my dvr and look at my shop front......

Please don't just say don't use Hikvision. The fact is people do and will continue to do so. Where is the exposure?

- on a PC or dvr on a network behind a firewall.

- on a PC at the manager's home for remote viewing the business

- on an android phone or an iphone anywhere in the world.

Just trying to make real sense of this issue..thats all

Undisclosed #8

In reply to Undisclosed Integrator #7 | 09/23/15 01:03am

Copy from theintercept.com

Last week, Chinese app developers disclosed that an Apple programming tool had been hijacked to trick developers into embedding malicious software into apps for Apple devices.

The malware, called XcodeGhost, works by corrupting Apple’s Xcode software, which runs on Mac computers and compiles source code into apps that can run on iPhones, iPads, and other devices, before submitting them to the App Store. If a developer has XcodeGhost installed on their computer, apps that they compile include malware without the developer realizing it.

Although XcodeGhost is the first malware to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012. Using documents from NSA whistleblower Edward Snowden, The Intercept‘s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.

Security firm Palo Alto Networks has published detailed technical analyses of the malware. At least 50 apps have made it into the App Store with this malware, including WeChat, one of the world’s most popular messaging apps, with hundreds of millions of users, primarily in Asia. Apps infected with XcodeGhost malware are capable of popping up fake alerts asking for credentials, such as the user’s iCloud password; reading what has been copied to the clipboard, such as passwords from password manager apps; and exploiting other parts of iOS. It’s not clear who is behind the malware or if they are based in China.

The CIA’s campaign to attack the security of Apple devices included creating a malicious version of Xcode to sneak malware into apps, without the developer realizing. As we reported in March:

The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.

Today, Apple has published instructions for developers to verify that the version of Xcode they have installed is the official one.

John Honovich

IPVM | In reply to Undisclosed Integrator #7 | 09/23/15 01:08am

7, you certainly can use it. And there's certainly an argument to be made that whatever hacking issue you suffer is trivial. Even with Target, someone gets your credit card, the credit card company wipes the charges off after a few phone calls, you get a new card, life goes on, etc. That's certainly one position to take, especially for an individual.

But there are some organizations have very low tolerance for this. For example if your customer is Target, I am sure they are not saying right now, 'Yeah whatever, Hikvision had a trojan app. Fixed it, ok, no biggie. Load 'em up'

"Ok Hikvision was hacked apparently."

No, Hikvision was hacked repeatedly in the course of a year. And Hikvision has not yet proven what they are concretely doing to stop more hacks.

Undisclosed Integrator #7

In reply to John Honovich | 09/23/15 01:18am

"Ok Hikvision was hacked apparently" don't you recognise sarcasm when you see it.

Undisclosed #2

09/23/15 01:07am

Prediction: Hik will hire some form of 'cyber expert' whose name they will parade around in media press releases to make a show of 'taking this stuff seriously', etc etc

Michael Miller

09/23/15 01:37am

Besides DVtel are any other VMS/camera manufacturers activity promoting network security as part of there IP video solutions?

Undisclosed #8

09/23/15 02:26am

I don't know about you guys,

but I was lot more concern when IPVM.com was hacked :)

Undisclosed #8

09/23/15 03:09am

For your information

HIK has new App Ver 4.2.1

That was fast

Undisclosed #5

IPVMU Certified | 09/23/15 03:34am

#fingerscrossed

Undisclosed #2

09/23/15 03:57am

From Reuters

"An Apple spokeswoman did not respond to questions about the app approval process and why developers in China were using unofficial Xcode, but a senior executive said on Tuesday the company would make it easier for Chinese developers to download its tools.

Marketing chief Phil Schiller told Chinese news site Sina.com it would offer domestic downloads within China of its developer software.

Some Chinese firms had said they were pushed to download Apple's developer toolkit from unofficial sources in China because of the slow internet speeds when connecting to international services."

Interesting that in all the MSM stories about this huge story that nobody has mentioned that one of the relatively few apps (in relation to the total available) compromised was that of one of the worlds largest surveillance manufacturers - which happens to be partially owned by the Chinese government.

Michael Miller

09/23/15 04:17am

Some Chinese firms had said they were pushed to download Apple's developer toolkit from unofficial sources in China because of the slow internet speeds when connecting to international services."

I wonder if the Chinese goverment has "slow internet speeds" when they are hacking other goverments?

Undisclosed #5

IPVMU Certified | In reply to Michael Miller | 09/23/15 10:24am

I wonder if the Chinese goverment has "slow internet speeds" when they are hacking other goverments?

I certainly hope they do, at least slower than ours. But I don't think we have to worry too much there:

The U.S. is way ahead in high-speed tapping technology. With off-shore direct 10Gig fiber taps into Google and Yahoo among others, and backdoors into every known networking device on the planet, we can feel confident that we will continue to dominate in this area.

Not that we should rest on our laurels, but I don't think it's a reason for concern just yet...

Undisclosed Manufacturer #10

09/23/15 04:30am

Probably the mobile development was outsourced or had 1 or 2 engineers hired specifically for the project - since the language and technology were not in the core skills of the engineering team. But yes, using an IDE from an unknown source was a very naive move. Lesson learned: have strict policies on using illegal/unknown sourced softwares, even for outsourced teams. But Apple should also face it's own daemons for not having the IDE signature marked and checked on every uploaded app, they must be rushing to solve this.

About the previous Hikvision scandal: IMO, as a software engineer, I can assure you that security is not a big concern in surveillance products as expected in the comments above. Usually, the main concern is the functionality itself, and engineering aspects like security are left aside.

IP cameras and DVRs have big security flaws, that can get a lot worse the cheaper they are. Passwords are sent without any protection. SSL/encryption is rarely used, and rarely a default setting. When used, it covers only HTTP, not the RTSP port. Standalone DVRs and NVRs use proprietary protocols, developed from scratch for their desktop and ActiveX(!) client softwares, full of flaws, very easy to reverse engineer and hack. It's a honey pot for an experienced hacker to run buffer overflow attacks. Closing a telnet port and asking for a proper password doesn't solve any of these, there is much more under the hood.

I would say that hacking a cheap DVR can be done a lot of times in a period of 6 months. I'm not sure that this should be used as a metric to compare Hikvision and other companies. I've already analyzed Dahua's and many other Chinese DVRs / cameras, they fall into the same problems. With proper effort, even big player's products can be hacked too (hardware from Axis, Sony, Samsung, etc and VMSes from Genetec, Milestone, etc).

Is this a new aspect for IPVM to cover in it's tests? Evaluate low level security for surveillance equipments and VMS softwares? These would help to raise the market standards.

But please, do not expect top notch security when buying cheap from China or reseller brands.

Undisclosed Integrator #11

09/23/15 09:12am

You get what you pay for.. When your R and D department is using knock off xcode how can you be sure anthing is engineered correctly!

Undisclosed Integrator #11

09/23/15 11:50am

The issue is trust. You trust an installer to install correctly. You trust manufactures to design, build and secure correctly. Especially in the security industry! There has been several security issues from this vendor recently. I dont trust them and Im sure all the competitors will be talking about this for years to come.

Hal Bennick

Trafficware, a CUBIC Company
09/23/15 02:49pm

For the sake of disclosure, I work for Samsung.

Why do I hear the Benny Hill song playing in my head when I read this article? I get it, Hikvision is cheap, but it's pretty clear that you're getting what you pay for: non UL-listed hackatrons. With all the solid competition in the market (insert shameless plug for my employer here), I just don't see the big driver for going Hik.

www.youtube.com/watch?v=MK6TXMsvgQg

Bob Germain

In reply to Hal Bennick | 09/23/15 03:01pm

Mr. Bennick- Hikvision Products sold into North America are UL/cUL listed.

Disclosure- I work for Hikvision.

Hal Bennick

Trafficware, a CUBIC Company
In reply to Bob Germain | 09/23/15 03:42pm

Is that a recent change?

Undisclosed #5

IPVMU Certified | In reply to Hal Bennick | 10/04/15 06:52am

No, I think he's been with Hik for a while now.

Undisclosed Integrator #3

In reply to Hal Bennick | 09/23/15 03:11pm

One of the biggest drivers to choosing Hikvision, was that for years I couldn’t get a sales rep into our business from any company other than Hikvision. No one would stop by and demo their equipment and let us play with it for a few days. To see if it was a product we could offer our customers. Hikvision was the only one who took the time to teach us how their system worked. We were new to IP video but far from new in the security industry (we hold licenses in 8 States and operate in 10). Had another company answered my phone calls. Maybe we would have gone in a different direction. When I started looking 3 years ago, surveillance only amounted to about 1% of my business, this year it will be around 20% (and rapidly growing).

This malware problem is on Hikvision and Apple (Apple announced they’ll make it easier for Chinese developers to obtain tools and Hikvision has already released an updated app). But Hikvisions growth is on sales people from companies like yours who ignore people like us.

Undisclosed Integrator #11

09/23/15 02:52pm

Hal - Thanks I now have benny hill in my head for the rest of the day! lol :D

but yes you are right..

Undisclosed Integrator #3

09/23/15 02:52pm

These are really interesting poll results. With 257 votes, there's no clear “winner”.

I’m not sure how legitimate this article is, but it proved to be an interesting read. I’m no conspiracy theorist, but I wonder if the NSA has ever attempted to collect personal data using this tactic.

Frantz Mathias

09/23/15 03:05pm

Cybersecurity is a serious problem. For the most part we the integrators do not know what going on between the cameras and the VMS. And this for any and all the IP cameras out there. True Hikvision situation is a little special and could be even said to be criminal but for the most part what is happening inside an IP Video Surveillance network is not well understood or even known by the vast majority of integrators.

The 'net is akin to the Wild West...It will take some time for us to truly come to term with those hacks and exploits... We all are threatened by this one way or the other. Buy American sounds nice but ... we all know this is not the solution ... Cybersecurity must be addressed or at the very least be a concern for integrators. I am not sure it is at this point in time.

Undisclosed #5

IPVMU Certified | 09/23/15 03:14pm

Based on this thread, I think a lot of people don't care!

Based on this thread, I think a lot of people care a lot about not caring.

Hal Bennick

Trafficware, a CUBIC Company
In reply to Undisclosed #5 | 09/23/15 04:10pm

...and they're getting apathetic about it.

Undisclosed Manufacturer #13

In reply to Undisclosed #5 | 09/23/15 05:02pm

it also amazes me as to how many folks here could care less about Hik being hacked again and again. To me that is simply saying you give two shits about your customers. Customers trust you to install equipment on their facility/network and you again and again put trust in a Chinese company who is partially owned by the Chinese Gov. Wake up folks......

If it does not affect me why would I care. Well the truth be told it does affect everyone who YOU have installed Hik products on whether it pops up today or tomorrow......

Andrew Bowman

In reply to Undisclosed Manufacturer #13 | 09/23/15 06:06pm

Couldn't agree more. I had to reply so that no one assumed that I was responding as #13.

Undisclosed #5

IPVMU Certified | In reply to Andrew Bowman | 09/23/15 09:43pm

I had to reply so that no one assumed that I was responding as #13.

I doubt anyone would, but if anyone actually did, they probably would not be convinced anyway and think instead you were just replying to yourself. :)

Undisclosed Integrator #11

09/23/15 03:47pm

Out of interest if the excuse is a "poor internet connection" how did they get the right version of xcode so quickly so as to bring out this new version? Can you get an internet connection this quickly installed in China?

Or did they use someone else’s, if so why wasn’t it used from day one (but that is still lame..)

Or is the excuse a lie.

Or did they go to another forum to download their development software.

It’s one thing compromising your own kit, another putting malware on users devices which phones home. With the Chinese government owning part of Hikvision this doesn’t look good..

Apple should ban them..

Undisclosed #12

09/23/15 04:24pm

John. I am concerned that the basic chipsets may contain some kind of Trojan... or at minimum, a vulnerability that someone knows about because they planted it there only to exploit the vulnerability THEN insert some kind of malicious program.

What is your opinion?

My specs usually are worded in a way that no one has proposed HV, but could if they want. Should this make me add spec verbiage that restricts products from China? Or for me to have the integrator replace any cameras for xxx years if such a vulnerability is discovered at some time in the future? Some of my projects are quite sensitive and high risk (as I am sure others in the membership have). They include corporate, institutional, and government jobs with a high potential for this kind of sophisticated attack. Not a good thing if the same camera system I design can be used to peek at manufacturing processes or trade secrets or research in progress; or be used as a back door to access the Client’s network.

Do you recall many years ago when the smoke detector was actually CAUSING Fires? This seems like the same thing… or at least will have the same results (i.e. not allowing HV on my projects)

Undisclosed Manufacturer #10

In reply to Undisclosed #12 | 09/23/15 04:37pm

So I suggest you to use Axis products only, with HTTPS enabled (their protocol uses RTSP over HTTPS).

Hal Bennick

Trafficware, a CUBIC Company
In reply to Undisclosed Manufacturer #10 | 09/23/15 05:09pm

Undisclosed (Axis) Manufacturer?

John Honovich

IPVM | In reply to Hal Bennick | 09/23/15 05:12pm

No, not an Axis employee and please stop. I'll handle moderation.

Hal Bennick

Trafficware, a CUBIC Company
In reply to John Honovich | 09/23/15 05:23pm

Sorry, tounge and cheek and all that. Mea culpa.

Undisclosed Manufacturer #10

In reply to Hal Bennick | 09/23/15 05:22pm

Nope. Software developer, see other comment above. I used to implement camera and DVR drivers, Axis was the only one that allowed RTSP over HTTPS. Maybe there are others nowadays.

Undisclosed #5

IPVMU Certified | In reply to Undisclosed Manufacturer #10 | 09/23/15 06:02pm

Demo here.

John Honovich

IPVM | In reply to Undisclosed #12 | 09/23/15 04:54pm

"basic chipsets may contain some kind of Trojan..."

Anything is possible but I have no knowledge of that for anyone nor I am sure how it would be easily tested / verified for anyone.

"Should this make me add spec verbiage that restricts products from China?"

I do not think that is fair or appropriate. However, you could include some clause that the company's surveillance products can have no reported or no more than X number of reported cyber security incidents in the past Y years. This would be fairer.

Anyone else with ideas please share.

Undisclosed #12

09/23/15 05:33pm

Is there a testing agency that could test for security vulnerabilities?

Undisclosed Manufacturer #14

In reply to Undisclosed #12 | 09/23/15 05:36pm

Many multinational companies hire 3rd party "ethical" hackers. Process is usually a week or so although I have seen longer.

Birger Kollstrand

In reply to Undisclosed #12 | 09/24/15 05:41am

A lot of companies around the world do. I just did a quick search and found this : http://www.ixiacom.com/products/ixload-attack

Our company has an internal security team that is involved in all SW projects where there is any communication on IP. They will then run tests against the SW being developed and also do recomendations on both coding and configuration. Like firewall setup, operating system configuration etc. that is required to have a secure network.

And it's good to have them. We who work with the functionality that our customers wants delivered yesterday, tend to get tunnel vision in getting the requested functionality ready. IT security is a profession on it's own.

Tim Campbell

09/24/15 02:11pm

On a somewhat related note, Apple has listed the top 25 apps in its store hit by XcodeGhost

Read this IPVM report for free.

This article is part of IPVM's 6,653 reports, 896 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.