Hikvision Trojan Mobile App

If cyber security is only an afterthought, can a manufacturer really claim product leadership and solutions in the enterprise application arena or should they settle for the small commercial and Mom & Pop shop applications usually using lowest bidder systems? Jus' sayin'- what do those 3500 engineers contribute?

Copy & Paste is a double-edged sword but it seems to be increasing everywhere. I almost installed that software recently here to test. IPVM saved me =)

3.5G! That's pretty large.

For those selling Hikvision, how do you plan to handle this? Curious to hear.

I voted moderately, because it will linger for me. I had the app installed on my phone and had a mini freak out when I first saw the news. Now that I know that I probably wasn't exposed, I never used the app in the past six months, never had a popup, I'm not as worried.

However, it has greatly diminished my trust in Apple. They have touted their superiority due to stringent App Store regulations. They, I won't forgive as quickly.

After publishing this post, a Hikvision employee lept to the defense of his employer:

What nonsense. Hikvision uploaded the malicious code. If Hikvision did not do this, there would have been no hack. For example, why were the Axis, Avigilon, ACTi, etc. apps not hacked? Because those companies did not submit trojan apps.

This compounds the problem. Is Hikvision going to take responsibility for these serial hacks or is everything someone else's fault?

Ok Hikvision was hacked apparently. Without all the chest beating, what exactly does it mean. How does it actually hurt the end user. Is there a trojan possibly in the vms installed on an end users PC, Macbook, iphone or android device. What does an end user do to rectify this.

What are the real world consequenses...someone can put a crypto locker virus on my pc and I'm stuffed....someone can get into my dvr and look at my shop front......

Please don't just say don't use Hikvision. The fact is people do and will continue to do so. Where is the exposure?

- on a PC or dvr on a network behind a firewall.

- on a PC at the manager's home for remote viewing the business

- on an android phone or an iphone anywhere in the world.

Just trying to make real sense of this issue..thats all

Prediction: Hik will hire some form of 'cyber expert' whose name they will parade around in media press releases to make a show of 'taking this stuff seriously', etc etc

I don't know about you guys,

but I was lot more concern when IPVM.com was hacked :)

#fingerscrossed

Some Chinese firms had said they were pushed to download Apple's developer toolkit from unofficial sources in China because of the slow internet speeds when connecting to international services."

I wonder if the Chinese goverment has "slow internet speeds" when they are hacking other goverments?

Probably the mobile development was outsourced or had 1 or 2 engineers hired specifically for the project - since the language and technology were not in the core skills of the engineering team. But yes, using an IDE from an unknown source was a very naive move. Lesson learned: have strict policies on using illegal/unknown sourced softwares, even for outsourced teams. But Apple should also face it's own daemons for not having the IDE signature marked and checked on every uploaded app, they must be rushing to solve this.

About the previous Hikvision scandal: IMO, as a software engineer, I can assure you that security is not a big concern in surveillance products as expected in the comments above. Usually, the main concern is the functionality itself, and engineering aspects like security are left aside.

IP cameras and DVRs have big security flaws, that can get a lot worse the cheaper they are. Passwords are sent without any protection. SSL/encryption is rarely used, and rarely a default setting. When used, it covers only HTTP, not the RTSP port. Standalone DVRs and NVRs use proprietary protocols, developed from scratch for their desktop and ActiveX(!) client softwares, full of flaws, very easy to reverse engineer and hack. It's a honey pot for an experienced hacker to run buffer overflow attacks. Closing a telnet port and asking for a proper password doesn't solve any of these, there is much more under the hood.

I would say that hacking a cheap DVR can be done a lot of times in a period of 6 months. I'm not sure that this should be used as a metric to compare Hikvision and other companies. I've already analyzed Dahua's and many other Chinese DVRs / cameras, they fall into the same problems. With proper effort, even big player's products can be hacked too (hardware from Axis, Sony, Samsung, etc and VMSes from Genetec, Milestone, etc).

Is this a new aspect for IPVM to cover in it's tests? Evaluate low level security for surveillance equipments and VMS softwares? These would help to raise the market standards.

But please, do not expect top notch security when buying cheap from China or reseller brands.

The issue is trust. You trust an installer to install correctly. You trust manufactures to design, build and secure correctly. Especially in the security industry! There has been several security issues from this vendor recently. I dont trust them and Im sure all the competitors will be talking about this for years to come.

Hal - Thanks I now have benny hill in my head for the rest of the day! lol :D

but yes you are right..

Cybersecurity is a serious problem. For the most part we the integrators do not know what going on between the cameras and the VMS. And this for any and all the IP cameras out there. True Hikvision situation is a little special and could be even said to be criminal but for the most part what is happening inside an IP Video Surveillance network is not well understood or even known by the vast majority of integrators.

The 'net is akin to the Wild West...It will take some time for us to truly come to term with those hacks and exploits... We all are threatened by this one way or the other. Buy American sounds nice but ... we all know this is not the solution ... Cybersecurity must be addressed or at the very least be a concern for integrators. I am not sure it is at this point in time.

Out of interest if the excuse is a "poor internet connection" how did they get the right version of xcode so quickly so as to bring out this new version? Can you get an internet connection this quickly installed in China?

Or did they use someone else’s, if so why wasn’t it used from day one (but that is still lame..)

Or is the excuse a lie.

Or did they go to another forum to download their development software.

It’s one thing compromising your own kit, another putting malware on users devices which phones home. With the Chinese government owning part of Hikvision this doesn’t look good..

Apple should ban them..

On a somewhat related note, Apple has listed the top 25 apps in its store hit by XcodeGhost