Hikvision Silent on "Bad Architectural Practices" Cybersecurity Report

By John Honovich, Published on Nov 14, 2018

A 'significant vulnerability was found in Hikvision cameras' by VDOO, a startup cybersecurity specialist. Hikvision has fixed the specific vulnerability but has ignored the various underlying problems VDOO has called out.

VDOO outlined 8 'bad architectural practices' in their report, recommending changes, including:

  • Hikvision's "use of appweb 3, specifically an old version of it – which has not been maintained for a long time...  is designated “end-of-life”, meaning that it will get no security patches."
  • Hikvision's "firmware file is encrypted using a symmetric encryption. That allows an attacker to open the firmware for research."
  • Hikvision's "firmware file is not digitally signed. This allows an attacker to repack a malicious firmware."
  • Hikvision's "usage of unsafe functions... The best practice is to not use any of the unsafe versions of the functions even if at a specific case it is safe, since using them regularly can lead to using them in an unsafe manner by mistake"
  • "Almost all the logic of the device is contained in one binary. When everything is in one binary there is less privilege separation, and it increases the attack surface."

Silent On Bad Architectural Practices

Hikvision USA sent an email to dealers reiterating that they fixed the vulnerability but they ignored VDOO's recommendations entirely.

Hikvision responded to IPVM, declining any comment on the bad architectural practices, citing the previous vulnerability notice that does not address VDOO's recommendations.

Transparency Commitment

Facing the fallout of 2017's backdoor and 2018's US government ban, Hikvision has emphasized that they will be transparent about cybersecurity to prove that they can be trusted. For example, their Cybersecurity Center page declares:

Hikvision makes the following commitments: ... we will continue to improve and use open and transparent methods so that users can assess Hikvision’s cybersecurity capabilities. [emphasis added]

Indeed, following the ban's passage, then Hikvision President of North America, Jeffrey He declared:

We want to be clear: security and transparency are our top priorities and part of our long-standing commitment to you [emphasis added]

Missed Opportunity

While Hikvision has concentrated on generic cybersecurity posts, like explainer videos and generic cybersecurity tips, they will not go into depth about real issues.

Hikvision had a great opportunity to prove its transparency on a concrete technical report from a cybersecurity specialist but has refused.

1 report cite this report:

UK Installer CCTV Aware - Flat Pricing, No Salespeople on Apr 10, 2019
This is a different kind of company. They do flat pricing, they do not have...
Comments (16) : Members only. Login. or Join.

Related Reports

School District Admits Not Following FDA Guidelines With 144, No Blackbody, Hikvision Fever Cameras on Aug 21, 2020
The Baldwin County School District has admitted it is not following FDA...
Faulty Hikvision Fever Cam Setup at Mexico City Basilica and Cathedral on Oct 14, 2020
Donated Hikvision fever cameras (claiming screening of 1,800 people/min. with...
Panasonic i-PRO Hid Huawei, Does Damage Control on Aug 21, 2020
Panasonic i-PRO hid their usage of Huawei from the public, continues to...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Verkada: "IPVM Should Never Be Your Source of News" on Jul 02, 2020
Verkada was unhappy with IPVM's recent coverage declaring that reading IPVM...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
UK Firm Markets False Fever Screening, Hikvision Disavows on Jun 30, 2020
A UK security firm falsely claimed its Hikvision-based thermal solution could...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers...
SIA: "Refrain From Working With Companies And/or Products That Are Implicated In Human Rights Abuses" Like Dahua and Hikvision on Aug 17, 2020
The US (Security Industry Association) SIA has taken a stand, declaring that...
Hikvision Alleges Forehead Only Fever Screening is Smart; It's Actually Dangerous on Oct 09, 2020
Forehead only fever screening violates global standards and increases error...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...

Recent Reports

ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...