Hikvision Silent on "Bad Architectural Practices" Cybersecurity Report

By: John Honovich, Published on Nov 14, 2018

A 'significant vulnerability was found in Hikvision cameras' by VDOO, a startup cybersecurity specialist. Hikvision has fixed the specific vulnerability but has ignored the various underlying problems VDOO has called out.

VDOO outlined 8 'bad architectural practices' in their report, recommending changes, including:

  • Hikvision's "use of appweb 3, specifically an old version of it – which has not been maintained for a long time... is designated “end-of-life”, meaning that it will get no security patches."
  • Hikvision's "firmware file is encrypted using a symmetric encryption. That allows an attacker to open the firmware for research."
  • Hikvision's "firmware file is not digitally signed. This allows an attacker to repack a malicious firmware."
  • Hikvision's "usage of unsafe functions... The best practice is to not use any of the unsafe versions of the functions even if at a specific case it is safe, since using them regularly can lead to using them in an unsafe manner by mistake"
  • "Almost all the logic of the device is contained in one binary. When everything is in one binary there is less privilege separation, and it increases the attack surface."

Silent On Bad Architectural Practices

Hikvision USA sent an email to dealers reiterating that they had fixed the vulnerability, but ignoring VDOO's recommendations entirely.

Hikvision responded to IPVM declining any comment on the bad architectural practices, citing only its earlier vulnerability notice, which does not address VDOO's recommendations.

Transparency Commitment

Facing the fallout of 2017's backdoor and 2018's US government ban, Hikvision has emphasized that they will be transparent about cybersecurity to prove that they can be trusted. For example, their Cybersecurity Center page declares:

Hikvision makes the following commitments: ... we will continue to improve and use open and transparent methods so that users can assess Hikvision’s cybersecurity capabilities. [emphasis added]

Indeed, following the ban's passage, then Hikvision President of North America, Jeffrey He declared:

We want to be clear: security and transparency are our top priorities and part of our long-standing commitment to you [emphasis added]

Missed Opportunity

While Hikvision has concentrated on generic cybersecurity content, like explainer videos and general cybersecurity tips, they will not go into depth about real issues.

Hikvision had a great opportunity to prove its transparency on a concrete technical report from a cybersecurity specialist but has refused.
