White House Proposes Blacklist of Dahua, Hikvision Users

By Charles Rollet, Published Feb 04, 2020, 01:09pm EST

The White House is proposing to blacklist Hikvision and Dahua users from federally-funded contracts, even if their use of this equipment is unrelated.

The new proposal, subject to public comment until March 22, uses the strongest language so far from the federal government, reflecting the Trump administration's broad interpretation of the NDAA's blacklist clause.

In this post, we examine this important development.


Comments (35)

Charles, good reporting!

Yesterday, when we reported on Axis citing NDAA as the reason for discontinuing Companion, even I thought that it was likely unnecessary. This indicates that Axis has real reason to be concerned. Imagine the far greater risks of most other surveillance camera manufacturers who have far more exposure to Dahua, Hikvision, Huawei.

Related: Stanley Makes "Multi-Million Dollar Investment" Into Banned Hikvision Products, Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity.

Agree: 3
Disagree
Informative: 3
Unhelpful
Funny

A distributor, such as ADI or Anixter that sells Dahua and Hikvision broadly to smaller commercial users. Does that count?

As someone who works in the Canadian market this is the most interesting component to me. I realize it's highly unlikely that these distributors would ever stop selling those products, but if they did it would make the Canadian market feel a lot more like the landscape that has developed over the last few years in the US.

Agree
Disagree
Informative
Unhelpful
Funny

As someone who works in the Canadian market

Anthony, thanks for your first comment! With the Canadian market, it raises another question - if a company uses or sells Dahua or Hikvision in Canada but does not sell or use it in the US, does that count? I don't know.

I do think it's possible, though unlikely, that some distributors, even ADI, might stop selling Dahua and Hikvision. As long as they could switch to other China manufacturers, they would still have a supply of low-cost products that budget buyers still want. Not saying this is a good or right idea and with the Coronavirus, not sure how much supply of other China products will be readily available. Quite a complex and challenging situation.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Thanks John.

This is definitely one of those situations that raises a lot more questions than answers and I'm sure someone could spend months working out the complexities like burden of proof and repercussions. To me at the end of the day it's just another hurdle in a growing list of reasons not to have any association with these manufacturers.

All that said I do feel for the sales teams on the front lines who are put in really difficult scenarios by all of this.

To your point there will always be demand in the SMB market for lowest cost products so I would be interested to see what, if any, new low cost options will emerge from all of this. With Axis discontinuing their companion line there is still Uniview and some others, but the industry is definitely being forced to change, at least North America.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Uniview ships a lot of HiSilicon SoC based cameras, which I expect would be covered due to the Huawei connection.

Agree: 7
Disagree
Informative
Unhelpful
Funny

UNV was born from Huawei/HiSilicon. Most of their executives were execs at HiSilicon and 3COM (3COM and Huawei have an interesting history, google it!). If my memory serves correctly 3COM and some other joint venture got rid of their security department and UNV was a spin off from that. They have deep connections to Huawei/HiSilicon. We know this because we were one of the first 3 major distributors "allowed" to import UNV when they made their entry into America and were actually serious about protecting their brand and the channel strategy. We had many meetings with their management about ownership and their history. We were excited because they were owned by Bain Capital at the time, which meant they were more than 90% American owned, that was very short lived though and they've been repeatedly sold to other Chinese companies a few times since then.

It will be interesting if America ever gets serious about the actual security concerns. If anyone plays in the stock market, and if our industry has any power to move the needle, I'd probably be looking into Mediatek (owner of MStar) right about now.

Agree: 2
Disagree: 1
Informative: 3
Unhelpful
Funny

How many of the other Chinese manufacturers are not using the Huawei chips though. Much harder for us integrators to determine this.

Agree
Disagree
Informative
Unhelpful
Funny

How many of the other Chinese manufacturers are not using the Huawei chips

Steve, good question. What makes it particularly tough is that this can vary on a model by model basis. For example, Axis had a few cameras using Hisilicon, recently discontinued. And Hikvision uses Hisilicon on some models, Ambarella on others etc.

And some non-Chinese manufacturers use Hisilicon as well.

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny

Agreed. I recently checked on some products from Digital Watchdog and they were forthcoming about which of their products contain Huawei chips and which did not. If I had not asked I would not have known.

There are some companies I would not trust to tell me the truth about their products - particularly some of these companies that assemble Hikua parts in the US and call themselves US manufacturers.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

I think I understand the rationale behind this, which is to punish Hikuawei as severely as possible through simple domestic policy. But I think this overreaches in typical paranoid American fashion. We know that Hikuawei have spy concerns, human rights issues, etc. but how much do you want to harm businesses over something that may be a non-issue depending on the matter at hand? Better yet, the doings of Hikuawei aren't even their fault in the first place!

It makes sense that anything government or infrastructure related shouldn't be using Hikuawei for communications or security, but this proposed policy sounds like a very broad brush they want to paint with. Concerns about suppliers using Hikuawei equipment should be evaluated case by case. Example, I have a small business. I make a unique product not found elsewhere, and let's say US LE agencies want to evaluate it. I use Hikvision cameras around the exterior of my house (where I have a "home office") to deter people from breaking into my vehicle and stealing my barbeque. Am I now disqualified from selling to US LE because of that?

I'm not a wealthy man. I bought Hikvision because it met my budget and performance requirements, and did so prior to all this drama. Why should I be punished for the bad behavior of a foreign, unrelated megacorporation that's on another continent and has NO relation to the kind of product I make? Furthermore I'd like to know how agencies plan to vet whether every supplier and business partner is a Hikuawei user?

Oh wait, we all know how that goes. NSA Intercept #3425-A32: suspect confirmed Hikuawei user, has one IP dome watching their home driveway. *A few minutes later* "FEDERAL AGENTS WE HAVE A WARRANT!! *dog barks* *RATATATATATAT* BREAKING NEWS - suspected Chinese spy and entire family killed in raid, clear case of self defense by officers...

Agree: 1
Disagree: 6
Informative
Unhelpful: 4
Funny: 4

From a hacking perspective, it kinda sorta makes sense to me.

Suppose I'm the evil mastermind who is secretly controlling China. For me, these cameras are an incredible delivery tool. All I have to do is pull a few strings and suddenly the next firmware update has some very targeted malware embedded. That's the fear that inspired the NDAA ban (unless you're a cynical person who thinks it was really all about money).

So what does that have to do with you? If you have anything to do with the U.S. government, you are on my hit list. Cameras at home office? Yes, please. Chances are you don't have much separating your camera network and your work network. I'll check out the router, do some fancy stuff (you forgot to update the firmware, so actually this isn't that fancy) and then I can look around for something interesting. Maybe I can get on your laptop. If you have a server, maybe I can get into that as well. The attack plan is infiltrate and pivot, infiltrate and pivot. Normally, I would be concerned about covering my tracks, but if it's just a home network, I'm not worried.

On your work laptop, I'll consider installing a screen sharing utility. (I already installed a RAT, so installing another utility is fairly simple.) I'll watch for a while and see how you interact with your government contacts. Is it by email? Great, I'll copy your writing style and send them one of my own, maybe from your account. Do you use a web portal? Cool, I'll log in there myself when you're not looking. Do you use a VPN to get into a partner level network? Suits me. I'll just use whatever means you use, and use that to get one step further. Then pivot, infiltrate, pivot, and so on.

Security of partners is a little bit out there, something most companies don't have to think about. But the U.S. government has slightly higher stakes, so even if it's a theoretical attack, they have to worry about it.

Agree: 15
Disagree
Informative: 11
Unhelpful: 1
Funny: 3

Ahh, that makes more sense to me now. I had always viewed the concern from a more direct perspective, e.g. using the camera stream to spy directly on whatever it's pointed at. In that sort of circumstance, Chinese spying doesn't seem quite as scary if it's pointed at my driveway.

The methods you describe (which, not being a hacker, I am unfamiliar with) are far more scary and certainly plausible. Thank you for the detail.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Furthering his point - how nice of the security industry to install all of these small, poorly secured Linux distributions that could be used as nodes in a botnet. I’d bet you could do some serious damage if they were used in a coordinated DDoS attack.

Just another potential attack vector.

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny

That's what happened on October 21, 2016. A botnet formed mainly by IP cameras and DVRs with XiongMai components attacked the Dyn DNS provider. According to Wikipedia, the attack took down Twitter, Reddit, Netflix, PayPal, and Amazon, among others.

Agree: 3
Disagree
Informative: 4
Unhelpful
Funny
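The two comments above describe an attacker pivoting from a flat camera network into a work network, and cameras being conscripted into a DDoS botnet. The defender's counterpart to both is enforcing and monitoring segmentation of the camera segment. The following is an added example, not code from IPVM or from any commenter: it reads constructed flow records (not captured traffic) and flags camera-initiated connections that break an assumed policy under which cameras may only reach the NVR over RTSP and one NTP server. The subnets, addresses, allowed ports and byte threshold are assumptions for the example.

```python
"""Flag camera-network traffic that breaks segmentation policy.

Added example; not from the IPVM post or any commenter. Assumed site layout:
cameras on 10.10.0.0/24, the NVR at 10.10.0.250, an internal NTP server at
10.0.0.53, office workstations on 10.20.0.0/24, everything in 10.0.0.0/8
considered internal. The flow records below are constructed, not captured.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

CAMERA_NET = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# (destination, port) pairs a camera legitimately needs; everything else is a finding.
ALLOWED_PEERS = {
    (ipaddress.ip_address("10.10.0.250"), 554),  # RTSP stream to the NVR
    (ipaddress.ip_address("10.0.0.53"), 123),    # NTP
}
HIGH_VOLUME_BYTES = 50_000_000  # assumed threshold for "this looks like DDoS output"

# Constructed flow records: src dst dport proto bytes
FLOWS = """\
10.10.0.21 10.10.0.250 554 tcp 8123000
10.10.0.21 10.0.0.53 123 udp 96
10.10.0.22 10.20.0.15 445 tcp 2048
10.10.0.23 203.0.113.9 23 tcp 512
10.10.0.23 198.51.100.77 53 udp 120000000
10.20.0.15 10.10.0.22 80 tcp 4096
"""


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    kind: str


def parse_flows(text):
    """Parse whitespace-separated flow lines into typed tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), proto, int(nbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, dst, dport, nbytes):
    """Return a finding kind for a camera-initiated flow, or None if it is allowed."""
    if src not in CAMERA_NET:
        return None  # only traffic originated by cameras is policed here
    if (dst, dport) in ALLOWED_PEERS:
        return None
    if dst in CAMERA_NET:
        return "lateral_in_segment"      # camera talking to another camera/NVR port
    if is_internal(dst):
        return "lateral_to_internal"     # the pivot path the comment describes
    if nbytes >= HIGH_VOLUME_BYTES:
        return "high_volume_egress"      # botnet/DDoS participation pattern
    return "unexpected_egress"           # e.g. outbound telnet/C2 to the internet


def analyze(text):
    findings = []
    for src, dst, dport, proto, nbytes in parse_flows(text):
        kind = classify(src, dst, dport, nbytes)
        if kind:
            findings.append(Finding(str(src), str(dst), dport, kind))
    return findings


def summarize(findings):
    """Count findings per kind; handy as a per-day metric."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in analyze(FLOWS):
        print(f"{f.kind:22} {f.src} -> {f.dst}:{f.dport}")
    print(summarize(analyze(FLOWS)))
```

The allowlist and threshold are where a site's real policy goes; a camera that should only ever stream to its NVR has no business opening port 445 to an office host or pushing a hundred megabytes at an external DNS server, and the third flow in the sample is exactly the "camera network not separated from work network" case the comment warns about.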

Interesting possibility for sure. However if they're implementing it this broadly how are they going to prevent every US government supplier and all their employees from buying the $300 Costco camera kits, $20 Wyze cameras off Amazon, or any of the other millions of action cameras, drones, Android TV boxes, and various other devices that are using Hisilicon chipsets? There are millions (maybe billions?) of devices with these chipsets that no one knows about including the people selling them.

Agree: 2
Disagree
Informative
Unhelpful
Funny

how are they going to prevent every

An analogy to seatbelts is useful here. One could say that a law requiring using seatbelts is ridiculous because surely you’ll never be able to get everyone to wear seatbelts. On the other hand, the fact that there is a law and even some enforcement, has the net effect of making the desired action much more likely. So looking at our industry’s example, increasing the risk of penalty will make many actors take the desired effect. Agree/disagree?

Agree: 8
Disagree
Informative: 1
Unhelpful
Funny

Sounds like using the HIKUA security weakness helps open the door to the real weakness, Microsoft Windows...

Agree: 2
Disagree
Informative
Unhelpful
Funny: 7

Int #5 is correct. Please understand that I'm not a paranoid guy. This is just the world we live in. And make no mistake about it, our "trading partners" are most certainly also our enemies, now and in the future. Further aggravating the fact (and the behavior) is the fact that the Chinese are largely a secular bunch and, for the most part, "biz-think" with no moral or ethical interlace whatsoever. When it comes to both business and espionage, the Chinese Government's conscience doesn't transmit back to the PLC.

Agree: 1
Disagree
Informative
Unhelpful
Funny

A few other questions related to this discussion. How far back are they going to go with this?

-Is this only going to be looked at for the timeline since the NDAA ban went into effect?
-What about equipment sold prior to that point?
-What about equipment sold under a name (such as Axis) that the installer/end user/integrator did not know had the hisilicon chipset?

Agree: 5
Disagree
Informative
Unhelpful
Funny

Good questions, but the truth is that we still have little clarity on what the government means by "uses." It could apply to equipment sold prior to the NDAA or it could not, although the present tense "uses" hints that it's not retroactive, and I think it's unlikely to be. To be completely sure, we'll have to wait for more implementation details, which will happen in the coming months when the FAR rule is released and when the OMB publishes its revision.

Regarding an integrator who didn't know about HiSilicon chipsets - not knowing something is not a legal excuse. Claude Chafin, a spokesperson for the Congressional committee which drafted the NDAA, told IPVM in 2018:

If a company has an end item with Hisillicon chips that they sell to anyone, they will be unable to do business with the federal government.

Agree
Disagree
Informative
Unhelpful
Funny

I kinda saw this coming, and have been using this as a talking point for some time with existing and potential clients. Eventually, the tentacles of this will go very deeply down the food chain to a point where anyone whose business touches the federal government will have to certify NDAA compliance under penalty of law. I'm all for it.

Agree: 3
Disagree
Informative
Unhelpful
Funny

How do your clients respond? A small amount of ours actually care about security concerns and even less care about the human rights problems. Some people were actually upset that we issued a stop-ship (awaiting a firmware fix) on all Dahua after the Mirai botnet was made public. They really didn't care that nearly the moment you plugged in a factory-default DH IPC it was compromised (tested and proven by our CTO).

Agree
Disagree
Informative: 3
Unhelpful
Funny

My larger clients react as I would expect, or hope they would. Transportation, county government, those types. My firm does a LOT of work in Multifamily housing, and I don't get any real sense of urgency from them. That industry is very bottom-line oriented but little by little they are starting to turn away from the iceberg. Same here, the human rights element is low on the totem. The cost curve has been so artificially low for so long, that capital budgets reflect how the bigger firms have been getting (my opinion) screwed by the small guys with little overhead. We spent some time trying to get "real" product into engineering specs in the front end, because some low-information chap can just swoop in and beat us, price-wise. It all means I have a large amount of time investment in educating end users about how this issue will affect them long term. I appreciate your posts, BTW, very informative!

Agree: 4
Disagree
Informative: 6
Unhelpful
Funny

I can concur that this is also our experience. I think the technology is so common (I often joke our industry has been commoditized) that selling is less on the technological specs these days and more in the education/value realm. Thanks for the kind words too! I'm glad they prove useful sometimes!

Agree: 2
Disagree
Informative
Unhelpful
Funny

If I had a nickel for every time I heard "so who cares if the Chinese can watch my cameras", I would have... almost enough money to buy a small coffee. A nickel really isn't very much these days.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

I identify and agree, Brian and Zachary, with all of your points.

I think the topic of effective education, for those users who are willing to listen, has become the differentiation between selling cameras and proposing a solution.

In my experience security is almost always heavily weighted toward the bottom line as it is rarely a revenue generating tool so the old "as long as it works" mentality is very common.

The gaining momentum of cyber security awareness, at least among enterprise technology teams, should slowly start to help us fight the good fight and make the customers more inclined to listen to and understand how these vulnerabilities affect their overall health as an organization, but it will still take some time.

Agree: 5
Disagree
Informative
Unhelpful
Funny

Can't agree more.

Agree
Disagree
Informative
Unhelpful
Funny

How long before we can expect the manufacturers to actually let us know if a Huawei chip is in their camera or if the camera itself is a Hikua OEM?

It is discouraging not really knowing what is in the camera and whether it is ok or not. Would be nice if there was a standard the cameras could meet and advertise meeting... if you can trust the manufacturers to tell the truth.

Maybe the IPVM security standard...just kidding. But something similar to a certifying organization like ONVIF but for security standards.

I expect my kickback if anyone does this.

Agree
Disagree
Informative
Unhelpful
Funny

We started moving away from HIKVision/Dahua 4 years ago. At first we moved to an OEM. Then as time went on we started selling less and less. At this point we have almost no products (containing computer chips) in our inventory that are made in China. We won’t get out of China for things like door contacts, resistors or power supplies I’m sure. But as far as cameras go. We’re out.

I do have a separate LLC that sells DIY alarm systems. We use Alula over there and they do OEM HIKVision. This is unfortunate but almost unavoidable. Most alarm panel manufacturers are OEMing HIKVision still. But that is a totally separate company working in a totally separate office.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Most alarm panel manufacturers are OEMing HIKVision still.

Are you talking about video or do you really mean Alarm panels? I have not heard of any company OEMing HIKVision alarm panels

Agree
Disagree
Informative
Unhelpful
Funny

I do mean alarm panel manufacturers. Companies like Alula, DMP, Honeywell, ADC and others are using Hik cameras for their alarm apps.

Agree
Disagree
Informative
Unhelpful
Funny

Ok thanks, I understand what you mean now. I thought you meant that the alarm panels themselves were being made by HIK

Agree
Disagree
Informative
Unhelpful
Funny

If government has discovered any intentional maneuvers from the Chinese government to bring economic damage or intelligence threats using the products to spy etc., then they should restrict the distribution of the products. Controlling the users is unjustifiably large control over too many processes, people and spheres of operation, for solving the declared issues.

Agree: 2
Disagree
Informative
Unhelpful
Funny

They should also ban their OEM/ODM customers from selling in the US

Agree
Disagree: 2
Informative
Unhelpful
Funny

Update: Marco Rubio and another Senator, Ben Cardin (D-MD), have sent a letter to the White House's OMB asking that they set up special/separate "processes" for small businesses to comply with the blacklist clause:

we respectfully request that you ensure that any regulations established to implement section 889(a)(1)(B) of the FY2019 NDAA include explicit processes by which small business contractors can examine their supply chains and efficiently become compliant.

The letter doesn't give more details on what these processes would actually look like, or how they define "small business".

Still, if granted, this request could make things easier for some integrators without access to lawyers/compliance people.

Agree
Disagree
Informative: 2
Unhelpful
Funny
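Several comments in this thread ask how an integrator can tell whether a product is covered when the brand on the box is not the maker (OEM rebrands, HiSilicon SoCs inside non-Chinese brands, vendors who only disclose when asked), and the Rubio/Cardin letter above asks for a process by which small contractors can examine their supply chains. As an added example (not IPVM's code or any commenter's), the script below does the bookkeeping half of such a process: it walks a vendor-relationship graph upstream from each inventory item and reports whether the chain ends at a covered entity, at a vendor that has attested its origin in writing, or at nothing at all. Only Hikvision, Dahua, Huawei and HiSilicon are real names, and the HiSilicon-to-Huawei link is the one the thread states; every other vendor, asset and relationship is a constructed placeholder.

```python
"""Trace inventory items upstream to see whether they reach a covered vendor.

Added example; not from the IPVM post or any commenter. All vendors and
assets other than Hikvision, Dahua, Huawei and HiSilicon are placeholders.
"""

# Entities named in the post as covered under the NDAA section 889 clause.
COVERED = {"Hikvision", "Dahua", "Huawei"}

# Relationship edges: entity -> (relation, upstream entity).
# HiSilicon -> Huawei is taken from the thread; the rest is constructed.
RELATIONS = {
    "HiSilicon": ("subsidiary_of", "Huawei"),
    "Brand-A (placeholder)": ("oem_rebrand_of", "Hikvision"),
    "Brand-B (placeholder)": ("uses_soc_from", "HiSilicon"),
    "Brand-C (placeholder)": ("uses_soc_from", "SoC-Co (placeholder)"),
}

# Entities whose origin the vendor has attested in writing (constructed).
ATTESTED_CLEAR = {"SoC-Co (placeholder)"}

# Constructed asset inventory, as an integrator might keep it.
INVENTORY = [
    {"asset": "lobby-cam-01", "brand": "Brand-A (placeholder)"},
    {"asset": "dock-cam-04", "brand": "Brand-B (placeholder)"},
    {"asset": "yard-cam-02", "brand": "Brand-C (placeholder)"},
    {"asset": "nvr-01", "brand": "Brand-D (placeholder)"},  # nobody has asked yet
]


def trace(entity):
    """Follow relationship edges upstream; return (terminal entity, chain)."""
    chain = [entity]
    seen = {entity}
    while entity in RELATIONS and entity not in COVERED:
        relation, upstream = RELATIONS[entity]
        if upstream in seen:
            break  # defensive: malformed or cyclic vendor data
        chain.append(f"{relation} -> {upstream}")
        seen.add(upstream)
        entity = upstream
    return entity, chain


def classify(brand):
    """covered / clear / unverified, plus the evidence chain behind the verdict."""
    terminal, chain = trace(brand)
    if terminal in COVERED:
        return "covered", chain
    if terminal in ATTESTED_CLEAR:
        return "clear", chain
    return "unverified", chain  # absence of data is not evidence of a clean origin


def audit(inventory):
    report = []
    for item in inventory:
        status, chain = classify(item["brand"])
        report.append({"asset": item["asset"], "status": status, "chain": chain})
    return report


if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(f"{row['asset']:14} {row['status']:10} {' | '.join(row['chain'])}")
```

The third status is the point of the exercise: an item whose origin nobody has documented is not "clean", it is unverified, which is exactly the situation the Digital Watchdog comment describes (if you had not asked, you would not have known). Real use means populating the relationship table from vendor attestations and keeping the written evidence alongside it.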