WSJ Investigates Hikvision

By: John Honovich, Published on Nov 13, 2017

The Wall Street Journal (WSJ) has released a detailed investigation into Hikvision's government ownership and cybersecurity problems, hitting the paper's front page.

Given the WSJ's global readership (42 million monthly readers, 2+ million paid subscribers), the paper has the reach to make Hikvision's actions known to powerful political and business leaders globally.

Growing Global Investigations

This adds to a series of global publications investigating Hikvision, including:

US Gov Official 'Stunning'

The WSJ quotes the chairperson of the "U.S.-China Economic and Security Review Commission, which was created by Congress to monitor the national-security implications of trade with China" on Hikvision saying:

The fact that it’s at a U.S. military installation and was in a very sensitive U.S. embassy is stunning. We shouldn’t presume that there are benign intentions in the use of information-gathering technology that is funded directly or indirectly by the Chinese government.

The risk is severe for Hikvision. The US government already bans Huawei equipment. By contrast, Hikvision's government ownership and control is far more direct and clear than Huawei's. To the extent that the WSJ has made this a public issue, Hikvision risks greater regulation, barriers or even outright banning.

Cybersecurity Problems for Hikvision

Not only did the WSJ investigate Hikvision's government ownership, they tracked their cybersecurity problems, noting and citing IPVM:

The Hikvision flaws identified by the Department of Homeland Security affected more than 200 camera models and potentially tens of millions of shipped devices, estimates John Honovich, editor of IPVM. They made it possible for outsiders to hack into internet-connected Hikvision cameras in just a few steps, according to Mr. Honovich and FireEye, the cybersecurity firm. Hikvision acknowledged the flaws affected some cameras, but dismisses Mr. Honovich’s assertions as “unfounded insinuations and hearsay.”

Hikvision's cavalier response is easily disproven, since our analysis is grounded in (1) their own admission of the backdoor 'flaw' impacting multiple series of IP cameras over multiple years of firmware, (2) their claims of producing 55 million cameras in 2016 alone, and (3) the DHS advisory on Hikvision, which we easily demonstrated 'in just a few steps' in this video:

More Problems Cataloged By WSJ


Comments (125)

This story is on the front page of the Wall Street Journal today, just picked this up on my morning coffee run:

Uh oh, wrong side of the WSJ. Left side good news, right side bad.

I think "good news" and "bad news" can be somewhat relative on this one.

Unless they reached out and interviewed Marty, this is just more one-sided fake news ;)
Thanks to Brian and John and the rest of the IPVM team for being one of the first if not the first to highlight this significant threat. Too many integrators look at the low cost and don't care because they think they must use HIK now to compete. Wait till they get a foothold into the access control market and then have a worldwide database of names to collect while destroying the profit margins for many companies in the marketplace. Your dollars today will help subjugate many in the future.
They covered this on Fox News this afternoon and referenced the WSJ article .... did anyone else see this? I don't think they really made too big a fuss about it other than questioning the obvious, i.e. why are these cameras being installed in the U.S.? The reporter chalked a lot of it up to stretched end-user budgets.

Stay vigilant, my friends...

Don't you think the onus is also on the integrator to secure the network, both local & wide area, to ensure that the camera or recorder is not exposed to outside threats? I keep reading about Hikvision having backdoors and other weaknesses in their software; this can or could be prevented by securing their network.

Is there an onus also on the integrator to ensure that their installations are also up to date with the latest firmware?

Hikvision's latest firmware has now turned off ONVIF connectivity to further improve their security and this also had negative exposure by IPVM due to Hikvision's lack of notice to the industry. Don't you think that reading the release notes is important when using new firmware!

I work for a distributor that sells Hikvision and I'm not going to sit here defending them, but do some investigating on other products and you will find numerous firmware updates that fix security flaws.

Hikvision makes a very good product at a price where everyone has to sell even more to make a profit. I feel that there is a campaign by non-Chinese entities to protect their market share. This would be charging extra for camera licensing for Hikvision cameras or continual negative releases by media.

Don't you think the onus is also on the integrator to secure the network, both local & wide area, to ensure that the camera or recorder is not exposed to outside threats?

Absolutely, but at the same time, it is very difficult to secure a network when you are not given a full understanding of the risks presented by the devices attached. A fair assumption of course is to always assume everything is compromised, but practically speaking if you are dealing with cost-conscious buyers (which I would argue is the majority of Hikvision's market), you are going to have to make compromises on equipment and time invested in securing the system.

Hikvision's latest firmware has now turned off ONVIF connectivity to further improve their security 

Why? Are you/Hikvision saying that ONVIF implementations are inherently insecure? If so, they should publicize that so that the industry as a whole can understand the risks and make appropriate adjustments. Otherwise, it makes it appear more that Hikvision's specific ONVIF implementation is insecure.

you will find numerous firmware updates that fix security flaws.

A better approach would be to not have so many security flaws in the first place, yes? This is like a "lifetime warranty" on a cheap tool. I would rather pay a little more for a quality tool that does not break every time it is used, causing me to have to stop working, drive to the store, get a replacement, then come back and attempt to finish the job.

Hikvision make a very good product at a price where everyone has to sell even more to make a profit.

Are you referring to integrators having to sell a lot more product to make up for the fact that their profits are reduced (cheaper cameras = less net profit per camera, assuming similar markup)? This does not seem like a good thing.

Did you miss the massive issue with ONVIF?

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions

No, we did not miss it, we covered it first: ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered.

You will note that Hikvision claimed this vulnerability did not affect them. Also, it was patched, which would mean they should not have to disable ONVIF due to this even if it turned out they were using the gSOAP toolkit affected.

It is also worth noting that was not an issue with ONVIF specifically, but with a toolkit vendors could use to implement portions of ONVIF in their products.

Also, the gSOAP toolkit developer released specifics on the affected code, and how to patch it. This made it easier for users of the product (or users of affected products) to better assess their own risk and implement potential security work-arounds to reduce (or prevent) chance of exploit. 

In all honesty I did not check if there was an IPVM report so my bad on that one. The point that I agree on with UD2 is that even widely used solutions like ONVIF can have issues. Are they inherently insecure? No. Are they inherently secure? Also no.

I am not trying to advocate Hik is safe or safer than others. The point I made in other topics is that any IT device needs a lot of attention to be safe. Like a printer, a laptop, or any camera.

I am not trying to advocate Hik is safe or safer than others. 

But what you are effectively advocating is that all products are equally insecure / potentially vulnerable so stop picking on Hikvision.

The problem for the position you (and many other Hikvision partners) are espousing is that (1) the Hikvision backdoor was especially easy to exploit (unlike the gSOAP one), and (2) Hikvision has a far lengthier / more serious track record of cybersecurity issues than its rivals (save, of course, Dahua).

Finally, (3), and you can certainly not care about this one, but certain countries are going to find manufacturers whose controlling shareholder is an authoritarian government who conducts active cyber attacks as another risk factor that ONVIF or Milestone or Hanwha or whomever lacks.

Your spirited reply shows the overall theme. I am not looking for a fight or an argument. If you want me to say you're right, just let me know where to insert the comment.

I specifically say I am not advocating pro Hik, so don't explain to me why my view is wrong; you don't know my view.

And last but not least, I agree with your premise that in some parts of the World a Chinese producer will meet more scrutiny.

Then again, just youtube some interviews with William Binney about the treasure map system by NSA. Knowing who lives where, what they make, how they vote, where they are real-time etc etc etc.
Using that info is scary, just like a communistic regime is scary.
Frankly speaking, I am glad I live in neither.

On (3), sure, totally understand and I've said this before that the Chinese government would be foolish to buy any network surveillance equipment from suppliers with foreign government control.

Jonathan, you skipped over my points (1) and (2). I want you to defend your position with an intellectually rational response.

Again, (1) the Hikvision backdoor was especially easy to exploit (unlike the gSOAP one), and (2) Hikvision has a far lengthier / more serious track record of cybersecurity issues than its rivals (save, of course, Dahua).

Yes, we should pay attention to the safety of all devices, but the safety of devices is made harder when suppliers have a history of specific, egregious problems. Yes/no?

If it wasn't clear in the previous comments let me be more clear:

- I am not looking for a discussion on this. I know your view and can anticipate the comments. It has all been said and done in many other topics. No need to do that all over again
- I did not espouse the position you say I take, that's your assumption.
- It's fine you want me to defend my position. I respectfully decline. Please see point 1.


I answered Brian in a topic, not you. I did not address you, nor did I pick a fight. Let's bury it here and now and get back to more important things, which we both have. I won't be answering in this discussion anymore.

I am not looking for a discussion on this.

But what you were clearly looking to do is to criticize us with your erroneous opening salvo:

Did you miss the massive issue with ONVIF?

Jonathan, that showed that not only did you not understand the 'issue with ONVIF' (which clearly was nowhere comparable to Hikvision's backdoor) you were too lazy to spend the 5 seconds checking whether or not we covered it before you leveled it against us.

You are welcome to comment on IPVM but if you do choose to, for your own sake, do your homework first.

Frequent firmware updates are a good strategy if Hikvision's frequent security issues are merely caused by their incompetent engineering.

If, however, their frequent security issues are deliberate, and Hikvision is being used by the Chinese government as a Trojan horse to gain access to security networks all over the globe, then you can't rely on firmware updates to protect your customer, as Hikvision is only going to release a firmware update when bad publicity forces them to.

In other words, you're assuming that Hikvision doesn't know about the security holes and fixes them as soon as they find them. What if they put them there on purpose, and leave them there as long as they can?

What if the update is the security problem?    

The best way to respond to this is to invest heavily into cyber security with the ultimate goal of making the most secure product on the market. Public disclosure of steps taken to achieve this need to happen swiftly and often.

Of the 5% who voted positive: Can anybody detail in the comment section how the impact of this article by WSJ is positive for Hikvision?

I imagine the response will be something along the lines of "any publicity is good publicity"...

I voted negative, but they could become a household name with this coverage. That usually takes many millions in advertising. This coverage didn’t cost them a penny up front. The back end is yet to be seen. 

they could become a household name with this coverage. That usually takes many millions in advertising. 

JD, the glass is not 9/10th empty, it is 1/10th full :)

Let's keep in mind, Hikvision has the money to do that (e.g., $6 billion, etc.) so it is not cash that constrains them from pursuing this directly.

The problem for Hikvision is how the WSJ told the story.

If the WSJ was like a paid-off security industry trade magazine, the 'story' would have been about a bunch of rag-tag peasant engineers, who by sheer determination and brilliance, built the largest and most high technology security manufacturer in the world. But the WSJ did not run that 'story'. Their story was about a company backed by an authoritarian, repressive government who has cybersecurity problems. This is not the story Hikvision wants.

As a sign that Hikvision recognizes this, notice how Hikvision and their employees have been silent on social media. Let's give it a week but I bet Hikvision either says nothing about the WSJ story or criticizes it. You on?

Heck, I can’t really even argue anymore. Hikvision is likely to stay the course. They haven’t handled many of these events well, IMO. That’s not to say that I don’t like their products, I do for the most part. Obviously this level of bad news will be hard to overcome. 

Its one thing to have a blogger say bad things about you....

Its one thing to have a blogger say bad things about you....

Thanks, buddy! I gave you an informative and a funny :)

I do agree that mainstream press impact is far more severe than IPVM, because not only does it validate what we have been saying, it exposes them to powerful government and corporate people who would never read any niche industry specific site.

It’s industry-level reporting like IPVM that lays the foundation for the MSM to take the story to the masses. They couldn’t possibly know enough about the insides of the industry to make heads or tails, let alone dig deep for the good bits.

Tip of the hat.

John D,

WSJ article/news will die like any other news :)

WSJ article/news will die like any other news :)

Yes, until the next article/news/event. Any one event can be handled but the stream of ongoing ones is a material problem for Hikvision.

#13, as a Hikvision proponent, what do you advise them to do?

They are multi-billion company

They will do whatever they want

They DO NOT need MY or YOUR advice

Let's talk about IPVM 

You attack/criticize all the time

How about teach people about network security and etc...

How about teach people about network security and etc.

Isn't informing people about government-owned IOT devices with many cybersecurity issues teaching people about network security? 

There is a big difference between "informing" and "teaching"

It’s obvious you don’t have anything of substance to add and are just trolling.

just trolling

I support #U13. It is important to have detractors. While he is not capable of producing his own insights or coherent analysis, he does importantly represent a part of the industry and an opposition to IPVM, so #13 keep on doing it!

“While he is not capable of producing his own insights or coherent analysis...”

That seems like a polite backhand. Lol

It’s obvious you don’t have anything of substance to add and are just trolling.

Don’t be so harsh on #U13; he’s not just any old troll, he’s an icon.

Chumming on the sea of IPVM for years, since the very beginning in fact, he has reliably called out the towering hypocrisy of IPVM time after time.

Somehow he manages his revulsion to the site enough to stick around; and at no small personal expense either!

So next time you run into a combatant undisclosed Troll, first check and see if the sentences lack periods.  Then show some respect ;)

Noted :)

We both inform and teach.

We inform on various manufacturer vulnerabilities - Axis Camera Vulnerabilities From Google Researcher Analyzed, FLIR Thermal Camera Multiple Vulnerabilities, Uniview Recorder Backdoor Examined, Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits, etc.

We teach, including our IP Networking 2017 Book, VPNs for Video Surveillance Guide, our 200+ tutorials, our 3 courses in IP networking, cameras, and access control, etc.

If it was not for IPVM, 90% of this industry's media would literally only blab on about "don't use default passwords, upgrade your firmware" and other pablum.

To teach, you need to inform. But to learn, one needs to accept that information.
Teaching and informing are the same action on the giver's part.

Never saw you post before - but I like your words so much I gave you an Informative and an Agree.

I almost replied to the first comment about informing and teaching being different, but I would've been annoyingly snarky in my response and readers could easily have been deflected from my point.

So thanks for posting that comment like an actual adult.  : )

but they could become a household name with this coverage. That usually takes many millions in advertising. This coverage didn’t cost them a penny up front. The back end is yet to be seen.

Yea, the "any publicity is good publicity" angle has worked really well for folks like Martin Shkreli, Harvey Weinstein & Jeffrey Dahmer, so why not Hik?

:D 

The Daily Caller has also picked up the WSJ coverage of Hikvision.

They are most likely thinking that now that this is an 'event' there will be more investigative information and at the end of the day someone will most assuredly look silly when it is determined that Hikvision had no 'ulterior motives' in mind and all of the cyber-security problems are no different than any other company may have that produces millions of cameras and like products across the world.

all of the cyber-security problems are no different than any other company

This is just factually incorrect. While Hikvision is not the only company to have had cyber security issues, the number of issues they have had, the ease of exploit, and the breadth of products affected is so far unmatched and rivaled only by Dahua.

Wow did he really just say that?

I want to know if the GSA is holding the contractor who originally listed the products on Schedule 84 accountable. They deliberately lied to the Federal Government, asserting the product was Made in the USA (implying that they were refurbished is a stretch any way you put it). To be clear, this isn't a "left/right" issue, it's the "legal" standing of China. It's not considered a MFN (Most Favored Nation) and the law is clear that the use of Chinese-made products (unless substantially transformed in the US) is against procurement code.

Clearly, this is only the tip of the iceberg. As many people may not know, the GSA is an acceptable procurement mechanism for multiple state and local governmental entities. In jurisdictions where they require "open" procurement, you cannot buy off of the schedule; however, that is not the norm. Most locales can purchase off of GSA. So, the implication is that there may be many 1000s more of their products in SLED (State, Local / Educational) locations. That's disconcerting to say the least.

It would behoove the GSA to send out a note, pursuant to their cancellation, to all parties that have purchased or implemented this solution.

I want to know if the GSA is holding the contractor who originally listed the products on Schedule 84 accountable. 

Based on our experience/communications with GSA they do not seem to hold sellers accountable in any way beyond asking them to remove the listings.

I was contacted by a WSJ intern in Hong Kong about this story a few months ago and I decided not to follow up with them due to a concern for the legitimacy of the call as well as potential negative after-effects of being named in an article like this. I still think it was the right choice for my company, but I wish I hadn't in some respects because I haven't shied away from criticizing Hik in other publications.

I got the same call and also chose not to respond.

Did you get the heebie jeebies from that call too?

No, it wasn’t the first. Just chose to take the high road. 

Do we have a comprehensive list of cameras with vulnerabilities?

They all have a similar marking.  It says "HIKVision".

Actually that is only partially correct. Had the WSJ done adequate due diligence it would have also included these https://ipvm.com/reports/hik-oems-dir Fake news!

You need to turn in your license if you are buying and selling/installing this junk!

License? What is this license thing you refer to?

You mean to tell me IPVM is actually on to something with all of this silly HikVision bashing? (Bring on the Unhelpful votes) Honestly, IPVM should get some kind of vindication here. The Govt ownership and much worse than avg security record is a legitimate concern. Good job guys for sticking to your guns.

Uh-oh, if they have any employees in China they should expect a few months of government re-education.

Not because of this article, but a new hospital we just took over was instructed to remove all Hikvision cameras from the network after an "issue" they had last week. The head of security told me today to come up with a plan to replace all the Hikvision cameras on the network, which came down from IT.

We were subs on one project that paid us to take out the Hikvision cameras that we had just installed less than a year ago. We replaced them with Avigilon cameras, per their wishes. So I do know it’s a real thing. Just seemed silly to us to change your mind so quickly. But hey, I will take the work. ;)

I didn't know you were an Avigilon partner :)

We were a sub for one in this case. 

Paid to remediate a situation you created....... holy cow I think I just realized Jon's genius! You really are laughing your way to the bank!

You are my butterfly. :)

It is not like Avigilon is particularly discriminating as of late.

How could anybody vote Unhelpful on that post...baffled I am...

I worked for a company that installed mostly HikVision, across multiple states.

I sold numerous systems, as did many other salesmen, over the past 3-5 years.

I read a post on LinkedIn that led me to IPVM over the summer. One of my customers asked me to add another camera to a 32-camera NVR. So we installed it on Oct. 28th. The same day IPVM posted an article about the firmware update, he called back with an issue of not being able to view the new camera on the iVMS. On Halloween we spent hours reinstalling the software and reloading all user accounts and passwords. It is my belief that this company will become very concerned about the systems' vulnerabilities.

I read the WSJ last year, every day, from Sep to Nov. I especially read letters to the editor with regards to editorials and story content. Many, many powerful and well-connected people care about what is written in that paper. This story will have legs.

I can see how the Hikvision ownership structure can be alarming to people. That, combined with the cyber security problems they have had recently.

There is some fear that the back door was intentional, which raises some concern. But this is where good common sense should come into play. Here are my rhetorical questions that I would ask the concerned person:

- If they really wanted an intentional backdoor, why wouldn't they put it in the DVRs, which would have made way more of an impact? Instead, the "backdoor" was on cameras, specifically cameras that were port forwarded and had old firmware. While not rare, this is for the most part an unlikely scenario. Nothing like the Dahua Hack-a-thon that happened recently.
- As far as the Chinese peeking in on you: do you really think the Chinese govt cares about what you are doing at your house or business? Do you think they have the time to spy in on you to see whether you are mowing your lawn or picking your boogers? What intel can they gather from your boogers?
- If you are concerned about the Chinese using the devices as botnets, I again refer back to my first question.

Admittedly, I think Hikvision makes a great product, but they simply put cyber security as a very low priority in previous months/years. Matter of fact, I think a lot of Chinese manufacturers think this way. It's just until recently that they have woken up to the fact that cyber security is important. However, I don't think anything is intentional.

Nonetheless, Hikvision will definitely need to respond to this WSJ article. Silence will simply raise more concern. I can understand Hikvision calling IPVM silly, but you can't do this with the WSJ. This is where a good Americanized crisis writer/press relations person comes in. I think they need to respond in a humble way, admitting their mistakes. I fear the humble tone may be a difficult move for Hikvision, as they put a lot of pride in their work and admitting mistakes is not their forte. Nonetheless, it needs to be done. They need to admit their mistakes, then inform what has already been done to take care of the issues and what is in the works to continue to make their products secure, and inform that cyber security is a much higher priority than it has been in the past. Wording all this properly is where a good press relations person comes into play. If you can word this well and let everyone know you are making the most secure product on the planet, this will blow away in no time.

Again, the NVR has an internal router that allows access to the cameras. The NVRs have had vulnerabilities also...

Also, if by pride you mean arrogance, your statement would be more accurate. 

I don't disagree with your arrogance statement. A lot of humility will go a long way in this scenario and will be a great step forward for Hikvision in dealing with this issue. Humility will capture back some trust lost.

Yes, but again the vulnerability only exists on cameras that are specifically port forwarded on a router that is open to the internet. This would pretty much never be the case on cameras that are connected to a PoE NVR.

If they really wanted an intentional backdoor, why wouldn't they put it in the DVR's which would have made way more of an impact.

How do you know there is NOT a backdoor on the recorders? Just because it has not been discovered (or published) yet is not proof it does not exist.

I am not claiming there specifically IS a backdoor, but unless Hikvision chooses to release the code for analysis, you can not be certain no such backdoor exists just because it has not yet been seen.

There are many things one can speculate on. How do you know there is NOT a backdoor on any manufacturer? How would you answer this question if Hikvision asked you: How do we know that some of IPVM's undisclosed posts are not actually IPVM employees?

Again, common sense prevails here. If Hikvision was stealthy and smart enough to hide a backdoor in their recorders that no one has found yet, then why on earth would they make a vulnerability that was so obvious on their cameras? Why wouldn't they just duplicate the super stealthy intelligent backdoor to their cameras instead of leaving open a blatantly careless vulnerability that was easy to find?

Again, they made a careless mistake and put a very low priority on cyber security in the past. Thankfully, they are being more proactive now on cyber security as opposed to reactive. This is where Hikvision is different now as opposed to where they were in the past, and they need to better communicate this stance. 

Again, common sense prevails here. If Hikvision was stealthy and smart enough to hide a backdoor in their recorders that no one has found yet, then why on earth would they make a vulnerability that was so obvious on their cameras? Why wouldn't they just duplicate the super stealthy intelligent backdoor to their cameras instead of leaving open a blatantly careless vulnerability that was easy to find?

But it wasn't easy to find. It took a skilled researcher who was specifically evaluating the product for vulnerabilities to exploit to find. 

According to IPVM it is incredibly easy and obvious to exploit.

According to IPVM, it is incredibly easy to use once you know about it, and it's something that should have been spotted by the developers. That's not quite the same thing. 

Again, either they're incompetent or they're doing this on purpose. I believe Dahua is incompetent, but I have a much harder time believing that Hikvision is incompetent. 

Sean, what is your backup plan if Hikvision turns out to be no better than your Dahua experience?

I quit Dahua over a year ago due to their many quality control issues and too many RMA problems; this was before any evidence of vulnerabilities. However, I had much success with Dahua. Hikvision does not have the quality control issues that Dahua has; it's a solid product.

I continue to have much success with Hikvision, and it's funny that you ask right now: we just helped a client win out a local project against a competitor who was quoting Avigilon. Nothing against Avigilon, but we were able to save the end user several thousand dollars and they are very pleased with the system. I wonder if the Avigilon dealer had a backup plan for that scenario. I guess not, because he lost the bid.

Give me their number.  I bet you a case of beer I can get the Hikvision replaced :)

The backup plan was to wait until the devices were exploited, come back later and install Avigilon for twice the price.  Maybe this is what MARTY meant by “Laughing all the way to the bank”.

Ha! We could replace the Hikvision cameras 5 times over with similar Hikvisions and still be less expensive than Avigilon. Being exaggeratory, of course.

*price of hacking not included

I'm curious if you carry products that have never been hacked?

Not more than once or twice, no. 

Yes than No? Interesting!

You may end up Doug just that.

Now there’s an ad hominem if I’ve ever seen one ;)

Not quite, I am still waiting for the 'Exploit'. 

Instead of the 'could' 'might' syndrome I am going with facts, and the real fact is no one, not even IPVM or Bashis, can provide direct evidence that Hikvision has knowingly produced one camera, encoder, decoder or any other electronic device with the intent to spy on anyone, damage anyone in any way, or that Hikvision has used any of the methods described for any purpose other than what they were designed for.

When all of the 'proof' is added up you have a 'pimple on an Elephant's ass' quantity of facts... There is nothing but claims of 'maybe', 'could', 'might', but where is the undeniable fact that Hikvision has done anything on purpose or with malicious intent?

Go ahead, make all the arguments that have no merit. No one has any factual proof whatsoever, so all I can say is what should have been said long ago...

PUT UP or SHUT UP

Marty, so you seriously think that a government (or any government) which manufactures IoT devices would not think about using these devices for malicious intent?

Yes, they sure do.

Google "nsa hacking tools"

Marty, when the proof is added up, what we see is that Hikvision has shipped a massive volume of very insecure devices. It really does not matter if the backdoors were intentional or not, they are highly indicative of poor engineering and poor concern for the overall safety and security of their customers.

That is entirely possible, but today, as in now, they are NOT shipping those products and have taken measures to correct 'inadvertent' mistakes. Before you denounce my statement with the Chinese Government, the Chairman, the 1000-year-old way China does business, SHOW PROOF OTHERWISE that HIKVISION willfully committed any act with intent to harm anyone.

Very simple, SHOW THE PROOF. You want a blockbuster headline? Back up the claims with FACTS.

Marty, the backdoor was obviously done on purpose. It is not a coding error when it directly bypasses authentication.

We are not going to convince you. As a US integrator recommending and installing Hikvision products on to US military bases for years, you are so wrapped up and committed to Hikvision that you simply refuse to acknowledge the obvious risks.

Marty, the backdoor was obviously done on purpose.

Wow!

Sean, this is zero surprise or 'wow' to anyone who has looked at how it works. They programmed in a specific method to bypass authentication. It was not some form of error or weird edge case.

Why they did it? Only they know. But that it was done on purpose is obvious.

So you no longer sell HIKVISION, right? Which way is it? On one hand you denounce them, but in reality you are moving their merchandise every day. Hmmm, who is the hypocrite?

Wow is right.....

Wow was sarcastic.

Pay attention Marty, Sean is on your side.  With friends like you...

John-

For your information, any camera that I may have installed on any military base is secured on its own network (BY CHOICE OF OTHERS) and was never intended to be connected to nip or sip. What you fail to understand is there are tens of thousands of IP cameras residing on their own local networks that will never reside outside that domain, and it is not for any reason except that the CUSTOMER asks for this design. That detail is avoided because it does not support your overall negative advertisement of Hikvision products in general.

There is NO wrongdoing or other shady attempt on my part whatsoever in selecting, specifying, submitting, or the installation of those components. I would do exactly the same thing tomorrow and next week. There is no 'wrap-up' or 'collusion' with anyone, and your implication is based on falsehoods and misrepresentations of facts, and I take umbrage with that scenario.

Marty, the backdoor was obviously done on purpose. It is not a coding error when it directly bypasses authentication.

This is by far the single most damning issue regarding HIK.

It is an obvious backdoor created to allow HIK to take control of the device whenever, and for whatever purpose, they deem necessary.

There is no rationale for this to have been created other than that.

Here is Keen Yao, the VP of Hikvision’s International Business Centre just months ago:

Is it possible to put a “backdoor” in a Hikvision or other manufacturer’s device?

"Any manufacturer, including those who develop or support software, has the technical ability to put a 'backdoor' into firmware. Of course, Hikvision has never intentionally put a backdoor into firmware or software, and it never will."

no word on whether or not Mr. Yao's pants were, in fact, on fire at the time of this interview...

"SHOW PROOF OTHERWISE that HIKVISION willfully committed any act with intent to harm anyone."

It is clear that they willfully committed the act. Do you agree that they put that backdoor there on purpose, or do you maintain that it was 'inadvertent'?

Proving intent cannot knowingly be done by anyone here reading this column, which you know. We are all left with inferring intent... and the haters gonna hate and the fanboys gonna fanboy, as you also know. I.e., your argument is not even an argument.

Also, yelling in all caps adds no strength to weak words.

Thank you, I have respect for your opinion and choose not to hurl any disrespectful comment your way.

I'll ask a 2nd time:

Do you agree that they put that backdoor there on purpose, or do you maintain that it was 'inadvertent'?

respectfully 

I said inadvertent and I stand by that assertion. Whatever their reason was is just that. 

There is nothing Hikvision can do that will be interpreted on IPVM as honest and have a purpose that will not be misconstrued by someone that will make a claim or insinuate that Hikvision is doing it for unlawful purposes. Making broad statements that Hikvision is writing code and inserting that code into products in some 'wild-ass conspiracy' is baseless and outright 'silly'.

If you have that knowledge and absolute proof that they have done this for unlawful purposes, not that it was there, then by all means show it here and now and I will be the first one to admit I was dead-ass wrong.

I choose not to beat this dead horse any further.

"If you have that knowledge and absolute proof that they have done this, for unlawful purposes, not that it was there,..."

The fact that the back door is there is not in question... but it wasn't 'just there' magically. Hikvision put it there on purpose.

I don't think most people believe that they did this with nefarious intent... I think most imagine this was just a short-sighted decision they made which would allow them to support these devices easier. 

You can continue to stand behind your 'inadvertent' position all you want to, but it just detracts from your message when you continue to refute what everyone else knows to be true, even Mr. Yao et al.

So, your repeated demand for proof of Hikvision creating this back door 'for unlawful purposes' or 'intent to harm' is a big fat straw man.

The fact that they put it there means that others could possibly use that backdoor 'for unlawful purposes' or 'with intent to harm'.

What I find silly is your dedication to Hik and the 'good Chinese people' as I think you called them before. There is very little good about the Chinese government and they are well and truly experienced in spying on anything and everything as you well know. I don't have to spell out all horrible things that the Chinese government does to the actual good people including incarcerating political opponents, spying on different religions, blocking freedom of speech etc. Of course it is well possible and realistic to think that the not so good Chinese people that the government (self appointed Communist government) is made up of is using every single option to spy on the west simply based on their reputation.

It has to do with the sheer numbers. There are many cameras hanging off of one NVR. Also, a system may have remote cameras that are accessible. This is where the original IP cameras gained popularity, and thus a challenge for hackers. Finally, a Hik camera is very common due to low cost, but then the recording side is very mixed. They may have PC or cloud recording software, VMS, another brand's NVR, or simply a live monitoring solution. Finally, an IP camera usually has less memory, thus the NVR can hold more code and more protection for a better firewall, etc. Historically, IP cameras are the target of choice, esp. since so many IP cameras allowed live viewing without any password, whereas all NVRs require a login.

"Paging Chuck Davis....  Chuck. Davis.  White courtesy telephone, please."

Where is Chuck?

[IPVM Note: Related: Hikvision Admits Backdoor 'PR Issue']

Also, this should go without saying, but multiple comments in reply to Sean were ad hominem attacks, which are also not going to be tolerated.

I am sure that is appreciated, Ethan. Been there myself.

Government representatives are exempted from satire.

One thing I think everyone, on all sides, can agree on here is that this story would not have made front page news if it weren't for John's incessant reporting. The article is at least 50% recycled IPVM content with redone graphics.

Only a minor mention to IPVM at the very end of the article seems remiss...

Update (and appended to the original report):

On November 14, 2017, Hikvision emailed to dealers a 'Special Bulletin' Update on Wall Street Journal Article:

The most notable element of the response is how they lead with their government ownership, revealing that they see that as the most significant issue. Unfortunately for their dealers, Hikvision misleads them, saying:

Hikvision is completely transparent about its ownership structure and as of June 30, 2017 had less than 42% of its shares owned by a state-owned enterprise (SOE), with the rest of the stockholders being venture capitalists,

They are completely misleading. If they wanted to be transparent, they would acknowledge that those 'shares owned by a SOE' are in fact their controlling shareholder, as their own financials do disclose:

Please offer disclosure of just how many ADDITIONAL companies in CHINA are owned this way, so we have a more clear understanding that HIKVISION is by far not the only one 'semi-OWNED' by the government.

Capisce?

I'll say one thing about these threads: they do my OCD reading no good.

More coverage in the press: https://www-washingtonpost-com.cdn.ampproject.org/c/s/www.washingtonpost.com/amphtml/business/economy/years-after-regulatory-crackdown-some-security-cameras-still-open-to-hackers/2017/11/14/b15f8428-c980-11e7-8321-481fd63f174d_story.html

We were pre-briefed on these, planning coverage next week after some follow-up discussions with Dahua to fact check details reported on the exploit and affected versions.

"This vulnerability is not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor," the report claims.

"the report claims"

Article link from above (@WashPost): "ReFirm researchers said they found a vulnerability that lets anyone gain access to a TRENDnet camera by typing 12 specified characters into a Web browser, followed by the Internet address of the video camera, which can be found relatively easily online."

Wow. This 12-digit string sounds just like the Hik magic string backdoor LINK. Very interesting that Hik and Dahua and TrendNet all have similar backdoors.
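The pattern the posters above are comparing (a fixed string in the URL that makes the device skip authentication) is something a defender can look for in web access logs, whatever the vendor. The following Python script is an added example written for this thread, not code from IPVM, Hikvision, Dahua or TRENDnet. It assumes Common Log Format lines as a reverse proxy or the device's own web server might write them; the sample lines, the privileged path prefixes, the query parameter name `auth` and the value `PLACEHOLDER_MAGIC_STRING` are all constructed placeholders, not real vendor strings. It flags two things: a 2xx response on a privileged path with no authenticated user, and any request carrying a parameter from a watchlist of token-style parameter names.

```python
"""Flag access-log requests that look like hardcoded-token auth bypasses.

Added, defensive example for the thread above; nothing here is vendor code.
Paths, parameter names and token values are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Common Log Format). IPs are from RFC 5737
# documentation ranges; the token value is a placeholder, not a real secret.
SAMPLE_LOG = """\
203.0.113.5 - admin [14/Nov/2017:10:00:01 +0000] "GET /config/users HTTP/1.1" 200 512
203.0.113.9 - - [14/Nov/2017:10:00:02 +0000] "GET /config/users HTTP/1.1" 401 0
203.0.113.9 - - [14/Nov/2017:10:00:03 +0000] "GET /config/users?auth=PLACEHOLDER_MAGIC_STRING HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2017:10:00:04 +0000] "GET /snapshot.jpg?auth=PLACEHOLDER_MAGIC_STRING HTTP/1.1" 200 40210
198.51.100.7 - - [14/Nov/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed (hypothetical) policy: these prefixes must never succeed without a
# logged-in user, and these parameter names are the ones an advisory would
# list as carrying a hardcoded token. Replace with values from your own
# device documentation and vendor advisories.
PRIVILEGED_PREFIXES = ("/config/", "/snapshot")
TOKEN_PARAMS = {"auth"}


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def check_line(line: str) -> List[Finding]:
    """Return the findings for one log line (empty list if it looks benign)."""
    rec = parse_line(line)
    if rec is None or not 200 <= rec["status"] < 300:
        # Unparsable lines are skipped; denied requests (401/403) are the
        # server doing its job and are not flagged here.
        return []
    parts = urlsplit(rec["target"])
    path, params = parts.path, parse_qs(parts.query)
    findings: List[Finding] = []
    # 1. A token-style parameter in the URL. Only the name is recorded, so the
    #    value never ends up copied into a ticket or a second log.
    for name in sorted(set(params) & TOKEN_PARAMS):
        findings.append(Finding(rec["ip"], path, f"token parameter '{name}' in URL"))
    # 2. Success on a privileged path with no authenticated user ('-').
    if rec["user"] == "-" and path.startswith(PRIVILEGED_PREFIXES):
        findings.append(Finding(rec["ip"], path, "unauthenticated success on privileged path"))
    return findings


def scan(log_text: str) -> List[Finding]:
    """Scan a whole log and return all findings in log order."""
    results: List[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            results.extend(check_line(line))
    return results


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip:15} {f.path:20} {f.reason}")
```

Running the script on the constructed log reports the two requests carrying the placeholder token and, for the same two requests, the unauthenticated success on a privileged path; the authenticated admin request, the rejected 401 and the public index page produce nothing. The second rule is the one worth keeping even when no token string is known: a device that answers privileged paths with 200 and no user is misbehaving regardless of how the bypass works.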

What is truly amazing is how long this took to catch on. Not long ago China used to be called Red China. Why? Because they are a Communist regime. They are not our friends, never have been, yet we continue to buy products from a brutal totalitarian regime that has killed 40 million plus of its own people through the purges of Mao and now has become this Frankenstein due to all the money pouring in from the USA and other countries. They flex their military might in the South China Sea, build artificial islands to expand their military reach, threaten neighbors such as Vietnam and the Philippines, yet you buy from them... because they are cheap.

Maybe the ignorant masses need to study history a bit more and look at the current geopolitical atmosphere and try to comprehend what the Chinese communists are all about before sending dollars to them.

Maybe some day people will wake from the slumber they are in, but I doubt it, because they either don't know or don't care where they are sending their money to. Maybe when an end user gets hacked and sensitive info is stolen and they sue the company that installed the equipment, dealers might wake up.

I think it is just a matter of time until end users force the low-end integrators' hands. I have seen indemnification on cyber security breaches in contracts on occasion. This is likely to trickle down.

WSJ released a video report on Xinjiang, China (WSJ report). At 4'39", the video showed the name of the face recognition camera: DeepGlint FoveaCam (link to camera manufacturer).

#24, thanks for sharing that company's link, helpful! We are preparing a post on that WSJ article.

One thing I wonder about that excerpt from the WSJ video is whether the example above is staged. For example, take a look at this match, the subject is heavily occluded and the video is grainy:

I find it very hard to believe any system anywhere could so confidently match against a subject under such conditions unless the system only has a few people on its watchlist. Otherwise, there would be far too many close wrong matches with such bad input.
