WSJ Investigates Hikvision

By: John Honovich, Published on Nov 13, 2017

The Wall Street Journal (WSJ) has released a detailed investigation into Hikvision's government ownership and cybersecurity problems, hitting the paper's front page.

Given the WSJ's global readership (42 million monthly readers, 2+ million paid subscribers), the paper has the reach to make Hikvision's actions known to powerful political and business leaders globally.

Growing Global Investigations

This adds to a series of global publications investigating Hikvision, including:

US Gov Official 'Stunning'

The WSJ quotes the chairperson of the "U.S.-China Economic and Security Review Commission, which was created by Congress to monitor the national-security implications of trade with China" on Hikvision saying:

The fact that it’s at a U.S. military installation and was in a very sensitive U.S. embassy is stunning. We shouldn’t presume that there are benign intentions in the use of information-gathering technology that is funded directly or indirectly by the Chinese government.

The risk is severe for Hikvision. The US government already bans Huawei equipment. By contrast, Hikvision's government is ownership and control is far more direct and clear than Huawei. To the extent that the WSJ has made this a public issue, Hikvision risks greater regulation, barriers or even outright banning.

Cybersecurity Problems for Hikvision

Not only did the WSJ investigate Hikvision's government ownership, they tracked their cybersecurity problems, noting and citing IPVM:

The Hikvision flaws identified by the Department of Homeland Security affected more than 200 camera models and potentially tens of millions of shipped devices, estimates John Honovich, editor of IPVM. They made it possible for outsiders to hack into internet-connected Hikvision cameras in just a few steps, according to Mr. Honovich and FireEye, the cybersecurity firm. Hikvision acknowledged the flaws affected some cameras, but dismisses Mr. Honovich’s assertions as “unfounded insinuations and hearsay.”

Hikvision's cavalier response is easily disproven since our analysis is grounded in (1) their own admission of the backdoor 'flaw' impacting multiple series of IP cameras over multiple years of firmware, (2) their claims of producing 55 million cameras just in 2016, and (3) DHS advisory on Hikvision which we easily demonstrated 'in just a few steps' in this video:

More Problems Cataloged By WSJ

******* ****** ******* (***) has ******** * ******** investigation **** *********'*********** ********* *** ************* problems, ******* *** *****'* front ****.

***** *** ***'* ****** readership (** ******* ******* *******, *+ ******* **** subscribers), *** ***** *** the ***** ** **** Hikvision's ******* ***** ** powerful ********* *** ******** leaders ********.

Growing ****** **************

**** **** ** * series ** ****** ************ investigating *********, *********:

****** *****: ********* ***** funded **** ******* *** eyes ****** *** *****
****** *****: ***** **** rise ** ******* ****
** ***: *******'* *** ******* *****-********** Chinese ******* ** **’* biggest **** ******** – but *** ***** **** security *******
** ***: ****** *****'* *** ******* HQ: *** ******* ******* millions ** *******. *** undercover *** ********* ********** the ***** ****** ** a **** ***** **** spies ** *** *** people ** **** *** dissidents
***** ** *******: ** the *****'* ******* ************ Camera ***** ******* ******* to *****?

US *** ******** '********'

*** *** ****** *** chairperson ** *** "*.*.-***** ******** *** ******** Review **********, ***** *** ******* by ******** ** ******* the ********-******** ************ ** trade **** *****" ** Hikvision ******:

*** **** **** **’* at * *.*. ******** installation *** *** ** a **** ********* *.*. embassy ** ********. ** shouldn’t ******* **** ***** are ****** ********** ** the *** ** ***********-********* technology **** ** ****** directly ** ********** ** the ******* **********.

*** **** ** ****** for *********. *** ** government ******* **** ****** equipment. ** ********,*********'* ********** ** ********* and ********* *** **** ****** and ***** **** ******. To *** ****** **** the *** *** **** this * ****** *****, Hikvision ***** ******* **********, barriers ** **** ******** banning.

Cybersecurity ******** *** *********

*** **** *** *** WSJ *********** *********'* ********** ownership, **** ******* ***** cybersecurity ********, ****** *** citing ****:

*** ********* ***** ********** by *** ********** ** Homeland ******** ******** **** than *** ****** ****** and *********** **** ** millions ** ******* *******, estimates **** ********, ****** of ****. **** **** it ******** *** ********* to **** **** ********-********* Hikvision ******* ** **** a *** *****, ********* to **. ******** *** FireEye, *** ************* ****. Hikvision ************ *** ***** affected **** *******, *** dismisses **. ********’* ********** as “********* ************ *** hearsay.”

*********'* ******** ******** ** easily ********* ***** *** analysis ** ******** ** (*) their ************ ** *** ******** 'flaw' ********* ******** ****** of ** ******* **** multiple ***** ** ********, (*) *********** ** ********* ** ******* cameras **** ** ****, *** (*)*** ******** ** ************** ** ****** ************ 'in **** * *** steps' ****** *****:

More ******** ********* ** ***

[***************]

*** **** ****** * variety ** ****** *** problems *** *********, **** of ***** **** ***** reported **, *********:

********* **** ************** ******* Government ******** ******
********* ******* **** ** GSA *****
********* ******* **** ** Embassy
******* ****** *********

Genetec **** *** **** ****

*** *** ******* ******** a ***** **** *******'* CEO, *** ******* *********** ***** ** *********, ** *** ******* down, ****** ****:

******* **** ******* **** by “********* ***** ** controlled ** *** ******* government” *** “*******’* ********** for ********** **************” *** him ** ******* *** waiver.

********* ****** *********, "******* Hikvision **** ********* ** simply ********** *** ********** unfounded", ******, ** * step *******, ********* *** not **** ***** ***** or ********** ** *** Chinese **********.

Government *** ******** *** ** ***

********* ******* ** *********** defense **** ********** ****** the *******, *** ******* government ******* *********'* ********. Hikvision **** *** ***:

***** ****, * ********* vice *********, **** **** [Hikvision ********** **********] *** no **** ** *********’* day-to-day **********.

**** ** ********* **********. The ******* ********** ********* has ****** ******** ** the **** ** *********'* IFSEC *****, *** ** ***** of ***** **** ******* or *** **** ********* will **** ***** ****** at *** **** ****. However, ***-**-*** ********* ** far **** ********* **** the **** *** ******* government *** ** *********** Hikvision's ******** *** ******** ** the ******* **********.

Memphis ****** ******* *********

*** **** ********* ** Hikvision ** *** *** article *** ********** ****** Patty ** ** ********** ****** **********. ***** ********** *** benefits ** ***** ************ cameras, ********** ****** *******. The *** **** ***** the **** **** ** the *******, **********:

** **** *** **** started ***** *** ******* long ****** ******** ***** hacking **** **** ****. The ********** **** * decentralized ******* ***** ******* aren’t ********* ** *** police ********* ********, ** says.
“** *** *** ** the ***, **** *** the **. * ****** manufacturer ** *** *****,” says **. *****. “**** make * *** ** cameras *** **** ****** use ****, **** ** they ***’* *** ********* on *** *******.”

Negative *** *** ** *** ** ******** ********** ********

*** ******** ** *********'* government ********* ** ************* problems ** *** ********** *** Hikvision. *** **** *****, from *********'* ***********, ** for ******** ** ****** forget ***** ***** ******. To **** ***, *** WSJ *******, ********** ***** the ***'* *****, ** problematic.

** *** ***** ****, the *** **** * balanced ******** **** ******** following ********* *** ***** the *****, ********** **** taking * ****** ****** ******* the *******. *** *******, compared ** ********* ********** *** ********, *** *** *** ** *** less ************ ******* *********.

What ** ****?

**** ******** ********* ************** and *********, **** **** likely ***** ****** *** some ******** *** *********.

**** ** ******* ** what **** ******* ***** next. *** *******, **** or *** **** ***** publications **** **** **** up? *** **** *********** or ********** ********* **** learn **** **** ******* and *** **** *** future *********** ** **********? It ** ********** ** predict *** ********* ***** watching.

***, *** *********, **** need ** ****** *** what ** ** ****. Do **** ****** *** WSJ? ** ********** **** ******** *****? ********* *** **** tough ********* ** ****.

Vote / ****

UPDATE: ********* *** ********

** ******** **, ****, Hikvision ******* ** ******* a'******* ********' ****** ** **** Street ******* *******:

*** **** ******* ******* of *** ******** ** how **** **** **** their ********** *********, ********* that **** *** **** as *** **** *********** issue. ************* *** ***** dealers, ********* ****** **** saying:

********* ** ********** *********** about *** ********* ********* and ** ** **** 30, **** *** **** than **% ** *** shares ***** ** * state-owned ********** (***), **** the **** ** *** stockholders ***** ******* ***********,

**** *** ********** **********. If **** ****** ** be ***********, **** ***** acknowledge **** ***** '****** owned ** * ***' are ** **** ***** controlling ***********, ******* *** ********** ** disclose:

Comments (125)

Brian Karas

IPVM | 11/13/17 01:16pm

This story is on the front page of the Wall Street Journal today, just picked this up on my morning coffee run:

Undisclosed Manufacturer #6

In reply to Brian Karas | 11/13/17 04:29pm

Uh oh, wrong side of the WSJ. Left side good news, right side bad.

Brian Karas

IPVM | In reply to Undisclosed Manufacturer #6 | 11/13/17 04:40pm

I think "good news" and "bad news" can be somewhat relative on this one.

Undisclosed Manufacturer #6

In reply to Brian Karas | 11/13/17 06:51pm

Unless they reach out and interviewed Marty, this is just more one sided fake news ;)

Rod Warren

In reply to Brian Karas | 11/13/17 04:30pm

Thanks to Brian and John and the rest of the IPVM team for being one of the first if not the first to highlight this significant threat. Too many integrators look at the low cost and don't care because they think they must use HIK now to compete. Wait till they get a foothold into the access control market and then have a worldwide database of names to collect while destroying the profit margins for many companies in the marketplace. Your dollars today will help subjugate many in the future.

Undisclosed Integrator #10

In reply to Brian Karas | 11/13/17 10:39pm

They covered this on Fox News this afternoon and referenced the WSJ article .... did anyone else see this? I don't think they really made too big a fuss about it other than questioning the obvious, i.e. why are these cameras being installed in the U.S? The reported chalked a lot of it up to stretched end -user budgets.

Undisclosed Manufacturer #1

11/13/17 02:40pm

Stay vigilant, my friends...

Undisclosed Distributor #2

11/13/17 02:43pm

Dont you think the onus is also on the integrator to secure the network both local & wide area to ensure that the camera or recorder is not exposed to outside threats. I keep reading about Hikvision having backdoors and other weaknesses in their software, this can or could be prevented by securing their network.

Is the an onus also on the integrator to ensure that their installations are also up to date with the latest firmware?

Hikvision's latest firmware has now turned off ONVIF connectivity to further improve their security and this also had negative exposure by IPVM due to Hikvision's lack of notice to the industry. Don't you think that reading the release notes is important when using new firmware!

I work for a distributor that sells Hikvision and I'm not going to sit here defending them, but do some investigating on other products and you will find numerous firmware updates that fix security flaws.

Hikvision make a very good product at a price where everyone has to sell even more to make a profit. I feel that there is a campaign by non Chinese entities to protect their market share. This would be charging extra for camera licensing for Hikvision cameras or continual negative releases by media.

Brian Karas

IPVM | In reply to Undisclosed Distributor #2 | 11/13/17 02:55pm

Dont you think the onus is also on the integrator to secure the network both local & wide area to ensure that the camera or recorder is not exposed to outside threats.

Absolutely, but at the same time, it is very difficult to secure a network when you are not given a full understanding of the risks presented by the devices attached. A fair assumption of course is to always assume everything is compromised, but practically speaking if you are dealing with cost-conscious buyers (which I would argue is the majority of Hikvision's market), you are going to have to make compromises on equipment and time invested in securing the system.

Hikvision's latest firmware has now turned off ONVIF connectivity to further improve their security

Why? Are you/Hikvision saying that ONVIF implementations are inherently insecure? If so, they should publicize that so that the industry as a whole can understand the risks and make appropriate adjustments. Otherwise, it makes it appear more that Hikvision's specific ONVIF implementation is insecure.

you will find numerous firmware updates that fix security flaws.

A better approach would be to not have so many security flaws in the first place, yes? This is like a "lifetime warranty" on a cheap tool. I would rather pay a little more for a quality tool that does not break every time it is used, causing me to have to stop working, drive to the store, get a replacement, then come back and attempt to finish the job.

Hikvision make a very good product at a price where everyone has to sell even more to make a profit.

Are you referring to integrators having to sell a lot more product to make up for the fact that their profits are reduced (cheaper cameras = less net profit per camera, assuming similar markup)? This does not seem like a good thing.

Jonathan de Chateau

In reply to Brian Karas | 11/13/17 03:51pm

Did you miss the massive issue with ONVIF?

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions

Brian Karas

IPVM | In reply to Jonathan de Chateau | 11/13/17 03:59pm

No, we did not miss it, we covered it first: ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered.

You will note that Hikvision claimed this vulnerability did not affect them. Also, it was patched, which would mean they should not have to disable ONVIF due to this even if it turned out they were using the gSOAP toolkit affected.

It is also worth noting that was not an issue with ONVIF specifically, but with a toolkit vendors could use to implement portions of ONVIF in their products.

Also, the gSOAP toolkit developer released specifics on the affected code, and how to patch it. This made it easier for users of the product (or users of affected products) to better assess their own risk and implement potential security work-arounds to reduce (or prevent) chance of exploit.

Jonathan de Chateau

In reply to Brian Karas | 11/14/17 08:16am

In all honesty I did not check if there was an IPVM report so my bad on that one. The point that I agree on with UD2 is that even widely used solutions like ONVIF can have issues. Are they inherently insecure? No. Are they inherently secure? Also no.

I am not trying to advocate Hik is safe or safer than others. The point I made in other topics is that any IT device needs a lot of attention to be safe. Like a printer, a laptop , or any camera.

John Honovich

IPVM | In reply to Jonathan de Chateau | 11/14/17 08:25am

I am not trying to advocate Hik is safe or safer than others.

But what you are effectively advocating is that all products are equally insecure / potentially vulnerable so stop picking on Hikvision.

The problem for the position you (and many other Hikvision partners) are espousing is that (1) the Hikvision backdoor was especially easy to exploit (unlike the gSOAP one), and (2) Hikvision has a far lengthier / more serious track record of cybersecurity issues than its rivals (save, of course, Dahua).

Finally, (3), and you can certainly not care about this one, but certain countries are going to find manufacturers whose controlling shareholder is an authoritarian government who conducts active cyber attacks as another risk factor that ONVIF or Milestone or Hanwha or whomever lacks.

Jonathan de Chateau

In reply to John Honovich | 11/14/17 08:46am

Your spirited reply shows the overal theme. I am not looking for a fight or an argument. If you want me to say you're right just let me know where to insert the comment.

I specificaly say I am not advocating pro Hik so don't explain to me why my view is wrong, you don't know my view.

And last but not least, I agree with your premise that in some parts of the World a Chinese producer will meet more scrutiny.

Then again, just youtube some interviews with William Binney about the treasure map system by NSA. Knowing who lives where, what they make, how they vote, where they are real-time etc etc etc.
Using that info is scary, just like a communistic regime is scary.
Frankly speaking, I am glad I live in neither.

John Honovich

IPVM | In reply to Jonathan de Chateau | 11/14/17 09:02am

On (3), sure, totally understand and I've said this before that the Chinese government would be foolish to buy any network surveillance equipment from suppliers with foreign government control.

Jonathan, you skipped over my points (1) and (2). I want you to defend your position with intellectual rationale response.

Again, (1) the Hikvision backdoor was especially easy to exploit (unlike the gSOAP one), and (2) Hikvision has a far lengthier / more serious track record of cybersecurity issues than its rivals (save, of course, Dahua).

Yes, we should pay attention to the safety of all devices, but the safety of devices is made harder when suppliers have a history of specific, egregious problems. Yes/no?

Jonathan de Chateau

In reply to John Honovich | 11/14/17 09:12am

If it wasn't clear in the previous comments let me be more clear:

- I am not looking for a discussion on this. I know your view and can anticipate the comments. It has all been said and done in many other topics. No need to do that all over again
- I did not espouse the position you say I take, that's your assumption.
- It's fine you want me to defend my position. I respectfully decline. Please see point 1.

I answered Brian in an topic, not you. I did not address you nor did I pick a fight. Let's bury it here and now and get back to more important things, which we both have. I won't be answering in this discussion anymore.

John Honovich

IPVM | In reply to Jonathan de Chateau | 11/14/17 09:24am

I am not looking for a discussion on this.

But what you were clearly looking to do is to criticize us with your erroneous opening salvo:

Did you miss the massive issue with ONVIF?

Jonathan, that showed that not only did you not understand the 'issue with ONVIF' (which clearly was nowhere comparable to Hikvision's backdoor) you were too lazy to spend the 5 seconds checking whether or not we covered it before you leveled it against us.

You are welcome to comment on IPVM but if you do choose to, for your own sake, do your homework first.

Undisclosed Distributor #3

In reply to Undisclosed Distributor #2 | 11/13/17 03:46pm

Frequent firmware updates are a good strategy if Hikvision's frequent security issues are merely caused by their incompetent engineering.

If, however, their frequent security issues are deliberate, and Hikivision is being used by the Chinese government as a Trojan horse to gain access to security networks all over the globe, then you can't rely on firmware updates to protect your customer, as Hikvision is only going to release a firmware update when bad publicity forces them to.

In other words, you're assuming that Hikvision doesn't know about the security holes and fixes them as soon as they find them. What if they put them there on purpose, and leaves them there as long as they can?

Undisclosed Manufacturer #6

In reply to Undisclosed Distributor #3 | 11/14/17 10:28pm

What if the update is the security problem?

Sean Nelson

Nelly's Security
11/13/17 03:06pm

The best way to respond to this is to invest heavily into cyber security with the ultimate goal of making the most secure product on the market. Public disclosure of steps taken to achieve this need to happen swiftly and often.

Undisclosed Manufacturer #4

11/13/17 03:52pm

Of the 5% who voted postive: Can anybody detail in the comment sections how the impact of this article by WSJ is positive for Hikvision?

I imagine the response will be something along the lines of "any publicity is good publicity"...

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed Manufacturer #4 | 11/14/17 12:06am

I voted negative, but they could become a household name with this coverage. That usually takes many millions in advertising. This coverage didn’t cost them a penny up front. The back end is yet to be seen.

John Honovich

IPVM | In reply to Jon Dillabaugh | 11/14/17 01:02am

they could become a household name with this coverage. That usually takes many millions in advertising.

JD, the glass is not 9/10th empty, it is 1/10th full :)

Let's keep in mind, Hikvision has the money to do that (e.g., $6 billion, etc.) so it is not cash that constrains them from pursuing this directly.

The problem for Hikvision is how the WSJ told the story.

If the WSJ was like a paid-off security industry trade magazine, the 'story' would have been about a bunch of rag-tag peasant engineers, who by sheer determination and brilliance, built the largest and most high technology security manufacturer in the world. But the WSJ did not run that 'story'. Their story was about a company backed by an authoritarian, repressive government who has cybersecurity problems. This is not the story Hikvision wants.

As a sign that Hikvision recognizes this, notice how Hikvision and their employees have been silent on social media. Let's give it a week but I bet Hikvision either says nothing about the WSJ story or criticizes it. You on?

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 11/14/17 01:07am

Heck, I can’t really even argue anymore. Hikvision is likely to stay the course. They haven’t handled many of these events well, IMO. That’s not to say that I don’t like their products, I do for the most part. Obviously this level of bad news will be hard to overcome.

Its one thing to have a blogger say bad things about you....

John Honovich

IPVM | In reply to Jon Dillabaugh | 11/14/17 01:12am

Its one thing to have a blogger say bad things about you....

Thanks, buddy! I gave you an informative and a funny :)

I do agree that mainstream press impact is far more severe than IPVM, because not only does it validate what we have been saying, it exposes them to powerful government and corporate people who would never read any niche industry specific site.

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 11/14/17 01:15am

It’s industry level reporting like IPVM that lays the foundation for the MSM to take the story to the masses. They couldn’t possibly know enough about the insides of the industry to make heads or tales, let alone dig deep for the good bits.

Tip of the hat.

Undisclosed #13

In reply to Jon Dillabaugh | 11/14/17 01:25am

John D,

WSJ article/news will die like any other news :)

John Honovich

IPVM | In reply to Undisclosed #13 | 11/14/17 01:31am

WSJ article/news will die like any other news :)

Yes, until the next article/news/event. Any one event can be handled but the stream of ongoing ones is a material problem for Hikvision.

#13, as a Hikvision proponent, what do you advise them to do?

Undisclosed #13

In reply to John Honovich | 11/14/17 01:50am

They are multi-billion company

They will do whatever they want

They DO NOT need MY or YOUR advise

Let's talk about IPVM

You attack/criticize all the time

How about teach people about network security and etc...

Michael Miller

In reply to Undisclosed #13 | 11/14/17 02:24am

How about teach people about network security and etc.

Isn't informing people about government-owned IOT devices with many cybersecurity issues teaching people about network security?

Undisclosed #13

In reply to Michael Miller | 11/14/17 02:41am

It is big difference between "informing" and "teaching"

Undisclosed Manufacturer #1

In reply to Undisclosed #13 | 11/14/17 03:33am

It’s obvious you don’t have anything of substance to add and just trolling.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 11/14/17 03:54am

just trolling

I support #U13. It is important to have detractors. While he is not capable of producing his own insights or coherent analysis, he does importantly represent a part of the industry and an opposition to IPVM, so #13 keep on doing it!

Undisclosed Manufacturer #1

In reply to John Honovich | 11/14/17 04:05am

“While he is not capable of producing his own insights or coherent analysis...”

That seems like a polite backhand. Lol

Undisclosed #14

In reply to Undisclosed Manufacturer #1 | 11/14/17 10:26am

It’s obvious you don’t have anything of substance to add and just trolling.

Don’t be so harsh on #U13; he’s not just any old troll, he’s an icon.

Chumming on the sea of IPVM for years, since the very beginning in fact, he has reliably called out the towering hypocrisy of IPVM time after time.

Somehow he manages his revulsion to the site enough to stick around; and at no small personal expense either!

So next time you run into a combatant undisclosed Troll, first check and see if the sentences lack periods. Then show some respect ;)

Undisclosed Manufacturer #1

In reply to Undisclosed #14 | 11/14/17 11:40am

Noted :)

John Honovich

IPVM | In reply to Undisclosed #13 | 11/14/17 03:52am

We both inform and teach.

We inform on various manufacturer vulnerabilities - Axis Camera Vulnerabilities From Google Researcher Analyzed, FLIR Thermal Camera Multiple Vulnerabilities, Uniview Recorder Backdoor Examined, Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits, etc.

We teach including our IP Networking 2017 Book, VPNs for Video Surveillance Guide, our 200+ tutorials, our 3 courses in IP networking, cameras, and access control, etc.

If it was not for IPVM, 90% of this industry's media would literally only blab on about "don't use default passwords, upgrade your firmware" and other pablum.

Carl Kristoffersen

In reply to John Honovich | 11/16/17 08:02pm

To teach, you need to inform. But to learn, one needs to accept that information.
Teaching and informing are the same action on the givers part.

Undisclosed #20

In reply to Carl Kristoffersen | 11/16/17 08:34pm

Never saw you post before - but I like your words so much I gave you an Informative and an Agree.

I almost replied to the first comment about informing and teaching being different but I would've been annoying snarky in my response and readers could easily have been deflected from my point.

So thanks for posting that comment like an actual adult. : )

Undisclosed Manufacturer #19

In reply to Jon Dillabaugh | 11/14/17 05:44pm

but they could become a household name with this coverage. That usually takes many millions in advertising. This coverage didn’t cost them a penny up front. The back end is yet to be seen.

Yea, the any publicity is good publicity angle has worked really well for folks like Martin Shkreli, Harvey Weinstein & Jeffery Dahmer so why not Hik?

Brian Karas

IPVM | 11/13/17 04:13pm

The Daily Caller has also picked up the WSJ coverage of Hikvision.

Undisclosed Integrator #5

11/13/17 04:17pm

They are most likely thinking that now that this is an 'event' there will be more investigative information and at the end of the day someone will most assuredly look silly when it is determined that Hikvision had no 'ulterior motives' in mind and all of the cyber-security problems are no different than any other company may have that produces millions of cameras and like products across the world.

Brian Karas

IPVM | In reply to Undisclosed Integrator #5 | 11/13/17 04:42pm

all of the cyber-security problems are no different than any other company

This is just factually incorrect. While Hikvision is not the only company to have had cyber security issues, the number of issues they have had, the ease of exploit, and the breadth of products affected is so far unmatched and rivaled only by Dahua.

Undisclosed Manufacturer #17

In reply to Undisclosed Integrator #5 | 11/14/17 01:31pm

Wow did he really just say that?

Edward Knoch

11/13/17 04:55pm

I want to know if the GSA is holding the contractor who originally listed the products on Schedule 84 accountable. They deliberately lied to the Federal Government asserting the product was Made in the USA (implying that they were refurbished is a stretch anyway you put it). To be clear, this isn't a "left/right" issue, its the "legal" standing of China. It's not considered a MFN (Most Favored Nation) and the law is clear that the use of Chinese made products (unless substantially transformed in the US) is against procurement code.

Clearly, this is only the tip of the iceberg. As many people may not know, the GSA is an acceptable procurement mechanism for multiple state and local governmental entities. In Jurisdictions where they require "open" procurement, you cannot buy off of the schedule, however, that is not the norm. Most locales can purchase off of GSA. So, the implication in that is there may be many 1000s more of their products in SLED (State Local / Educational) locations. That's disconcerting to say the least.

IT would behoove the GSA to send out a note, pursuant to their cancellation, to all parties that have purchased or implemented this solution.

Brian Karas

IPVM | In reply to Edward Knoch | 11/13/17 07:32pm

I want to know if the GSA is holding the contractor who originally listed the products on Schedule 84 accountable.

Based on our experience/communications with GSA they do not seem to hold sellers accountable in any way beyond asking them to remove the listings.

Undisclosed Integrator #7

11/13/17 06:52pm

I was contacted by a WSJ intern in Hong Kong about this story a few months ago and I decided not to follow up with them due to a concern for the legitimacy of the call as well as potential negative after effects of being named in an article like this. I still think it was the right choice for my company, but I wish I hadnt in some respects because I havent shied away from criticizing Hik in other publications.

Undisclosed Manufacturer #1

In reply to Undisclosed Integrator #7 | 11/13/17 08:15pm

I got the same call and also chose not to respond.

Undisclosed Integrator #7

In reply to Undisclosed Manufacturer #1 | 11/13/17 10:00pm

Did you get the heebie jeebies from that call too?

Undisclosed Manufacturer #1

In reply to Undisclosed Integrator #7 | 11/14/17 12:57am

No, it wasn’t the first. Just chose to take the high road.

Undisclosed Integrator #8

11/13/17 08:26pm

Do we have a comprehensive list of cameras with vulnerabilities?

Undisclosed Manufacturer #11

In reply to Undisclosed Integrator #8 | 11/13/17 10:48pm

They all have a similar marking. It says "HIKVision".

Undisclosed Manufacturer #6

In reply to Undisclosed Manufacturer #11 | 11/14/17 12:53am

Actually that is only partially correct. Had the WSJ done adequate due diligence it would have also included these https://ipvm.com/reports/hik-oems-dir Fake news!

Undisclosed Integrator #9

11/13/17 10:07pm

You need to turn in your license if you are buying and selling/installing this junk!

Undisclosed Manufacturer #6

In reply to Undisclosed Integrator #9 | 11/13/17 10:42pm

License? What is this license thing you refer to?

Undisclosed Integrator #12

11/13/17 10:58pm

You mean to tell me IPVM is actually on to something with all of this silly HikVision bashing? (Bring on the Unhelpful votes) Honestly, IPVM should get some kind of vindication here. The Govt ownership and much worse than avg security record is a legitimate concern. Good job guys for sticking to your guns.

John Honovich

IPVM | 11/14/17 01:14am

Note: The WSJ Hikvision article also ran in its China edition, in Chinese.

Undisclosed Integrator #16

In reply to John Honovich | 11/14/17 01:07pm

Uh-oh, if they have any employees in China they should expect a few months of government re-education.

Michael Miller

11/14/17 01:26am

Not because of this article but a new hospital we just took over was instructed to remove all Hikvision camera from the network after an "issue" they had last week. The head of security told me today to come up with a plan to replace all the Hikvision cameras on the network which came down from IT.

Jon Dillabaugh

Pro Focus LLC
In reply to Michael Miller | 11/14/17 01:28am

We were subs on one project that paid us to take out the Hikvision cameras that we had just installed less than a year ago. We replaced them with Avigilon cameras, per their wishes. So I do know it’s a real thing. Just seemed silly to us to change your mind so quickly. But hey, I will take the work. ;)

Michael Miller

In reply to Jon Dillabaugh | 11/14/17 01:33am

I didn't know you where an Avigilon partner :)

Jon Dillabaugh

Pro Focus LLC
In reply to Michael Miller | 11/14/17 01:35am

We were a sub for one in this case.

Undisclosed Integrator #15

In reply to Jon Dillabaugh | 11/14/17 12:49pm

Paid to remediate a situation you created....... holy cow I think I just realized Jon's genius! You really are laughing your way to the bank!

You are my butterfly. :)

Undisclosed Integrator #16

In reply to Michael Miller | 11/14/17 08:54pm

It is not like Avigilon is particularly discriminating as of late.

Undisclosed Manufacturer #21

In reply to Michael Miller | 11/14/17 10:11pm

How could anybody vote Unhelpful on that post...baffled I am...

Undisclosed Integrator #18

11/14/17 02:27pm

I worked for a company that installed mostly HikVision, across multiple states.

I sold numerous systems as did many other salesmen over the past 3-5 years.

I read a post on LinkedIn that lead me to IPVM, over the summer. One of my customers

asked me to add another camera to a 32 camera NVR. So we installed it on Oct.28th.

The same day IPVM posted an article about the firmware update, he called back with an

issue of not being able to view the new camera on the IVMS. On Halloween we spent

hours reinstalling the software and reloading all user accounts and passwords. It is my

belief that this company will become very concerned about the systems' vulnerabilities.

I read the WSJ last year, every day, from Sep to Nov. I especially read letters to the editor with regards to editorials and story content. Many, many powerful and well connected people care about what is written in that paper. This story will have legs.

Sean Nelson

Nelly's Security
11/14/17 04:43pm

I can see how the Hikvision ownership structure can be alarming to people. That and combined with their cyber security problems they have had recently.

Their is some fear that the back door was intentional which raises some concern. But this is where good common sense should come into play. Here are my rhetorical questions that I would ask the concerned person:

- If they really wanted an intentional backdoor, why wouldn't they put it in the DVR's which would have made way more of an impact. Instead, the "backdoor" was on cameras, specifically cameras that were port forwarded that had old firmware. While not rare, this is for the most part an unlikely scenario. Nothing like the Dahua Hack-a-thon that happened recently.
- As far as the Chinese peaking in on you. Do you really think the chinese govt cares about what you are doing at your house or business. Do you think they have the time to spy in on you to see whether you are mowing your lawn or picking your boogers? What intel can they gather from your boogers?
- If you are concerned about the chinese using the devices as botnets, I again refer back to my first question.

Admittedly, I think Hikvision makes a great product but they simply put cyber security as a very low priority in previous months/years. Matter of fact, I think alot of Chinese manufacturers think this way. Its just until recently that they have woken up to the fact that cyber security is important. However, I dont think anything is intentional.

Nonetheless, Hikvision will definetely need to respond to this WSJ article. Silence will simply raise more concern. I can understand Hikvision calling IPVM silly, but you cant do this with the WSJ. This is where a good Americanized crisis writer/press relations comes in. I think they need to respond in a humble way, admitting their mistakes. I fear the humble tone may be a difficult move for Hikvision as they put alot of pride in their work and admitting mistakes is not their forte. Nonetheless, it needs to be done. They need to admit their mistakes then inform what has already been done to take care of the issues and what is in the works to continue to make their products secure and inform that cyber security is a much higher priority than it has been in the past. Wording all this properly is where a good press relations person comes into play. If you can word this well and let everyone know you are making the most secure product on the planet, this will blow away in no time.

Undisclosed Manufacturer #1

In reply to Sean Nelson | 11/14/17 05:02pm

Again, the NVR has an internal router that allows access to the cameras. The NVRs have had vulnerabilities also...

Undisclosed Manufacturer #1

In reply to Undisclosed Manufacturer #1 | 11/14/17 05:04pm

Also, if by pride you mean arrogance, your statement would be more accurate.

Sean Nelson

Nelly's Security
In reply to Undisclosed Manufacturer #1 | 11/14/17 05:25pm

I dont disagree with your arrogance statement. Alot of humility will go along way in this scenario and will be a great step forward for Hikvision in dealing with this issue. Humility will capture back some trust lost.

Sean Nelson

Nelly's Security
In reply to Undisclosed Manufacturer #1 | 11/14/17 05:23pm

Yes, but again the vulnerability only exists on cameras that are specifically port forwarded on the router that is open to the internet. This would pretty much never be the case on cameras that are connected to a POE NVR.

Brian Karas

IPVM | In reply to Sean Nelson | 11/14/17 05:11pm

If they really wanted an intentional backdoor, why wouldn't they put it in the DVR's which would have made way more of an impact.

How do you know there is NOT a backdoor on the recorders? Just because it has not been discovered (or published) yet is not proof it does not exist.

I am not claiming there specifically IS a backdoor, but unless Hikvision chooses to release the code for analysis, you can not be certain no such backdoor exists just because it has not yet been seen.

Sean Nelson

Nelly's Security
In reply to Brian Karas | 11/14/17 05:44pm

Their are many things one can speculate on. How do you know their is NOT a backdoor on any manufacturer? How would you answer this question if Hikvision asked you: How do we not know that some of IPVM's undisclosed posts are not actually IPVM employees?

Again, common sense prevails here. If Hikvision was stealthy and smart enough to hide a backdoor in their recorders that no one have found yet, then why on earth would they make a vulnerability that was so obvious on their cameras? Why wouldnt they just duplicate the super stealthy intelligent backdoor to their cameras instead leaving open a blatantly careless vulnerability that was easy to find?

Again, they made a careless mistake and put a very low priority on cyber security in the past. Thankfully, they are being more proactive now on cyber security as opposed to reactive. This is where Hikvision is different now as opposed to where they were in the past, and they need to better communicate this stance.

Undisclosed Distributor #3

In reply to Sean Nelson | 11/14/17 05:46pm

Again, common sense prevails here. If Hikvision was stealthy and smart enough to hide a backdoor in their recorders that no one have found yet, then why on earth would they make a vulnerability that was so obvious on their cameras? Why wouldnt they just duplicate the super stealthy intelligent backdoor to their cameras instead leaving open a blatantly careless vulnerability that was easy to find?

But it wasn't easy to find. It took a skilled researcher who was specifically evaluating the product for vulnerabilities to exploit to find.

Sean Nelson

Nelly's Security
In reply to Undisclosed Distributor #3 | 11/14/17 05:49pm

According to IPVM it is incredibly easy and obvious to exploit.

Undisclosed Distributor #3

In reply to Sean Nelson | 11/14/17 05:53pm

According to IPVM, it is incredibly easy to use once you know about it, and it's something that should have been spotted by the developers. That's not quite the same thing.

Again, either they're incompetent or they're doing this on purpose. I believe Dahua is incompetent, but I have a much harder time believing that Hikvision is incompetent.

Michael Miller

In reply to Sean Nelson | 11/14/17 05:47pm

Sean what is your back up plan if Hikvision turns out to be no better the your Dahua experience?

Sean Nelson

Nelly's Security
In reply to Michael Miller | 11/14/17 05:57pm

I quit Dahua over a year ago due to their many quality control issues, too much RMA problems, this was before any evidence of vulnerabilities. However, I had much success with Dahua. Hikvision does not have the quality control issues that Dahua has, its a solid product.

I continue to have much success with Hikvision, and its funny that you ask right now, we just helped a client win out a local project against a competitor who was quoting Avigilon. Nothing against Avigilon but we were able to save the end user several thousand dollars and they are very pleased with the system. I wonder if the Avigilon dealer had a backup plan for that scenario. I guess not because he lost the bid.

Michael Miller

In reply to Sean Nelson | 11/14/17 08:48pm

Give me their number. I bet you a case of beer I can get the Hikvision replaced :)

Undisclosed Integrator #16

In reply to Sean Nelson | 11/14/17 08:57pm

The backup plan was to wait until the devices were exploited, come back later and install Avigilon for twice the price. Maybe this is what MARTY meant by “Laughing all the way to the bank”.

Sean Nelson

Nelly's Security
In reply to Undisclosed Integrator #16 | 11/14/17 08:59pm

Ha! We could replace the Hikvision cameras 5 times over with similar hikvisions and still be less expensive than Avigilon. Being exaggetory of course

Undisclosed Distributor #3

In reply to Sean Nelson | 11/14/17 09:01pm

*price of hacking not included

Sean Nelson

Nelly's Security
In reply to Undisclosed Distributor #3 | 11/14/17 09:04pm

Im curious if you carry products that have never been hacked?

Undisclosed Distributor #3

In reply to Sean Nelson | 11/14/17 09:05pm

Not more than once or twice, no.

Sean Nelson

Nelly's Security
In reply to Undisclosed Distributor #3 | 11/14/17 09:55pm

Yes than No? Interesting!

Undisclosed Integrator #16

In reply to Sean Nelson | 11/14/17 10:35pm

You may end up Doug just that.

Undisclosed #14

In reply to Undisclosed Integrator #16 | 11/14/17 10:55pm

You may end up Doug just that.

Now there’s an ad hominem if I’ve ever seen one ;)

Marty Calhoun

IPVMU Certified | In reply to Undisclosed Integrator #16 | 11/14/17 09:41pm

Not quite, I am still waiting for the 'Exploit'.

Instead of the 'could' 'might' syndrome I am going with facts, and the real fact is no one, not even IPVM or Bashis can provide direct evidence that Hikvison has knowingly produced one camera, encoder, decoder or any other electronic device with the intent to spy on anyone, damage anyone in any way or that Hikvision has used any of the methods described for any purpose other than what they were designed for.

When all of the 'proof' is added up you have a 'pimple on an Elephants ass' quantity of facts....There is nothing but claims of 'maybe' 'could' 'might' but where is the undeniable fact that Hikvision has done anything on purpose or with malicious intent?

Go ahead make all the arguments that have no merit, no one has any factual proof whatsoever so all I can say is what should have been said long ago...

PUT UP or SHUT UP

Michael Miller

In reply to Marty Calhoun | 11/14/17 09:47pm

Marty, so you seriously think that a government (or any government) which manufactures IOT devices would not think about using these devices for malicious intent?

Undisclosed #13

In reply to Michael Miller | 11/14/17 09:50pm

Yes,they sure do

goggle "nsa hacking tools"

Brian Karas

IPVM | In reply to Marty Calhoun | 11/14/17 10:29pm

Marty, when the proof is added up, what we see is that Hikvision has shipped a massive volume of very insecure devices. It really does not matter if the backdoors were intentional or not, they are highly indicative of poor engineering and poor concern for the overall safety and security of their customers.

Marty Calhoun

IPVMU Certified | In reply to Brian Karas | 11/14/17 10:46pm

That is entirely possible, but today as in now, they are NOT shipping those products and have taken measures to correct 'inadvertent' mistakes. Before you denounce my statement with Chinese Government, The Chairman, the 1000yr old way China does business, SHOW PROOF OTHERWISE that HIKVISION willfully committed any act with intent to harm anyone.

Very Simple, SHOW THE PROOF? You want a blockbuster Headline,back-up the claims with FACTS.

John Honovich

IPVM | In reply to Marty Calhoun | 11/14/17 10:49pm

Marty, the backdoor was obviously done on purpose. It is not a coding error when it directly bypassing authentication.

We are not going to convince you. As a US integrator recommending and installing Hikvision products on to US military bases for years, you are so wrapped up and committed to Hikvision that you simply refuse to acknowledge the obvious risks.

Sean Nelson

Nelly's Security
In reply to John Honovich | 11/14/17 10:53pm

Marty, the backdoor was obviously done on purpose.

Wow!

John Honovich

IPVM | In reply to Sean Nelson | 11/14/17 11:00pm

Sean, this is zero surprise or 'wow' to anyone who has looked at how it works. They programmed in a specific method to bypass authentication. It was not some form or error or weird edge case.

Why they did it? Only they know. But that it was done on purpose is obvious.

Marty Calhoun

IPVMU Certified | In reply to Sean Nelson | 11/15/17 08:47am

So you no longer sell HIKVISION, right? Which way is it? On one hand hand you denounce them but in reality you are moving their merchandise everyday, Hmmm who is the hypocrite?

Wow is right.....

Undisclosed #14

In reply to Marty Calhoun | 11/15/17 09:32am

Wow is right.....

Wow was sarcastic.

Pay attention Marty, Sean is on your side. With friends like you...

Marty Calhoun

IPVMU Certified | In reply to John Honovich | 11/15/17 09:08am

John-

For you information, any camera that I may have installed on any Military base is secured on its own network, (BY CHOICE OF OTHERS) and was never intended to be connected to nip or sip. What you fail to understand is there are 10's of thousands of IP cameras residing on there own local networks that will will never reside outside that domain and it is not for any reason except that the CUSTOMER asks for this design. That detail is avoided because it does not support your overall negative advertisement of Hikvision products in general.

There is NO wrongdoing or other shady attempt on my part whatsoever in selecting, specifying , submitting,or the installation of those components. I would do exactly the same thing tomorrow and next week. There is no 'wrap-up' or 'collusion' with anyone and your implication is based on falsehoods and misrepresentations of facts and I take umbrage with that scenario.

Undisclosed Manufacturer #19

In reply to John Honovich | 11/15/17 01:01pm

Marty, the backdoor was obviously done on purpose. It is not a coding error when it directly bypassing authentication.

This is by far the single most damning issue regarding HIK.

It is an obvious backdoor created to allow HIK to take control of the device whenever, and for whatever purpose, they deem necessary.

There is no rationale for this to have been created other than that.

Undisclosed #20

In reply to Undisclosed Manufacturer #19 | 11/15/17 03:32pm

Here is Keen Yao, the VP of Hikvision’s International Business Centre just months ago:

Is it possible to put a “backdoor” in a Hikvision or other manufacturer’s device?

“Any manufacturer, including those who develop or support software, has the technical ability to put a 'backdoor' into firmware. Of course, Hikvision has never intentionally put a backdoor into firmware or software, and it never will.”

no word on whether or not Mr. Yao's pants were, in fact, on fire at the time of this interview...

Undisclosed #20

In reply to Marty Calhoun | 11/14/17 11:09pm

"SHOW PROOF OTHERWISE that HIKVISION willfully committed any act with intent to harm anyone."

It is clear that they willfully committed the act. Do you agree that they put that backdoor there on purpose - or do you maintain that it was 'inadvertent'?

Proving intent can not knowingly be done by anyone here reading this column - which you know. We are all left with inferring intent... and the haters gonna hate and the fanboys gonna fanboy - as you also know. i.e. your argument is not even an argument.

also - yelling in all caps adds no strength to weak words.

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #20 | 11/15/17 03:43pm

Thank you, I have respect for your opinion and choose not to hurl any disrespectful comment your way.

Undisclosed #20

In reply to Marty Calhoun | 11/15/17 03:54pm

I'll ask a 2nd time:

Do you agree that they put that backdoor there on purpose - or do you maintain that it was 'inadvertent'?

Undisclosed #20

In reply to Undisclosed #20 | 11/15/17 03:54pm

respectfully

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #20 | 11/15/17 04:41pm

I said inadvertent and I stand by that assertion. Whatever their reason was is just that.

There is nothing Hikvison can do that will be interpreted on IPVM as honest and have a purpose that will not be misconstrued by someone that will make a claim or insinuate that Hikvision is doing it for unlawful purposes. Making broad statements that Hikvison is writing code and inserting that code into products in some 'wild-ass conspiracy' is baseless and outright 'silly'.

If you have that knowledge and absolute proof that they have done this, for unlawful purposes, not that it was there, then by all means show-it here and now and I will be the first one to admit I was dead-ass wrong.

I choose not to beat this dead horse any further.

Undisclosed #20

In reply to Marty Calhoun | 11/15/17 05:32pm

"If you have that knowledge and absolute proof that they have done this, for unlawful purposes, not that it was there,..."

The fact that the back door is there is not in question... but it wasn't 'just there' magically - Hikvision put it there on purpose.

I don't think most people believe that they did this with nefarious intent... I think most imagine this was just a short-sighted decision they made which would allow them to support these devices easier.

You can continue to stand behind your 'inadvertent' position all you want to, but it just detracts from your message when you continue to refute what everyone else knows to be true - even Mr. Yao, et al.

So, your repeated demand for proof of Hikvision creating this back door 'for unlawful purposes' or 'intent to harm' is a big fat straw man.

The fact that they put it there means that others could possibly use that backdoor 'for unlawful purposes' or 'with intent to harm'.

Undisclosed Manufacturer #21

In reply to Marty Calhoun | 11/15/17 06:15pm

What I find silly is your dedication to Hik and the 'good Chinese people' as I think you called them before. There is very little good about the Chinese government and they are well and truly experienced in spying on anything and everything as you well know. I don't have to spell out all horrible things that the Chinese government does to the actual good people including incarcerating political opponents, spying on different religions, blocking freedom of speech etc. Of course it is well possible and realistic to think that the not so good Chinese people that the government (self appointed Communist government) is made up of is using every single option to spy on the west simply based on their reputation.

Undisclosed Manufacturer #22

In reply to Sean Nelson | 11/15/17 01:32pm

It has to do with the sheer numbers. There are many cameras hanging off of one NVR. Also, a system may have remote cameras that are accessible. This is where the orginal IP cameras gained popularity, and thus a challenge for hackers. Finally, a Hik camera is very common due to low cost, but then the recording side is very mixed. They may have PC or cloud recording software, VMS, other brand NVR, or simply a live monitoring solution. Finally, and IP camera usually has less memory, thus the NVR can hold more code and more protection for a better firewall, etc. Historically, IP cameras are the target of choice, esp. since so many IP cameras allowed live viewing without any password whereas all NVRs require a login.

Undisclosed #20

11/14/17 05:47pm

"Paging Chuck Davis.... Chuck. Davis. White courtesy telephone, please."

Where is Chuck?

[IPVM Note: Related: Hikvision Admits Backdoor 'PR Issue']

Ethan Ace

IPVM | 11/14/17 07:50pm

Also this should go without saying, but multiple comments in reply to Sean were ad hominem attacks, which are also not going to be tolerated.

Marty Calhoun

IPVMU Certified | In reply to Ethan Ace | 11/14/17 08:46pm

I am sure that is appreciated Ethan, Been there myself.

Undisclosed Integrator #16

In reply to Marty Calhoun | 11/14/17 08:59pm

Government representatives are exempted from satire.

Undisclosed #14

11/14/17 10:16pm

One thing I think everyone, on all sides, can agree on here is that this story would not have made front page news if it weren’t for John’s incessant reporting. The article is at least 50% recycled IPVM content with redone graphics.

Only a minor mention to IPVM at the very end of the article seems remiss...

John Honovich

IPVM | 11/15/17 01:00am

Update (and appended to the original report):

On November 14, 2017, Hikvision emailed to dealers a 'Special Bulletin' Update on Wall Street Journal Article:

The most notable element of the response is how they lead with their government ownership, revealing that they see that as the most significant issue. Unfortunately for their dealers, Hikvision tricks them saying:

Hikvision is completely transparent about its ownership structure and as of June 30, 2017 had less than 42% of its shares owned by a state-owned enterprise (SOE), with the rest of the stockholders being venture capitalists,

They are completely misleading. If they wanted to be transparent, they would acknowledge that those 'shares owned by a SOE' are in fact their controlling shareholder, as their own financials do disclose:

Undisclosed Integrator #5

11/15/17 09:16am

Please offer disclosure of just how many ADDITIONAL companies in CHINA are owned this way so we have a more clear understanding that HIKVISION is by far not the only one 'semi- OWNED by the government.

Capishe?

Undisclosed Integrator #15

11/15/17 01:18pm

I'll say one thing about these threads, it does my OCD reading no good.

Michael Miller

11/16/17 01:00pm

More coverage in the press: https://www-washingtonpost-com.cdn.ampproject.org/c/s/www.washingtonpost.com/amphtml/business/economy/years-after-regulatory-crackdown-some-security-cameras-still-open-to-hackers/2017/11/14/b15f8428-c980-11e7-8321-481fd63f174d_story.html

Brian Karas

IPVM | In reply to Michael Miller | 11/16/17 01:14pm

We were pre-briefed on these, planning coverage next week after some followup discussions with Dahua to fact check details reported on the exploit and affected versions.

Undisclosed Manufacturer #1

In reply to Michael Miller | 11/16/17 01:24pm

"This vulnerability is not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor," the report claims.

Undisclosed Integrator #5

In reply to Undisclosed Manufacturer #1 | 11/16/17 01:28pm

"the report claims"

Undisclosed Manufacturer #22

11/16/17 01:25pm

Article link from above @WashPost ReFirm researchers said they found a vulnerability that lets anyone gain access to a TRENDnet camera by typing 12 specified characters into a Web browser, followed by the Internet address of the video camera, which can be found relatively easily online.

Wow. This 12 digit string sounds just like the Hik magic string backdoor LINK. Very interesting that Hik and Dahua and TrendNet all have similar backdoors.

Undisclosed #23

11/17/17 02:24pm

What is truly amazing is how long this took to catch on. Not long ago China used to be Called Red China. Why? because they are a Communist regime. They are not our friends never have been yet we continue to buy products from a brutal totalitarian regime that has killed 40 million plus of its own people through the purges of Mao and now has become this Frankenstein due to all the money pouring in from the USA and other countries. They flex there military might in the South China sea, build artificial islands to expand there military reach, threaten neighbors such as Vietnam and the Philippines yet you buy from them....because they are cheap.

Maybe the ignorant masses need to study history a bit more and look at the current geo political atmosphere and try to comprehend what the Chinese communists are all about before sending Dollars to them.

Maybe some day people will wake from the slumber they are in but I doubt it because the either don't know or don't care where they are sending there money to. Maybe when an end user gets hacked and sensitive info is stolen and they sue the company that installed the equipment, Dealers might wake up.

Undisclosed Integrator #16

In reply to Undisclosed #23 | 11/19/17 11:03am

I think it is just a matter of time until end users force the low end integrators hands. I have seen indemnification on cyber security breaches in contracts on occasion. This is likely to trickle down.

Undisclosed Integrator #24

12/22/17 03:38am

WSJ released a video report on XinJiang, China. WSJ report On 4'39", the video showed the name of the face recognition camera Link to Camera Manufacturer (DeepGlint FoveaCam)

John Honovich

IPVM | In reply to Undisclosed Integrator #24 | 12/22/17 09:22am

#24, thanks for sharing that company's link, helpful! We are preparing a post on that WSJ article.

One thing I wonder about that excerpt from the WSJ video is whether the example above is staged. For example, take a look at this match, the subject is heavily occluded and the video is grainy:

I find it very hard to believe any system anywhere could so confidently match against a subject under such conditions unless the system only has a few people on its watchlist. Otherwise, there would be far too many close wrong matches with such bad input.

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020

Hackers are targeting China video surveillance manufacturers and systems, according to the PRC's main cyber threat monitoring body. The hackers...

"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020

Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...

US Issues Criminal Charges Against Aventura For Fraudulently Selling Hikvision And Other China Products on Nov 07, 2019

The US government has made an unprecedented move on the video surveillance supply chain, charging a US company, Aventura for "having conspired with...

US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019

A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party)...

US - China Review Commission Cites IPVM on Foreign Provider Threat on Oct 01, 2019

A bipartisan congressional commission cited IPVM twice in its analysis of how the PRC government protects its surveillance firms from foreign...

Dahua And Hikvision Accept PRC Government Officials on Sep 26, 2019

Hikvision and Dahua are among the 100 companies accepting PRC government officials as part of a new initiative to boost manufacturing that has...

IFSEC Report: US Ban Hurting Hikvision In Europe on Sep 04, 2019

Prominent UK publication IFSEC Global has issued a new report finding that US bans are impacting the purchase of 'Chinese' products, most notably...

Hikvision Scrutinized In The Netherlands on Aug 15, 2019

Hikvision is facing unprecedented scrutiny in the Netherlands, at the same time the US government ban has taken effect. This week, a Dutch...

Hikvision Cameras Covering Concentration Camps on Jul 29, 2019

Hikvision cameras monitoring a concentration camp were shown in a recent BBC investigation: The video excerpt shows the Hikvision cameras and...

Hikvision VP On Muslim Oppression on May 14, 2019

Hikvision has won tens of millions of dollars, at least, in direct contracts with the Chinese government that oppresses Muslims, including a forced...

Most Recent Industry Reports

Embedded Logix Thermal Temperature Detection System Examined on Apr 08, 2020

Embedded Logix has been producing thermal temperature measurement systems for industry and fire detection for over 10 years. Now, they are entering...

Micron 1 TB SD Cards Aim To Eliminate NVRs on Apr 08, 2020

Micron has boldly proclaimed their latest 1TB microSD "eliminates the need for network video recorders", targeting the growing market of...

US DoD Declares "Can No Longer Do Business" With Contractors Using Dahua, Hikvision, Huawei on Apr 08, 2020

The US Department of Defense has confirmed to IPVM that they fully support and intend to proceed with the NDAA 'blacklist clause' covering Dahua,...

IPVM's 12th Anniversary - Thank You! on Apr 07, 2020

IPVM is proud to celebrate it's 12 anniversary expanding our commitment to providing the industry independent and objective information on video...

Mobotix Thermal Body Temperature Detection Examined on Apr 07, 2020

Mobotix has jumped into the Coronavirus temperature detection market, but how do they compare to thermal incumbents like FLIR or ICI who have been...

Verkada Coronavirus Response: Free Temp Systems For Government and Health Care on Apr 07, 2020

Verkada has built a reputation on giving away things for free - free Yeti Tumblers, free trial cameras and now free temporary systems for...

Hikvision USA Refuses, Dahua USA Drives Forward With "Coronavirus Cameras" on Apr 07, 2020

Both have been federally banned, both sanctioned for human rights abuses but only one - Dahua - is taking aim at the booming "coronavirus cameras"...

China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020

While China video surveillance vulnerabilities have been much debated in the West in the past few years, China is now saying those vulnerabilities...

USA ICI Elevated Skin Temperature Detectors Examined on Apr 06, 2020

Infrared Cameras, Inc. (ICI) is aiming to help slow the spread of COVID-19 with "pinpoint accurate skin temperature measurement" using their...

Trade Groups Request NDAA Blacklist Delay Citing Coronavirus on Apr 06, 2020

Two trade groups representing government contractors have asked Congress to delay implementation of the NDAA's 'blacklist' clause from this August...