However, going after just a brand solves nothing; the problem is that nobody can properly audit these devices due to their closed nature.
A huge number of IP cameras and DVR/NVR devices have been either compromised for botnet installation or caught phoning home (usually somewhere in China) in the past. Unless one can purchase a fully Open Source one (including hardware and firmware), there are no guarantees that a device won't be doing nasty things, or silently waiting for remote triggers to do so, which is something that only source code inspection could guarantee against. In the meantime the solution has always been to put them behind a firewall that doesn't let them initiate connections to the outside and also filters out incoming connections from untrusted parties; this should apply to all closed connected devices, not just Hikvision cameras.
The "put them behind a firewall" approach is really not adequate.
Many times these cameras are already behind a firewall of sorts: larger CCTV systems will use a dual-homed server, with a dedicated LAN for the cameras, and a secondary LAN for client access to the recording server.
Even in this dual-homed setup, there is still the potential for the cameras to infect, or otherwise compromise, the recording server, which itself generally has access to a much larger part of the organization's networks, if not the internet directly.
At this point, Hikvision has a well documented record of severe cyber security flaws, and countless public statements attempting to deny or downplay them. They are funded by the Chinese government as well. We have seen plenty of other examples of various governments utilizing vulnerable devices, like IP cameras, to gain access to networks, exfiltrate data, or perform other malicious acts.
There are many other good, cost-effective alternatives to Hikvision that do not come with the legacy of vulnerabilities, and the risks of being closely tied to the Chinese government. Hikvision has brought this upon themselves.
As for how they were alerted, there have been publications documenting Hikvision's risks for years now. I started some of these back in 2017, including this from 2018: https://ipvm.com/reports/hik-hack-map
> Even in this dual-homed setup, there is still the potential for the cameras to infect, or otherwise compromise the recording server
I agree that this is a potential risk.
But if the cameras themselves can't route to the internet in this scenario then how are they infecting the recording server?
Is the suggestion that they come shipped from the factory with code to compromise common recording servers? It seems like that would be very significant and something that we'd be able to see in action.
My biggest concern with CCTV networks that I manage is some sort of backdoor access to the cameras themselves. So the dual-homed server design is exactly what I'd choose in order to control things.
The behavior of the United Kingdom looks incoherent: it wants to become a surveillance state [1], but without using cameras manufactured in China, on the grounds that China is a surveillance state.
1) there is nothing incoherent in theoretical "we want obedient citizens under our full control, not controlled by Chinese government"
2) from your own link "But are we really a Big Brother state? You may think that the government is behind this high level of surveillance, but the BSIA found that only around 1 in 70 cameras are owned by local authorities"
And 99% of them go to the same cloud crap where a single entity can gain control of them all at once (I don't know if this is the current state, but you get the point, it's the inevitable state, be it one with 99% or maybe 5 groups with equal share. In the past all that was needed to take control of a security camera product was ../).
Imagine living in a village in the far past. Your neighbors with whom you will live with for 50 years form close relationships with you. They constantly judge you. They believe in nonsense superstitions, and further judge you by that. If you ever do or convey one thing that goes against their beliefs, they will kill or exile you. You do not sound like any more of a reasonable person. Contrary to popular belief, we do not live in an enlightened time. People still have the same mundane superstitions and morals and actively seek to punish people for violating them. I do not want a village future with you. CCTV is a means of enforcing the will of the people, and only the most opinionated people. It's not worth it for whatever small benefit like a few crimes being solved or punished.
Possibly stupid/overly paranoid question: if most products are being made in China anyway, how do we know they’re not putting backdoors in everything, including goods branded for non-Chinese companies? Cables, power adapters etc. all house chips nowadays. In theory couldn’t they have some kind of silent zero-day virus on them, keylogger etc.?
Does every product on sale get periodic testing to check for this kind of thing? It seems like they could manufacture clean devices to send to a test centre and then back door ones they release in the wild. In the case of non-brand goods such as cables it wouldn’t even really matter if they got caught because they could just spin up another drop ship company under a different name and keep selling.
> It seems like they could manufacture clean devices to send to a test centre and then back door ones they release in the wild.
Glenn Greenwald already went over how the US did this, which is to intercept the devices in transit. That way the backdoors wouldn't be there for general IT personnel or reviewers or state security agents, but they would be there for the targets.
Lol I thought as much. At this point I think most people assume that any major global government can access whatever device you own if they really want to.
> Does every product on sale get periodic testing to check for this kind of thing?
Other than in a very few intelligence-specific cases, nobody really cares very much about cybersecurity until they get ransomwared. Software everywhere is full of holes.
My cameras are on their own vlan, with outbound internet access disabled - so in theory they aren't sending anything anywhere else.
So is this less about the actual cameras, and more that they have been installed insecurely and not kept up to date with firmware? Or the hardware used to record the data is actually in the cloud somewhere and that is the issue?
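The "own VLAN, outbound disabled" setup above is only as good as the evidence that nothing is actually trying to leave it. As an added example (not code from this thread), the script below parses constructed firewall DROP lines in the iptables/nftables LOG format and groups each camera's denied attempts into "internet" (phoning home) and "lateral" (reaching for another internal segment such as the recording server); the VLAN range, internal ranges, log prefix and addresses are all assumptions.

```python
"""Flag cameras on an isolated VLAN that still try to leave it (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines. The prefix CAMVLAN-DROP is assumed to mark the rule that
# denies everything the camera VLAN initiates (RTSP to the recorder is allowed elsewhere).
SAMPLE_LOG = """\
Jun 01 02:10:01 fw kernel: CAMVLAN-DROP IN=vlan50 OUT=eth0 SRC=10.50.0.21 DST=203.0.113.17 PROTO=TCP DPT=443
Jun 01 02:10:31 fw kernel: CAMVLAN-DROP IN=vlan50 OUT=eth0 SRC=10.50.0.21 DST=203.0.113.17 PROTO=TCP DPT=443
Jun 01 02:11:02 fw kernel: CAMVLAN-DROP IN=vlan50 OUT=eth0 SRC=10.50.0.21 DST=198.51.100.8 PROTO=UDP DPT=123
Jun 01 02:12:00 fw kernel: CAMVLAN-DROP IN=vlan50 OUT=eth1 SRC=10.50.0.22 DST=10.10.0.5 PROTO=TCP DPT=445
Jun 01 02:12:10 fw kernel: CAMVLAN-DROP IN=vlan50 OUT=eth1 SRC=10.50.0.22 DST=10.10.0.5 PROTO=TCP DPT=22
Jun 01 02:13:00 fw kernel: CAMVLAN-DROP IN=vlan50 OUT=eth0 SRC=10.50.0.23 DST=8.8.8.8 PROTO=UDP DPT=53
Jun 01 02:13:05 fw kernel: OTHER-DROP IN=eth1 OUT=eth0 SRC=10.10.0.77 DST=8.8.8.8 PROTO=UDP DPT=53
"""

CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")            # assumed camera VLAN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in            # assumed organisation ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"CAMVLAN-DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")

def parse_drops(log_text):
    """Yield (src, dst, proto, dport) for each logged drop whose source is a camera."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and ipaddress.ip_address(m["src"]) in CAMERA_NET:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])

def classify(log_text):
    """Return {camera: {"internet": {dst: count}, "lateral": {dst: count}}}."""
    findings = defaultdict(lambda: {"internet": Counter(), "lateral": Counter()})
    for src, dst, proto, dport in parse_drops(log_text):
        # Explicit internal ranges rather than is_private(): the latter also treats
        # documentation/test ranges as non-global, which would mislabel real egress.
        internal = any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
        findings[src]["lateral" if internal else "internet"][f"{dst}:{proto}/{dport}"] += 1
    return {cam: {k: dict(v) for k, v in b.items()} for cam, b in findings.items()}

def report(log_text):
    """Human-readable lines; the same destination repeated at intervals suggests beaconing."""
    lines = []
    for cam, buckets in sorted(classify(log_text).items()):
        for kind, dests in buckets.items():
            for dest, n in sorted(dests.items()):
                lines.append(f"{cam} -> {dest} ({kind}, {n} attempt{'s' if n > 1 else ''})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Lateral findings (a camera probing the recorder's SMB or SSH port) are the dual-homed-server concern raised earlier in the thread; internet findings are the phone-home case, and a DNS or NTP attempt is worth checking before it is dismissed as benign.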
I have no comment on the security of Hikvision devices.
However, a lot of cameras these days come with a good sized amount of processing power onboard. This can be used for object detection amongst other things. Even without network access the devices could communicate and act on the command of others in many ways. A couple of ideas. You could communicate with the IR LEDs. You could blank the video feed if a certain QR code or flashing light pattern is detected. I'm sure there are more, but you get the idea.
A lot of cameras are for sale with such additional compute, but the only people with them are developers. Corporations that want/need security tend to have large legacy camera networks in which one is lucky if they support HD resolution above 720p. I worked for a leading enterprise FR video security company, and the majority of their clients are firms with anywhere from a few hundred to several tens of thousands of original-generation IP cameras, which they very slowly replace with something as close as possible to what they already have. They want to continue to use their older cameras too, often because their network and number of cameras fit; higher-resolution, greater-bandwidth cameras simply can't fit into their live and operating design.
I don't think I've ever seen a firmware update for any of my Hikvision cameras. They are only 5 years old and require IE to use the admin interface...
I would NEVER buy Hikvision again because as far as I'm concerned their products are absolute junk. I'm amazed they would even be looked at for gov/edu. I guess cheapest really does win those tenders.
I know a few people who are in the AV/low voltage installing business. They said it’s been going around that CCP can access the cameras remotely and/or get video off them. He said he actually likes installing and setting them up but they have to stop selling them due to customer pressure and “unknown” back doors.
I had to hunt down all of the banned devices when the 2019 ban took place on Dahua, Hikvision, and Huawei. I've never seen worse quality feeling looking software. Random cameras requiring Chrome Apps to manage, or some obscure Windows software package.
I'll take an RTSP feed from AXIS over those any day.
Assuming that cost saving will even be a concern for the new purchase. You can be pretty sure the contract for replacing it will go to an organization/corporation that is associated with or related to someone in the current government.
This reminds me of the whole Huawei thing: no actual evidence of any problem, no economic reason, no real political gain, but "feelings". I wonder if a US CCTV provider is about to get a multi billion pound contract having recently "donated" to the groups making this "necessary" "security" decision...
I am sure they are not guessing, and know well enough who uses the backdoor access, and how often, because they are doing the same. Of course, they are not going to present it all to lowly so-called citizens, so you only get the final decision that the dangers were considered greater than the benefits, and some media-friendly hand-waving. It's also a clear signal for other companies that “extended cooperation” is the requirement of commercial success.
When those responsible for “security” actually depend on countless things being insecure crap, we will never see any real change in how things are done, only the talks about never-ending work done ad infinitum. A cheaply and insecurely made device benefits not only its maker, which saves money on development; it also benefits most of those who are supposed to check them and set better rules for them. Instead, we have various “IoT security teams”. It's like starting a fire at an oil refinery, and then announcing that you need something more than a couple of fire trucks.
No, that is not likely to happen.
These bans have been developing for quite a while, based on continuous proof of major cyber security flaws in the products, and documented human rights abuses by Hikvision (and Dahua). Several other CCTV manufacturers will likely benefit from this, but so far there have been no indications that any singular company has gotten the bulk of the benefit, or been overly advocating for these bans.
Huawei is beholden to the CCP and can be coerced. So playing it safe is probably a better idea than rolling out networks which we have no idea if they contain back doors or not that the CCP could use…
That's fine, but now your only suppliers are domestic based with little to no international business. How many top flight 5G infra providers does the UK have?
https://www.fortinet.com/blog/threat-research/mirai-based-bo...
https://www.wsj.com/articles/hackers-infect-army-of-cameras-...
https://hacked.camera/
[1] <https://www.cctv.co.uk/how-many-cctv-cameras-are-there-in-th...>
I guess you've never been burgled or mugged?
https://www.cnet.com/news/privacy/u-k-turns-cctv-terrorism-l...
CCTV doesn't prevent crime. It might sometimes help find and punish the offenders later.
https://www.theguardian.com/books/2014/may/12/glenn-greenwal...
The UK has a specific intelligence service review process for Huawei: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/t...
For home use they suit me perfectly, but I see what you are saying, I too thought that there was a more “pro” brand that govs would use.
That no one has seen. Huawei must be the most examined manufacturer in history by this point and no one has found any actual security flaw yet...
It works the exact same way with every American company, as evidenced by numerous backdoors revealed by Snowden and other folks.
Supporting American protectionism, even when the US effectively has a trade war with Europe with the Inflation Reduction Act.
"We wont ban TikTok because the CCP has given a commitment not to look at the massive trove of data they are continually harvesting..."