HIKVISION has categorically rejected suggestions it would install backdoors in any of its products allowing unauthorised remote access. The official statement comes after rumours began swirling last year such deliberate backdoors existed, though their presence was never empirically proved.
“Hikvision never has, does or would intentionally contribute to the placement of ‘backdoors’ in its products,” said a spokesperson. “The company will continue to cooperate with unbiased independent professional associations for product safety examinations. We believe it is our duty to be vigilant about cybersecurity, and it is our responsibility to provide cybersecurity assurance system and to be a resource for our valued customers and the security industry as a whole.
“Hikvision is dedicated to enhancing and optimizing the cybersecurity in the development, manufacturing, delivery and servicing of our video surveillance products. The company complies with all applicable national and regional
cybersecurity regulations and follows the best industry practices. Hikvision has established a sustainable and reliable cybersecurity assurance system that encompasses the company’s policies, organizational and operational procedures, technology and regulations.
“Hikvision's information security management system has been certified with ISO27001. The Hikvision Network and Information Security Lab utilizes the world’s leading known-vulnerability scanning tools and unknown-vulnerability discovery tools to verify and ensure that Hikvision products meet the industry cybersecurity standards and regulations.
“Hikvision’s cybersecurity assurance efforts are built into the lifecycle of its products, including development, verification, manufacturing, delivery and service. We are constantly evaluating and enhancing our cybersecurity efforts in order to provide our valued customers with the highest quality and most reliable products.
“Cybersecurity threats are a challenge for the entire security industry and for any technology company. Hikvision is actively working with customers, partners, competitors and cybersecurity associations to ensure best practices and to mitigate threats. Hikvision will continue its efforts to provide the best expertise to the
industry-wide cybersecurity initiatives.”
Over the past couple of years almost every reputable camera brand has been shown to have serious network security vulnerabilities, most of which can be exploited after direct connection of cameras to the internet without activating SSL and without the application of layered IT security procedures. Professional security integrators should never expose any networked camera to the internet unless absolutely necessary and should be aware that directly-connected IP cameras will almost always be in a P2P-type environment with remote support from manufacturer servers. Cameras exposed to open networks should be secured to the level of the network frontline.
Other relevant security procedures that must be applied to networked security devices include the use of dedicated VLANs, the application of complex managed passwords at multiple network layers, including at the management layer, and the application of network intrusion detection systems that are tuned to detect attempts upon known vulnerabilities. When setting up intrusion detection support for surveillance systems, integrators might consider proxy filtering http requests to /PSIA/System/ConfigurationData, as well as proxy filtering the Range parameter in RSTP requests.
Failure to implement and maintain appropriate network security procedures would allow an attacker to breach any undefended networked-connected IP camera. ♦