HIKVISION has categorically rejected speculations raised in an article by the Wall Street Journal mid-November, including historical questions over the company’s ownership and its cyber security credentials, which have been chewed over in the trade press for several years.
All the major camera manufacturers have suffered from the exposure of exploitable coding flaws in firmware as they have been examined more and more closely by cyber security experts. The weaknesses found include a recent gSOAP nasty uncovered by Senrio that may impact on the entire ranges of dozens of IP camera manufacturers. Yet despite the industry-wide cyber security challenges, no other company faces the same level of scrutiny as that directed at the world’s largest surveillance manufacturer, Hikvision.
In response to the WSJ report, Hikvision Oceania’s managing director, Daniel Huang said a security researcher found a firmware vulnerability and reported it to Hikvision the next day.
“Only 6 days later, we released patched firmware and notified our integrator partners via special bulletin and the public via notices on our website,” Huang said. “All this happened before the vulnerability was disclosed to
the public. The company followed the responsible disclosure process and 2 months later, DHS released a report confirming that a vulnerability was found and that the updated firmware we released earlier resolved the issue. We notified our integrator partners and posted a notice on our website about the DHS report.”
Huang also reiterated the transparency of the company’s ownership, which he acknowledged includes a state-owned component.
“Hikvision is completely transparent about its ownership structure and as of June 30, 2017, had less than 42 per cent of its shares held by a state-owned enterprise (SOE), with the rest of the stockholders being venture capitalists, A-shareholders, and overseas institutional investors, such as Hong Kong Service Clearing Company Ltd. and UBS AG, which are currently among Hikvision’s top 10 shareholders,” he said.
In response to other items raised in the report, Huang said Hikvision had no knowledge of the listing of its SKUs on a GSA website in the U.S. and had never authorised such an action.
“The Wall Street Journal story mentions a December 2016 incident where 2 unauthorized distributors erroneously listed our product SKUs on a GSA website,” Huang said. “The implication could be that Hikvision was involved in unethical conduct. Hikvision was not involved in any way – we never authorized unaffiliated resellers to put our products on the GSA Schedule Advantage website, nor would we claim Hikvision products are made in the USA. Hikvision is proud to be a Chinese company and our products are clearly marked “Made in China”.
Huang said the company had no knowledge of the use of its products at the U.S. Embassy in Kabul, which was correlated, along with the company’s state-owned component, as being a potential national security risk to the United States by a number of online sources.
“Before a blog post brought this issue to our attention in August of 2016, Hikvision had no knowledge of any particulars regarding this project on the end-user level,” Huang said. “To date, we have not been contacted by the end-user in regard to this project. As always, we would be happy to discuss any product details with the end-user if requested by them.
“Hikvision is the world’s largest provider of video surveillance equipment and more determined than ever to continue our important work to fight criminal and terrorist activities,” Huang said. “We are fully committed to our business partners and we are vigilant with regards to enhancing the security of our devices and will continue to make them more robust in open networks.”
According to Senrio, all networkable security devices such as IP cameras, should be installed on their own private networks or behind a firewall.
“If you can place a firewall or other defensive mechanism in front of an IoT device, or utilize Network Address Translation, you can reduce their exposure and improve the likelihood of detecting threats against them,” Senrio said.
In spite of the endless conjecture, no Hikvision camera has ever been found to be transmiting video signals to any unauthorised, state-owned third party.