Over the past 18 months there have been persistent rumours about backdoors in Hikvision products, despite the fact almost all the major camera makers having had serious security weaknesses exposed over the same period. John Adams speaks with Hikvision’s Daniel Huang.
JA: There’s been a lot of talk lately about Hikvision – the first issue relates to ownership of the company. It’s alleged Hikvision is owned – and presumably controlled – by the Chinese Government. Could you explain Hikvision’s ownership structure for SEN readers?
DH: Hikvision’s ownership is public information, readily available on our website for anyone to see since our IPO and debut on the stock market in 2010. Hikvision is a global, publicly traded company. There are 4 major shareholder groups in Hikvision: state-owned enterprise shareholders (SOEs); an individual investor; company founders and executives; and, common-share/international institutional investors. So, while Hikvision has shareholders who are SOEs or government controlled entities, Hikvision itself is not an SOE.
As of 30 September 2016, our shareholders include government entities (42 per cent of our stock is held by 2 state-owned enterprises), major stockholders include a Hong Kong businessman, and common-shares investors, including international institutional investors. UBS AG and JP Morgan are among Hikvision’s top 10 shareholders. The Shenzhen-Hong Kong Stock Connect, which launched at the end of 2016 is also enabling more foreign investors to buy Hikvision stock, which will make the shareholder structure even more diversified.
JA: Up until a few decades ago, most Chinese enterprises were connected to the government in some way or other – at the time this was a normal state of affairs in China. Would you say the Chinese Government now has no operational input whatever into the running of the Hikvision business?
DH: As I said, Hikvision is an independent, publicly traded entity. It is not “controlled by the Chinese State” as some have asserted. Hangzhou Hikvision Digital Technology Co., Ltd. is a public joint stock company. The company fulfils its fiduciary duty to its diverse shareholder base and strictly conforms to the statutory laws and regulations. Hikvision’s management team, led by CEO, Mr. Hu Yangzhong, is responsible for the daily management and business operations of the global company, its long-term business plan and implementation of that plan.
JA: We might as get this one out of the way – backdoors in Hikvision products. Many things are called ‘backdoors’, including normal P2P comms with proprietary servers, concurrent design flaws that lead to vulnerability – things like the ability to download hashed passwords and then present them to a device to gain access – this can be facilitated by browser password hashing undertaken using JavaScript. No one has ever shown SEN a Hikvision backdoor but could you confirm for SEN readers once and for all that Hikvision cameras have no backdoors that report to mysterious government agencies?
DH: Any manufacturer, including those who develop or support software, has the technical ability to put what might be described as a ‘backdoor’ into firmware. Of course, Hikvision has never intentionally put a backdoor into firmware or software, and it never will. As a commercial company, Hikvision’s focus is on commercial success, there is no motive for a commercial company to provide access to a government. Hikvision is committed to maintaining the highest privacy standards and does not provide access to any government for unlawful surveillance through our equipment. Hikvision has sold tens of millions of network-connected devices—IP cameras and NVRs—that sit on the internet. There is no report anywhere that such access has ever taken place. A video surveillance system is comprised of front-end devices, backend devices, network devices and a system platform. Furthermore, if any change is made to an edge device – like a camera – it would immediately be detected by the network devices and security platforms.
JA: I’m not going to list all the IP camera makers that have been found to have vulnerabilities that could be called backdoors – that list includes almost every IP camera manufacturer in the world, including the very best of them. Late last year, a famous Japanese brand’s entire range was shown to be vulnerable and in March this year another quality Chinese manufacturer was found to have widespread weaknesses across its range that needed patching. Hikvision is singled out as the ‘Spectre’ of the CCTV industry when it comes to cyber security but this is a challenge facing the entire industry, isn’t it?
DH: One thing we need to clarify is that cybersecurity is a challenge for all human society – security vulnerability is inevitable, there is no IT system or device with no potential security vulnerabilities. On the other hand, not every vulnerability is damaging – it’s one thing to have a design flaw and another thing to have a design vulnerability that can be exploited by an attacker. Every vulnerability is specific to a device and an OS – there is no common vulnerability for all IT devices.
And the same vulnerability would not exist in the same way in different manufacturers’ devices or across different platforms – for example, a vulnerability in a Windows system would appear differently in Linux, though vulnerabilities in Windows platforms could also exist in many other Microsoft products. Regardless of these variables, every manufacturer of IP devices, in all industries, including video surveillance, must take cybersecurity into account.
JA: Typically, every CCTV system should be behind a firewall with access control of IP addresses, use of VLANs and subnets, with monitoring of external comms and repeated attempts to access ports. Doesn’t secure topology and system design make talk about vulnerabilities in single internet-facing IP cameras irrelevant for almost all serious electronic security applications?
DH: To ensure the network security of CCTV systems front-end devices, backend devices, the platform, and any network and additional security devices need to cooperate and complement each other to ensure holistic system security. A tiny vulnerability in any device impacts on the security of the whole system. At the same time, we think secure management procedures are actually the most important aspect of system security. We believe that for the maintenance of security, 30 per cent of the effort is about technology and the other 70 per cent is about secure management. That’s because even with a very secure cybersecurity solution, if users fail to manage or operate the system using proper procedures, that system will be compromised.
Something else to consider is that there are layers of vulnerability in any system. A manufacturer could design a secure network topology with a carefully configured firewall but if a camera itself is not secure, an attacker could access and exploit it after gaining access to an adjacent data network. In this way, the attacker could bypass the outward firewall and network topology designed to protect the security devices. The answer is to apply network security in layers – every part of the network must be secured, every device must be secured, every unauthorised attempt at intrusion should be reported and investigated.
JA: Last time I checked, Hikvision’s latest cameras had a serious array of cyber security functionality – would you say the Hikvision range has arguably the best cyber security capability on the market today?
DH: Ensuring the highest possible levels of cybersecurity is Hikvision’s top priority and we are proud of our industry-leading cybersecurity practices, which include:
* A special task force at Hikvision headquarters, the Network and Information Security Lab sets Hikvision’s security standards, performing security evaluations and testing, and responding to security issues.
* The Hikvision Security Response Centre (HSRC) to receive, dispose and report any and all security-related vulnerabilities with a professional security emergency response mechanism.
* Hikvision received its ISO/IEC 27001 certification last year.
* Hikvision partners with several renowned security data and analytics companies such as Rapid7 to perform ongoing penetration tests and vulnerability assessments of our products.
* We continue to take steps to improve our products, including having them tested by leading third-party cybersecurity firms to minimize any potential security risks.
JA: If you could say anything to end users worried about the persistent talk around Hikvision’s cyber security capabilities, what would it be?
DH: Hikvision is committed to working with its valued integrator, dealer, and end users on cybersecurity best practices as they pertain to video surveillance. Hikvision’s website features a unique Security Centre section where our customers, partners and security researchers can report potential security issues and get immediate attention. The Security Centre is updated regularly with educational material and special alerts. In addition, representatives from Hikvision have spoken about cybersecurity at numerous major security trade shows and conferences over the past 2 years.
We have also created a series of webinars, articles and white papers on cybersecurity best practices. We firmly believe that manufacturers, integrators and end users must work together to ensure the greatest level of cybersecurity possible. Hikvision’s cybersecurity assurance efforts are built into the lifecycle of its products, including development, verification, manufacturing, delivery and service. We are constantly evaluating and enhancing our cybersecurity efforts to provide our valued customers with the highest quality and most reliable products. On the other hand, end users also need to improve their security awareness, for instance, they must not only choose secure products but also strengthen passwords in system set-up, then maintain those secure password schedules going forward.
JA: Hikvision is committed to ensuring its products are the most secure IP devices in the electronic security industry?
DH: As mentioned above, it is a common scenario for IT products to have security vulnerability – this remains an insoluble technological issue for human society. As IT products usually include hundreds of thousands of lines of code, if a single code parameter is configured wrongly, or placed in the wrong order, it may result in serious vulnerabilities in a device and thus, in a system. At present, no technology can effectively detect all security problems automatically using a process of artificial auditing. For these reasons, it’s common for all products to have security issues that are discovered after release and then hardened over time. This applies to mobile phones and computers as much as it does to CCTV cameras. We cannot declare whose products are the most secure but what we can say is that as a leading security product manufacturer, Hikvision strives to develop the world’s most secure security products.
JA: Phew – now we have that out of the way – when will the new engineering building be completed in Hangzhou? Could you tell readers some of its specifications and the role it will play in the future of the business?
DH: The third phase of Hikvision’s facilities is now under construction, it is planned to be finished in year 2018. The new facility will add another 250,000 square meters of office space and will accommodate 11,000 employees.
JA: What’s new with Hikvision when it comes to hardware and software – what new products and technologies does the team have planned?
DH: As we know, video is not just about security surveillance sector, it could be used in many other areas, for example, the future’s robots need ‘eyes’, so we think machine vision will be a much larger component of our business in the future. Intelligent video is also a trend in the security industry. For instance, Hikvision has introduced AI products from front-end cameras to backend devices, such as the Deep Sight series cameras and our Blaze server.
These products perform much higher accuracy video analytics, including personnel behaviour, traffic statistics, human body properties, and face recognition, and are designed to help create safer communities, better transit hubs and more efficient business operations. Based on AI and deep learning technology, and globally shared high-performance processors, as well as big data that we have collected over the years, we believe we can contribute a lot to the industry in this area.
JA: Hikvision continues to grow – globally and here in Australia. What would you say the company’s goals are – not only financially but from the point of view of customer support and industry engagement? What is Hikvision striving to be?
DH: We aim to be a respected, world class, electronic security manufacturer. At Hikvision Australia, it’s not only about strong sales numbers but also about bringing as much value as possible to installers and end users with leading edge technologies. We offer affordable products and solutions, as well as support – from design to after sales service and all the logistics in between. We are customer-oriented, and while we compete at the affordable end of the CCTV market, our primary goal is not to cost the least but to perform the best.
John Adams with Daniel Huang