I attended GSX in Atlanta this year, and was surprised to find that one of the largest booths on the exhibit floor belonged to Hikvision. This surprised me, because Hikvision had been banned for government use back in 2019. As well, Trusted Internet has seen a massive uptick in scanning for Hikvision cameras after it was reported that access to Hikvision cameras was being sold in Russian dark web forums.
I wanted to know more about Hikvision. Why were they banned?
Here’s what I found out.
Who is Hikvision? Should you care?
Hikvision is the world's largest video surveillance manufacturer, and it is a State (Chinese) owned company. According to them, one in six cameras worldwide are white-labeled (rebranded) Hikvision cameras.
According to cybersecurity firm CYFIRMA, Russian cybercriminal forums are awash with hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability CVE-2021-36260. The firm also reported having observed leaked credentials of Hikvision camera products available for sale.[i]
This would explain the massive uptick in searches for Hikvision cameras that we’ve seen in our portfolio of firewalls.
Hikvision devices have been banned for use [ii] in any US Government application since 2019; the USG cited “an unacceptable risk to US national security.” The ban marks years of analysis and warnings from security researchers, analysts, and intelligence agencies of Chinese espionage targeting US companies and Americans. The USG’s assertion of “an unacceptable risk to US National Security” stems from the simple idea that the Chinese government could use this ubiquitous Chinese-made telecommunications equipment to spy on Americans.
The ban was unexpectedly included in an amendment to a May 2018 House bill [iii] and, shortly after that, passed into US law. [iv] Hikvision spent millions of dollars lobbying the US government [v], hoping that the ban would be overturned, but it has not.
WHY SHOULD WE CARE? WHY IS HIKVISION BANNED FOR USE BY THE US GOVERNMENT?
· Hikvision is a Chinese state-owned company. In multiple forms (annual reporting, press, and prospectus), Hikvision is shown to be a (Chinese) State-owned company. Their 2015 annual report shows the company was created out of a Chinese-owned research institute, and its 10 largest investors are China PRC Government.[vi] In an investor prospectus, [vii] Hikvision disclosed the PRC government as their controlling shareholder.
· Last year, Hikvision resigned from the Security Industry Association (SIA) [viii], the largest trade organization for surveillance vendors, after being accused of working with the Chinese Army on research to improve the “lethality” of missiles.
· Hikvision’s role in helping to build China’s massive police surveillance system and tailoring it to oppress the Muslim minority groups in Xinjiang has come under scrutiny.[ix]
· Hikvision could be sanctioned for aiding the Chinese government’s human rights violations. This year, the US Treasury is reportedly considering adding Hikvision to the Specially Designated Nationals and Blocked Persons (SDN) List, usually reserved for countries like North Korea or Iran. SDN designation would ban anyone anywhere in the world from doing business with Hikvision, a sanction much harsher than the Chinese company Huawei is experiencing now.[x]
· In October, we learned that the Justice Department has required lobbyists for Hikvision to register as foreign agents.[xi]
· Last Fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260.[xii] The exploit was given a “critical” 9.8 out of 10 rating by NIST. Despite the severity of the vulnerability, and nearly a year into this story, over 80,000 affected devices remain unpatched. While Hikvision can’t control what their customers do or how they maintain their systems, the idea of 80,000 unprotected cameras is disturbing.
Following the ban, dozens of US companies hastened to remove Hikvision [xiii] from their environments. And today, any distributor that sells these banned products to the US Government risks their contracts being cancelled or being banned from doing further business with the Federal Government.
ANTI-HIKVISION ACTIVITY IN THE UK
Apparently the UK feels the same way. In the UK, there’s been growing concern that firms linked to human rights abuses receive public money.[xiv] For example, 31% of police services use Hikvision technology, and 60.8% of all public bodies use Hikvision and Dahua surveillance tech.
In the UK, a recent Hikvision event was met by activists [xv] waving signs that read "No Hikvision" and "ban Chinese state-owned CCTV," with one protestor telling reporters that "technology that enables genocide is not welcome in the UK."
And in June, 67 UK Parliament members across party lines called for [xvi] a "ban on the sale and operation" of Hikvision and Dahua equipment over human rights and national security concerns.
This was the strongest move against Hikvision yet and placed unprecedented pressure on the UK government, which has so far declined to impose national-level restrictions.
THOUGHTS
Unfortunately, the size of the organization and the ubiquity of the distribution of the devices it manufactures (Hikvision is said to be the OEM camera system in as many as one in six systems worldwide) mean it’s not easy to eliminate the potential threat.
Hikvision products are white-labeled (rebranded) under many names and manufacturers. This means security integrators and OEM resellers need to be extra vigilant.
In the time since, cybercriminals have started cashing in [xvii] on the flaw. Researchers have recently discovered [xviii] “multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability,” specifically in Russian Dark Web forums, where leaked credentials have been put up for sale. As many as 80,000 camera systems remain online, unpatched, and accessible.
CLOSING THOUGHTS
Do Hikvision cameras spy on Americans? Certainly, they have the capacity to, and they have reportedly been used in Chinese population monitoring, meaning there is a means for doing so and for correlating large amounts of video data.
Should we rip and replace these cameras? Replace with what?
Suppose Hikvision’s Specially Designated Nationals and Blocked Persons (SDN) designation moves ahead. In that case, the millions of Hikvision cameras currently in use worldwide won’t have to be replaced overnight, but they won’t be available for sale in the future. However, that won’t necessarily neutralize the threat: The black market trade and exploitation of devices will be difficult to stamp out, so ongoing vigilance will be required. And, beyond Hikvision, it won’t be long before other camera systems are exploited and have access sold.
Trusted Internet has several clients who use previously installed Hikvision cameras. And many of the larger security providers continue to install and use them in non-government settings. Rather than forcing an expensive rip and replace, we created a reference architecture to prevent outsiders from accessing Hikvision (and other) cameras. We fully expect that Hikvision and white-labeled Hikvision products will eventually be removed from all of our clients, but this is largely dependent on company budgets and priorities. Until funds are available, the cameras reach end of life, or a new vendor brings in new systems, we will continue to support our clients in protecting their physical security systems: alarms, camera surveillance, network video recorders, Hikvision, or otherwise.
SOURCES:
[i] https://www.cyfirma.com/wp-content/uploads/2022/08/HikvisionSurveillanceCamerasVulnerabilities.pdf
[ii] IPVM Team, “US Government Ban of Dahua, Hikvision, Huawei Takes Effect Now,” IPVM, Aug 13, 2019, https://ipvm.com/reports/aug-13-2019
[iii] John Honovich, “US House Passes Bill Banning Gov Use of Dahua and Hikvision,” IPVM, May 24, 2018, https://ipvm.com/reports/us-house-5515
[iv] John Honovich, “NDAA Ban of Dahua and Hikvision Is Now US Gov Law,” IPVM, August 13, 2018, https://ipvm.com/reports/ban-law
[v] IPVM Team, “Hikvision Fights Ban - Claims 'Red Scare', Hires 14 Term Ex-Congressman, Lobbying Records,” Jul 11, 2018, https://ipvm.com/reports/hikvision-sidley
[vi] Hikvision 2015 annual report (p. 62),
[vii] https://ipvm-uploads.s3.amazonaws.com/uploads/a283/117c/hik-bond-prospectus.PDF
[viii] Catalin Cimpanu, “Dahua, Hikvision out of security camera industry group,” The Record, July 25, 2021, https://therecord.media/dahua-hikvision-out-of-security-camera-industry-group/
[ix] Zeyi Yang, “The world’s biggest surveillance company you’ve never heard of,” MIT Technology Review, June 22, 2022, https://www.technologyreview.com/2022/06/22/1054586/hikvision-worlds-biggest-surveillance-company/
[x] MIT Technology Review, June 2022, https://www.technologyreview.com/2022/06/22/1054586/hikvision-worlds-biggest-surveillance-company/
[xi] Lachlan Markay, “Scoop: DOJ demands Hikvision lobbyists register as foreign agents,” Axios, October 17, 2022, https://www.axios.com/2022/10/17/hikvision-foreign-lobbyists-doj-fara
[xii] CVE-2021-36260 Detail, NIST, https://nvd.nist.gov/vuln/detail/CVE-2021-36260
[xiii] IPVM Team, “Hikvision OEM Directory,” IPVM, Jan 12, 2022, https://ipvm.com/reports/hik-oems-dir
[xiv] Benedict Rogers, “The Procurement Bill is a chance for the UK to put its money where its mouth is on human rights,” PoliticsHome, October 26, 2022, https://www.politicshome.com/members/article/the-procurement-bill-is-a-chance-for-the-uk-to-put-its-money-where-its-mouth-is-on-human-rights
[xv] Charles Rollet, "Not Welcome in the UK: Hikvision Protested at London Roadshow,” IPVM, April 13, 2022, https://ipvm.com/reports/hik-protested
[xvi] Charles Rollet, “67 UK Parliamentarians Call for Total Hikvision & Dahua Ban,” IPVM, July 4, 2002, https://ipvm.com/reports/uk-call-ban
[xvii] Jonathan Greig, “Experts warn of widespread exploitation involving Hikvision cameras,” The Record, August 23, 2022, https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/
[xviii] Nate Nelson “Cybercriminals Are Selling Access to Chinese Surveillance Cameras,” Threat Post, August 25, 2022, https://threatpost.com/cybercriminals-are-selling-access-to-chinese-surveillance-cameras/180478/