Does every product on sale get periodic testing to check for this kind of thing? It seems like they could manufacture clean devices to send to a test centre and then back door ones they release in the wild. In the case of non-brand goods such as cables it wouldn’t even really matter if they got caught because they could just spin up another drop ship company under a different name and keep selling.
> It seems like they could manufacture clean devices to send to a test centre and then back door ones they release in the wild.
Glenn Greenwald already went over how the US did this, which is to intercept the devices in transit. That way the backdoors wouldn't be there for general IT personnel or reviewers or state security agents, but they would be there for the targets.
Lol I thought as much. At this point I think most people assume that any major global government can access whatever device you own if they really want to.
> Does every product on sale get periodic testing to check for this kind of thing?
Other than in a very few intelligence-specific cases, nobody really cares very much about cybersecurity until they get ransomwared. Software everywhere is full of holes.
I'm pretty sure almost every Chinese made CCTV camera is riddled with backdoors and vulnerabilities. And almost all upload their video streams to some server in China.
The behavior of the United Kingdom looks incoherent: it wants to become a surveillance state [1], but without using cameras manufactured in China, on the grounds that China is a surveillance state.
Imagine living in a village in the far past. Your neighbors with whom you will live with for 50 years form close relationships with you. They constantly judge you. They believe in nonsense superstitions, and further judge you by that. If you ever do or convey one thing that goes against their beliefs, they will kill or exile you. You do not sound like any more of a reasonable person. Contrary to popular belief, we do not live in an enlightened time. People still have the same mundane superstitions and morals and actively seek to punish people for violating them. I do not want a village future with you. CCTV is a means of enforcing the will of the people, and only the most opinionated people. It's not worth it for whatever small benefit like a few crimes being solved or punished.
If you can catch offenders everything else is just a matter of adjusting punishments to sufficient severity that offenders are removed from the system faster than they manifest.
1) there is nothing incoherent in theoretical "we want obedient citizens under our full control, not controlled by Chinese government"
2) from your own link "But are we really a Big Brother state? You may think that the government is behind this high level of surveillance, but the BSIA found that only around 1 in 70 cameras are owned by local authorities"
And 99% of them go to the same cloud crap where a single entity can gain control of them all at once (I don't know if this is the current state, but you get the point, it's the inevitable state, be it one with 99% or maybe 5 groups with equal share. In the past all that was needed to take control of a security camera product was ../).
However, going after just a brand solves nothing; the problem is that nobody can properly audit these devices due to their closed nature.
A huge number of IP cameras and DVR/NVR devices have been either compromised for botnet installation or caught phoning home (usually somewhere in China) in the past. Unless one can purchase a fully Open Source one (including hardware and firmware), there are no guarantees that a device won't be doing nasty things, or silently waiting for remote triggers to do so, which is something that only source code inspection could guarantee against. In the meantime the solution has always been to put them behind a firewall that doesn't let them initiate connections to the outside and also filters out incoming connections from untrusted parties; this should apply to all closed connected devices, not just Hikvision cameras.
The "put them behind a firewall" approach is really not adequate.
Many times these cameras are already behind a firewall of sorts; larger CCTV systems will use a dual-homed server, with a dedicated LAN for the cameras, and a secondary LAN for client access to the recording server.
Even in this dual-homed setup, there is still the potential for the cameras to infect, or otherwise compromise the recording server, which itself generally has access to a much larger part of the organization's networks, if not the internet directly.
At this point, Hikvision has a well documented record of severe cyber security flaws, and countless public statements attempting to deny or downplay them. They are funded by the Chinese government as well. We have seen plenty of other examples of various governments utilizing vulnerable devices, like IP cameras, to gain access to networks, exfiltrate data, or perform other malicious acts.
There are many other good, cost-effective, alternatives to Hikvision that do not come with the legacy of vulnerabilities, and the risks of being closely tied to the Chinese government. Hikvision has brought this upon themselves.
As for how they were alerted, there have been publications documenting Hikvision's risks for years now. I started some of these back in 2017, including this from 2018: https://ipvm.com/reports/hik-hack-map
> Even in this dual-homed setup, there is still the potential for the cameras to infect, or otherwise compromise the recording server
I agree that this is a potential risk.
But if the cameras themselves can't route to the internet in this scenario then how are they infecting the recording server?
Is the suggestion that they come shipped from the factory with code to compromise common recording servers? It seems like that would be very significant and something that we'd be able to see in action.
My biggest concern with CCTV networks that I manage is some sort of backdoor access to the cameras themselves. So the dual-homed server design is exactly what I'd choose in order to control things.
There’s also no reason you can’t isolate the recording server too. Don’t let it initiate connections to the internet and limit incoming connections as much as possible. IE: Only allow connections from a specific VLAN or VPN client IP range.
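The isolation model described in this comment and the earlier "put them behind a firewall" one (cameras on a dedicated LAN that can only reach the recorder, a recorder that never initiates outbound connections, clients allowed in only from a management VLAN or VPN range) can be audited against connection logs. This is an added example, not code from the thread; the addresses, VLAN ranges and the `src=... dst=... dport=...` log format are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed network layout (assumption, not from the thread): adjust to your own.
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")      # cameras live here
RECORDER_CAM_SIDE = ipaddress.ip_address("10.50.0.1")   # recorder NIC facing the cameras
RECORDER_LAN_SIDE = ipaddress.ip_address("10.20.0.10")  # recorder NIC facing clients
MGMT_VLAN = ipaddress.ip_network("10.20.0.0/24")        # operator workstations
VPN_CLIENTS = ipaddress.ip_network("10.99.0.0/24")      # VPN client address pool
RECORDER = (RECORDER_CAM_SIDE, RECORDER_LAN_SIDE)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src=A dst=B dport=N' connection record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]))


def is_internet(addr: ipaddress.IPv4Address) -> bool:
    """Anything outside RFC 1918 space is treated as 'the outside'."""
    return not any(addr in net for net in PRIVATE_NETS)


def check_flow(f: Flow) -> Optional[str]:
    """Return a violation description, or None if the flow fits the policy.

    Order matters: the recorder's camera-side NIC sits inside the camera
    VLAN, so recorder rules are evaluated before camera rules."""
    where = f"{f.dst}:{f.dport}"
    # Recorder rules: it pulls streams from cameras and serves the
    # management VLAN; it never initiates connections to the internet.
    if f.src in RECORDER:
        if is_internet(f.dst):
            return f"recorder {f.src} initiated connection to internet host {where}"
        if f.src == RECORDER_CAM_SIDE and f.dst in CAMERA_VLAN:
            return None
        if f.src == RECORDER_LAN_SIDE and f.dst in MGMT_VLAN:
            return None
        return f"recorder {f.src} initiated connection to unexpected internal host {where}"
    # Camera rules: a camera may only talk to the recorder's camera-side NIC.
    if f.src in CAMERA_VLAN:
        if f.dst == RECORDER_CAM_SIDE:
            return None
        kind = "internet host" if is_internet(f.dst) else "internal host"
        return f"camera {f.src} initiated connection to {kind} {where}"
    # Inbound to the recorder: clients only via the LAN-side NIC, and only
    # from the management VLAN or the VPN client range.
    if f.dst in RECORDER:
        if f.dst == RECORDER_LAN_SIDE and (f.src in MGMT_VLAN or f.src in VPN_CLIENTS):
            return None
        return f"host {f.src} outside the allowed client ranges reached recorder {where}"
    # Nothing else may reach a camera directly; all camera access goes via the recorder.
    if f.dst in CAMERA_VLAN:
        return f"host {f.src} reached camera {where} directly, bypassing the recorder"
    return None  # traffic not touching the CCTV segments is out of scope here


def audit(lines: List[str]) -> List[str]:
    """Run every log line through the policy and collect the violations."""
    return [v for v in (check_flow(parse_flow(line)) for line in lines) if v]


# Constructed sample records, not captured from any real network.
SAMPLE_LOG = [
    "src=10.50.0.23 dst=10.50.0.1 dport=554",       # camera -> recorder RTSP: allowed
    "src=10.50.0.1 dst=10.50.0.23 dport=80",        # recorder -> camera config: allowed
    "src=10.20.0.55 dst=10.20.0.10 dport=443",      # operator -> recorder: allowed
    "src=10.99.0.8 dst=10.20.0.10 dport=443",       # VPN client -> recorder: allowed
    "src=10.50.0.23 dst=203.0.113.5 dport=443",     # camera phoning home: violation
    "src=10.50.0.23 dst=10.50.0.24 dport=22",       # camera -> camera lateral: violation
    "src=10.20.0.10 dst=198.51.100.9 dport=443",    # recorder -> internet: violation
    "src=10.30.0.4 dst=10.20.0.10 dport=3389",      # other LAN -> recorder: violation
    "src=10.20.0.55 dst=10.50.0.23 dport=80",       # operator -> camera direct: violation
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION:", v)
```

The same zone logic maps directly onto firewall rules; running it over exported flow logs shows which of those rules is missing or misconfigured.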
> Is the suggestion that they come shipped from the factory with code to compromise common recording servers?
Yes. While I have not seen it happen yet, there is plenty of precedent in cyber warfare tactics in general to have trojaned devices act in this way. The likelihood may be low, but it is also very possible, and Hikvision has already shown they cannot be trusted, so why risk it?
(not working in security) Say they do infect this recording server that is not connected to the Internet. So what then, how do they send this data elsewhere? It's just infected and sitting there?
It’s very common for the recording server to have some kind of WAN/internet connectivity in larger scale systems. At a minimum the recording server usually has access to other internal networks. Would be possible to execute something similar to the centrifuge attack to disable other systems, wipe data, etc. It doesn’t have to always involve internet access to do bad things.
2Gkashmiri | 3 years ago
>Professor Sampson asks: "Do you want untrusted companies screening at airports, watching school playgrounds or on hospital wards?" He gave the example of one such company that has won awards for work monitoring children on school buses in Scotland that is now on the new ban list.
Is this an actual "professor" speaking sense? What do you mean untrusted companies? Either Hikvision exfiltrates data from the UK to China servers and there are logs to verify that, or Hikvision could remotely access any device even if it was not online or was online with security but they have a bypass. Both could be verified, but other than these two cases, what is this pre-emptive ban that could cost the public exchequer millions or billions for what? A hunch that, as they put it,
>"We are no longer asking whether certain security companies can be trusted, we now accept they can't, but we need to work out how to verify those we can trust."
so they will first ban hikvision, remove all their cameras from UK, replace that with a competitor, THEN authenticate the trustworthiness of hikvision and THEN maybe let them back in the market.
WTF thinks like that unless you have malicious intent?
intelVISA | 3 years ago
Untrusted companies are companies that aren't currently paying me in some capacity.
the-smug-one | 3 years ago
Or they're companies which are located in a country where the state can and do put heavy pressure on the companies with no real recourse for the companies. It's not really strange to me that we'd prevent Hikvision cameras from being used in any sensitive context.
_puk | 3 years ago
And trusted ones are owned by someone I know personally..
mathieuh | 3 years ago
Rishi how many times have we told you not to post online
jahnu | 3 years ago
> remove all their cameras from UK
As per the article, even though some have opted to remove them they aren't removing them all. Just banning future installations.
> The new decision by the UK government includes a ban on the future installation of any security cameras...
doix | 3 years ago
I feel this way about many security reports, they look at some very basic thing (e.g. app permissions), extrapolate what is possible and then make some claims.
Where are the in depth analysis reports? I want to see the reverse engineered code, ROM dumps, network dumps, hardware teardowns etc. I want to see what is getting collected, what is getting stored, what is getting sent and where.
gmn91 | 3 years ago
don't know if this helps, but there's been weird traffic patterns reported from Hikvision cameras in places like Italy, though i think a lot of it has to do with the moral case for working with a company linked so closely to what's happening in Xinjiang https://bigbrotherwatch.org.uk/wp-content/uploads/2022/02/Wh...
doix | 3 years ago
> though i think a lot of it has to do with the moral case for working with a company linked so closely to what's happening in Xinjiang
I think it's perfectly fine to boycott a company for unethical practices. I'm actually for boycotting them for ethical reasons. I dislike how security gets muddied with ethical things. People dislike a company and then throw whatever they can at them to see what sticks.
I read the report, it states:
> There is no direct evidence in the public domain that Hikvison or Dahua provide data to the Chinese state or that their security vulnerabilities are exploited by Beijing.
They are insecure anyway, with many exploits discovered, but a quick search tells me that is the case for many CCTV cameras. The takeaway should be that all CCTV cameras are insecure and should be setup in private networks with no access to the internet. The security should be happening at a different architectural level regardless of who the supplier is.
The choice to boycott a supplier for ethical reasons should be separate. Just my opinion of course.
[OP] TT482 | 3 years ago
yeah, tbh i think that's fair enough
Veen | 3 years ago
I think this is more to do with not buying hardware from Hikvision in the future because of its role in Uighur concentration camps.
Vt71fcAqt7 | 3 years ago
Not sure why this is downvoted. It's mentioned in the article:
>There have been growing calls for a ban on their use, particularly in sensitive and high-security areas, in part due to Hikvision’s alleged role in aiding Chinese oppression in the Xinjiang province and Tibet. Big Brother Watch’s report alleged that Hikvision and Dahua have participated in China’s oppression of the Uyghur community in Xinjiang.
Havoc | 3 years ago
Somewhat OT but perhaps someone knows. I noted the cameras in UK airports have dual eth cables going in. Anybody know what's up with that?
allarm | 3 years ago
This is to separate the signaling traffic and the video streams traffic, so that the videostreams don’t oversaturate the control network.
Here’s some details:
https://www.securitycameraking.com/securityinfo/setting-up-y...
leethaxor | 3 years ago
If I was designing a security camera I'd have a way to connect two completely different networks to it so all my cameras don't go out in case one of the networks goes down. I do the same with my servers (+ a separate management network).
capableweb | 3 years ago
If that was the case, two different connection methods would make sense, not using Ethernet x2 which is what's happening here. Being able to daisy-chain cameras seems more likely.
leethaxor | 3 years ago
Don't think so. Having two different networks in a building is pretty common, but I haven't seen any in-building net not using Ethernet in the past 20 years. Fiber is still being terminated and turned to Ethernet usually.
Not saying it wouldn't be better - but I don't think that's what people would usually do.
Havoc | 3 years ago
That seems plausible. Thanks
gsatic | 3 years ago
They do this with public audio systems for similar reasons.
martinmunk | 3 years ago
I'd assume they were bridged, so you could either daisy-chain the cameras, or use it in-between the uplink and an AP. So you could use it wherever you already have an AP without pulling new cables.
allarm | 3 years ago
No, I don’t think so. Daisy chaining in networking is the worst possible design. For instance, the AP you’ve mentioned would go offline if the camera breaks. Not to mention STP diameter issues that are also possible in such designs. Normally each traffic consumer should be connected to an access switch using a separate port.
ilyt | 3 years ago
At that scale it gotta be cheaper to pay someone to reverse-engineer them and flash with something open source ?
capableweb | 3 years ago
Assuming that cost saving will even be a concern for the new purchase. You can be pretty sure the contract of replacing it will go to an organization/corporate that is someone associated/relative to someone in the current government.
jpswade | 3 years ago
Anything is easy to do once, but maintaining that going forward is a business.
blitzar | 3 years ago
openwrt like thing for cameras - open source it and gchq / cia can keep it up to date (with their own backdoors)
drekipus | 3 years ago
Hikvision is a leading CCTV manufacturer. They make Swann CCTV systems as well.
I'm sure anyone the UK Gov replaces it with will be from the same factory unless they want to start manufacturing their own.
the-smug-one | 3 years ago
Or you just buy Axis which are produced in Sweden, Thailand or in the Czech Republic[0] and don't worry too much: https://www.axis.com/
[0] https://ipvm.com/reports/axis-china
nagisa | 3 years ago
AXIS cameras are pretty expensive, but they are definitely pretty great.
Another option is VIVOTEK which is based out of Taiwan, and make NDAA-compliant cameras. Admittedly the software is not as polished as AXIS’ and the control panel is a bit of an eyesore, but they do support all the basic and intermediate features you may want.
brk | 3 years ago
Avigilon, Axis, Hanwha, and i-Pro/Panasonic all manufacture their own products.
There are many good choices for non-Hikvision or non-Dahua cameras. The Hanwha A-Series is very cost competitive with the Hikvision stuff, and from a far more reputable source.
bennyp101 | 3 years ago
My cameras are on their own vlan, with outbound internet access disabled - so in theory they aren't sending anything anywhere else.
So is this less about the actual cameras, and more that they have been installed insecurely and not kept up to date with firmware? Or the hardware used to record the data is actually in the cloud somewhere and that is the issue?
supermatt | 3 years ago
I don't think I've ever seen a firmware update for any of my Hikvision cameras. They are only 5 years old and require IE to use the admin interface...
I would NEVER buy Hikvision again because as far as I'm concerned their products are absolute junk. I'm amazed they would even be looked at for gov/edu. I guess cheapest really does win those tenders.
bennyp101 | 3 years ago
They used to need IE for the live feed IIRC, but my current ColorVu ones work fine in Firefox.
For home use they suit me perfectly, but I see what you are saying, I too thought that there was a more “pro” brand that govs would use.
wil421 | 3 years ago
I know a few people who are in the AV/low voltage installing business. They said it’s been going around that CCP can access the cameras remotely and/or get video off them. He said he actually likes installing and setting them up but they have to stop selling them due to customer pressure and “unknown” back doors.
joosters | 3 years ago
Ah, the “You’re holding it wrong” defence.
bennyp101 | 3 years ago
More the “belt and braces” idea. There’s no proof as such, so SOP would be to firewall things?
mywacaday | 3 years ago
Who makes your network hardware?
quantum_state | 3 years ago
The UK government is behaving more and more adolescent like … Not good for the kingdom …
stedaniels | 3 years ago
I have no comment on the security of Hikvision devices.
However, a lot of cameras these days come with a good sized amount of processing power onboard. This can be used for object detection amongst other things. Even without network access the devices could communicate and act on the command of others in many ways. A couple of ideas. You could communicate with the IR LEDs. You could blank the video feed if a certain QR code or flashing light pattern is detected. I'm sure there are more, but you get the idea.
bsenftner | 3 years ago
A lot of cameras are for sale with such additional compute, but the only people with them are developers. Corporations that want/need security tend to have large legacy camera networks that one is lucky if they support HD resolution above 720p. I worked for a leading enterprise FR video security company, and the majority of their clients are firms with anywhere from a few hundred to several tens of thousands of original generation IP cameras, which they very slowly replace with something as close to what they already have. They want to continue to use their older cameras too, often because their network and number of cameras fit, higher resolution and greater bandwidth cameras simply can't fit into their live and operating design.
LatteLazy | 3 years ago
This reminds me of the whole Huawei thing: no actual evidence of any problem, no economic reason, no real political gain, but "feelings". I wonder if a US CCTV provider is about to get a multi billion pound contract having recently "donated" to the groups making this "necessary" "security" decision...
philliphaydon | 3 years ago
Huawei is beholden to the CCP and can be coerced. So playing it safe is probably a better idea than rolling out networks which we have no idea if they contain back doors or not that the CCP could use…
LatteLazy | 3 years ago
That's fine, but now your only suppliers are domestic based with little to no international business. How many top flight 5G infra providers does the UK have?
philliphaydon | 3 years ago
5G isn't even good... 4G is better in most cases.
LatteLazy | 3 years ago
Not sure why you say that? I am not convinced that 100x speed on fast 4G really makes any difference. But 5G is nice and I've never found 4G better? I'm just a consumer these days though so...
philliphaydon | 3 years ago
I don't know what 4G is like in the US; in Asia it's about ~100mbit (I just ran a speed test and got 134mbit down, 24mbit up).
That's far more than enough to stream 4K HDR content on my laptop tethering to the phone.
5G range is limited compared to 4G. 5G is more spotty and needs more direct line of sight. A 5G base station consumes 3x more power than a 4G base station. So 5G is more of a gimmick than anything else. The reality is, there isn't any material benefit over 4G.
nivenkos | 3 years ago
Yeah, the whole of Europe is just an American colony at this point.
Supporting American protectionism, even when the US effectively has a trade war with Europe with the Inflation Reduction Act.
brk | 3 years ago
No, that is not likely to happen. These bans have been developing for quite a while, based on continuous proof of major cyber security flaws in the products, and documented human rights abuses by Hikvision (and Dahua). Several other CCTV manufacturers will likely benefit from this, but so far there have been no indications that any singular company has gotten the bulk of the benefit, or been overly advocating for these bans.
LatteLazy | 3 years ago
>continuous proof of major cyber security flaws
That no one has seen. Huawei must be the most examined manufacturer in history by this point and no one has found any actual security flaw yet...
brk | 3 years ago
What do you mean no one has seen? There are many documented vulnerabilities in Hikvision cameras: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hikvision
LatteLazy | 3 years ago
Well I was talking specifically about Huawei...
Are Hikvision significantly worse than the alternative?
ogurechny | 3 years ago
I am sure they are not guessing, and know well enough who uses the backdoor access, and how often, because they are doing the same. Of course, they are not going to present it all to lowly so-called citizens, so you only get the final decision that the dangers were considered greater than the benefits, and some media-friendly hand-waving. It's also a clear signal for other companies that “extended cooperation” is the requirement of commercial success.
When those responsible for “security” actually depend on countless things being insecure crap, we will never see any real change in how things are done, only talk about never-ending work done ad infinitum. A cheaply and insecurely made device benefits not only its maker, which saves money on development; it also benefits most of those who are supposed to check such devices and set better rules for them. Instead, we have various “IoT security teams”. It's like starting a fire at an oil refinery, and then announcing that you need something more than a couple of fire trucks.
hhh | 3 years ago
I had to hunt down all of the banned devices when the 2019 ban took place on Dahua, Hikvision, and Huawei. I've never seen software that felt and looked worse quality. Random cameras requiring Chrome Apps to manage, or some obscure Windows software package.
I'll take an RTSP feed from AXIS over those any day.
rcarr | 3 years ago
Possibly stupid/overly paranoid question: if most products are being made in China anyway, how do we know they’re not putting backdoors in everything including goods branded for non Chinese companies? Cables, power adapter etc all house chips nowadays. In theory couldn’t they have some kind of silent zero day virus on them, keylogger etc?
Does every product on sale get periodic testing to check for this kind of thing? It seems like they could manufacture clean devices to send to a test centre and then back door ones they release in the wild. In the case of non-brand goods such as cables it wouldn’t even really matter if they got caught because they could just spin up another drop ship company under a different name and keep selling.
faeriechangling | 3 years ago
> It seems like they could manufacture clean devices to send to a test centre and then back door ones they release in the wild.
Glenn Greenwald already went over how the US did this, which is to intercept the devices in transit. That way the backdoors wouldn't be there for general IT personnel or reviewers or state security agents, but they would be there for the targets.
https://www.theguardian.com/books/2014/may/12/glenn-greenwal...
rcarr | 3 years ago
Lol I thought as much. At this point I think most people assume that any major global government can access whatever device you own if they really want to.
worldsavior | 3 years ago
It would be a very stupid thing to do.
pjc50 | 3 years ago
The more prevalent the back door is, the more likely it is to be spotted.
The UK has a specific intelligence service review process for Huawei: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/t...
> Does every product on sale get periodic testing to check for this kind of thing?
Other than in a very few intelligence-specific cases, nobody really cares very much about cybersecurity until they get ransomwared. Software everywhere is full of holes.
UltraViolence | 3 years ago
Why just HikVision? And why only certain models?
I'm pretty sure almost every Chinese made CCTV camera is riddled with backdoors and vulnerabilities. And almost all upload their video streams to some server in China.
jeffalyanak | 3 years ago
Time to watch the government auction sites for cheap cameras.
EarthMephit | 3 years ago
You don't want HikVision cameras - Unreliable junk. There's a reason that they are so cheap.
tingle | 3 years ago
The behavior of the United Kingdom looks incoherent: it wants to become a surveillance state [1], but without using cameras manufactured in China, on the grounds that China is a surveillance state.
[1] <https://www.cctv.co.uk/how-many-cctv-cameras-are-there-in-th...>
nivenkos | 3 years ago
CCTV is incredibly useful, we need far more cameras not less.
I guess you've never been burgled or mugged?
khiqxj | 3 years ago
Imagine living in a village in the far past. Your neighbors, with whom you will live for 50 years, form close relationships with you. They constantly judge you. They believe in nonsense superstitions, and further judge you by that. If you ever do or convey one thing that goes against their beliefs, they will kill or exile you. You do not sound like any more of a reasonable person. Contrary to popular belief, we do not live in an enlightened time. People still have the same mundane superstitions and morals and actively seek to punish people for violating them. I do not want a village future with you. CCTV is a means of enforcing the will of the people, and only the most opinionated people. It's not worth it for whatever small benefit like a few crimes being solved or punished.
pessimizer | 3 years ago
I have been, and I agree that a few cameras pointed at your house would make me feel safer.
the_only_law | 3 years ago
I got mugged in the bathroom, so I’m putting cameras up all in there. Guy attacked me from the stall so make sure to install them in there.
vorpalhex | 3 years ago
Just a few more cameras and not a single uncleaned dog turd will escape Her Majesty's security services!
https://www.cnet.com/news/privacy/u-k-turns-cctv-terrorism-l...
CCTV doesn't prevent crime. It might sometimes help find and punish the offenders later.
ryfdgfr74y | 3 years ago
If you can catch offenders everything else is just a matter of adjusting punishments to sufficient severity that offenders are removed from the system faster than they manifest.
vorpalhex | 3 years ago
So we just make the punishment for all crimes the death penalty?
Offenders don't do punishment calculus. They assume they won't be caught.
matkoniecz | 3 years ago
1) there is nothing incoherent in theoretical "we want obedient citizens under our full control, not controlled by Chinese government"
2) from your own link "But are we really a Big Brother state? You may think that the government is behind this high level of surveillance, but the BSIA found that only around 1 in 70 cameras are owned by local authorities"
khiqxj | 3 years ago
And 99% of them go to the same cloud crap where a single entity can gain control of them all at once (I don't know if this is the current state, but you get the point, it's the inevitable state, be it one with 99% or maybe 5 groups with equal share. In the past all that was needed to take control of a security camera product was ../).
[Deleted] | 3 years ago
andrewstuart | 3 years ago
Love the utterly irrelevant denial from Hikvision:
"Hikvision cannot transmit data from end-users to third parties, we do not manage end-user databases, nor do we sell cloud storage in the UK."
squarefoot | 3 years ago
They probably were alerted by this.
https://www.fortinet.com/blog/threat-research/mirai-based-bo...
However, going after just a brand solves nothing; the problem is that nobody can properly audit these devices due to their closed nature. A huge number of IP cameras and DVR/NVR devices have been either compromised for botnet installation or caught phoning home (usually somewhere in China) in the past. Unless one can purchase a fully Open Source one (including hardware and firmware), there are no guarantees that a device won't be doing nasty things, or silently waiting for remote triggers to do so, which is something that only source code inspection could guarantee against. In the meantime the solution has always been to put them behind a firewall that doesn't let them initiate connections to the outside and also filters out incoming connections from untrusted parties; this should apply to all closed connected devices, not just Hikvision cameras.
https://www.wsj.com/articles/hackers-infect-army-of-cameras-...
https://hacked.camera/
brk | 3 years ago
The "put them behind a firewall" approach is really not adequate. Many times these cameras are already behind a firewall of sorts; larger CCTV systems will use a dual-homed server, with a dedicated LAN for the cameras, and a secondary LAN for client access to the recording server.
Even in this dual-homed setup, there is still the potential for the cameras to infect, or otherwise compromise the recording server, which itself generally has access to a much larger part of the organizations networks, if not the internet directly.
At this point, Hikvision has a well documented record of severe cyber security flaws, and countless public statements attempting to deny or downplay them. They are funded by the Chinese government as well. We have seen plenty of other examples of various governments utilizing vulnerable devices, like IP cameras, to gain access to networks, exfiltrate data, or perform other malicious acts.
There are many other good, cost-effective alternatives to Hikvision that do not come with the legacy of vulnerabilities, and the risks of being closely tied to the Chinese government. Hikvision has brought this upon themselves.
As for how they were alerted, there have been publications documenting Hikvision's risks for years now. I started some of these back in 2017, including this from 2018: https://ipvm.com/reports/hik-hack-map
omh | 3 years ago
> Even in this dual-homed setup, there is still the potential for the cameras to infect, or otherwise compromise the recording server
I agree that this is a potential risk.
But if the cameras themselves can't route to the internet in this scenario then how are they infecting the recording server? Is the suggestion that they come shipped from the factory with code to compromise common recording servers? It seems like that would be very significant and something that we'd be able to see in action.
My biggest concern with CCTV networks that I manage is some sort of backdoor access to the cameras themselves. So the dual-homed server design is exactly what I'd choose in order to control things.
donmcronald | 3 years ago
There’s also no reason you can’t isolate the recording server too. Don’t let it initiate connections to the internet and limit incoming connections as much as possible. IE: Only allow connections from a specific VLAN or VPN client IP range.
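The segmentation that squarefoot, brk and donmcronald describe above (cameras that never initiate connections, a dual-homed recorder that only accepts clients from a management VLAN or VPN pool and never reaches the internet itself) is easy to state and easy to get subtly wrong. The script below is an added example, not code from the thread or from any vendor: it encodes that policy for a hypothetical layout (camera VLAN 10.10.0.0/24, management VLAN 10.20.0.0/24, VPN pool 10.99.0.0/24, NVR at 10.10.0.5/10.20.0.5) and runs constructed flow records through it, flagging a camera phoning home, a camera probing the recorder on SMB, the recorder itself reaching out, and an unexpected internal host reaching the recorder. The log format, addresses and port allowlists are all assumptions chosen for the example; swap in your own segments and point it at real firewall or flow logs.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Hypothetical segment layout (assumption, not from the thread).
CAMERA_VLAN = ip_network("10.10.0.0/24")   # cameras, reachable only from the NVR
MGMT_VLAN = ip_network("10.20.0.0/24")     # operator workstations
VPN_POOL = ip_network("10.99.0.0/24")      # remote clients
NVR_CAMERA_SIDE = ip_address("10.10.0.5")  # dual-homed recorder, camera-facing NIC
NVR_MGMT_SIDE = ip_address("10.20.0.5")    # dual-homed recorder, client-facing NIC

# Allowlists as (protocol, destination port) pairs; everything else is a finding.
NVR_TO_CAMERA = {("tcp", 554), ("tcp", 80), ("tcp", 443)}  # RTSP pull, web admin
CAMERA_TO_NVR = {("udp", 123)}                              # NTP served by the NVR only
CLIENT_TO_NVR = {("tcp", 443)}                              # viewing / admin UI


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# Constructed record format: "<timestamp> <src> -> <dst>:<dport> <proto>"
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(tcp|udp)$")


def parse_flow(line: str) -> Flow:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    _ts, src, dst, dport, proto = m.groups()
    return Flow(ip_address(src), ip_address(dst), proto, int(dport))


def check_flow(f: Flow) -> Optional[str]:
    """Return None if the flow is allowed by the policy, else a short violation reason."""
    svc = (f.proto, f.dport)
    # Cameras never initiate anything except NTP to the recorder's camera-side NIC.
    if f.src in CAMERA_VLAN and f.src != NVR_CAMERA_SIDE:
        if f.dst == NVR_CAMERA_SIDE:
            if svc in CAMERA_TO_NVR:
                return None
            return f"camera reaching NVR on non-allowlisted service {f.proto}/{f.dport}"
        if f.dst in CAMERA_VLAN:
            return "camera-to-camera traffic"
        return "camera initiated connection outside camera VLAN (possible phone-home)"
    # The recorder's camera-side NIC only pulls from cameras on allowlisted services.
    if f.src == NVR_CAMERA_SIDE:
        if f.dst in CAMERA_VLAN and svc in NVR_TO_CAMERA:
            return None
        return "NVR camera-side NIC initiated non-allowlisted connection"
    # The recorder's management NIC never initiates: no internet egress, no lateral movement.
    if f.src == NVR_MGMT_SIDE:
        return "NVR initiated outbound connection"
    # Inbound to the recorder: only from the management VLAN or VPN pool, only on the UI port.
    if f.dst == NVR_MGMT_SIDE:
        if (f.src in MGMT_VLAN or f.src in VPN_POOL) and svc in CLIENT_TO_NVR:
            return None
        return f"inbound to NVR from non-allowlisted source {f.src} on {f.proto}/{f.dport}"
    if f.dst in CAMERA_VLAN:
        return "direct access to camera VLAN bypassing the NVR"
    return None  # does not touch the CCTV segments; out of scope for this check


def audit(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every record through the policy; return (record, reason) for each violation."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line.strip(), reason))
    return findings


# Constructed sample records (not real traffic); five of the nine should be flagged.
SAMPLE_LOG = """
2023-01-02T10:00:01Z 10.10.0.5 -> 10.10.0.17:554 tcp
2023-01-02T10:00:02Z 10.10.0.17 -> 10.10.0.5:123 udp
2023-01-02T10:00:03Z 10.10.0.17 -> 203.0.113.9:443 tcp
2023-01-02T10:00:04Z 10.10.0.23 -> 10.10.0.5:445 tcp
2023-01-02T10:00:05Z 10.20.0.5 -> 198.51.100.7:443 tcp
2023-01-02T10:00:06Z 10.20.0.44 -> 10.20.0.5:443 tcp
2023-01-02T10:00:07Z 10.99.0.8 -> 10.20.0.5:443 tcp
2023-01-02T10:00:08Z 192.168.5.5 -> 10.20.0.5:443 tcp
2023-01-02T10:00:09Z 10.10.0.17 -> 10.10.0.23:80 tcp
"""

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"VIOLATION: {reason}\n    {record}")
```

The point of the deny-by-default structure in `check_flow` is that a camera which suddenly talks to an outside address, or to the recorder on a port that is not the one service you granted it, shows up as a finding without anyone having to know the specific exploit in advance; that is the behaviour the comments above want the firewall to enforce, and this is a cheap way to verify the firewall is actually enforcing it.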
brk | 3 years ago
> Is the suggestion that they come shipped from the factory with code to compromise common recording servers?
Yes. While I have not seen it happen yet, there is plenty of precedent in cyber warfare tactics in general to have trojaned devices act in this way. The likelihood may be low, but it is also very possible, and Hikvision has already shown they cannot be trusted, so why risk it?
killingtime74 | 3 years ago
(not working in security) Say they do infect this recording server that is not connected to the Internet. So what then, how do they send this data elsewhere? It's just infected and sitting there?
brk | 3 years ago
It’s very common for the recording server to have some kind of WAN/internet connectivity in larger scale systems. At a minimum the recording server usually has access to other internal networks. Would be possible to execute something similar to the centrifuge attack to disable other systems, wipe data, etc. It doesn’t have to always involve internet access to do bad things.