Many surveillance vendors have come under increased scrutiny in recent years as critics point to the industry’s spotty record on cybersecurity.
By Neil Sutton
In Hikvision’s case, some of this criticism is deserved, according to Chuck Davis, the company’s newly-appointed director of cybersecurity. But a lot of it is not.
Davis, a veteran of IBM, joined Hikvision in October of last year. He was brought on board, according to his official bio, to oversee the company’s cybersecurity inside and out.
Davis set out on a whistlestop tour across Canada in December, making visits to Montreal, Toronto, Calgary and Vancouver to conduct lecture-style presentations for Hikvision dealers and partners. These presentations described Hikvision’s record on cybersecurity and offered a guide on how installers can become more cognizant of their — and their customers’ — cybersecurity needs.
As of 2017, approximately four billion people around the globe have access to the Internet, said Davis, and potentially, any of them could be a threat. He described the most common types of threats: viruses, worms, Trojans, spyware, adware and phishing attacks.
One of the most devastating pieces of malware in recent years was the Mirai botnet of October 2016, which manifested as multiple DDoS (Distributed Denial of Service) attacks again DNS provider Dyn.
The attacks were executed through a number of compromised devices, from IP cameras to baby monitors and other IoT technology. Davis suggested that some researchers and pundits believe this attack was actually a co-ordinated experiment.
Davis maintained that Hikvision products were not comprised by Mirai due to their hardware incompatibility with the botnet. Hikvision also says it removed the use of default user names and passwords from its equipment in 2015.
Describing another incident, Davis said that in 2014, it was reported that Telnet, a text-based virtual terminal connection, was left open on some devices and was thus accessible to outsiders — particularly where default logins were left in place. Hikvision responded by disabling Telnet in addition to its policy of no longer using default logins. “It is best practices to turn everything off that you don’t need,” explained Davis. “If you don’t need a service, turn it off.”
In another controversy, it was claimed that Hikvision cameras activated a dynamic DNS (DDNS) feature and sent information back to Hikvision’s home country of China.
While cameras may have had the ability to send out signals, he says there’s no evidence they went to China — instead the DDNS feature attempted to reach Web servers in the U.S. DDNS has since been disabled on Hikvision cameras by default.
Davis dismissed criticism of Hikvision’s Chinese government connections as fear-mongering. According to Hikvision, two state-owned enterprises own approximately 42 per cent of Hikvision stock.
He described other events in Hikvision’s recent cyber history, adding that the company has admitted to its problems and patched flaws in short order.
Davis offered a number of best practices that apply to all Internet users, regardless of device or platform: check URLs before clicking on them by hovering over the text; be suspicious of email attachments; use long, complex passwords (and/or use a password manager program); use two-factor authentication; keep OSes, browsers and anti-virus tools up-to-date; monitor everything and collect logs.
Perhaps most importantly for installers, according to Davis: “Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”
Davis added that Hikvision is hiring more cybersecurity experts and creating an educational awareness campaign that would include more events like the one hosted by Davis as well as blogs and webinars.
Future developments could include cybersecurity certification programs, additional third-party product testing, and a full review of Hikvision’s documentation and training processes. “I’m here to support the sales team,” said Davis, “but my goal here is to create good, secure products and make people aware.”