I just received the following from Hikvision. I'll share this here as no doubt many will see this programme and wonder "is my system secure?". A better question might be "is my firmware up to date?" No network-connected device will ever be fit-and-forget: security vulnerabilities are found and patched regularly, whether that's Windows, Mac OS, iOS, Android or indeed Hikvision firmware.
The details:
To Whom It May Concern
Dear Valued Partner,
In our previous letters, Hikvision committed to providing you with the latest updates on the conversations the company is having across the UK and Ireland to clarify misconceptions about our products and operations.
We wanted to share with you that today (Monday 26 June 2023 at 8PM), BBC Panorama intends to broadcast a programme which purports to investigate Chinese companies operating in the surveillance industry. We have been engaging with the producers of this programme, and have grave concerns regarding the integrity and content of the broadcast.
The BBC will broadcast a ‘hack’ of a six-year-old Hikvision camera to exploit a vulnerability that was identified in 2017, but was patched and publicly disclosed less than one week after it was brought to the company’s attention. To claim that this stunt has uncovered a security breach or an intentional backdoor in June 2023 is farcical. It sensationalises a problem that was already fixed to universally recognised CVE standards. Furthermore, this test has not been conducted on a typical network, but rather an unsecured one. This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC have run.
Hikvision was not given any information in advance about the specifications of the hack to be carried out.
We repeatedly asked the BBC for more information about its planned ‘hack’, but were ignored until we asked our lawyers to intervene. Indeed the BBC repeatedly refused to clarify the following: which camera model and serial number would be used; what version of firmware was installed; whether the camera included was UK firmware; whether the camera would be tested on a closed circuit or connected to a network; how any network would be secured; if the hack would include port forwarding; if the camera was still being sold in the UK; and, how the camera was obtained.
We now know that the camera was in fact supplied by, and compromised with the collaboration of IPVM, an organisation with a vendetta against Hikvision.
Hikvision’s conduct with regard to this vulnerability has followed all internationally accepted standards of best practice. When made aware of the vulnerability in March 2017, Hikvision patched it in less than one week. The vulnerability – and Hikvision’s patch – were subject to further scrutiny in the US, with the then-Chairman of the US House of Representatives Small Business Committee noting in a public hearing that Hikvision’s work with the US Department of Homeland Security on this vulnerability meant that any continuing issues resulting from unpatched equipment would lie with ‘small businesses that do not engage with the government or the DHS regularly’.
Going further, the Deputy Assistant Secretary for the US Department of Homeland Security Office of Cybersecurity and Communications said they ‘worked with the company’ to resolve the problem and that ‘standard practice was followed’.
There is no reason to believe that circumstances would be any different in the UK. After all, the vast majority of public sector organisations have processes in place to respond to vulnerabilities and regularly update their firmware. It is virtually certain that every public sector organisation in the UK has patched its cameras since 2017, and therefore there is no reason to assume there is any risk today.
The BBC had all the information above ahead of broadcast. The BBC has been misled by IPVM and will now, in turn, mislead others.
Hikvision knows that you, as surveillance industry professionals, will understand this test simply cannot be taken seriously. It is not representative of the security of Hikvision cameras on the market today. However, the general public may not understand.
As we seek redress for this egregious and irresponsible broadcast, we continue to reserve all of our rights, including legal action. Please accept my apologies for any inquiries you receive from your customers or the public at this stage. We are working tirelessly to dispel these untruths with both the media and government, and if you need any help whatsoever in reassuring your own stakeholders, please do not hesitate to contact me, and we will render any and all assistance that we can.
Your support and continued business at this time is deeply appreciated.
Yours faithfully,
Justin Hollis
Marketing Director – Hikvision UK & Ireland