01304 827609 info@use-ip.co.uk Find us

Is Hikvision watching us?

Ken Welham

Active Member
Messages
36
Points
8
In today's Daily Telegraph is an article suggesting that the widespread use of Hikvision CCTV cameras by about 60% of UK public bodies is perhaps not as safe as it might be. It is suggested that Hikvision has the capability of remotely controlling such cameras, should they wish to, by for example, turning on a hidden microphone to listen in. Can Use-IP offer we users of Hikvision security cameras that our cameras are safe from such intrusion? Is anyone at Use-IP employed by Hikvision and can perhaps offer an insider view on this?
 
To answer your last question first - nobody at use-IP is employed by Hikvision; we are independent, and offer IP cameras from a broad range of manufacturers.

I do not believe that there are hidden microphones that can be remotely activated.

I do not believe that Hikvision are watching their cameras.
 
in any case, you should control with a firewall / VLAN what goes in and out, for any IoT and I include IP camera in that

plug & play / UPNP is bad, be in control and know what happen
 
If the Hikvision minions are watching what's happening outside my house they're going to get bored, real quick.
 
Thanks for your quick reply, Phil, and thanks to the other two contributors although I have to admit to not understanding the post from Spirch.
Fullboogie, I am also not bothered about someone else seeing what my camera is viewing from the front door. However, my concerns arose from the possibility of my internal camera being hacked or having a hidden microphone turned on. Even worse, if it's possible would be the thought that someone could hack into my computer via my IP cameras.
 
Wouldn't they need your camera password to be able to see the feed?
 
Wouldn't they need your camera password to be able to see the feed?
I've no idea. There are far cleverer people than me out there when it comes to internet technology. My original query seems to have morphed into two or three strands/ideas. My original fear was that my household could be listened to (eavesdropped) without our knowledge. My language, in the privacy of my own home could be seen by "the easily offended" as not being very woke or politically correct. I wasn't concerned about being seen illicitly. I then wondered whether my computer was safe from hacking via my my cameras. I first became uneasy about this a few years ago when I was idly looking at stored footage from my cameras just to see how one accessed footage in the event it was needed. You can imagine my surprise when I saw a still of someone else's driveway. How was this even possible? I once gave it a passing mention in these forums but it has never been explained to me.
 
Wouldn't they need your camera password to be able to see the feed?
Absolutely not.

I won't go into great length, as this is a huge topic with many facets, but bluntly, there are many actors that one needs to be aware of. For example, you need to protect against someone that has close proximity to your network/devices and can attempt to gain access over time. Then there are remote actors that do not have physical access to your network but have time and resources, and then take as Ken asks, what about HikVision themselves i.e. the manufacture of equipment. That is yet another level of actor to protect against.

In case 1 & 2 (local and remote attackers), they need to social engineer the passwords from you, hack your network, or exploit a vulnerability and they would gain access. In the latter case i.e. a manufacture, they are the owners of a closed system which they own all the code to and which is not reviewed by external sources. Thus they could include backdoors, or anything of this nature, to view your cameras, enable microphones, etc. This is why people prefer open source software when it comes to security, because anyone can both write the code but also makes it available for others to review.

This is true of any manufacture, and I will not go into which may and may not have nefarious intentions. My point is generic.

The truth is, each one of us needs to weigh up the risk profile of yourself and your appetite for using technology. No one will be interested in viewing my driveway, even if Hikvision (or other) manufacture had access, but then they may have interest in you, or someone else because they are valuable target.

Simply put, you can invest in locking your network down, only using internal lan/vpn and making sure to avoid manufacture platforms like HikConnect, but then costs increase and so does effort. Always worth saying, nothing is 100% secure, and the most secure method is airgaps i.e. not connecting your devices to any public network AT ALL.
 
Absolutely not.

I won't go into great length, as this is a huge topic with many facets, but bluntly, there are many actors that one needs to be aware of. For example, you need to protect against someone that has close proximity to your network/devices and can attempt to gain access over time. Then there are remote actors that do not have physical access to your network but have time and resources, and then take as Ken asks, what about HikVision themselves i.e. the manufacture of equipment. That is yet another level of actor to protect against.

In case 1 & 2 (local and remote attackers), they need to social engineer the passwords from you, hack your network, or exploit a vulnerability and they would gain access. In the latter case i.e. a manufacture, they are the owners of a closed system which they own all the code to and which is not reviewed by external sources. Thus they could include backdoors, or anything of this nature, to view your cameras, enable microphones, etc. This is why people prefer open source software when it comes to security, because anyone can both write the code but also makes it available for others to review.

This is true of any manufacture, and I will not go into which may and may not have nefarious intentions. My point is generic.

The truth is, each one of us needs to weigh up the risk profile of yourself and your appetite for using technology. No one will be interested in viewing my driveway, even if Hikvision (or other) manufacture had access, but then they may have interest in you, or someone else because they are valuable target.

Simply put, you can invest in locking your network down, only using internal lan/vpn and making sure to avoid manufacture platforms like HikConnect, but then costs increase and so does effort. Always worth saying, nothing is 100% secure, and the most secure method is airgaps i.e. not connecting your devices to any public network AT ALL.
Thanks nathanb for a most interesting and informative post. It doesn't make me feel any more secure, but at least I get an idea of what might be best practice.
 
@nathanb wrote the response I did not have time to - many thanks!

Some more here:
Tips for hardening Hikvision devices against cyber attacks - my tuppence on Passwords

Passwords play a big part.
It would be better if Hikvision also forced you to change the user name (as per the link above).
Other brands follow this best practice.
With the current situation where 'admin' is being used as the user name by all, then hackers already have half the answer ...

Backdoor entry is then the other commonly feared way in.
For years manufacturers engineered-in a kind of master password that would let their engineers login if all else failed.
It was a bad practice, and hopefully no longer exists in any new devices.

Most manufacturers now subject their internet devices to independent penetration testing.
These 'good hackers' are paid to identify any weaknesses.
They know (and try) all the typical tricks, weaknesses and hacks that might allow unauthorised access.

Anybody who does find a cyber weakness can report that to a manufacturer through the CVE process.

Generally, as has been discussed, those with sites that require top security have the skills and make the effort to ensure that tip-top network and device security is maintained.

If those experts spotted bad practice, bad traffic, bad activity - they would raise it ...
 
BTW - There is a strong argument that we should worry a lot more about our routers than our cameras:
ISTR 2019: Internet of Things Cyber Attacks Grow More Diverse

This article, published today, linked me to the research above:
 
Back
Top