Not safe to by Hikvision equipment since banned in US?

Not safe to by Hikvision equipment since banned?
Not any more safe or dangerous than it was BEFORE the ban frankly. And this applies to Dahua and many other China-made brands. You should isolate ALL IP cameras and IoT devices from the Internet.

Lastly, the ban applies only to cameras used on government-owned sites or sites of government funded entities. You are free to use if you like on your private property or business as long as it complies with below:

Excerpt:

Section 889 of the 2019 NDAA prohibits federal agencies, grant recipients, and contractors from using products or equipment that are banned by the United States.
.
 
I've said it before, but while I use these brands of cameras on my personal network and don't have anything to fear by doing so, I am also 100% in support of the ban.

Regardless of the political motivations for passing this ban, it actually does help improve our national security. I know a lot of people would argue that a properly set up network would prevent any harm from using these cameras (which is why I use them on my personal network), but that is a short sighted concept of the level of network security that our government and other sensitive faculties needs to be applying. Just look into the Stuxnet virus to see how advanced electronic warfare can be - especially from state sponsored groups that have the money to accomplish almost anything. Stuxnet was a single purpose virus that worked it's way into a secure facility and onto a completely isolated network (ie zero outside connections) without the hackers having physical access to the facility. Imagine how much easier it would have been to accomplish if the hackers could have loaded the virus on a device that was going to be installed in the facility - by the very people who ran the facility! By allowing these cameras into government and other sensitive facilities, we are potentially installing a real trojan horse that would make the hackers job that much easier. The hackers are state sponsored and the companies are (at least partially) state owned - it absolutely could happen and the ban is designed to be just one more layer of a very complex security scheme.

But in case I wasn't clear in the first part of the post, I have no problem using these brands in personal/private networks. This use is not going to be the intended target of a Stuxnet type attack and therefore there is no real risk as long as the devices are isolated on your network (ie they have no access to the internet of the rest of of your network).
 
Last edited:
Regardless of my avatar im not employee of hikvision, just distributer of hikvision equipment among other brands.

There's nothing online thats actually safe. This is more of an USA-China espionage prevention.

Its like saying, lets ban everything in Europe that NSA has hands on. And they have hands on anything.

But we are often taught USA are good guys and China are bad guys, so there's that.

There was a backdoor on hikvision cams around 2017 and yes alot of them are still in use, that is indeed concerning as well watchfull_IP disclosed web attack at 2021. But new equipment is as exploitable as anything else that have access to internet.

Some exploits are disclosed some are not, same goes for any other brand there is. No matter how expensive it is. It just happens to be that hikvision hold biggest market around the globe and by statistics it will be found sooner rather than later.

Thats my 2 cents about it.
 
There was a backdoor on hikvision cams around 2017 and yes alot of them are still in use, that is indeed concerning as well watchfull_IP disclosed web attack at 2021. But new equipment is as exploitable as anything else that have access to internet.

You spelt my name wrong! Super offended :P
 
I've said it before, but while I use these brands of cameras on my personal network and don't have anything to fear by doing so, I am also 100% in support of the ban.

Regardless of the political motivations for passing this ban, it actually does help improve our national security. I know a lot of people would argue that a properly set up network would prevent any harm from using these cameras (which is why I use them on my personal network), but that is a short sighted concept of the level of network security that our government and other sensitive faculties needs to be applying. Just look into the Stuxnet virus to see how advanced electronic warfare can be - especially from state sponsored groups that have the money to accomplish almost anything. Stuxnet was a single purpose virus that worked it's way into a secure facility and onto a completely isolated network (ie zero outside connections) without the hackers having physical access to the facility. Imagine how much easier it would have been to accomplish if the hackers could have loaded the virus on a device that was going to be installed in the facility - by the very people who ran the facility! By allowing these cameras into government and other sensitive facilities, we are potentially installing a real trojan horse that would make the hackers job that much easier. The hackers are state sponsored and the companies are (at least partially) state owned - it absolutely could happen and the ban is designed to be just one more layer of a very complex security scheme.

But in case I wasn't clear in the first part of the post, I have no problem using these brands in personal/private networks. This use is not going to be the intended target of a Stuxnet type attack and therefore there is no real risk as long as the devices are isolated on your network (ie they have no access to the internet of the rest of of your network).
Personally re Stuxnet .....anything that specifically targets Iranian centrifuges or other equipment is just fine by me.
 
  • Like
Reactions: VorlonFrog
Since I've been cleverly tricked here by @trempa92 I may as well give my 2 pennies starting by repeating what I said on my CVE-2021-36260 blog post.


Never trust any IoT device with Internet access (outbound nor inbound). Assume it's compromised or capable of being compromised. It doesn't matter who makes it, the nationality of that manufacturer, or who supplied it (sold it) to you.

Even just giving it a non-existent gateway is better than nothing (though of course not 100%).

Ideally said devices will be on their own restricted network even internally. Especially in a cooperate environment so that authorised devices and people can talk to them, on whatever ports needed, but the IoT is only permitted to access specific things as required.

That said, I've analysed well over 100 IoT devices by now from different manufacturers, reported many vulnerabilities.

I've never seen something I believed to be a deliberate backdoor placed by the vendor with malicious intent. Most people who found something like that will shout about it clear and loudly. That would be verifiable by others, and where proven hugely damaging to said manufacturer.

Security researchers decrypt encrypted firmware, analyse the code, test network attack surface, defeat device protections to obtain root shell and run unsigned debug tools, monitor network calls pre encryption with gdb/other methods etc. Interface with the hardware using modifications, hardware tools, logic analysers etc where needed. And there's lots of very clever people out there doing that.

A backdoor even if heavily obfuscated has a ticking clock before being publicly exposed - certainly where there are millions of said devices. Even more so where the firmware is easily available including previous versions for analysis.

I'm not saying it cannot or has not ever happen(ed). As I say always assume it is not secure.

There's a lot of media hysteria about these devices made in certain countries. But a clandestine backdoor is going to get exposed assuming it's not narrowly tagetted/deployed on a small subset of specific target devices.

It isn't always obvious if it's a backdoor or a vulnerability. But especially it is obfuscated/has extra code encryption, doesn't show access in logs, stealthed network traffic and not easily assessable (say a private RSA key or similar is needed) then that's going to be potentially disastrous if you are a multi billion dollar international manufacturer of those devices when it is exposed. Too many damn security researchers poking their noses in :p

(I place Internet network backbone devices in a much more sensitive category, given its functional role it has Internet access, and huge volumes of traffic as well as not always being available for reasonable purchase for independent security analysis).

If you are a particularly sensitive target, then a hardware supply chain attack may more likely where you are supplied with specifically compromised equipment without knowing. Countries have done that against specific targets in the past. I'd also only update offline, using firmware everyone else is using, as opposed to an online update where the device could be targeted by update servers and fed a specially compromised update.

If you are enriching uranium for potential use in nuclear weapons, yes be careful where you buy your cameras from :p
 
Last edited:
Since I've been cleverly tricked here by @trempa92 I may as well give my 2 pennies starting by repeating what I said on my CVE-2021-36260 blog post.


Never trust any IoT device with Internet access (outbound nor inbound). Assume it's compromised or capable of being compromised. It doesn't matter who makes it, the nationality of that manufacturer, or who supplied it (sold it) to you.

Even just giving it a non-existent gateway is better than nothing (though of course not 100%).

Ideally said devices will be on their own restricted network even internally. Especially in a cooperate environment so that authorised devices and people can talk to them, on whatever ports needed, but the IoT is only permitted to access specific things as required.

That said, I've analysed well over 100 IoT devices by now from different manufacturers, reported many vulnerabilities.

I've never seen something I believed to be a deliberate backdoor placed by the vendor with malicious intent. Most people who found something like that will shout about it clear and loudly. That would be verifiable by others, and where proven hugely damaging to said manufacturer.

Security researchers decrypt encrypted firmware, analyse the code, test network attack surface, defeat device protections to obtain root shell and run unsigned debug tools, monitor network calls pre encryption with gdb/other methods etc. Interface with the hardware using modifications, hardware tools, logic analysers etc where needed. And there's lots of very clever people out there doing that.

A backdoor even if heavily obfuscated has a ticking clock before being publicly exposed - certainly where there are millions of said devices. Even more so where the firmware is easily available including previous versions for analysis.

I'm not saying it cannot or has not ever happen(ed). As I say always assume it is not secure.

There's a lot of media hysteria about these devices made in certain countries. But a clandestine backdoor is going to get exposed assuming it's not narrowly tagetted/deployed on a small subset of specific target devices.

It isn't always obvious if it's a backdoor or a vulnerability. But especially it is obfuscated/has extra code encryption, doesn't show access in logs, stealthed network traffic and not easily assessable (say a private RSA key or similar is needed) then that's going to be potentially disastrous if you are a multi billion dollar international manufacturer of those devices when it is exposed. Too many damn security researchers poking their noses in :p

(I place Internet network backbone devices in a much more sensitive category, given its functional role it has Internet access, and huge volumes of traffic as well as not always being available for reasonable purchase for independent security analysis).

If you are a particularly sensitive target, then a hardware supply chain attack may more likely where you are supplied with specifically compromised equipment without knowing. Countries have done that against specific targets in the past. I'd also only update offline, using firmware everyone else is using, as opposed to an online update where the device could be targeted by update servers and fed a specially compromised update.

If you are enriching uranium for potential use in nuclear weapons, yes be careful where you buy your cameras from :p


Best thing to do is run a Wireshark session when you plug the device into the network. Set it up to be logged and then at your leisure look thru the log later after you've unplugged the device from the network for analysis. Problem is network analysis is not a simple thing and Wireshark is not intuitive but it's very, very good.

Have done this many times with TVs......why the hell does a Samsung TV need to send data to China and India? Yet, there it was, establishing a session with who knows whom.....then it's a simple...relatively......matter to set up a firewall rule to deny IP block addresses to specific places.
 
  • Like
Reactions: bigredfish
Have done this many times with TVs......why the hell does a Samsung TV need to send data to China and India? Yet, there it was, establishing a session with who knows whom.....then it's a simple...relatively......matter to set up a firewall rule to deny IP block addresses to specific places.

I have Unifi router/WIFI and there is global DNS Ad blocker + menu to show what domains where blocked and who asked..

TVs from both Sony and Samsung plus SONOS speakers ask for some domains which are blocked by this Ad blocker..
domains which names tells me that they are to send some statistics or ask for Ads to display..
 
  • Like
Reactions: bigredfish
Best thing to do is run a Wireshark session when you plug the device into the network. Set it up to be logged and then at your leisure look thru the log later after you've unplugged the device from the network for analysis. Problem is network analysis is not a simple thing and Wireshark is not intuitive but it's very, very good.

Have done this many times with TVs......why the hell does a Samsung TV need to send data to China and India? Yet, there it was, establishing a session with who knows whom.....then it's a simple...relatively......matter to set up a firewall rule to deny IP block addresses to specific places.
Devices may be contacting infrastructure anywhere in the world that may be totally legitimate. Some people will misinterpret that as phoning home for some dark purpose when it's actually totally innocent. DNS, NTP and update checking is common of course, as are checking to see if the device is registered on a remote access platform for customer use. Ideally the last should be already disabled by default and needs customer to turn on.

Having had to recently setup a new Windows 11 laptop I was appalled at how much telemetry is active even with that setting disabled. Any outbound is blocked unless I allow it on my laptop but most people are not going to do that.

Also, if I were designing a malicious IoT device, I'd likely not schedule suspicious outbound in the first few weeks of deployment, and disguise the traffic so it looked as innocent as possible. Or activating only on certain preconditions. I might use all sort of techniques that operate at a network level, after determining what kind of local network it is deployed in, using normally harmless protocols.

That is not to say this would be undetectable given very knowledgeable analysis on tightly controlled networks with high security - but just monitoring/banning certain IPs or MAC addresses wouldn't be sufficient.

Of course VLANs and physical segmentation of testing networks for untrusted devices goes a long way for such analysis and potential harm mitigation.

Unless you are actively doing security analysis of the device in secure conditions I recommend keeping it away from being able to route traffic to the Internet entirely.
 
Last edited:
  • Like
Reactions: alastairstevenson
I feel it is all about politics. Hikvision and Dahua does have some ties with the chinese government but so do other companies in other industries. Positive thing is that they are creating competition and so we are able to have an environment where we get more bang for the buck. I would say no matter what brand you pick, you would need to lock down your network anyways. They say these companies are banned and not to use them in federal funded locations.... Well... what about Pelco, Motorola, Avigilon? Those companies are owned by Lenovo which I believe does have ties with the chinese government also. Let's talk about a different field.... Talk about servers for data centers. Supermicro I read has something about some "spying" programmed into their hardware that someone found. Don't see anything about banning them. For these server/datacenter equipment, a lot more than video is going through it if someone is wanting to get information. It just seems to be all a politics game.
 
  • Like
Reactions: bigredfish
Be aware, whether you purchase Dahua, Hikvision, or any other mid-range or even no-name camera, some of the firmwares have hacks/workarounds for invalid gateways, invalid DNS, etc. There have been documented instances where these devices embed hard-coded IP addresses into their firmware, specifically for this purpose. Quite determined, they are.
 
  • Like
Reactions: bigredfish
Be aware, whether you purchase Dahua, Hikvision, or any other mid-range or even no-name camera, some of the firmwares have hacks/workarounds for invalid gateways, invalid DNS, etc. There have been documented instances where these devices embed hard-coded IP addresses into their firmware, specifically for this purpose. Quite determined, they are.
Can be said as much about any other IoT as numerous posts above explained already.

Would you be kind and share documentation or any topic regarding where was mentions of hardcoded ip addresses inside firmware? Its not that I ask for a proof of your statement is that it actually interests me, as I mainly work with hikvision.
 
Can be said as much about any other IoT as numerous posts above explained already.

Would you be kind and share documentation or any topic regarding where was mentions of hardcoded ip addresses inside firmware? Its not that I ask for a proof of your statement is that it actually interests me, as I mainly work with hikvision.

I recall there was a post a few years back where someone had changed the camera IP address subnet to something completely different than the default IP subnet and yet wireshark was showing the camera was still trying to access the internet via the 192.168.1.xxx subnet and would have had his system had that as a subnet, which most people are lazy and use the default IP address subnet the router gives them.

Now to find that thread LOL!
 
  • Like
Reactions: bigredfish
I recall there was a post a few years back where someone had changed the camera IP address subnet to something completely different than the default IP subnet and yet wireshark was showing the camera was still trying to access the internet via the 192.168.1.xxx subnet and would have had his system had that as a subnet, which most people are lazy and use the default IP address subnet the router gives them.

Now to find that thread LOL!
Thats a wierd one, heard a lot of funny stories myself, some seen myself, some were told by others(cant be confirmed).

Here is one:

User called me and said his hik connect password is not working. I told him to do a recovery via mail. He did it and after it logged in he saw entirely different NVR which was from Georgia(not USA). When he went to check user info under (me) it was generic name made by phone number.

It happened 3 times with login, and 4th time he was finally redirected to his account where his NVR was - region Croatia

I reported to hikvision with video. I never got any explanation to what really happened.
 
Can be said as much about any other IoT as numerous posts above explained already.

Would you be kind and share documentation or any topic regarding where was mentions of hardcoded ip addresses inside firmware? Its not that I ask for a proof of your statement is that it actually interests me, as I mainly work with hikvision.

 
invalid gateways, invalid DNS, etc
Setting an invalid gateway really doesn't do anything useful. It's just a false sense of security. If you're trying to protect against the camera running malicious software, an invalid gateway would be trivially bypassed by the malware by just scanning the network for routers. Also, setting an invalid gateway is not doable with IPv6, as IPv6 routes are configured using Router Advertisement broadcasts.

Cameras should always be on a separate VLAN that does not have internet access, regardless of brand or country of manufacture. The firewall on your router should be configured to allow inbound cross-VLAN connections from your regular VLAN to the camera VLAN, but not the other way around (i.e. your PC or Blue Iris server can access the camera, but the camera can't access them).
 
Setting an invalid gateway really doesn't do anything useful. It's just a false sense of security. If you're trying to protect against the camera running malicious software, an invalid gateway would be trivially bypassed by the malware by just scanning the network for routers. Also, setting an invalid gateway is not doable with IPv6, as IPv6 routes are configured using Router Advertisement broadcasts.

Cameras should always be on a separate VLAN that does not have internet access, regardless of brand or country of manufacture. The firewall on your router should be configured to allow inbound cross-VLAN connections from your regular VLAN to the camera VLAN, but not the other way around (i.e. your PC or Blue Iris server can access the camera, but the camera can't access them).
.... 2 network cards in your BI machine