Managing Editor, IFSEC Insider

James Moore is the Managing Editor of IFSEC Insider, the leading online publication for security and fire news in the industry. James writes, commissions, edits and produces content for IFSEC Insider, including articles, breaking news stories and exclusive industry reports. He liaises and speaks with leading industry figures, vendors and associations to ensure security and fire professionals remain abreast of all the latest developments in the sector.
June 26, 2023

Hikvision responds to BBC Panorama investigation on cyber security vulnerabilities

Hikvision has strongly disputed claims made by the BBC Panorama investigation team about cyber security vulnerabilities found in one of its cameras.

BBC Panorama article – What’s the story?

Earlier today (Monday 26 June), the BBC Panorama reporting team published a story on an investigation it carried out into cyber security vulnerabilities in Chinese-made surveillance cameras – specifically, products from major video surveillance brands Hikvision and Dahua.

The investigation says it highlighted security flaws in specific camera models made by the two companies, after it set up a series of experiments with US-based IPVM to test whether it was possible to hack their cameras.

A Hikvision camera was set up on a ‘test network’ with ‘no firewall and little protection’, the BBC explained. IPVM employees then ran a hacking experiment from the US on a model which contained a vulnerability discovered in 2017.

According to the BBC, once the hacking team had located the camera inside Broadcasting House, it took 11 seconds for the device to be accessed and controlled from the US.

The camera was supplied by IPVM.

The investigation carried out a similar experiment with Dahua cameras, though the test cameras were set up in IPVM’s headquarters in Pennsylvania. The testers said they were also able to find their way into the camera’s software.

Hikvision had originally explained to the BBC that its products “do not have a backdoor” and ‘were not deliberately programmed with this flaw’, adding that it released a firmware update to address it shortly after it became aware of the issue in 2017.

Dahua also explained that it “immediately conducted a comprehensive investigation” once it was made aware of the vulnerability last year, and fixed it through firmware updates.

The two companies also disputed allegations that they were threats to UK national security – something that Professor Fraser Sampson, the UK’s Biometrics and Surveillance Camera Commissioner, discusses in the BBC article.

Sampson warns the UK’s critical infrastructure “is vulnerable”, saying: “All those things rely very heavily on remote surveillance – so if you have an ability to interfere with that, you can create mayhem, cheaply and remotely”.

The BBC’s investigation follows the news earlier in June that the UK Cabinet Office is planning to remove surveillance cameras manufactured by Chinese companies subject to its National Intelligence Law from central government departments.

Hikvision responds: “Grave concerns regarding the integrity and content of the broadcast”

Since the story was released, the Hikvision UK & Ireland team has responded in an open letter, shared on its social media channels.

In the letter, the company highlighted several “grave” concerns over the broadcast (the news story is set to feature on TV on Panorama later today). Hikvision argues that the test was not representative of cameras on the market today, that the vulnerability was patched a week after it was discovered in 2017, and that the test was not run on a typical network.

Specific concerns raised throughout the letter by Justin Hollis, Marketing Director of Hikvision UK & Ireland, include:

  • The vulnerability in the camera tested was first identified in 2017, and was patched to “recognised CVE standards” and publicly disclosed less than a week after it was brought to Hikvision’s attention. The patch was said to be subject to further scrutiny in the US and government departments worked with the manufacturer to resolve the problem.
  • The test was conducted on an unsecured network and therefore would not be representative of cameras in the public domain.
  • The BBC had refused to clarify any details of the camera set to be used in the ‘test’, such as the version of firmware installed, the serial number or the type of network it would be tested on.
  • The camera was “supplied by, and compromised with the collaboration of IPVM, an organisation with a vendetta against Hikvision”. The letter adds: “The BBC has been misled by IPVM and will now, in turn, mislead others”.
  • Hikvision is “virtually certain” that public sector organisations would have patched their cameras since 2017 when the vulnerability was originally found.

The letter finishes with a message to its customers in the security and video surveillance industry, noting that the test should not be taken seriously and is “not representative of Hikvision cameras on the market today”.

Justin Hollis also added: “The Panorama collaboration with IPVM calls into question the integrity of the BBC’s broadcast. Anyone who has familiarity with surveillance equipment knows that this test, of an obsolete camera, says nothing about the security of Hikvision cameras on the market today and is deliberately misleading. Hikvision demands an immediate retraction.

“The camera that the BBC ‘tested’ contained a vulnerability identified six years ago, which was patched and publicly disclosed less than one week after being identified. This patch was verified by the United States Department of Homeland Security in 2017. To claim that this stunt has uncovered a security breach or an intentional backdoor is farcical. This broadcast sensationalises a problem that has already been fixed to universally recognised CVE standards.”
