Hikvision's Director Of Cybersecurity And Privacy Says IoT Devices With Backdoors 'Can't Be Used To Spy On Companies, Individuals Or Nations'

from the O-RLY? dept

Hikvision describes itself as “an IoT solution provider with video as its core competency”. It hasn’t cropped up much here on Techdirt: it was mentioned earlier this year as one of two surveillance camera manufacturers that had been blacklisted by the US government because they were accused of being “implicated in human rights violations and abuses” in Xinjiang. Although little-known in the West, Hikvision is big: it has “more than 42,000 employees, over 20,000 of which are R&D engineers.” Given the many engineers Hikvision employs, the following comment by Fred Streefland, Director of Cybersecurity and Privacy at Hikvision EMEA (Europe, the Middle East and Africa), reported by IPVM, is rather remarkable:

even devices with backdoors can’t be used to spy on companies, individuals, or nations. The security features built into devices, networks, and data centres, combined with end-users data-protection responsibilities, make espionage and other misuses of backdoors impossible.

Streefland expanded on why data protection laws make espionage “impossible”:

the end-users who buy these cameras are responsible for the data/video footage they generate. In other words, they’re the data custodians who process the data and control the video footage, which is legally required to be kept private. Secret access to video footage on these devices is impossible without the consent of the end-user.

An interesting theory, but not one that security guru Bruce Schneier has much time for. IPVM asked him to comment on Streefland’s statements:

I would say that only someone who doesn’t understand cybersecurity at all would say something like that. But he’s a CSO [Chief Security Officer], so he’s probably deliberately saying something that stupid in order to sell you something.

That’s a polite way to put it. As many stories on Techdirt attest, IoT products in general, and video cameras in particular, have huge security problems, often caused by backdoors, that have led to all kinds of spying at every level.

It seems that someone at Hikvision has realized just how ludicrous Streefland’s comments were. The original source for the IPVM story is an interview with Streefland published by Benchmark Magazine. That interview is taken almost verbatim from a post on Hikvision’s own blog, called “Debunking myths in the security industry.” By an amazing coincidence, both the original interview and the blog post now lead to “404 not found” messages. Happily, the Internet Archive’s indispensable Wayback Machine still has copies of both the interview and the blog post, where Streefland’s words of wisdom quoted above can be found, along with some other choice thoughts on security.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Companies: hikvision


Comments on “Hikvision's Director Of Cybersecurity And Privacy Says IoT Devices With Backdoors 'Can't Be Used To Spy On Companies, Individuals Or Nations'”

ECA (profile) says:

Even a person

Of limited knowledge, given a minute or 2, it could be explained to them How it can be done.
Esp. With built-in programming to Only send to a 3rd party the data recorded.
Unless you have a bit of knowledge, you would not know how to redirect it or take Full control of the device.

I prefer Full control, as well as control over WHO is an offsite storage.
The USA has this interesting law, even mentioned here. 3rd party data and info Can be searched by policing agencies. And 3rd parties May not have security Built, properly.

Scary Devil Monastery (profile) says:

Re: Even a person

"it could be explained to them How it can be done."

His job literally depends on him not realizing that fact so it’ll be uphill work convincing him.

I too could spend some time briefing that "expert" on how any IoT device can act as a bridgehead. Your OS may be hardened and firewalled against exterior intrusion but not so much when it concerns the shoddily coded app connecting to your toaster, fridge and thermostat, all of whom connect themselves to their respective OEM – which is unlikely to be all that hardened against a persistent cracker.

A few likely scenarios include:

  • The NSA knocking at your door after tracing the hack against a military facility or government contractor to your fridge.
  • Your Tesla won’t start until you fork over a moderate amount of bitcoin to the people with the ransomware keys.
  • Some troll finds out how to tune every smart-TV from Grundig or Apple permanently to redtube and locks it there playing random porn clips 24/7 at max volume.
  • Your toaster hacks your laptop. Next time you log on to the corporate intranet while working from home you’ve got a trojan riding in it.

The average old school internet user accesses the internet through two weak points only – their router and their end device. 99% of the time access online is granted via browsers who are in many ways hardened by browser manufacturers long used to being the very first target of any attack. Not secure by any means but usually good enough to stand up to a casual probe.

The same can’t be said if you’ve bought goods from a hundred different OEMs, many of whom won’t be security experts or have bothered to secure their goods in any way, shape or form.

If I were a betting man I’d put money on there already being national efforts made by every country and computer-savvy criminals, to perfect and optimize script-attacking badly secured IoT devices en masse, for a multitude of uses.

Anon E. Mous (profile) says:

The security features built into devices, networks, and data centres, combined with end-users data-protection responsibilities, make espionage and other misuses of backdoors impossible.

You have to be kidding. The only way Streefland truly believes the spin in the comment he made is if there are two men named Mr. Roarke and Tattoo standing behind him.

You have to be living in Fantasy Land to be thinking that leaving a backdoor open isn't an issue; if you leave a backdoor open bad guys will take advantage of it.

Scary Devil Monastery (profile) says:

Re: Re: Re:

The one leads to the other.

The WCry virus was originally part of the NSA online espionage kit but was "liberated" and leaked to the online community as a whole by Russian hackers. Cue networks all over the world locking up when script kids started pushing out a hundred trojan variants using that mode of attack.

Even in this, the best of all possible worlds, my dear Tartuffe, where government is wholly benevolent and their alphabet soup agencies composed of idealists… You are still screwed if the nice guy in the NSA obtains the keys to the kingdom.

Because if they obtain the keys to everyone’s devices that information always ends up in the WRONG hands eventually.
It’s something you can’t solve by nerding harder either, which is why when some US intel puke stands up and screams they want <manufacturer X> to build a backdoor only the cops can use, they’re lying. That backdoor will eventually become the private preserve of organized crime.

drew (profile) says:

It's ok, I locked it...

As a reputable supplier of back doors I can guarantee you that there’s nothing to worry about, you see our back doors are fitted with locks.
And it is absolutely inconceivable that a malicious actor, with a long history of picking locks or kicking down doors, could possibly get past this.

[insert Princess Bride meme here]

Scary Devil Monastery (profile) says:

Re: It's ok, I locked it...

"And it is absolutely inconceivable that a malicious actor, with a long history of picking locks or kicking down doors, could possibly get past this."

You forgot to add "…We guarantee the only people we provided with skeleton keys to said backdoors are law enforcement officials, national security officials, medical officials, insurance auditors, city health and safety regulation officials, fire safety officials, various key personnel serving the departments mentioned above. None of which have ever reported a skeleton key missing or copied. Trust us."
