Hikvision's Director Of Cybersecurity And Privacy Says IoT Devices With Backdoors 'Can't Be Used To Spy On Companies, Individuals Or Nations'
from the O-RLY? dept
Hikvision describes itself as "an IoT solution provider with video as its core competency". It hasn't cropped up much here on Techdirt: it was mentioned earlier this year as one of two surveillance camera manufacturers that had been blacklisted by the US government because they were accused of being "implicated in human rights violations and abuses" in Xinjiang. Although little-known in the West, Hikvision is big: it has "more than 42,000 employees, over 20,000 of which are R&D engineers." Given the many engineers Hikvision employs, the following comment by Fred Streefland, Director of Cybersecurity and Privacy at Hikvision EMEA (Europe, the Middle East and Africa), reported by IPVM, is rather remarkable:
even devices with backdoors can't be used to spy on companies, individuals, or nations. The security features built into devices, networks, and data centres, combined with end-users data-protection responsibilities, make espionage and other misuses of backdoors impossible.
Streefland expanded on why data protection laws make espionage "impossible":
the end-users who buy these cameras are responsible for the data/video footage they generate. In other words, they're the data custodians who process the data and control the video footage, which is legally required to be kept private. Secret access to video footage on these devices is impossible without the consent of the end-user.
An interesting theory, but not one that security guru Bruce Schneier has much time for. IPVM asked him to comment on Streefland's statements:
I would say that only someone who doesn't understand cybersecurity at all would say something like that. But he's a CSO [Chief Security Officer], so he's probably deliberately saying something that stupid in order to sell you something.
That's a polite way to put it. As many stories on Techdirt attest, IoT products in general, and video cameras in particular, have huge security problems, often caused by backdoors, that have led to all kinds of spying at every level.
It seems that someone at Hikvision has realized just how ludicrous Streefland's comments were. The original source for the IPVM story is an interview with Streefland published by Benchmark Magazine. That interview is taken almost verbatim from a post on Hikvision's own blog, called "Debunking myths in the security industry." By an amazing coincidence, both the original interview and the blog post now lead to "404 not found" messages. Happily, the Internet Archive's indispensable Wayback Machine still has copies of both the interview and the blog post, where Streefland's words of wisdom quoted above can be found, along with some other choice thoughts on security.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Reader Comments
Certainly makes the decision to not use their products an even easier sell!
Even a person
of limited knowledge, given a minute or 2, could have it explained to them how it can be done.
Esp. with built-in programming to only send the recorded data to a 3rd party.
Unless you have a bit of knowledge, you would not know how to redirect it or take full control of the device.
I prefer full control, as well as control over who the offsite storage is.
The USA has this interesting law, even mentioned here: 3rd party data and info can be searched by policing agencies. And 3rd parties may not have security built properly.
Re: Even a person
"it could be explained to them How it can be done."
His job literally depends on him not realizing that fact so it'll be uphill work convincing him.
I too could spend some time briefing that "expert" on how any IoT device can act as a bridgehead. Your OS may be hardened and firewalled against exterior intrusion but not so much when it concerns the shoddily coded app connecting to your toaster, fridge and thermostat, all of whom connect themselves to their respective OEM - which is unlikely to be all that hardened against a persistent cracker.
A few likely scenarios include:
The NSA knocking at your door after tracing the hack against a military facility or government contractor to your fridge.
Your Tesla won't start until you fork over a moderate amount of bitcoin to the people with the ransomware keys.
Some troll finds out how to tune every smart TV from Grundig or Apple permanently to redtube and locks it there playing random porn clips 24/7 at max volume.
The average old-school internet user accesses the internet through two weak points only: their router and their end device. 99% of the time access online is granted via browsers, which are in many ways hardened by browser manufacturers long used to being the very first target of any attack. Not secure by any means, but usually good enough to stand up to a casual probe.
The same can't be said if you've bought goods from a hundred different OEMs, many of whom won't be security experts or have bothered to secure their goods in any way, shape or form.
If I were a betting man I'd put money on there already being national efforts made by every country, and by computer-savvy criminals, to perfect and optimize script attacks against badly secured IoT devices en masse, for a multitude of uses.
Lemme guess...
He was "promoted" from Sales/Marketing.
The security features built into devices, networks, and data centres, combined with end-users data-protection responsibilities, make espionage and other misuses of backdoors impossible.
You have to be kidding. The only way Streefland truly believes the spin in the comment he made is if there are two men named Mr. Roarke and Tattoo standing behind him.
You have to be living in Fantasy Land to think that leaving a backdoor open isn't an issue; if you leave a backdoor open, bad guys will take advantage of it.
Re:
I am far less afraid of the "bad guys" than I am of the "good guys" in the government.
Re: Re:
The one leads to the other.
The WCry virus was originally part of the NSA online espionage kit but was "liberated" and leaked to the online community as a whole by Russian hackers. Cue networks all over the world locking up when script kids started pushing out a hundred trojan variants using that mode of attack.
Even in this, the best of all possible worlds, my dear Tartuffe, where government is wholly benevolent and their alphabet-soup agencies composed of idealists... you are still screwed if the nice guy in the NSA obtains the keys to the kingdom.
Because if they obtain the keys to everyone's devices that information always ends up in the WRONG hands eventually.
It's something you can't solve by nerding harder either, which is why when some US intel puke stands up and screams they want <manufacturer X> to build a backdoor only the cops can use, they're lying. That backdoor will eventually become the private preserve of organized crime.
Occam's razor
Yep, Fred Streefland is a complete fucking moron.
I can't decide if this is a perfect example of Hanlon's Razor, or if it's actual evil. Given that a corporate mouthpiece is spouting this insanity, it really could go either way.
Wow, awesome. So just making something illegal makes it impossible to do?
We really are wasting money on cops and courts if all it takes is making something illegal to stop people doing things society (well, the legislature) doesn't want them to do.
It's ok, I locked it...
As a reputable supplier of back doors I can guarantee you that there's nothing to worry about; you see, our back doors are fitted with locks.
And it is absolutely inconceivable that a malicious actor, with a long history of picking locks or kicking down doors, could possibly get past this.
[insert Princess Bride meme here]
Re: It's ok, I locked it...
"Prepare to die!" ?!?
Re: It's ok, I locked it...
...and we got this open.
LPL
Re: It's ok, I locked it...
"And it is absolutely inconceivable that a malicious actor, with a long history of picking locks or kicking down doors, could possibly get past this."
You forgot to add "...We guarantee the only people we provided with skeleton keys to said backdoors are law enforcement officials, national security officials, medical officials, insurance auditors, city health and safety regulation officials, fire safety officials, and various key personnel serving the departments mentioned above. None of whom have ever reported a skeleton key missing or copied. Trust us."