Hikvision's Director Of Cybersecurity And Privacy Says IoT Devices With Backdoors 'Can't Be Used To Spy On Companies, Individuals Or Nations'
from the O-RLY? dept
Hikvision describes itself as “an IoT solution provider with video as its core competency”. It hasn’t cropped up much here on Techdirt: it was mentioned earlier this year as one of two surveillance camera manufacturers that had been blacklisted by the US government because they were accused of being “implicated in human rights violations and abuses” in Xinjiang. Although little-known in the West, Hikvision is big: it has “more than 42,000 employees, over 20,000 of which are R&D engineers.” Given the many engineers Hikvision employs, the following comment by Fred Streefland, Director of Cybersecurity and Privacy at Hikvision EMEA (Europe, the Middle East and Africa), reported by IPVM, is rather remarkable:
even devices with backdoors can’t be used to spy on companies, individuals, or nations. The security features built into devices, networks, and data centres, combined with end-users data-protection responsibilities, make espionage and other misuses of backdoors impossible.
Streefland expanded on why data protection laws make espionage “impossible”:
the end-users who buy these cameras are responsible for the data/video footage they generate. In other words, they’re the data custodians who process the data and control the video footage, which is legally required to be kept private. Secret access to video footage on these devices is impossible without the consent of the end-user.
An interesting theory, but not one that security guru Bruce Schneier has much time for. IPVM asked him to comment on Streefland’s statements:
I would say that only someone who doesn’t understand cybersecurity at all would say something like that. But he’s a CSO [Chief Security Officer], so he’s probably deliberately saying something that stupid in order to sell you something.
That’s a polite way to put it. As many stories on Techdirt attest, IoT products in general, and video cameras in particular, have huge security problems, often caused by backdoors, that have led to all kinds of spying at every level.
It seems that someone at Hikvision has realized just how ludicrous Streefland’s comments were. The original source for the IPVM story is an interview with Streefland published by Benchmark Magazine. That interview is taken almost verbatim from a post on Hikvision’s own blog, called “Debunking myths in the security industry.” By an amazing coincidence, both the original interview and the blog post now lead to “404 not found” messages. Happily, the Internet Archive’s indispensable Wayback Machine still has copies of both the interview and the blog post, where Streefland’s words of wisdom quoted above can be found, along with some other choice thoughts on security.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: backdoors, cybersecurity, fred streefland, iot, privacy, surveillance
Companies: hikvision
Comments on “Hikvision's Director Of Cybersecurity And Privacy Says IoT Devices With Backdoors 'Can't Be Used To Spy On Companies, Individuals Or Nations'”
Certainly makes the decision to not use their products an even easier sell!
Even a person
Of limited knowledge, given a minute or 2, it could be explained to them How it can be done.
Esp. With builtin programming to Only send to a 3rd party the data recorded.
Unless you have abit of knowledge, you would not know how to redirect it or take Full control of the device.
I prefer Full control, as well as control over WHO is an offsite storage.
The USA has this interesting law, even mentioned here. 3rd party data and info Can be searched by policing agencies. And 3rd parties May not have security Built, properly.
Re: Even a person
"it could be explained to them How it can be done."
His job literally depends on him not realizing that fact so it’ll be uphill work convincing him.
I too could spend some time briefing that "expert" on how any IoT device can act as a bridgehead. Your OS may be hardened and firewalled against exterior intrusion but not so much when it concerns the shoddily coded app connecting to your toaster, fridge and thermostat, all of whom connect themselves to their respective OEM – which is unlikely to be all that hardened against a persistent cracker.
A few likely scenarios include;
The average old school internet user accesses the internet through two weak point only – their router and their end device. 99% of the time access online is granted via browsers who are in many ways hardened by browser manufacturers long used to being the very first target of any attack. Not secure by any means but usually good enough to stand up to a casual probe.
The same can’t be said if you’ve bought goods from a hundred different OEM’s, many of whom won’t be security experts or have bothered to secure their goods in any way, shape or form.
If I were a betting man I’d put money on there already being national efforts made by every country and computer-savvy criminals, to perfect and optimize script-attacking badly secured IoT devices én másse, for a multitude of uses.
Lemme guess...
He "promoted" from Sales/Marketing.
The security features built into devices, networks, and data centres, combined with end-users data-protection responsibilities, make espionage and other misuses of backdoors impossible.
You have to be kidding. The only way Streefland truly believes the spin in how comment he made is if there are two men named Mr. Rourke and Tattoo standing behind him
You have to be living in Fantasy Land to be thinking that leaving a backdoor open isnt an issue, if you leave a backdoor open bad guys will take advantage of it.
Re: Re:
I am far less afraid of the "bad guys" than I am of the "good guys" in the government.
Re: Re: Re:
The one leads to the other.
The WCry virus was originally part of the NSA online espionage kit but was "liberated" and leaked to the online community as a whole by russian hackers. Cue networks all over the world locking up when script kids started pushing out a hundred trojan variants using that mode of attack.
Even in this, the best of all possible worlds, my dear Tartúffe, where government is wholly benevolent and their alphabet soup agencies composed of idealists…You are still screwed if the nice guy in the NSA obtains the keys to the kingdom.
Because if they obtain the keys to everyone’s devices that information always ends up in the WRONG hands eventually.
It’s something you can’t solve by nerding harder either, which is why when some US intel puke stands up and screams they want <manufacturer X> to build a backdoor only the cops can use, they’re lying. That backdoor will eventually become the private preserve of organized crime.
Occam's razor
Yep, Fred Streefland is a complete fucking moron.
I can’t decide if this is a perfect example of Hanlon’s Razor, or if it’s actual evil. Given that a corporate mouthpiece is spouting this insanity, it really could go either way.
Wow, awesome. So just making something illegal makes it impossible to do?
We really are wasting money on cops and courts if all it takes is making something illegal to stop people doing things society (well, the legislature) doesn’t want them to do.
It's ok, I locked it...
As a reputable supplier of back doors I can guarantee you that there’s nothing to worry about, you see our back doors are fitted with locks.
And it is absolutely inconceivable that a malicious actor, with a long history of picking locks or kicking down doors, could possibly get past this.
[insert Princess Bride meme here]
Re: It's ok, I locked it...
"Prepare to die!" ?!?
Re: It's ok, I locked it...
…and we got this open.
LPL
Re: It's ok, I locked it...
"And it is absolutely inconceivable that a malicious actor, with a long history of picking locks or kicking down doors, could possibly get past this."
You forgot to add "…We guarantee the only people we provided with skeleton keys to said backdoors are law enforcement officials, national security officials, medical officials, insurance auditors, city health and safety regulation officials, fire safety officials, various key personnel serving the departments mentioned above. None of which have ever reported a skeleton key missing or copied. Trust us."
NOTHING GOOD COMES OR HAPPENS EASILY
It’s good to take risk sometimes. I’ve realized that people who do great exploits are people who take risk. Nothing good comes or happens easily. You may be battling with your bad credit, negative items and different bills but if care is not taken depression might set in. I want to introduce CREDIT TRINITY CARE to you guys and trust me, he’s gonna help you fix your credit ASAP. He’ll delete all the negatives and boast your credit score. He boasted my credit score from 400 to 790+ within few days. I read about him on credit blog and discovered that he’s not one of those usual names, so I contacted him via creditscoretrinity @ gmail . com I’m forever grateful to CREDIT TRINITY CARE. I wish I can say everything here which is not possible but all I know is that he can be trusted