Update on Privilege Escalating Vulnerability Notice-HQ

Dear customers and partners:

Hikvision is honored to work with the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center in our ongoing cybersecurity best practice efforts.

We’re pleased to announce that Hikvision’s successful progress on a privilege-escalating vulnerability has been acknowledged by ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Specifically, ICS-CERT has recognized that on March 13, 2017, Hikvision released the fixed firmware version 5.4.41/5.4.71 to address the user privilege-escalating vulnerability on those particular affected camera models.

What do customers need to know about the privilege-escalating vulnerability? What steps should customers take to enhance the cybersecurity of Hikvision systems?

·Please review the March 13, 2017 notice, which outlines potential cybersecurity concerns that could arise with specific cameras under certain, fairly uncommon circumstances. To date, Hikvision is not aware of any reports of malicious activity associated with this vulnerability.

·Hikvision always recommends a systematic, multi-step approach to enhance cybersecurity protection. To assist customers and partners, Hikvision offers a number of industry-leading cybersecurity resources. Please visit the Hikvision Security Center for more information.

·The Hikvision Network Security Hardening Guide is a new resource for installers.

·Hikvision also encourages customers to utilize ICS-CERT resources, including ICS-CERT Recommended Practices and ICS-CERT Defense in Depth.

Did ICS-CERT recommend further enhancements in future firmware upgrades?

·ICS-CERT specifically identified the “configuration file” as an area of potential concern.

Under what circumstances is there a concern with the configuration file? How will Hikvision address this concern?

·The configuration file is encrypted and is therefore not readable, and protects users’ credentials. Also, the configuration file can only be exported by the admin account. Hikvision appreciates ICS-CERT’s comment, and will enhance the private key decryption storage method in the upcoming firmware release.

Hikvision is proud to be at the forefront of the move to improve cybersecurity best practices in our industry. Cybersecurity must be top-of-mind throughout the product lifecycle, from R&D and manufacturing to installation and maintenance. Hikvision’s in-house cybersecurity experts are dedicated to constantly assessing and improving our products and our processes, and the Hikvision team provides market-leading cybersecurity education and support to our valued customers. We’re also actively engaged with our competitors and partners on collaborative cybersecurity efforts that benefit our entire industry.

Interoperability is key to the success of IP video technology. While it’s exciting to watch the ecosystem of video surveillance devices multiply, this also increases our cybersecurity challenges. Establishing interoperability standards for video surveillance should be a top priority and one that everyone in the surveillance industry needs to share.

If you have any questions or concerns about Hikvision products, please contact your Hikvision branch office or representatives, or consult us at overseasbusiness@hikvision.com. For technical concerns, you may contact support@hikvision.com.

 

 

 
