Monday, September 24, 2018

Hikvision vice-president Pu Shiliang, 38, is also technical leader of a key laboratory at the Ministry of Public Security

10-1-16    Hikvision vice-president Pu Shiliang, 38, is also technical leader of a key laboratory at the Ministry of Public Security, the feared body that has been accused of the extrajudicial arrest and detention of thousands of lawyers, activists and perceived government opponents within China every year.
Hikvision's high-tech CCTV systems can 'see in the dark', track vehicles, and count the number of people entering and leaving a building, as well as boasting unparalleled 'face-tracking' technology. They are even able to identify a person by their gait. These capacities enable the Chinese authorities to track dissidents, activists and human-rights campaigners, who are routinely rounded up and detained.
-Chen Zongnian
11-23-16     Edward Long, a former employee of a video surveillance equipment company in Florida, recently petitioned the U.S. government with a letter warning that Hikvision cameras are sending information back to China.
   “Over the past year, [Hikvision has] ... flooded the United States with their equipment,” he wrote. “Every time one of their machines is plugged into the internet, it sends all your data to three servers in China.  With that information the Chinese government can log in to any camera system, anytime they want.”
   Frank Fisherman, a general manager for Long’s former employer, IC Realtime Security Solutions, tells VOA that Hikvision devices are engineered for effortless hacking.  “They have their encrypted information set up so they can access even if you change the admin [passwords] and the firewall,” he said, adding that Hikvision may have set aside a "backdoor" in the production process, such that the manufacturer can monitor devices remotely without the users being aware.
4-25-18   Vangelis Stykas and his partner resorted to using Ezviz.  So what is Ezviz?  According to the about page, it “is the consumer and residential-focused subsidiary of Hikvision, the world’s largest manufacturer of video surveillance solutions.  Ezviz builds upon Hikvision’s expertise and knowledge to bring robust, commercial-quality video products to consumers and the smart-home market.”
They discovered that one of the features on Ezviz allowed them to “mark a user as a friend with no interaction needed by the other user just by knowing the email or phone that the other user used upon registration.”
After “friending” someone without their knowledge or acceptance, then they could get the user ID they were after.  Stykas wrote, “So now we can login as any user as long as we have his email, phone number or username (endpoint was also returning data for username although there was no UI for it) and impersonate him.”
Poking around to learn what could be done with Hik-connect and Ezviz, they determined the bug could be exploited to:
  • See devices of the users, live video and playback from the device.
  • Change the user’s email, phone number and password to effectively lock them out of their device.
  • Take over the user’s account after resetting their password. After that, even if the user tried factory resetting their device, it would not be “unbound” from the attacker’s account without contacting Hikvision. Stykas added, “If we change the password we can use the devices menu on the Hik-connect android app and manage the device (update firmware and brick it or do whatever we want) without any password given.”
  • A stealthy option is for an attacker to add a share on their account so that the victim would be clueless that someone else was also watching what happened on their devices.    

...The vulnerability report was sent on Saturday, and Hikvision released a fix on Tuesday, April 24.
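
The two weaknesses described above, a friend request that needs no acceptance and hands back the other user's ID, and a backend that treats that ID as proof of identity, are modelled below next to a hardened version of each call. This is an added example, not code from Ezviz, Hik-connect or the researchers; the class, method names and sample accounts are constructed for illustration.

```python
import secrets

class AccountService:
    """Constructed in-memory model of the flaw class; not Ezviz/Hik-connect code."""

    def __init__(self):
        self.by_email = {}   # email -> server-assigned user_id
        self.sessions = {}   # session token -> user_id
        self.devices = {}    # user_id -> list of device names
        self.friends = {}    # (requester_id, target_id) -> "pending" | "accepted"

    def register(self, email, devices):
        user_id, token = secrets.token_hex(8), secrets.token_urlsafe(16)
        self.by_email[email] = user_id
        self.sessions[token] = user_id
        self.devices[user_id] = list(devices)
        return token

    # --- behaviour as reported: no consent, ID disclosed, ID trusted ---
    def add_friend_vulnerable(self, token, email):
        me, target = self.sessions[token], self.by_email[email]
        self.friends[(me, target)] = "accepted"
        return target                      # leaks the target's user ID

    def list_devices_vulnerable(self, user_id):
        return self.devices[user_id]       # caller-supplied ID is the only "credential"

    # --- hardened: request stays pending, nothing returned, identity from session ---
    def add_friend(self, token, email):
        me, target = self.sessions[token], self.by_email.get(email)
        if target is not None and target != me:
            self.friends.setdefault((me, target), "pending")
        return "request sent"              # same reply whether or not the email exists

    def accept_friend(self, token, requester_email):
        me, requester = self.sessions[token], self.by_email.get(requester_email)
        if self.friends.get((requester, me)) != "pending":
            raise PermissionError("no pending request from that user")
        self.friends[(requester, me)] = "accepted"

    def list_devices(self, token):
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("invalid session")
        return self.devices[user_id]       # only ever the caller's own devices
```

In the hardened calls the user ID never leaves the server and never arrives from the client, so knowing someone's email or phone number yields neither an identifier nor a friendship.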

11-15-17   Forty-two percent of Hikvision is owned by the Chinese government and many security vendors in the U.S. have banned the sale of their cameras over fears they could be used to spy on Americans.
The NSO Group prices its surveillance tools by the number of targets, starting with a flat $500,000 installation fee.  To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal.
You can pay for more targets.  One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.
What that gets you, NSO Group documents say, is “unlimited access to a target’s mobile devices.”  In short, the company says:  You can “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.”  And, its proposal adds, “It leaves no traces whatsoever.”
7-24-18    Many parts of Africa are now essentially reliant on Chinese companies for their telecoms and digital services.  Transsion Holdings, a Shenzhen-based company, was the No. 1 smartphone company in Africa in 2017. ZTE, a Chinese telecoms giant, provides the infrastructure for the Ethiopian government to monitor its citizens’ communications. Hikvision, the world’s leading surveillance camera manufacturer, has just opened an office in Johannesburg.
The latest is CloudWalk Technology, a Guangzhou-based start-up that has signed a deal with the Zimbabwean government to provide a mass facial recognition will enable Zimbabwe, a country with a bleak record on human rights, to replicate parts of the surveillance infrastructure that have made freedoms so limited in China.  And by gaining access to a population with a racial mix far different from China’s, CloudWalk will be better able to train racial biases out of its facial recognition systems—a problem that has beleaguered facial recognition companies around the world and which could give China a vital edge.   According to a report in the Chinese state newspaper Science and Technology Daily, smart financial systems, airport, railway, and bus station security, and a national facial database will all be part of the project.  The deal—along with dozens of other cooperation agreements between Harare and Chinese technology and biotech firms—was signed in April. Like every other foreign deal done by a Chinese firm of late, it has been wrapped into China’s increasingly all-encompassing Belt and Road Initiative.
