President Trump has signed the John S. McCain National Defense Authorization Act for Fiscal Year 2019. As a result, a new law banning the use of Dahua and Hikvision products, and those of their OEMs (Original Equipment Manufacturers), in US government and US government-funded contracts becomes effective from August 2019.

From IPVM Group: Risk – Hikvision / China Government Access
The escalating attention towards Hikvision’s China government ownership and Genetec’s removal of Hikvision due to cyber security concerns have triggered increased scrutiny of Hikvision devices.

Hikvision’s ‘phone home’ feature is raising particular fears as users evaluate Hikvision devices, attempting to understand what is happening and what risks this raises.

The risk is Hikvision misusing these connections inside of private networks. Hikvision could potentially look at internal video or use that device to access other devices inside a LAN. This automatic tunnel-out connection could be used to set up a reverse shell or quasi-VPN, letting outsiders tunnel into the network, using the camera as an ad-hoc router. This is a risk of any provider with such access, though magnified for many due to Hikvision’s government ownership.
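Both risks named above, a camera-initiated outbound connection and a camera reaching other devices on the LAN, can be looked for in flow logs. The following is an added example, not taken from IPVM or from this article; the camera subnet, the NVR address, the record layout and every sample flow are constructed assumptions.

```python
import ipaddress

# Assumptions for this sketch: cameras live in their own subnet and should
# only ever talk to the recorder (NVR). All addresses below are constructed.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.0.5")}  # hypothetical NVR
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (initiator, responder, dst_port, duration_seconds)
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.5", 554, 3600),      # camera -> NVR, expected
    ("10.20.0.11", "203.0.113.10", 443, 86000),  # camera -> internet, long-lived
    ("10.20.0.12", "10.1.4.20", 445, 12),        # camera -> file server on LAN
    ("10.1.4.33", "10.20.0.12", 80, 40),         # admin PC -> camera (not camera-initiated)
    ("10.20.0.12", "203.0.113.77", 123, 1),      # camera -> internet, short
]


def audit_camera_flows(flows, long_lived=3600):
    """Return (kind, src, dst, port) for camera-initiated flows outside the allow-list."""
    findings = []
    for src, dst, port, duration in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in CAMERA_NET or d in ALLOWED_PEERS:
            continue  # not started by a camera, or an approved peer
        if any(d in net for net in INTERNAL_NETS):
            kind = "lateral"            # camera reaching other LAN devices
        elif duration >= long_lived:
            kind = "persistent-egress"  # standing outbound session: tunnel candidate
        else:
            kind = "egress"             # outbound phone-home style connection
        findings.append((kind, src, dst, port))
    return findings


if __name__ == "__main__":
    for finding in audit_camera_flows(SAMPLE_FLOWS):
        print(*finding)
```

Destinations are classified against an explicit RFC 1918 list rather than `is_private`, because Python treats the documentation ranges used as sample internet addresses here as private.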

A report from research group Freedonia explains that the ban includes specifically telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, or video surveillance equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company. There is also wording that suggests the barring of the purchase of any such equipment produced by an entity believed to be owned or controlled by the Chinese government.

Additionally, beginning in August 2020, these government agencies will also be barred from entering into, extending, or renewing a contract with an entity that uses any of the above-mentioned telecommunication and video surveillance equipment.

This second provision is most concerning to the specified firms, uncertain about how broadly the ban will be interpreted.

The South China Morning Post reported that both Dahua and Hikvision share prices took a dive on the basis of this news, and that Hikvision stated: “The ban itself will not have substantial impact on the company’s business. But due to its unclear points and semantic ambiguity in some terms, the bill might generate broader interpretations, which could extend the ban from federal agencies to non-federal installations [from using our products].”

According to Jennifer Mapes-Christ, Senior Analyst and Manager of the Consumer & Commercial Goods group at the Freedonia Group, “The US government market for video surveillance systems is expected to exceed $700 million by 2021.”

“China-based firms are becoming increasingly important suppliers to the US video surveillance market. Hangzhou Hikvision has been a rapidly growing player, rising to one of the top 5 firms by 2016, due to its ability to compete on both price and quality.” Mapes-Christ continues, “The manufacture of video surveillance products has largely shifted to Asian countries. Imports – the lion’s share of which come from China – now account for nearly all of the video surveillance equipment sold in the US.”

The wider impact in terms of the confidence of international markets has to be a further consideration, as the bill will almost certainly make other authorities consider the question of the integrity of these products.

Dahua’s main and public response has so far been based around the fact that the company is not a “government owned entity” as it is publicly traded on the Shenzhen stock exchange.

Hikvision, on the other hand, according to Freedonia, is said to be setting up a team to provide a more accurate interpretation of the bill and determine possible ramifications. The report also says that Hikvision claims the bill’s ban is based on insufficient evidence, review or investigation.

Bottom Line: Both official Hikvision devices and OEM brands selling Hikvision hardware are affected. The brands include, for example, some models from ADI, Annke, Digital Watchdog, Honeywell, Hunt, Lorex, Swann, TrendNet and many more. The complete OEM list is available at:
https://ipvm.com/reports/hik-oems-dir