Hikvision Now Requires Installers To Update Firmware On A Regular Basis

JH
John Honovich
Nov 02, 2017
IPVM

Hikvision now requires installers to update firmware on a regular basis according to Hikvision's VP of Sales at the Security Industry Association's Securing New Ground Conference:

Hikvision itself refused to respond to IPVM's multiple requests for comment.

We suspect this cannot be a requirement, since enforcing it would be hard (how could they prove it? what penalties would they enforce if the installer did not?). Moreover, there could be real practical problems, e.g., newer versions of firmware may not work properly with the 3rd party systems they are being used with, etc. Also, there is the time involved to check new firmware upgrades, validate no problems occur, roll them out to each client, etc.

On the other hand, Hikvision's cybersecurity problems have been so significant perhaps they need to go to such extreme ends to fix their issues.

Hikvision dealers we spoke with said they had not heard of this. It could be this is happening but just another instance of bad communication with their dealers or Hikvision may be willingly allowing false information to be published by SIA just to spite IPVM.

Each Hikvision dealer will, unfortunately, have to find out themselves.

That noted, what do you think about requiring installers to update firmware?

(1)
(2)
UI
Undisclosed Integrator #1
Nov 02, 2017

Interesting approach similar to one adopted by the alarm industry.

Alarm contracts typically require the subscriber to test their system into the monitoring station at least monthly.   Of course it’s a great idea for proper testing and operation. 

It has a substantial benefit to the alarm company when it turns out for some reason the account hasn’t been transmitting alarms for an extended period, like 10 years and the subscriber asks for a refund for services not provided. 

Sorry, we will give you a credit for (X) months, but you failed to test it.  Usually 1 to 3 months of credit. 

Hey, sorry you suffered a major hacking event, but we require you to check for new firmware and update your accounts monthly.  How many cameras did you install last month?

Hmmmmmm.....

(2)
LT
Larry Tracy
Nov 02, 2017

You can't get anyone to clean cameras much less upgrade firmware 

(4)
(7)
MM
Michael Miller
Nov 02, 2017

Who is going to update all the gray market Hikvision cameras?

(1)
(1)
JH
John Honovich
Nov 02, 2017
IPVM

The gray market Hikvision, by definition, are not being sold to Hikvision authorized partners and would therefore not fall under such a requirement.

Though it is certainly a good point, more generally. There continues to be plenty of gray market cameras being sold and those, by design and Hikvision's indifference, cannot be upgraded without being bricked or reverting back to Chinese, etc., and therefore are prime targets for hacks.

(4)
U
Undisclosed #2
Nov 02, 2017

Why not just demand all their integrators learn to fox trot?

Enforcement efforts would be identical.

(4)
(5)
UM
Undisclosed Manufacturer #3
Nov 02, 2017

Sounds like a publicity stunt to simply limit liability.  Question is...will it hold up if challenged legally?

(2)
U
Undisclosed #4
Nov 02, 2017

Perhaps the whole story is more than a tweet long. What they could do is give out "Certified Hikvision Integrator" badges for those who follow useful procedures to make the effort of securing the cameras, and making sure all that is documented nicely.

UI
Undisclosed Integrator #5
Nov 02, 2017

In the alarm industry there are lots of warnings and admonitions printed on installation manuals along with various stickers to be applied to keypads and alarm panels that read "test weekly."  To comply with UL there is a testing frequency as well. Alarm contracts contain language that puts a responsibility on the end user to frequently test their alarm system. I don't know who really follows these warnings or complies with the contract language and test their equipment on a routine basis.

It's apparent that security equipment manufacturers and integrators  put these warnings in their documents in an attempt to limit their liability and they, most likely, realize few people if any will test at such frequent intervals.  But, a printed warning may shift the burden onto the user to discover a malfunction or other issue.    No doubt Hikvision is aiming for the same legal concession along with a mitigating response in the face of bad publicity.

(1)
U
Undisclosed #4
Nov 02, 2017

I wonder why they can't just test themselves... 🤔

UI
Undisclosed Integrator #5
Nov 02, 2017

Alarm systems do test themselves, to a certain degree.  There is a communication test that automatically sends what is called a "test timer" signal to the central station.  There is bell output supervision, supervised zones, RF jamming supervision, smoke detector sensitivity supervision, telephone line fault supervision, etc.

But, if a magnetic contact sticks closed, these supervision features will not detect the inability of the contact to open.  Will the smoke detector actually detect smoke and will its contacts work to trigger the alarm?  Will the motion detector see motion at its rated distance or has it drifted to less than half the distance?  Will a glass break function when necessary?  A lot of these issues can only be tested manually rather than through firmware and software.

(1)
(1)
UI
Undisclosed Integrator #1
Nov 02, 2017

In the old dial up days, local lines were cheap but central stations charged for daily or weekly test timers, therefore many were turned off.   Open/Close status cost, also turned off most times. 

Along with the added cost to the dealer that an end user didn’t appreciate or want to pay for, there was the inconvenience of the phone line disconnecting to send the message. 

These all sound silly with today’s technology, but it was an issue when sending events over POTS lines.

Some dealers sent all regardless, for their own protection and just logged them. 

(1)
UI
Undisclosed Integrator #6
Nov 02, 2017

Hmm... From my experience it takes about 10 minutes to remotely upgrade the firmware for a single camera and then confirm settings.

I currently have ~1500 HikVision cameras nationwide that my team is responsible for.

  • A Little Math:
  • (10 Minutes per Camera)*(1500 Cameras)=15000 Minutes
  • (15000 Minutes)/(60 Minutes) = 250 Man Hours
  • (250 Man Hours)*(~15.00 Dollar per Hour) = $3750

That is just the rough estimate of what it took to get the cameras to v5.4.5 for the most recent exploit. Now they want me to try and pull this s*** every time they f*** up. Really makes you wonder why we have slowed (I really want to say stopped, but one large customer fell in love with their cameras) down selling your brand HikVision.

 

(1)
(2)
UI
Undisclosed Integrator #7
Nov 02, 2017

Can Hikvision cameras not upgrade in parallel? 

UI
Undisclosed Integrator #6
Nov 02, 2017

Yes, HikVision Cameras can be upgraded in a parallel manner over the LAN.

  • You can use the 'Batch Upgrade Tool' to upgrade multiple cameras of the same model.
  • You can also chain update the cameras (i.e., start Camera 1, then Camera 2...).

The only issue with upgrading multiple cameras at the same time is I risk crashing the network in my current environment. If I was on the LAN it wouldn't be an issue, but most of the cameras I have are spread across all 50 states in the U.S. 

 

*Begin Rant*

It would be really nice if I could load firmware to the NVR and then have the NVR push the firmware to the cameras. It would also be really nice if you could pre-load a version of the firmware to the camera and then run the firmware update once it has finished loading.

*End Rant*

(3)
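The planning problem in the comment above (find the cameras still below v5.4.5, then upgrade in parallel without saturating any one remote site's link), as an added Python sketch that is not from the thread or from any Hikvision tool. The inventory, site names, build strings and the per-site concurrency cap are constructed assumptions; the 10-minute figure and v5.4.5 come from the thread.

```python
from collections import defaultdict

MIN_VERSION = (5, 4, 5)      # patched version named in the thread
MINUTES_PER_UPGRADE = 10     # per-camera estimate from the thread

# Constructed sample inventory (names, sites and builds are made up).
INVENTORY = [
    {"name": "cam-01", "site": "site-a", "firmware": "V5.4.0 build 000000"},
    {"name": "cam-02", "site": "site-a", "firmware": "V5.4.5"},
    {"name": "cam-03", "site": "site-a", "firmware": "V5.3.6"},
    {"name": "cam-04", "site": "site-a", "firmware": "v5.4.4"},
    {"name": "cam-05", "site": "site-b", "firmware": "V5.4.10"},
    {"name": "cam-06", "site": "site-b", "firmware": "V5.2.0"},
]

def parse_version(text):
    """'V5.4.5 build 170123' or 'v5.4.5' -> (5, 4, 5).
    Numeric tuples avoid the string-compare trap where '5.4.10' < '5.4.5'."""
    core = text.strip().lstrip("vV").split()[0]
    return tuple(int(part) for part in core.split("."))

def plan_rollout(inventory, per_site_limit=2):
    """Group out-of-date cameras by site, then split each site into waves
    of at most per_site_limit simultaneous upgrades (assumed WAN cap)."""
    stale = defaultdict(list)
    for cam in inventory:
        if parse_version(cam["firmware"]) < MIN_VERSION:
            stale[cam["site"]].append(cam["name"])
    plan = {}
    for site, names in sorted(stale.items()):
        names.sort()
        plan[site] = [names[i:i + per_site_limit]
                      for i in range(0, len(names), per_site_limit)]
    return plan

def estimate(plan):
    """Return (serial_minutes, parallel_minutes). Serial is one camera at
    a time; parallel runs all sites at once, waves in sequence per site."""
    cameras = sum(len(wave) for waves in plan.values() for wave in waves)
    longest = max((len(waves) for waves in plan.values()), default=0)
    return cameras * MINUTES_PER_UPGRADE, longest * MINUTES_PER_UPGRADE

if __name__ == "__main__":
    plan = plan_rollout(INVENTORY)
    print(plan, estimate(plan))
```

The estimate covers elapsed upgrade time only; the time to confirm settings afterwards still scales with the number of cameras.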
MM
Michael Miller
Nov 02, 2017

*Begin Rant*

It would be really nice if I could load firmware to the NVR and then have the NVR push the firmware to the cameras. 

*End Rant*

 

Avigilon has been doing this for years.

(2)
UI
Undisclosed Integrator #7
Nov 05, 2017

Remember the Hikvision and other Chinese developers had hacked an iOS/Android malware push of early 2015 with their latest update.  Avigilon is a different, more trusted source for the firmware update.

(1)
UI
Undisclosed Integrator #1
Nov 05, 2017

I have watched the update process be too automatic.  The company was testing a camera on a new server and then had to install on a large system that was a version behind.

I believe Lenel does a great job by identifying old versions and allowing you to schedule when the update will happen on Mercury controllers.

(1)
MM
Michael Miller
Nov 05, 2017

I have done this hundreds of times and not had any issues.  Would the cameras not connect with the newer firmware?   If you know how to manage the firmware folder on the server you can stop the automatic upgrades from happening or make it push a specific firmware out to the cameras. 

UE
Undisclosed End User #8
Nov 02, 2017

This is why the VMS platforms need to adopt Federated Camera Patching Management, yes each camera supplier has their own tool and some do it better than others but when you manage 100k+ devices from multiple suppliers it just becomes unmanageable.

Not saying a top tier VMS needs to go every single device out there but use the camera APIs and take advantage of your strategic camera partnerships.  Put yourself in the shoes of a VERY LARGE user who has mandates to keep patching current.

(3)
UM
Undisclosed Manufacturer #9
Nov 02, 2017

Check out ONVIF Device Manager. It can perform firmware updates on some devices using a standard and not a manufacturer specific tool.

(1)
(1)
UI
Undisclosed Integrator #10
Nov 05, 2017

Used ONVIF myself and agree it is nice for some issues, not all.
