Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

John Honovich
Nov 29, 2017
IPVM

This is an open letter to Chuck Davis, Director of Cyber Security at Hikvision USA.

A Hikvision document states that Hikvision has disabled ONVIF by default for 'security reason':


We are hoping you can help. When you started, you said that you intended to improve communication with the public. This would be a good topic since Hikvision is effectively criticizing ONVIF and raising concerns about the industry's de facto interoperability standard.

Questions:

  • What is the 'security reason' here? Is the security reason inherent in ONVIF or is it simply Hikvision's own implementation?
  • If there is a 'security reason' to disable it by default, does enabling it create a vulnerability?

Answering this would not only help your partners and customers but would establish greater credibility for Hikvision as it attempts to repair its 'PR problem'.

Undisclosed #1
Nov 29, 2017
IPVMU Certified

I’m not Chuck Davis, but if you don’t mind, my thoughts are:

Is the security reason inherent in ONVIF or is it simply Hikvision's own implementation?

Perhaps neither; disabling ONVIF by default can be viewed as an attempt to reduce the attack surface.

On the other hand, they could have let it be enabled if it was already enabled, and merely changed it to disabled after soft/factory reset, but they didn’t.

A possible reason that they didn’t is that since ONVIF was enabled by default, it likely would still be enabled on most cameras in the field, even though it may never have been used, because they are often sold with/for their own recorders.

Leaving it enabled (and ensuring that it continues functioning after the upgrade) would have required them to duplicate the native user credentials into a new ONVIF one, which might seem strange for users that weren’t even using ONVIF.

But doing it the way they did it ensures that ONVIF is off for cameras not using it, which is likely a large portion of the total out there.

Of course, this has the side effect of fouling up everything for people who were using ONVIF.

Finally, don’t mistake my explanation as an apologetic for Hik; there are better ways to handle the situation, for instance, when upgrading (non-batch mode), it could ask you, “Do you want ONVIF enabled?” and if yes, then duplicate the users.

Undisclosed Manufacturer #2
Nov 29, 2017

What about not duplicating the users and just having 1 set of credentials that works across their API & ONVIF?

Having multiple sets of credentials increases the attack surface, as it makes it easy to forget about a set of credentials, even after changing/disabling specific accounts, since there are 2 databases.

John Honovich
Dec 19, 2017
IPVM

Update: still no comment anywhere from Hikvision about this but ONVIF responded to our question online, copied below:
