Guy Spends $500 And Hours Fixing Hikvision ONVIF Upgrade Break

JH
John Honovich
Nov 20, 2017
IPVM

An interesting follow up to our report from 3 weeks ago: Hikvision Upgrade Breaks ONVIF VMS Integration

A guy posted to IPCamTalk:

The cameras I tested with originally had/have 5.4.5 on them and work as expected. I have been scouring through the forums trying to find any solution. The most recent cameras I puchased all have 5.5.0 on them. If there is anyone that can help me with a process to downgrade them to 5.4.5 there is $500 reward. 

This is resolved after someone points out 5.5.0 disables ONVIF and the guy confirms that he is using Hikvision's cameras with Geovision's NVRs.

These negative experiences clearly hurt customers impacted and are likely to hurt future Hikvision sales as these customers factor in such problems.

And in the 3 weeks since we drew attention to this issue, Hikvision has done nothing publicly to clarify or help their customers being impacted by this nor have they attempted an explanation of why this very rare move was needed.

Feel free to counter that everyone should read release notes and everyone should test firmware prior to rolling it out, but the reality is that many or most do not. Hikvision either needs to recognize this or they can continue punishing their customers with their systems mysteriously breaking.

I think Hikvision and their customers would be better off avoiding that, but if Hikvision is determined to punish their customers, so be it. 

 

U
Undisclosed #1
Nov 20, 2017
IPVMU Certified

Incidentally, is there actually a Hik restriction about downgrading firmware?  Just for this version?

UD
Undisclosed Distributor #2
Nov 20, 2017

So why doesn't he simply enable ONVIF as per the readme notes and be done with it. Genetec removes Hikvision from camera list and that's good for the industry, Hikvision creates another layer of protection on their cameras and it's a conspiracy.

Avatar
Brian Karas
Nov 20, 2017
IPVM

I asked this in another thread about the Hikvision/ONVIF topic:

Is Hikvision claiming that ALL implementations of ONVIF are insecure, and should be off by default, or are they only claiming their OWN implementation of ONVIF is insecure and should be off by default?

 

(1)
(1)
Avatar
Sean Nelson
Nov 20, 2017
Nelly's Security

This may sound alarming but nothing new in the world of tech support. Even before the Onvif requirement, there were still steps we had to take to add Hikvision and/or Dahua cameras to 3rd party recorders. The "illegal login lock" is one to name a few. You will get exhausted posting every technical support issue one has with a product.

Unfortunately, jumping thru hoops to improve security is the world we live in. In other words, adding security layers oftentimes means adding inconvenience. Just think about all the ridiculous passwords and security questions you have to remember in your daily travels. And lets not forget Genetec's "security feature" which bans Hikvision cameras by default, that is arguably way more inconvenient than what Hikvision just did with Onvif.

If this makes a more secure product, I'm ok with it and good move by Hikvision. 

(1)
(1)
JH
John Honovich
Nov 21, 2017
IPVM

If this makes a more secure product, I'm ok with it and good move by Hikvision.

Does it? Still waiting for any form of a statement from Hikvision. It is a shame that they hire a cybersecurity professional like Chuck Davis and then prevent him from doing his job.

Regardless of security, one thing is for sure. Each of these moves increases the average time and complexity of setting up and troubleshooting Hikvision systems, which is a real business concern.

Avatar
Jon Dillabaugh
Nov 21, 2017
Pro Focus LLC

Honestly, all of these types of issues (ONVIF, Illegal Login Lock, Platform Access, UPnP, etc) can easily be solved with a config import. I generally have a current export of the base settings we use on a day to day basis. This saves time turning on/off all of the mundane settings, setting up date/time/dst/ntp/etc. I will have an export for each model. It saves tons of time.

Step 1 - set IP

Step 2 - update firmware

Step 3 - import config

Step 4 - verify everything

Step 5 - aim and focus

Step 6 - connect to VMS

(1)
(3)
UI
Undisclosed Integrator #3
Jan 30, 2018

The main issue with this is the fact the batch config tool does not copy the Onvif settings in FW 5.5. from the master camera.

This means having to do it manually for each camera.

Causes headaches for techs with Onvif test monitors also.

They need to update the batch tool to cope as a minimum, no fun when you have hundreds of cameras to commission.

(2)
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions