#1, thanks for sharing. We are looking into the details of this. The idea sounds good, trying to understand how it is implemented and what restrictions or issues might exist. We will need at least a few days to research. Thanks again.
U1, I find this interesting and positive move by Hikvision.
Only one question: how can you know that the firmware binaries are actually built from the reviewed source code? Can that be verified somehow?
Jeffery’s letter today invites “government agencies in the United States and Canada to review the source code for a wide array of select IP cameras and NVRs sold by Hikvision.”
While I don’t personally know bashis, I think I’m secure in assuming he doesn’t work for any US or Canadian gov agencies. I could be wrong.
This is more hollow cyber security commitment from Hikvision, all appearance and no substance.
Hikvision, and their defendants, will point to this as "proof" that the company is secure and open, embraces cyber security, etc.
I see a number of issues with this:
It is only available to governments? They do not even welcome or allow cyber security researchers?
The average government organization does not have any cyber security developers on staff that could properly audit source code for embedded devices (particularly at the level of smaller cities and similar entities that Hikvision has been able to attract).
You have to make a request and then spend money to go out to CA (though Hikvision would probably agree to pick up the tab for larger potential customers). This is disruptive and would put most researchers at a disadvantage, unless they are allowed to bring in multiple laptops, have unfettered internet access, etc.
No mention of what happens when a vulnerability is found. Do people have to sign an NDA preventing them from any form of responsible disclosure of discovered vulnerabilities? Does Hikvision think they will be able to just silently patch things and not make customers aware of newly discovered vulnerabilities (and this WILL happen if they allow any competent people in to review the code)?
What form of checksumming can be done by the customers to ensure the code they run in production is exactly the same as what was reviewed?
Who is really going to go for this anyway? Anyone who distrusts their code already is unlikely to go out to CA and spend several days doing Hikvision's QA work for them.
I do give Hikvision credit: this is a clever way to continue to claim they take cyber security seriously without actually doing much heavy lifting.
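One way to do the checksumming the post above asks about, as an added example that is not Hikvision's or IPVM's code: a small verifier that compares deployed firmware components against a digest manifest recorded at review time (the manifest format, component names and blobs are constructed assumptions).

```python
"""Verify deployed firmware components against a digest manifest recorded
during a source-code review. Added example; the manifest layout and the
component names/blobs are constructed assumptions, not a vendor format."""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the images produced by the reviewed build.
REVIEWED_BLOBS: Dict[str, bytes] = {
    "kernel.img": b"constructed kernel image v1",
    "rootfs.sqfs": b"constructed root filesystem",
    "webapp.bin": b"constructed web application",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(blobs: Dict[str, bytes]) -> str:
    """Manifest as a reviewer would record it: '<component> <sha256>' per line."""
    return "".join(f"{n} {sha256_hex(d)}\n" for n, d in sorted(blobs.items()))

def parse_manifest(text: str) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # A digest must be exactly 64 hex chars; reject anything else loudly.
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        entries[parts[0]] = parts[1].lower()
    return entries

def verify_deployment(manifest_text: str,
                      deployed: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Return (ok, findings). Mismatched, missing or extra components all fail:
    an extra, unreviewed component is as much a finding as a changed one."""
    expected = parse_manifest(manifest_text)
    findings: List[str] = []
    for name, digest in expected.items():
        if name not in deployed:
            findings.append(f"MISSING {name}")
        elif sha256_hex(deployed[name]) != digest:
            findings.append(f"MISMATCH {name}")
    for name in deployed:
        if name not in expected:
            findings.append(f"UNREVIEWED {name}")
    return (not findings, findings)

if __name__ == "__main__":
    manifest = build_manifest(REVIEWED_BLOBS)
    tampered = dict(REVIEWED_BLOBS, **{"webapp.bin": b"constructed web application+1"})
    tampered["debugd"] = b"constructed component not in the review"
    print(verify_deployment(manifest, REVIEWED_BLOBS))  # (True, [])
    print(verify_deployment(manifest, tampered))        # (False, [...])
```

A match only shows that the shipped bits equal the build that was reviewed; tying that build back to the reviewed source is a separate reproducible-build question that this check does not answer.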
Some of the naysayers are funny. Hikvision is allowing the US govt to view their source code and you are "skeptical"? We keep hearing that Hikvision is so shady and they hide this and that and blah blah blah! Now here is Hikvision saying "Hey US govt, you think we are spying on you? Here is our damn source code, have at it and show us where we are spying on you! Donald, here, look!!!"
At any rate, it's been 12 days and I am awaiting the week-long IPVM headline on this article. I find it funny that we have to wait several days for something like this to make a headline, but the critical headlines are put up on a weekly basis in 0 seconds flat. IPVM could have even designed several hack maps within this time frame.
I do have to make a suggestion for the headline. "Hikvision openly invites the US Govt unadulterated access to their source code, proving they are the industry leader in cyber security" I know it's a long headline but it gets the point across...
How could you even twist this story? This is 100% positive no doubt about it! Boom Shocka Locka!
With bated breath I will continue to wait...
So the answer is "no they are not happy now."
From David Fitches:
Looks like HikVision are taking BIG steps to try and recover the reputational damage done by their recent spate of security flaws/"back doors" which have been aired on MANY sites (this one included).
For those who don't want to click the link:
HikVision are opening a Source Code Transparency Centre where, with an appointment and signature on an NDA, Government agencies and interested parties can review the source code for HikVision products.
The model they're using seems aimed at providing access to their NVR and Camera source code, whilst still protecting their Intellectual Property - and I personally think it's a bold move which should be applauded.
As anyone who knows anything about Open Source will tell you, one of its strengths has been the fact that anyone can review the source code to a project, and thus it is almost impossible to have hidden back doors in open source software. It also means that anyone can examine the code for flaws and vulnerabilities. End result: you get code which is as safe and secure as the community can collectively make it.
So while not making their source code 'open source' - by opening this centre, and thus their code, to review by others, HikVision obviously hope to prove that their code is as safe and secure as they can make it, and thus their PRODUCTS are safe and secure for use by others, and NOT open to state paid actors to penetrate at will.
I think HikVision deserve credit for this. Time will tell if the reputation payoff is what they hope it will be!
David had posted this in a new thread. I've copied it here so all discussion is in one place.
Update: Hikvision corporate has provided IPVM a response to questions raised in this thread. I am doing a final follow up to verify some information and I expect a post by early next week at the latest.
Even if you examine the source code, it does not mean there are not deliberate back doors in the camera. For example, there are multiple levels of source code in a camera. Are they including the source code for the SOC (microcode)? Would also need to include code for the design of (all) the silicon chips too. And my first question would be: does the camera use an OS (Operating System), and what is it? To make sure there are no backdoors in the camera, the task is too complex. I have already shown there are several levels that would need validation. The above does not include code (at any level) that creates a deliberate security vulnerability. It would be foolish to think that source code disclosure is of much value.