Subscriber Discussion

How To Really Protect The Channel...

Undisclosed #1
May 16, 2015
IPVMU Certified

Price shopping consumers are squeezing every last dime out of the hardworking men in the middle because of high availability of Internet pricing.

Is it really beyond the control of manufacturers to keep branded product off the likes of Amazon, eBay, Alibaba and AliExpress?

What about this approach?

Every camera would get a unique QR code and a unique root password when manufactured. The root password would not be recorded anywhere except on the manufacturer's servers.

Authorized dealers could download a mobile application that could scan the QR code and retrieve from the manufacturer's servers the root password and display it. Once unlocked, the camera would be the same as any standard camera. Application would not allow more than a certain number of unlocks over a given time period, to prevent mass unlockings.

Manufacturer would buy units from any internet venues offering product below MAP. If they were delivered unlocked, the manufacturer would de-authorize the dealer whose code was used to unlock it.

Authorized dealers would need resale certs. and credit terms to minimize sham accounts.

End-users receiving locked product would be directed by the manufacturer to a dealer who could charge a fee to unlock the camera.

Is anybody doing anything like this? Why not?

John Honovich
May 16, 2015
IPVM

"Authorized dealers could download a mobile application that could scan the QR code and retrieve from the manufacturer's servers the root password and display it."

Dealers are likely to complain about the time and annoyance involved (where is this mobile app? what do I do? i have to do this with every single camera).

How do you make sure only authorized dealers get this mobile app? What stops the CCTV Forum guys from sharing a link to that app so they can all happily buy cameras from China for half the price?

(1)
Undisclosed #1
May 16, 2015
IPVMU Certified

"What stops the CCTV Forum guys from sharing a link to that app?"

A personal ethos of integrity coupled with a healthy respect for the law?

Nothing.

But much in the same way that one can't use the free Bank of America app to transfer other people's money, a valid password protected dealer account would need to be logged in before the camera's root password would be transmitted from the server to the app.

Of course a dealer could post their credentials as well as the app, and this might work for a few cameras until standard abuse detection mechanisms (concurrent access, multiple far-flung IPs) shut down the rogue CCTV pirates. In any event, they still didn't get the camera for free, just below MAP.

As for the pain in the ass factor, instead of just saying 'STFU, you want channel protection or not?', I think you could actually make the process a benefit to the dealers.

How?

First off, part of the pain in the ass is having to set up each camera one by one, but this is inevitable anyway because the dangers of default passwords are pushing manufacturers to remove them.

In addition, these all alpha passwords would be simple more akin to type, for instance, 'wruq'. Even a four letter password provides > 7 million permutations. Camera would need a reboot after say 20 incorrect guesses, so not realistic to brute force crack.

In addition, the app could double as a password manager for all a dealer's cameras. In addition, as Brian pointed out, the QR code could be tied to any support history as well as give a forward date for warranty claims.

I think the biggest liability is the need for smartphone/PC access to the Internet, but this seems to be the way things are going in general.

(1)
Undisclosed #3
May 16, 2015

I voted a funny on the first three lines. The rest of your post is deeply insightful and I was not laughing. :)

Undisclosed #1
May 16, 2015
IPVMU Certified

Thanks. I just hope I don't provoke Soundy and the other cctv raiders... :)

Undisclosed #2
May 16, 2015

"In addition, these all alpha passwords would be simple more akin to type, for instance, 'wruq'. Even a four letter password provides > 7 million permutations."

It would take someone about 20 minutes to write a simple app that could brute-force a 4 character password quickly.

To prevent that you either need to make the password a LOT more complex, or you need to build additional stuff into the camera firmware to delay login attempts or detect brute-force attempts. This adds even more overhead to the R&D process, so that the manufacturer can ultimately sell LESS cameras.

Undisclosed #1
May 16, 2015
IPVMU Certified

"It would take someone about 20 minutes to write a simple app that could brute-force a 4 character password quickly."

It would take someone about 20 seconds to set the FAIL_DELAY parameter of /etc/login.defs. :)

But your point is not denied in any event, since writing a secure, robust mobile unlocking app, together with a reliable back-end password server would be a real development expense, not to be minimized.

Would it be worth it? Again, if any manufacturer truly sees worth in creating a controllable channel where they are not constantly fighting with their dealers over product visibility and availability issues, then maybe.

I didn't quibble with your 'sell cameras' charter before, but I'm sure you would agree that more foundationally it would be stated as 'make money'.

And therefore a well controlled channel with predictably fat margins might attract motivated dealers, sick of the double-speak and excuses coming out of their current partners. Both the dealer's and the manufacturer's margins would benefit, possibly creating greater profits on less units.

But I agree, to fully implement a controlled channel would take more commitment than most mfr's are likely to give. Though I would opine the reason they won't do it is more about the lost sales opportunities than the system development costs. Would you agree?

Undisclosed #2
May 16, 2015

"It would take someone about 20 seconds to set the FAIL_DELAY parameter of /etc/login.defs. :)"

In most cases you're not logging into the actual OS of the camera, and the standard user auth processes are not what are authenticating your login. Many times your credentials are being validated by a proprietary daemon/process that is part of the camera's "app" stack, not the "OS" stack.

For what you describe, there would need to be a massive re-write of internal software to manage all of this, and to do it *properly*.

I think it's mostly a thought exercise, but IMO what you propose would end up being a fairly significant undertaking, and I'm still not clear that it has any benefit to the manufacturer directly or indirectly.

The security "channel" is essentially a collective of people (dealers) that are all saying "if you do business this particular way (restricted product access) then WE will do business with you". However, when the end-users demanding direct access to product outweigh (or match) the collective dealer channel, the dealers will lose their voice/influence in how things go to market.

Nobody cares about "the channel", they care about selling the most amount of product overall. They will bow to the will of the largest customer. One day that is going to be the end-user, not the integrator.

(2)
Undisclosed #1
May 17, 2015
IPVMU Certified

"...your credentials are being validated by a proprietary daemon/process that is part of the camera's 'app' stack, not the 'OS' stack."

Whose homegrown authenticator doesn't contain any FAIL_DELAY type logic? Are you sure about that? It's the most basic form of brute-force protection, well-known by any system programmer worth his 'salt' and also the simplest to implement. For instance:

if(login_failed) sleep(1);

...

"Nobody cares about 'the channel'"

So it would seem.
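
The exchange above turns on whether a per-failure delay plus a lockout makes a four-letter password impractical to guess. The following C code is an added example, not code from the thread or from any camera vendor: it models an account-level throttle with the post's `sleep(1)`-style delay and the thread's 20-failure limit, then measures how long exhausting the keyspace would take. Assumptions: a 60-second lockout stands in for the forced reboot, the keyspace is 52^4 (the mixed-case reading that matches "> 7 million"), and all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define FAIL_DELAY_S 1   /* per-failure delay, as in the post's sleep(1) */
#define MAX_FAILS    20  /* the thread's "say 20 incorrect guesses" */
#define LOCKOUT_S    60  /* assumed stand-in for the forced reboot */
#define KEYSPACE     7311616ULL /* assumed: 52^4, four mixed-case letters */

/* One instance per account (not per connection), so parallel sessions
 * share the same counter. */
struct throttle {
    unsigned fails;       /* consecutive failures in the current window */
    uint64_t not_before;  /* earliest time the next attempt is evaluated */
};

/* Seconds the caller must wait before a credential check may run (0 = now).
 * While this is non-zero the submitted password must not be evaluated. */
uint64_t throttle_wait(const struct throttle *t, uint64_t now)
{
    return now < t->not_before ? t->not_before - now : 0;
}

/* Record the outcome of a credential check performed at time `now`. */
void throttle_record(struct throttle *t, uint64_t now, int ok)
{
    if (ok) { t->fails = 0; t->not_before = 0; return; }
    if (++t->fails >= MAX_FAILS) {
        t->fails = 0;
        t->not_before = now + LOCKOUT_S;
    } else {
        t->not_before = now + FAIL_DELAY_S;
    }
}

/* Time at which the last of `guesses` wrong attempts is evaluated when
 * each retry arrives the instant the throttle allows it. */
uint64_t exhaust_seconds(uint64_t guesses)
{
    struct throttle t = {0, 0};
    uint64_t now = 0;
    for (uint64_t i = 0; i < guesses; i++) {
        now += throttle_wait(&t, now);
        throttle_record(&t, now, 0);
    }
    return now;
}

int main(void)
{
    printf("full keyspace: %.1f days\n", exhaust_seconds(KEYSPACE) / 86400.0);
    return 0;
}
```

With these assumed values the full keyspace costs about 334 days of continuous attempts, against about 85 days with the one-second delay alone. The figures only hold if the counter is kept per account and survives restarts.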

Undisclosed #2
May 16, 2015

"Is anybody doing anything like this? Why not?"

Nobody is likely to do that.

Why?

Because when a "channel" needs that much protecting it's an indication the market has shifted.

Honestly, the manufacturers don't care *that* much. Their charter is to sell cameras. If providing some amount of friction to online sales/etc. helps them gain more dealer support, they will do so. If protecting the dealer becomes so difficult that they have to set up special manufacturer processes and "secret buyer" programs, then it's time to think about what the Market (the end-user) really wants.

Any business has to create their own value. A dealer/integrator needs to add enough value that the customer sees the benefit in purchasing through them. It's not sustainable to create artificial markup by choking the supply chain.

(6)
Undisclosed #1
May 16, 2015
IPVMU Certified

"Honestly, the manufacturers don't care *that* much. Their charter is to sell cameras."

That is their charter, for sure. Some seem to care more than others: You can't find much, if any, new Avigilon product online. This must come at some degree of effort. Sony, Axis, Hikvision, Dahua (in that order?), though, have more and more product and pricing out there.

So I would actually agree with you, though, that most don't seem to care enough. That's what I am really saying, not that I have some novel idea that will save the channel, rather that if you really wanted to protect the channel, like is often heard, this is one way.

The fact that no manufacturers are doing it, or something similar, could be cynically explained as wanting to have their channel and eat it too.

John Honovich
May 16, 2015
IPVM

"The fact that no manufacturers are doing it, or something similar, could be cynically explained as wanting to have their channel and eat it too."

Yes.

Though, I would add, within manufacturers the picture is more nuanced. From my interactions, usually RSMs are fairly adamant against online / non-dealer sales. If it was up to them, they would ban them, which makes sense given their relationships / quota / etc. However, it seems the higher up one goes in management, the less urgent an issue this is. That said, this does not describe every manufacturer, but I think it's a fairly common pattern.

(1)
Undisclosed #1
May 16, 2015
IPVMU Certified

"From my interactions, usually RSMs are fairly adamant against online / non-dealer sales..."

Is that because the RSMs have to deal with the ire of the dealers on a person by person basis, whereas the upper levels of management are only dealing with it as an abstract concept?

(1)
John Honovich
May 16, 2015
IPVM

Yes, that is my theory. I wouldn't go so far as 'abstract concept' for upper management but it is certainly less of a day to day pain for them.

(2)
Undisclosed #2
May 16, 2015

The typical RSM also gets no credit for online/web sales (though they will often get credit for sales through distribution in the current model).

RSMs have little, if any, incentive to support online sales, unless the sale is coming via one of their regional dealers. But that regional dealer is typically a non-value middleman in this case. It would be easier for the manufacturer to just sell/ship direct in that case.

If RSMs got some commissions for any product shipped into their region via any sales method, they'd more likely support online/web sales.

(1)