We Need A US Camera Testing Standard For Firmware Security

While I certainly echo your sentiment, there's so many complications to this. For every test tool, there would be a missed line of code, or unforeseen issue, for the best example, look outside the security industry: Spectre and Meltdown. Those were vulnerabilities no one was aware of for 20 years, and were applicable to billions of devices. I just don't know how feasible a firmware based testing platform would be. Its possible there would be someone from a manufacturer product design background that might be able to comment with a lot more experience.

You know what Urks me? Answer: Who cares!

Agree, and no joke from my side.

Seriously, we bemone security problems with our voting system, with our cyber, with everything

Welcome to reality, always been there, and will always be there.

yet we take no steps to check systems like surveillance systems

I have, and trying to do with some of them

most of them being produced in China or in some way are connected with China in their production chain.

Vulnerabilities and/or backdoors exist in non China products as well

 Dahua recently had the coding vulnerability that caused widespread goofiness. 

Yup, I know

Several other manufacturers have had issues.

Very true

Why cant we check the stuff before it goes on the market? Cant we mandate this?

For instance, using pure OpenSource - that is continuously and non-stop under review by OpenSource Community. Unfortunately I don't know any manufactures with pure OpenSource, but there are indeed few manufacturers who trying to get away from their legacy/in-house binaries, but that will be very hard to be pure OpenSource - if the manufacture are not willing to share their code. (Binaries doesn't count as OpenSource)

 I’m at a crossroads and I want to sell and install products that I know are not tainted in the firmware. How about you?

Guess everybody does, very hard to find any manufacture w/o any known, and more importantly (yet) unknown issues (publicly)

My 0.02$

What you're asking about sounds a lot like UL 2900

In a previous generation, we had NTSC standards. They were more about compatibility than security, but the application is similar, and by the way, the compatibility issues between of IP cameras and recording devices continues to mount. The FCC had the teeth to established standards to protect the American consumer and they had the ability to enforce their standards.  We have no such organization today. None. Zero. The watchdog groups have completely abdicated their responsibility to the consumer. The UL standard is a nice start. But who here honestly thinks it will pass?  Other UL standards about security have failed miserably. The biggest detractors?  Integrators. 

Do we need a government organization? I would like to think not, but the evidence says otherwise. I would like to think Manufacturers (and there are a lot of well-meaning people in that group) and integrators would put out the safest product possible, but how's that working? I would like to think consumers would educate themselves, but c'est la vie.  It is just not on their agenda. 

This is my whole problem with ONVIF. No enforcement capability. We as integrators have to come up with a completely different way of thinking about the security of security products.  They have just become another appliance, which really is what the IT industry wanted from the beginning, to commoditize security. But again I would ask, how is that working?

Go to the discussion group or board of your choice and for every one conversation about the security of security, there are 10 conversations about profitability. 

Until something or someone is given the authority to punish sloppy work, one way or another, it will not change. Consumers, for the most part sure don't seem to mind. If it affects price, they just don't want to hear it and if it requires work and study, they want to know who is going to cover that cost.  They just don't want life to get in the way of their family soccer outings. 

I would ask anyone this: Image quality aside (and that is not even close), are we safer with IP cameras than with Analog or Analog HD?  I have never, ever seen a map of Analog devices that were compromised posted on the internet. 

I am not a stick in the mud.  I am not advocating rolling back the clock "to the good ole days".  That is a useless stance, and I enjoy the IoT.  I like living in the here and now. But we seriously need to rethink what we do and how we do it. 

If we don't do something, and I mean soon, we are all going to pay that cost, and we will pay it the hard way. 

Rant over. 

First of all most analog cameras are IP cameras, that 1 foot long ethernet cable coming out of your 12 year old Pelco encoder still counts as a network. So don't assume you're not a cyber target if you only touch coax connectors.  I don't think the question is about IP vs. analog, it's about "does the vendor supply chain get it we expect a secure infrastructure".  Use of analog is a head-in-the-sand approach way too often.

Customers are acting.  There are people out there who will no longer tolerate shoddy devices on their networks.  P.s. that's  a country-of-origin-neutral comment.  That whole "you didn't get the purchase order" thing works to get vendor's attention, at least some of the time.

There are some government activities that relate.  As a package, they suck.  The safety act seems to certify bad stuff (because things past their secret test process doesn't mean it's safe, just means you're less likely to get sued.)  On the other hand it looks like any product that came out of the Fort Huachuca test labs with a decent score probably really is ok.  The FICAM process is happy to certify bad crypto and all sorts of other sins as long as you pass this week's version of the APL test process.  But, if you've got a camera that has a STIG and works in the context of DIARMF and 800-171 you may be fine.