ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved]

Duc Tran
Published Mar 09, 2016 05:00 AM

More than a year after massive hacks against Hikvision were disclosed, and more than 9 months after Hikvision issued improved security firmware, mega distributor and Hikvision OEM ADI still refuses to fix the well-known security risk.

ADI is still shipping W-Box IP Cameras using the exploited 5.2 firmware, with no option for the improved 5.3 release. We repeatedly encouraged ADI to fix this, with a public notice more than 5 months ago.
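The practical question for anyone who bought these cameras is which units are still on the exploited 5.2 line. The script below is an added example, not code from the original article nor from ADI or Hikvision: it takes the device-info responses exported from each camera and flags firmware older than 5.3. It assumes the camera answers an HTTP GET to /ISAPI/System/deviceInfo with XML carrying a <firmwareVersion> element, as Hikvision-derived firmware commonly does; the three sample responses and the host addresses are constructed for the example, not captured from real devices. Fetching the bodies (with credentials) is left to the reader so that the check itself runs offline.

```python
"""Flag Hikvision-based cameras (including OEM builds such as W-Box) whose
firmware predates the 5.3 security release.

Added example, not from the original article. It assumes the device answers
GET /ISAPI/System/deviceInfo with XML containing a <firmwareVersion> element,
which Hikvision-derived firmware commonly does; the sample responses below
are constructed for the example, not captured from real devices.
"""
import re
import xml.etree.ElementTree as ET

# First firmware line the article describes as carrying the security fixes.
MIN_SAFE_VERSION = (5, 3, 0)

_VERSION_RE = re.compile(r"V?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'V5.2.0 ...' into (5, 2, 0); None if no version is present."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def firmware_version_from_device_info(xml_text):
    """Extract the <firmwareVersion> value from an ISAPI deviceInfo response.

    Namespaces vary between firmware generations, so match on the local tag
    name rather than a fixed namespace URI. Returns None if the element is
    missing or the document does not parse.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "firmwareVersion":
            return (elem.text or "").strip()
    return None


def assess(host, xml_text):
    """Return (host, version_string, verdict) for one camera response."""
    version_text = firmware_version_from_device_info(xml_text)
    version = parse_version(version_text)
    if version is None:
        return (host, version_text, "unknown: could not read firmware version")
    if version < MIN_SAFE_VERSION:
        return (host, version_text, "VULNERABLE: pre-5.3 firmware, upgrade required")
    return (host, version_text, "ok: 5.3 or later")


# Constructed sample responses standing in for real cameras on the network.
SAMPLE_RESPONSES = {
    "192.0.2.10": """<?xml version="1.0" encoding="UTF-8"?>
<DeviceInfo version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema">
  <deviceName>IP CAMERA</deviceName>
  <firmwareVersion>V5.2.0</firmwareVersion>
</DeviceInfo>""",
    "192.0.2.11": """<?xml version="1.0" encoding="UTF-8"?>
<DeviceInfo version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
  <deviceName>IP CAMERA</deviceName>
  <firmwareVersion>V5.3.0</firmwareVersion>
</DeviceInfo>""",
    # A camera that refused the request: no version, so it is reported as unknown
    # rather than silently passing.
    "192.0.2.12": "<html><body>401 Unauthorized</body></html>",
}


def audit(responses):
    """Assess every (host, body) pair; returns a list of verdict tuples."""
    return [assess(host, body) for host, body in sorted(responses.items())]


if __name__ == "__main__":
    for host, version, verdict in audit(SAMPLE_RESPONSES):
        print(f"{host:15} {version or '-':10} {verdict}")
```

Two caveats a practitioner should keep in mind. A response that cannot be read is reported as unknown rather than safe, so an unauthenticated or unreachable camera is not mistaken for a patched one. And the version check only tells you which firmware line the camera runs; it says nothing about whether the factory default credentials were ever changed, which is a separate check.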

ADI's ******** '***'

*** *** ***** **** **** **** a '*****' *** *** ***** ** primarily * ***-** *******, ***** ******** *** weak ******* ********, ******* *** ******** ******** enhancements **** ********* *** ******** ** 5.3.


*** ****** **** **** "***** ******** **** seriously" *** ***** '*****' ***** *********. We ********* ***** ***** *-*** ***** and ****** **** ***** *** ******** measures **** ********* ********** *** **** other ********* **** **** *******.

Risks ******** ****** *******

*** ** * ******* ****** **** division ** *********, ** ******** ******** traded ******* **** ** $** ******* market *********.

*** ** ****** **** ******** ********** ********** *******, *********, *** ********** ** **** ******** that ***** ******* ******** *** ****** risky.

***** *** ********* ****** ********* ** cyber ******** ***** *** ***'* ******* to **** ****** *** **** * long ******, **** ******* ***** ****** company ** ********* ********* *** ***** customers ** ******** ********.

Background ** ********* *****

***** ******** ******* ** ***** ****, when ** *** ********* **** ********* was ****** ****** ******* ********** ********, following ******** ******* ** ********* ***** hacked ****** *** ***** (***: ********* ******* *********). ******, **** ********* ************* **** and *********'* ***** ******* *** ** be *********** ********* ** **** **** the ******.

Upgrade ********* *+ ****** ***

** ******** ** ****, ********* ************* improved ***** ******** ** ***** *** the **** ***** *** *********** **** exposures ** ***** *.* ******* **** April / *** ****. ******* ***** [**** no ****** *********] *** *** *.*.* ******** on ********** ******* **** *** ******** improvements.

***** ** ** ******* ** * Hikvision ****** **** *** ******** *.* software **** ********* ***** ** '******' security:

** ********, *** *** *-*** ****** that ***** **** *** *.* ******** is ******** ** ********* ** '*****':

ADI '***' ************ **** ** ***********

**** ** *** **** *** ***** has *** ***** ***** **** ** a "************", ********* ** ****** ******** goods, ******* **** ** ******* *** **** ***** ********* ** ***** *******.  

*** ***** ** ****, *** **************, associated **** * ***** * ************* supplier ** *******-********* ******* **** * camera ** ******** ** ****. **** ******** more *********** **** **** ****** * logo *** ******.

Warning ** *** *+ ****** ***

*********, *** **** (** ****** ** aware ** ****). ******,**** ****** * ******* ** **** ** September ****, ** **** **** ***, ***** dealers *** *** ***** ** ***** of **** ****. ** ********* ***'* President **** **** *** *** **** *** they *** ******* ** * ******** but ** ******* **** *** **** shared.

******** ********* ********* ***** **** * ***** answer ** ********* ********* *-***** *** ******** vulnerabilities, ** *** ** ****** ***.

Risk *** *** ******* ** ** ******** *** *****

******** ******** ***** ************, ********** *** budget-oriented ******** **** *-***, *** ****. The "** ** ***'* *****, ***'* fit **" **** ** *** ******* here, ****** ** **** **** *** cameras *** *********** "******".  ********* **** W-Box ******* *** *** ******* *** attack ******* ******* *** *** *-*** cameras, **** *** ***** * **** exploitable ******** ** *** ********'* *******.  In *** ****, ********* **** **** been ****** ** ****** ******* ******* ******, ****** ******* ***** ** *** to ******* *****, *********** ******** ***** functionality.  ** ***** **** ** ********** simple ** **** * ****** ****** replace **** ***** **** ****** ****** images, ** ****** ******** ****** ** a ***** ******.

******* ** ****, ***** *** ******* may ******** ** ***** ********* ******* *** 5 ** **** ** *****, *********** to ******** **** **** *** **** considered ***.

Other **** (********* ***-**) **** **** *****

*** ** ***'* ****** ***********, *******'* Tri-Ed *** ***, *** **** *** Hikvision, **** ***** / ******** ** the *.* ********. ***** ********* *** myriad ****, *** ** ** ********** to ****** ***, ***** ***** **** that ****** ** ******* ********* **** been **** ** ******* ****.

OEMing ********* **** ********

******* ********* ** *** ******* ******** of ******* ** *** *****, *** ADI ** *** ** *** ******* distributors ** *** *****, **** ***** their ******* ***** ********** *** ******* to ******, *** **** ******* ** the ****** ***** ***** *** *** sheer **** ** ***** ******* ********.

----

UPDATE ***** ** ****:

*** ********* ******* **** *** ******* a ***** *** *.* **** ******** fixes, **** ******** ******** *** ** full ** *****:

*** ***** ***** ******** **** ********* and ** ***** ****** *** ******** we ****.  ** ******* ******** ******* as ******** ******* *** ********** *** patches *** ***** *** ******* ** manufacturers. ** ****, ** ******** *** 5.2 ********** ***** **** ********* ** December ****, *** *********** **** ** available ** ********* ** ***********.**********.

** ******** ** **** *********:

*) ** ***** *** ****** **** current ** ******** ******* (**** * months) *-*** ******* ****** ** ******** to *.*?

*** **** ********* *** ** ******** via ******** *******. *** *.* ******** patch, ***** ** *** ***** ** your *******, *** ******** *** ****** to ***********.********** ** ********. ** *** ***** had **** ********* ** **** ******, and **** ******** ********** ** *** patch **********, *** ****** ***** ******* strong ********. 

*) **** ** *** ********* *** staying ** *.* ******* ** ********* to *.*?

*.* ** * ******* ******* **** included *** ******** ** **** ** a ******** *******. ** ******* ** issue * ***** ** ******* ********. 

*) **** *** ****** ** ***** 5.3 (** * ***** ******* ** in *** *****) ****** *** **** 30 ****? 

*** ************ ******* *** ******* **** and  ************ *** ******* ******** *********.

*) **** *** ****, ** **** to ***********, * **** ** ****** for ******* ** ** **** **** future ******** ******** *** *-***? 

** ******* ******** ******* ** ******** impacts *** ********** *** ******* *** ready *** *******. *** ******** ***** for **** ***** *** ******** ** December, **** ** ******** **. 

******* [*** *********]

*** ******** **** **** **** *-*** firmware **** *** ******* *** **** security ** *********'* *** *.* ********:

** ********** *** ******* ******** **** ****://********.***/********/***-********.*** [link ** ****** *********] *** ********* **** firmware ** * *-*** **** ****.  


** **** ******* *** ** *** for ********** ************* *** **** ****** with *** ********.

UPDATE ***** **, ****

** **** *** ******** *** ********** ******** from ***, ******* ******** ******** *** questions ** ****.  *** ******** ** ADI's ******* *.* ******** ******* ** still **** *** ******** * **** effort ** ***'* **** ** **** "cyber ******** **** *********".  ***** ** W-Box ******* ****** **** ********** *********** to ***** ****** ******* ******** ********* to *** ********.

UPDATE **** *, ****

*** *** ******* ***** *** *****, upgrading ** *.*. **** ** ****** *************** ****.* ********.

**** **** ***** *** ********** ******* now ******** ** *** *** *********, rejecting *** *** ******* ******** ** "wbox123", ********* * ********** *** ******* characters.

Comments (13)
John Bazyk
Mar 09, 2016
Command Corporation • IPVMU Certified

One of ADI's regional managers asked me about the wbox yesterday and if I wanted to use it. This was in the list of reasons not to.

DMP recently started white labeling Hikvision's IP cameras, an 8 channel NVR and 4 channel TVI encoder. They load their own settings in the firmware (and do not allow you to change them) and create a tunnel to DMP's Virtual Keypad Servers. They've basically created their own version of EZVIZ that isn't going to China and it's a lot easier to use.

(2)
(1)
John Honovich
Mar 09, 2016
IPVM

John, good feedback!

Related, how did the ADI rep position W-Box vs Hikvision or other branded products they sell?

(1)
John Bazyk
Mar 09, 2016
Command Corporation • IPVMU Certified

He believed w-box was a lower cost/quality alternative to Hikvision.

It seems like w-box is Hikvision leftovers from a couple of years ago. The hardware doesn't have many of the improvements Hikvision has made over the last couple of years. Small things like the IR illumination, the ring around the lens to prevent clouding from the IR at night. The overall build quality isn't as good.

It's also interesting to note, DMP's cameras are the latest from Hikvision and don't appear to be leftovers. ADI seems to be scraping the barrel with the w-box brand. Although, I really like the LCD monitors they sell.

(3)
Ethan Ace
Mar 10, 2016

Which cameras are you comparing, out of curiosity? The bullets we have, aside from the housing shape, are nearly identical in construction to Hikvision-labeled Hikvision. I do recall the IR pattern of the W Box being very slightly hotter in the middle than the Hik equivalent but that was about it.

(1)
Undisclosed Integrator #3
Mar 11, 2016

Ethan, I agree.

I have been offered to OEM Hikvision cameras and have been sent some for sampling; side by side with the WBOX they are almost one and the same. The only plus side my ADI rep gave me for the WBOX was that they could be acquired at a cheaper price point.

Undisclosed Integrator #1
Mar 09, 2016

W-Box does have some good products under it - cheap HDMI cables that work well (out to 50'), monitors, etc. However, this is a glaring, well publicized issue that seems easy enough to remedy. Is it that Hikvision must be paid to release firmware updates? I'm wondering if it is like dedicated laptop video cards used to be a few years back -- if Dell/HP/whomever wanted driver updates they had to pay the OEM for the new drivers. Therefore, laptop drivers tended to be woefully out of date without third party workarounds.

John Honovich
Mar 09, 2016
IPVM

"Is it that Hikvision must be paid to release firmware updates?"

I do not know but I have never heard anyone cite that as an obstacle. Also, since it is a security fix for a Hikvision issue, I doubt Hikvision is trying to make money off of this. And, even if that was the case, ADI is so huge they can certainly afford it.

Undisclosed #2
Mar 09, 2016
IPVMU Certified

Can the buyer just upgrade w-box using Hikvision 5.3 firmware from the Hik site?

If so, it sounds like the ADI feet dragging is related to a cost issue of touching each unit in inventory to upgrade.

If not, perhaps there is something about these units, as J.B. alludes that is different (new old stock), that prevents the obvious upgrade.

Ethan Ace
Mar 10, 2016

No, Hik firmware fails on W Box (and Northern, and likely other OEMs) cameras. Maybe you can do it with TFTP as people have alluded to elsewhere, but you can't simply load it.

(1)
(1)
Undisclosed #2
Mar 10, 2016
IPVMU Certified

That sounds like it could be the answer. If ADI has a large inventory of unlabeled Hiks with old firmware that can only be upgraded to 5.3 by someone in this country opening the boxes one by one and manually using the tftp process, that's likely to eliminate most of the profit on a $60 camera, no?

And you can't really expect ADI to take a bath just for the sake of another 10,000 vulnerable cameras in the wild, can you? ;)

(3)
John Bazyk
Jun 03, 2016
Command Corporation • IPVMU Certified

Just got this in the mail. I noticed the wbox website had some new firmware the other day. It's a 3 page document.

(1)
Ethan Ace
Jun 03, 2016

Thanks, John, for the heads up! They've put that notice on their website, as well, along with the activation procedure. I'll get a camera out to confirm things as well.

Ethan Ace
Jun 06, 2016

I just updated a W Box bullet to 5.3 and confirmed. Here's the activation dialog:

(1)