ADI Finally Fixes Hikvision OEM'd Security Risk

Author: John Honovich, Published on Jun 09, 2016

After refusing for months to fix the obvious security risks, ADI has given in and fixed it.

Two important lessons here:

  • ADI knows little about technology or information security
  • Speaking up publicly about problems is key to getting them fixed

ADI Refuses at First

Not only did ADI refuse to fix it, their justification was shockingly incompetent.

Even though we alerted them to this in September 2015, when we followed up in March, it took them days and, according to them, "working with multiple engineering groups to confirm [their] response."

Their response was bizarre, emphasizing a 'patch':

If the patch had been installed in your camera, and your password configured as the patch recommends, the camera would reflect strong security.

Obviously Not Strong

The problem was the patch was simply an ignorable pop-up, not an actual fix to the underlying issues, like their supplier Hikvision did and the other OEMs implemented.

Obviously, an ignorable pop-up is not the 'strong security' that they claimed, something that Hikvision even made clear to them.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Now that ADI is a 'manufacturer', you would hope they could understand such basics. Unfortunately not.

Speaking Up / Fixing It

Our March 2016 article, ADI Refuses to Fix Their OEM'd Hikvision Security Risks, evidently was enough to push them to make the change. Between the thousands that read it on IPVM and the tens of thousands who received it in our newsletter, the word was out.

In May 2016, ADI finally rolled out the fix, and in their instructions, changing their position and admitting that with the new version:

The system will check the password strength; “Risky” passwords will not be accepted.

Their previous 'patched' version was clearly not 'strong', like they had claimed, and the risk remained. This new version at least brings ADI up to the level of current Hikvision.

It is all to easy for mega corporations like ADI to ignore private complaints but when concerns are raised publicly, the exposure helps raise enough attention and inquires that companies need to review their approaches and do better.

1 report cite this report:

Honeywell Dahua Backdoor Statement on Mar 14, 2017
Honeywell OEMs Dahua video surveillance products and has been affected by the Dahua backdoor, confirmed by Honeywell and IPVM testing. Here is...
Comments (0) : PRO Members only. Login. or Join.

Most Recent Industry Reports

May 2018 Camera Course on Apr 20, 2018
Save $50 on early registration until this Thursday, the 26th. Register now (save $50) for the Spring 2018 Camera Course This is the only...
Global Real-Time Video Surveillance - EarthNow on Apr 20, 2018
A new company, EarthNow, with backing from Bill Gates, Airbus and more, is claiming that: Users will be able to see places on Earth with a delay...
Dedicated Vs Converged Access Control Networks (Statistics) on Apr 20, 2018
Running one's access control system on a converged network, with one's computers and phones, can save money. On the other hand, hand, doing so can...
April 2018 IP Networking Course on Apr 19, 2018
This is the last chance to register for our IP Networking course. Register now. NEW - 2 sessions per class, 'day' and 'night' to give you double...
Rare Video Surveillance Fundraising - Verkada $15 Million on Apr 19, 2018
Fundraising in video surveillance (and the broader physical security market) has been poor recently. Highlights are few and far in between...
'Best In Show' Fails on Apr 19, 2018
ISC West's "Best In Show" has failed. For more than a decade, it has become increasingly irrelevant as the selections exhibit a cartoon level...
Security Camera Cleaning Frequency Statistics on Apr 18, 2018
150+ integrators told IPVM how often they clean cameras on customer's sites and why.  Inside we examine their answers and break down feedback...
Worst Access Control 2018 on Apr 18, 2018
Three access control providers stood out as providing the most problems for integrators. In this report, we analyze the answers to: "In the...
Axis VMD4 Analytics Tested on Apr 17, 2018
Axis is now on its 4th generation of video motion detection (VMD), which Axis calls "a free video analytics application." In this generation, Axis...
Arecont CEO And President Resign on Apr 17, 2018
This is good news for Arecont. Arecont's problems have been well known for years (e.g., most recently Worst Camera Manufacturers 2018 and starting...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact