ADI Finally Fixes Hikvision OEM'd Security Risk

Author: John Honovich, Published on Jun 09, 2016

After refusing for months to fix the obvious security risks, ADI has given in and fixed it.

Two important lessons here:

  • ADI knows little about technology or information security
  • Speaking up publicly about problems is key to getting them fixed

ADI Refuses at First

Not only did ADI refuse to fix it, their justification was shockingly incompetent.

Even though we alerted them to this in September 2015, when we followed up in March, it took them days and, according to them, "working with multiple engineering groups to confirm [their] response."

Their response was bizarre, emphasizing a 'patch':

If the patch had been installed in your camera, and your password configured as the patch recommends, the camera would reflect strong security.

Obviously Not Strong

The problem was the patch was simply an ignorable pop-up, not an actual fix to the underlying issues, like their supplier Hikvision did and the other OEMs implemented.

Obviously, an ignorable pop-up is not the 'strong security' that they claimed, something that Hikvision even made clear to them.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Now that ADI is a 'manufacturer', you would hope they could understand such basics. Unfortunately not.

Speaking Up / Fixing It

Our March 2016 article, ADI Refuses to Fix Their OEM'd Hikvision Security Risks, evidently was enough to push them to make the change. Between the thousands that read it on IPVM and the tens of thousands who received it in our newsletter, the word was out.

In May 2016, ADI finally rolled out the fix, and in their instructions, changing their position and admitting that with the new version:

The system will check the password strength; “Risky” passwords will not be accepted.

Their previous 'patched' version was clearly not 'strong', like they had claimed, and the risk remained. This new version at least brings ADI up to the level of current Hikvision.

It is all to easy for mega corporations like ADI to ignore private complaints but when concerns are raised publicly, the exposure helps raise enough attention and inquires that companies need to review their approaches and do better.

1 report cite this report:

Honeywell Dahua Backdoor Statement on Mar 14, 2017
Honeywell OEMs Dahua video surveillance products and has been affected by the Dahua backdoor, confirmed by Honeywell and IPVM testing. Here is...
Comments (1): PRO Members only. Login. or Join.

Most Recent Industry Reports

Instant Cloud For Hikvision - Manything on Apr 28, 2017
One ISC West exhibitor had a very specific and clear pitch - cloud for Hikvision: In this note, we examine their offering, key differentiators,...
Milestone GPU Enhanced VMD Tested on Apr 28, 2017
In their 2017 XProtect release, Milestone announced support for hardware accelerated video motion detection, touting a 2X increase in server...
Burglar Alarm Zoning Guide on Apr 28, 2017
The function of an alarm panel is to gather information from sensors and respond to this information by triggering actions. While it is possible to...
Avigilon Discontinuing Rialto Analytics Line on Apr 27, 2017
Avigilon is informing dealers/partners that the legacy VideoIQ Rialto products have been discontinued, recommending the newer ACC ES Analytics...
A Marketing Home Run For Knightscope - Man Attacks Robot on Apr 27, 2017
We criticize Knightscope regularly - their lack of revenue, their trying to fool mom 'n pop investors, their associating themselves with a clueless...
The World's First Fashion IP Camera From Amazon on Apr 27, 2017
Some analytics cameras can tell you if a person is jumping a fence, or loitering in a secure area, but none of them can tell you if the person...
Last Day - IP Networking Course May 2017 on Apr 26, 2017
Today is the last day to register for the May IP Networking Course. This is the only networking course designed specifically for video...
Hikvision EZVIZ Amazon Scam Revealed on Apr 26, 2017
Hikvision is violating US Federal Trade Commission guidelines and Amazon rules with a "Honest" Review Program scheme that provides gift cards to...
Anixter CEO Admits Price Deflation and Non-Exclusive Integrator Sales on Apr 26, 2017
Anixter's CEO has admitted to (1) price deflation impacting IP camera sales and (2) not always being 'exclusive' with security integrators. In...
Xandem Next Gen Intrusion Tested on Apr 26, 2017
Xandem's "full coverage motion tracking technology" is unlike any intrusion technology we have seen. We bought their new system and tested it...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact