ADI Finally Fixes Hikvision OEM'd Security Risk

By: John Honovich, Published on Jun 09, 2016

After refusing for months to fix the obvious security risks, ADI has given in and fixed it.

Two important lessons here:

  • ADI knows little about technology or information security
  • Speaking up publicly about problems is key to getting them fixed

ADI Refuses at First

Not only did ADI refuse to fix it, their justification was shockingly incompetent.

Even though we alerted them to this in September 2015, when we followed up in March, it took them days and, according to them, "working with multiple engineering groups to confirm [their] response."

Their response was bizarre, emphasizing a 'patch':

If the patch had been installed in your camera, and your password configured as the patch recommends, the camera would reflect strong security.

Obviously Not Strong

The problem was the patch was simply an ignorable pop-up, not an actual fix to the underlying issues, like their supplier Hikvision did and the other OEMs implemented.

Obviously, an ignorable pop-up is not the 'strong security' that they claimed, something that Hikvision even made clear to them.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Now that ADI is a 'manufacturer', you would hope they could understand such basics. Unfortunately not.

Speaking Up / Fixing It

Our March 2016 article, ADI Refuses to Fix Their OEM'd Hikvision Security Risks, evidently was enough to push them to make the change. Between the thousands that read it on IPVM and the tens of thousands who received it in our newsletter, the word was out.

In May 2016, ADI finally rolled out the fix, and in their instructions, changing their position and admitting that with the new version:

The system will check the password strength; “Risky” passwords will not be accepted.

Their previous 'patched' version was clearly not 'strong', like they had claimed, and the risk remained. This new version at least brings ADI up to the level of current Hikvision.

It is all to easy for mega corporations like ADI to ignore private complaints but when concerns are raised publicly, the exposure helps raise enough attention and inquires that companies need to review their approaches and do better.

1 report cite this report:

Honeywell Dahua Backdoor Statement on Mar 14, 2017
Honeywell OEMs Dahua video surveillance products and has been affected by the Dahua backdoor, confirmed by Honeywell and IPVM testing. Here is...
Comments (0) : PRO Members only. Login. or Join.

Most Recent Industry Reports

US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party)...
Pelco Sarix Pro3 Camera Tested on Oct 16, 2019
Pelco has released their Sarix Professional Series 3 cameras, claiming "more security detail in challenging scenes with excellent low light and...
IPVM Camera Calculator User Manual / Guide on Oct 16, 2019
Learn how to use the IPVM Camera Calculator. The guide below includes instructions, images, gifs, and videos demonstrating and explaining the...
Altronix Claims Tango 'Eliminates Electricians' on Oct 15, 2019
Power supply provider Altronix claims its new Tango power supply 'eliminates the need for an electrician, dedicated conduit and wire runs'. In...
Pelco CEO Out, Seeking New Industry CEO, New CEO Found on Oct 15, 2019
Just 2 months after Pelco was sold, Pelco's CEO is out, with Pelco bringing in an outside President and searching for a new CEO from the industry,...
Hikvision Dissolves North American Business Unit, Splits Canada and USA on Oct 15, 2019
Hikvision has dissolved its North American Business Unit, splitting up US and Canada operations as the PRC-government owned manufacturer faces...
Camera Focusing Tutorial on Oct 14, 2019
Camera focus is fundamental to quality imaging. Mistakes can significantly reduce details, making cameras less effective. In this guide, we...
"UL Has Blood On Their Hands" Alleges The Interceptor / Keith Jentoft on Oct 14, 2019
"UL has blood on their hands" alleges Keith Jentoft of "The Interceptor Project". We examined The Interceptor in-depth last year, see: The...
Access Control Course Fall 2019 - Last Chance on Oct 14, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...
Axis HD Analog Encoder Tested on Oct 11, 2019
Two years after declaring "Everything is IP", Axis has released their first HD analog encoder, the P7304, with support for AHD, CVI, TVI, and SD...