ADI Finally Fixes Hikvision OEM'd Security Risk

Author: John Honovich, Published on Jun 09, 2016

After refusing for months to fix the obvious security risks, ADI has given in and fixed it.

Two important lessons here:

  • ADI knows little about technology or information security
  • Speaking up publicly about problems is key to getting them fixed

ADI Refuses at First

Not only did ADI refuse to fix it, their justification was shockingly incompetent.

Even though we alerted them to this in September 2015, when we followed up in March, it took them days and, according to them, "working with multiple engineering groups to confirm [their] response."

Their response was bizarre, emphasizing a 'patch':

If the patch had been installed in your camera, and your password configured as the patch recommends, the camera would reflect strong security.

Obviously Not Strong

The problem was the patch was simply an ignorable pop-up, not an actual fix to the underlying issues, like their supplier Hikvision did and the other OEMs implemented.

Obviously, an ignorable pop-up is not the 'strong security' that they claimed, something that Hikvision even made clear to them.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Now that ADI is a 'manufacturer', you would hope they could understand such basics. Unfortunately not.

Speaking Up / Fixing It

Our March 2016 article, ADI Refuses to Fix Their OEM'd Hikvision Security Risks, evidently was enough to push them to make the change. Between the thousands that read it on IPVM and the tens of thousands who received it in our newsletter, the word was out.

In May 2016, ADI finally rolled out the fix, and in their instructions, changing their position and admitting that with the new version:

The system will check the password strength; “Risky” passwords will not be accepted.

Their previous 'patched' version was clearly not 'strong', like they had claimed, and the risk remained. This new version at least brings ADI up to the level of current Hikvision.

It is all to easy for mega corporations like ADI to ignore private complaints but when concerns are raised publicly, the exposure helps raise enough attention and inquires that companies need to review their approaches and do better.

Comments (1): PRO Members only. Login. or Join.

Most Recent Industry Reports

"WTF?!?!? Who is Brian Karas?!?" Exclaims Knightscope on Oct 21, 2016
Knightscope co-founder Stacy Stephens emailed us: He may not have intended to send it us and he probably can figure out who Brian Karas is,...
Security Consultants Speak Episode 1 - Protus3 on Oct 21, 2016
This is a first of a series of conversations with security consultants. If you are a security consultant that wants to talk and can share frank...
Sony and Samsung Breaking VBR on Oct 21, 2016
For years, users have known variable bitrate (VBR) as one thing only: bandwidth varies, compression stays the same. This is not an accident but an...
Pelco Matrix End Of Life - End Of An Era on Oct 20, 2016
Pelco Matrix switchers, once the pinnacle of large SD analog installations, are now literally impossible to build. The Matrix products were not...
Axis Video Revenue Down on Oct 20, 2016
An important milestone. Axis revenue for video products is down year over year. But Axis is now focusing on 'diversification'. In this report, we...
Worst Access Control 2016 on Oct 19, 2016
Two access control providers stood out as being the worst to work with for integrators. In this report, we analyze the answers to: "In the past...
Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month. Shamefully,...
China "Unswerving Leadership Over State-Owned Enterprises" Like Hikvision on Oct 18, 2016
The PR agency of the Chinese government declared: President Xi Jinping stressed the Communist Party of China's (CPC) unswerving leadership over...
Move Aside Cisco, Axis Has A Network Switch For Integrators on Oct 18, 2016
Cisco is a common choice for network switches, including in our Favorite Network Switches survey, but now Axis is releasing a 16 port PoE+ switch...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact