Problems of OEMing: How ADI Silently Switched From Hikvision To Dahua To Sunell

Published Jan 09, 2024 15:31 PM

The explosive arrest of a Dahua partner who allegedly defrauded the government with hidden NDAA-banned products has drawn attention to a broader problem facing buyers - how do they know what they are truly buying?


OEMing or relabeling (that is, one company passing off another company's product without substantial transformation) is an ongoing, critical problem. Hundreds of US companies do this (e.g., see OEM directories of Dahua, Hikvision, and Uniview). Typically, they change nothing more than the logo on the software and the camera case.

Mega security distributor ADI, a division of publicly traded Resideo, exemplifies this problem as, over the last decade, they have OEMed Hikvision, Dahua, and Sunell, and at no point directly disclosed these relationships. Nonetheless, IPVM has verified this in our ongoing testing.

In this note, we examine ADI's moves and how they show the problems that buyers face when buying from USA companies but receiving IoT products from PRC companies.

Background

For background, see IPVM test reports over the years that exposed each one:

End users of these products may be confused into thinking they are buying from a multi-billion dollar American company, not a PRC one.

OEMers Embrace Deceit

When IPVM discovered that ADI's Capture Cameras, its new "exclusive brand" at the time, were, in fact, made by Dahua, ADI refused to confirm, saying, "This information is proprietary and competitively sensitive."

This is a typical response from OEMers, who believe this information is somehow sensitive, proprietary, or confidential when it is fundamental information that is being hidden from people.

In the best case, OEMing is designed to allow a company to pretend that it makes its own products. At worst, it helps sellers obscure that they are sourcing from controversial, insecure, or banned manufacturers.

Even large and well-known companies like Honeywell engage in this practice. For years, Honeywell hid that its cameras and software were actually from Dahua. Like many OEMers, they claimed to improve their products' security independently but were still impacted by the same vulnerabilities that impacted Dahua.

Why This is a Problem

OEMing is a problem for federal government buyers (or those using federal funds) in particular. The NDAA ban prohibits them from purchasing Dahua or Hikvision products, some of the most widely OEMed manufacturers. But there is little way for these end-users to tell when products are relabeled, often short of disassembling them, unless sellers provide disclosure.

IPVM has reported on multiple cases of relabeled Dahua and Hikvision products being installed by federal or military agencies (e.g., 1, 2, 3).

Whether covered by the NDAA ban or not, buyers have a right to know where their products come from, irrespective of manufacturer. But for Dahua and Hikvision in particular, buyers should be able to consider the ethical and cybersecurity concerns raised, which OEMers benefit from hiding.

This differs from country of origin, where US law requires disclosing where a product is made. This helps greatly, though we are seeing a rise in worrisome, deceptive practices here as well, e.g., "PRC China TVT / Taiwan Hi Sharp / USA DW Manufacturing Relationship Investigated" and "How Dahua Avoids US Tariffs With Vietnam Assembly".

While it may be common in some industries, like commodities, to source from various manufacturers without disclosure, this is not acceptable for IoT products. IoT products are part of computer networks and are deployed for many years, rather than simply being consumed and disposed of, greatly increasing the risks.

This new arrest of a NJ dealer is rightfully bringing substantial attention to this concern, but it is important to keep in mind that OEMing and relabeling extend to even the biggest multi-billion entities in security, such as ADI.
