ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved]

By Brian Karas, Published Mar 09, 2016, 12:00am EST

More than a year after massive hacks against Hikvision were disclosed, and more than 9 months after Hikvision issued improved security firmware, mega distributor and Hikvision OEM ADI still refuses to fix the well-known security risk.

ADI is still shipping W-Box IP Cameras using the exploited 5.2 firmware, with no option for the improved 5.3 release. We repeatedly encouraged ADI to fix this, with a public notice more than 5 months ago.

ADI's ******** '***'

*** *** ***** **** **** **** a '*****' *** *** ***** ** primarily * ***-** *******, ***** ******** *** weak ******* ********, ******* *** ******** ******** enhancements **** ********* *** ******** ** 5.3.


*** ****** **** **** "***** ******** **** seriously" *** ***** '*****' ***** *********. We ********* ***** ***** *-*** ***** and ****** **** ***** *** ******** measures **** ********* ********** *** **** other ********* **** **** *******.

Risks ******** ****** *******

*** ** * ******* ****** **** division ** *********, ** ******** ******** traded ******* **** ** $** ******* market *********.

*** ** ****** **** ******** ********** ********** *******, *********, *** ********** ** **** ******** that ***** ******* ******** *** ****** risky.

***** *** ********* ****** ********* ** cyber ******** ***** *** ***'* ******* to **** ****** *** **** * long ******, **** ******* ***** ****** company ** ********* ********* *** ***** customers ** ******** ********.

Background ** ********* *****

***** ******** ******* ** ***** ****, when ** *** ********* **** ********* was ****** ****** ******* ********** ********, following ******** ******* ** ********* ***** hacked ****** *** ***** (***: ********* ******* *********). ******, **** ********* ************* **** and *********'* ***** ******* *** ** be *********** ********* ** **** **** the ******.

Upgrade ********* *+ ****** ***

** ******** ** ****, ********* ************* improved ***** ******** ** ***** *** the **** ***** *** *********** **** exposures ** ***** *.* ******* **** April / *** ****. ******* ***** [**** no ****** *********] *** *** *.*.* ******** on ********** ******* **** *** ******** improvements.

***** ** ** ******* ** * Hikvision ****** **** *** ******** *.* software **** ********* ***** ** '******' security:

** ********, *** *** *-*** ****** that ***** **** *** *.* ******** is ******** ** ********* ** '*****':

ADI '***' ************ **** ** ***********

**** ** *** **** *** ***** has *** ***** ***** **** ** a "************", ********* ** ****** ******** goods, ******* **** ** ******* *** **** ***** ********* ** ***** *******.  

*** ***** ** ****, *** **************, associated **** * ***** * ************* supplier ** *******-********* ******* **** * camera ** ******** ** ****. **** ******** more *********** **** **** ****** * logo *** ******.

Warning ** *** *+ ****** ***

*********, *** **** (** ****** ** aware ** ****). ******,**** ****** * ******* ** **** ** September ****, ** **** **** ***, ***** dealers *** *** ***** ** ***** of **** ****. ** ********* ***'* President **** **** *** *** **** *** they *** ******* ** * ******** but ** ******* **** *** **** shared.

******** ********* ********* ***** **** * ***** answer ** ********* ********* *-***** *** ******** vulnerabilities, ** *** ** ****** ***.

Risk *** *** ******* ** ** ******** *** *****

******** ******** ***** ************, ********** *** budget-oriented ******** **** *-***, *** ****. The "** ** ***'* *****, ***'* fit **" **** ** *** ******* here, ****** ** **** **** *** cameras *** *********** "******".  ********* **** W-Box ******* *** *** ******* *** attack ******* ******* *** *** *-*** cameras, **** *** ***** * **** exploitable ******** ** *** ********'* *******.  In *** ****, ********* **** **** been ****** ** ****** ******* ******* ******, ****** ******* ***** ** *** to ******* *****, *********** ******** ***** functionality.  ** ***** **** ** ********** simple ** **** * ****** ****** replace **** ***** **** ****** ****** images, ** ****** ******** ****** ** a ***** ******.

******* ** ****, ***** *** ******* may ******** ** ***** ********* ******* *** 5 ** **** ** *****, *********** to ******** **** **** *** **** considered ***.

Other **** (********* ***-**) **** **** *****

*** ** ***'* ****** ***********, *******'* Tri-Ed *** ***, *** **** *** Hikvision, **** ***** / ******** ** the *.* ********. ***** ********* *** myriad ****, *** ** ** ********** to ****** ***, ***** ***** **** that ****** ** ******* ********* **** been **** ** ******* ****.

OEMing ********* **** ********

******* ********* ** *** ******* ******** of ******* ** *** *****, *** ADI ** *** ** *** ******* distributors ** *** *****, **** ***** their ******* ***** ********** *** ******* to ******, *** **** ******* ** the ****** ***** ***** *** *** sheer **** ** ***** ******* ********.

----

UPDATE ***** ** ****:

*** ********* ******* **** *** ******* a ***** *** *.* **** ******** fixes, **** ******** ******** *** ** full ** *****:

*** ***** ***** ******** **** ********* and ** ***** ****** *** ******** we ****.  ** ******* ******** ******* as ******** ******* *** ********** *** patches *** ***** *** ******* ** manufacturers. ** ****, ** ******** *** 5.2 ********** ***** **** ********* ** December ****, *** *********** **** ** available ** ********* ** ***********.**********.

** ******** ** **** *********:

*) ** ***** *** ****** **** current ** ******** ******* (**** * months) *-*** ******* ****** ** ******** to *.*?

*** **** ********* *** ** ******** via ******** *******. *** *.* ******** patch, ***** ** *** ***** ** your *******, *** ******** *** ****** to ***********.********** ** ********. ** *** ***** had **** ********* ** **** ******, and **** ******** ********** ** *** patch **********, *** ****** ***** ******* strong ********. 

*) **** ** *** ********* *** staying ** *.* ******* ** ********* to *.*?

*.* ** * ******* ******* **** included *** ******** ** **** ** a ******** *******. ** ******* ** issue * ***** ** ******* ********. 

*) **** *** ****** ** ***** 5.3 (** * ***** ******* ** in *** *****) ****** *** **** 30 ****? 

*** ************ ******* *** ******* **** and  ************ *** ******* ******** *********.

*) **** *** ****, ** **** to ***********, * **** ** ****** for ******* ** ** **** **** future ******** ******** *** *-***? 

** ******* ******** ******* ** ******** impacts *** ********** *** ******* *** ready *** *******. *** ******** ***** for **** ***** *** ******** ** December, **** ** ******** **. 

******* [*** *********]

*** ******** **** **** **** *-*** firmware **** *** ******* *** **** security ** *********'* *** *.* ********:

** ********** *** ******* ******** **** ****://********.***/********/***-********.*** [link ** ****** *********] *** ********* **** firmware ** * *-*** **** ****.  


** **** ******* *** ** *** for ********** ************* *** **** ****** with *** ********.

UPDATE ***** **, ****

** **** *** ******** *** ********** ******** from ***, ******* ******** ******** *** questions ** ****.  *** ******** ** ADI's ******* *.* ******** ******* ** still **** *** ******** * **** effort ** ***'* **** ** **** "cyber ******** **** *********".  ***** ** W-Box ******* ****** **** ********** *********** to ***** ****** ******* ******** ********* to *** ********.

UPDATE **** *, ****

*** *** ******* ***** *** *****, upgrading ** *.*. **** ** ****** *************** ****.* ********.

**** **** ***** *** ********** ******* now ******** ** *** *** *********, rejecting *** *** ******* ******** ** "wbox123", ********* * ********** *** ******* characters.
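The update above describes two checks that matter for a defender with W-Box cameras in the field: whether a unit still runs firmware older than the 5.3 release that carries the security fixes, and whether it still uses the old default password "wbox123" that 5.3 now rejects. The following inventory audit is an added example, not code from the IPVM article or from ADI/Hikvision; the device names and version strings are constructed, and the 8-character floor and the "letters plus non-letters" reading of the new password rule are assumptions, since the article only says the firmware requires a mix of characters. Firmware versions are compared as numeric tuples so that a build such as 5.10 is not misjudged as older than 5.3 by string comparison.

```python
# Added example (not from the IPVM article): flag W-Box / Hikvision-OEM cameras
# that still run firmware older than 5.3 or still use the old default password.
from dataclasses import dataclass

FIXED_VERSION = (5, 3)            # release the article says carries the security fixes
OLD_DEFAULT_PASSWORD = "wbox123"  # default the 5.3 firmware rejects, per the update


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.2.5' or 'V5.3.0 build 150513' into a comparable numeric tuple.
    Tuple comparison avoids the string-compare pitfall where '5.10' < '5.3'."""
    token = text.strip().lstrip("Vv").split()[0]
    return tuple(int(part) for part in token.split(".") if part.isdigit())


def is_weak_password(password: str) -> bool:
    """Approximation of the 5.3 rule: reject the old default and require a mix of
    letters and non-letters. The 8-character minimum is an assumption."""
    if password == OLD_DEFAULT_PASSWORD or len(password) < 8:
        return True
    has_alpha = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    return not (has_alpha and has_other)


@dataclass
class Camera:
    name: str
    firmware: str
    password: str


def at_risk(cam: Camera) -> list[str]:
    """Return the reasons a camera is at risk; an empty list means it passes."""
    reasons = []
    if parse_version(cam.firmware)[:2] < FIXED_VERSION:
        reasons.append(f"firmware {cam.firmware} predates 5.3")
    if is_weak_password(cam.password):
        reasons.append("weak or default password")
    return reasons


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Camera("lobby-bullet", "V5.2.5 build 141201", "wbox123"),
    Camera("dock-dome", "5.3.0", "wbox123"),
    Camera("yard-bullet", "V5.3.0 build 150513", "Rx7!pq2m"),
    Camera("test-bench", "5.10.0", "Rx7!pq2m"),
]


def audit(inventory=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    """Map each camera name to its list of risk findings."""
    return {cam.name: at_risk(cam) for cam in inventory}


if __name__ == "__main__":
    for name, reasons in audit().items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

Running it on the constructed inventory reports the lobby bullet for both findings, the dock dome for the password only, and passes the two units that are on 5.3 or newer with a non-default password. In practice the firmware and credential fields would come from a device inventory export rather than the constants above.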

Comments (13)

One of ADI's regional managers asked me about the wbox yesterday and if I wanted to use it. This was in the list of reasons not to.

DMP recently started white labeling Hikvision's IP cameras, an 8 channel NVR and 4 channel TVI encoder. They load their own settings in the firmware (and do not allow you to change them) and create a tunnel to DMP's Virtual Keypad Servers. They've basically created their own version of EZVIZ that isn't going to China and it's a lot easier to use.

Agree
Disagree
Informative: 2
Unhelpful: 1
Funny

John, good feedback!

Related, how did the ADI rep position W-Box vs Hikvision or other branded products they sell?

Agree: 1
Disagree
Informative
Unhelpful
Funny

He believed w-box was a lower cost/quality alternative to Hikvision.

It seems like w-box is Hikvision leftovers from a couple of years ago. The hardware doesn't have many of the improvements Hikvision has made over the last couple of years. Small things like the IR illumination, the ring around the lens to prevent clouding from the IR at night. The overall build quality isn't as good.

It's also interesting to note, DMP's cameras are the latest from Hikvision and don't appear to be leftovers. ADI seems to be scraping the barrel with the w-box brand. Although, I really like the LCD monitors they sell.

Agree
Disagree
Informative: 3
Unhelpful
Funny

Which cameras are you comparing, out of curiosity? The bullets we have, aside from the housing shape, are nearly identical in construction to Hikvision labeled Hikvision. I do recall the IR pattern of the W Box being very slightly hotter in the middle than the Hik equivalent but that was about it.

Agree
Disagree
Informative
Unhelpful
Funny: 1

Ethan, I agree.

I have been offered to OEM Hikvision cameras and have been sent some for sampling; side by side with the WBOX they are almost one and the same. The only plus side my ADI rep gave me for the WBOX was that they could be acquired at a cheaper price point.

Agree
Disagree
Informative
Unhelpful
Funny

W-Box does have some good products under it - cheap HDMI cables that work well (out to 50'), monitors, etc. However, this is a glaring, well publicized issue that seems easy enough to remedy. Is it that Hikvision must be paid to release firmware updates? I'm wondering if it is like dedicated laptop video cards used to be a few years back -- if Dell/HP/whomever wanted driver updates they had to pay the OEM for the new drivers. Therefore, laptop drivers tended to be woefully out of date without third party workarounds.

Agree
Disagree
Informative
Unhelpful
Funny

"Is it that Hikvision must be paid to release firmware updates?"

I do not know but I have never heard anyone cite that as an obstacle. Also, since it is a security fix for a Hikvision issue, I doubt Hikvision is trying to make money off of this. And, even if that was the case, ADI is so huge they can certainly afford it.

Agree
Disagree
Informative
Unhelpful
Funny

Can the buyer just upgrade w-box using Hikvision 5.3 firmware from the Hik site?

If so, it sounds like the ADI feet dragging is related to a cost issue of touching each unit in inventory to upgrade.

If not, perhaps there is something about these units, as J.B. alludes that is different (new old stock), that prevents the obvious upgrade.

Agree
Disagree
Informative
Unhelpful
Funny

No, Hik firmware fails on W Box (and Northern, and likely other OEMs) cameras. Maybe you can do it with TFTP as people have alluded to elsewhere, but you can't simply load it.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

That sounds like it could be the answer. If ADI has a large inventory of unlabeled Hiks with old firmware that can only be upgraded to 5.3 by someone in this country opening the boxes one by one and manually using the TFTP process, that's likely to eliminate most of the profit on a $60 camera, no?

And you can't really expect ADI to take a bath just for the sake of another 10,000 vulnerable cameras in the wild, can you? ;)

Agree
Disagree
Informative
Unhelpful
Funny: 3

Just got this in the mail. I noticed the wbox website had some new firmware the other day. It's a 3 page document.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Thanks, John, for the heads up! They've put that notice on their website, as well, along with the activation procedure. I'll get a camera out to confirm things as well.

Agree
Disagree
Informative
Unhelpful
Funny

I just updated a W Box bullet to 5.3 and confirmed. Here's the activation dialog:

Agree
Disagree
Informative: 1
Unhelpful
Funny