ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved]

By: Brian Karas, Published on Mar 09, 2016

More than a year after massive hacks against Hikvision was disclosed; More than 9 months after Hikvision issued improved security firmware, mega distributor and Hikvision OEM ADI still refuses to fix the well-known security risk.

ADI is still shipping W-Box IP Cameras using the exploited 5.2 firmware, with no option for the improved 5.3 release. We repeatedly encouraged ADI to fix this, with a public notice more than 5 months ago.

ADI's Supposed 'Fix'

ADI did issue what they call a 'patch' but the patch is primarily a pop-up warning, still allowing the weak default password, without the stronger security enhancements that Hikvision has deployed in 5.3.

 

ADI claims they take "cyber security very seriously" but their 'patch' shows otherwise. We recommend users avoid W-Box until and unless they adopt the security measures that Hikvision recommends and that other Hikvision OEMs have adopted.

Risks Publicly Traded Company

ADI is a billion dollar plus division of Honeywell, an American publicly traded company with an $83 billion market valuation.

ADI is buying from a Chinese government controlled company, Hikvision, and continuing to ship software that their Chinese supplier has deemed risky.

Given the increased public awareness of cyber security risks and ADI's refusal to take action for such a long period, this exposes their parent company to potential liability and their customers to security breaches.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Background of Hikvision Hacks

These problems emerged in March 2015, when it was disclosed that Hikvision was hacked inside Chinese government networks, following numerous reports of Hikvision being hacked around the world (see: Hikvision Hacking Incidents). Indeed, this generated international news and Hikvision's stock trading had to be temporarily suspended to deal with the crisis.

Upgrade Available 9+ Months Ago

In response to this, Hikvision significantly improved their firmware to close out the most basic and significant risk exposures in their 5.3 release from April / May 2015. Release notes [link no longer available] for the 5.3.0 firmware on Hikvisions website note the security improvements.

Below is an example of a Hikvision camera with the improved 5.3 software that Hikvision rates as 'strong' security:

By contrast, the ADI W-Box camera that still only has 5.2 software is reported by Hikvision as 'risky':

ADI 'New' Manufacturer Must Be Responsible

Only in the past few years has ADI tried their hand as a "manufacturer", primarily by OEMing finished goods, ranging from IP cameras to 6 Zone Metal Detectors to piezo buzzers.  

The level of risk, and responsibility, associated with a being a conscientious supplier of network-connected devices like a camera or recorder is high. This requires more involvement than just adding a logo and markup.

Warning to ADI 5+ Months Ago

Certainly, ADI must (or should be aware of this). Indeed, IPVM issued a warning on this in September 2015, to help both ADI, their dealers and end users be aware of this risk. We contacted ADI's President four days ago and they say they are working on a response but no details have yet been shared.

Security conscious companies would have a ready answer to questions regarding 9-month old security vulnerabilities, if not an actual fix.

Risk for ADI Cameras To Be Insecure For Years

Firmware upgrades after installation, especially for budget-oriented products like W-Box, are rare. The "if it ain't broke, don't fit it" rule is the mindset here, though in this case the cameras are technically "broken".  Customers with W-Box product may not realize the attack surface exposed via the W-Box cameras, each one being a tiny exploitable computer on the customer's network.  In the past, Hikvision NVRs have been hacked to become pitiful bitcoin miners, hacked cameras could be put to similar tasks, potentially reducing their functionality.  It would even be relatively simple to have a hacked camera replace live video with stored static images, or upload periodic images to a rouge server.

Because of this, these ADI cameras may continue to leave customers exposed for 5 or even 10 years, potentially to exploits that have not been considered yet.

Other OEMs (Including Tri-Ed) Have Been Fixed

Two of ADI's direct competitors, Anixter's Tri-Ed and LTS, who also OEM Hikvision, have fixed / upgraded to the 5.3 firmware. While Hikvision has myriad OEMs, and it is impossible to verify all, these cases show that others in similar situation have been able to resolve this.

OEMing Hikvision Adds Bullseye

Because Hikvision is the largest supplier of cameras in the world, and ADI is one of the largest distributors in the world, this makes their devices quite attractive for hackers to target, not only because of the widely known flaws but the sheer mass of these cameras deployed.

----

UPDATE March 11 2016:

ADI responded stating they had created a patch for 5.2 with security fixes, that response unedited and in full is below:

ADI takes cyber security very seriously and we stand behind the products we sell.  We release firmware updates as security impacts are identified and patches are ready for release by manufacturers. In fact, we received the 5.2 corrective patch from Hikvision in December 2015, and immediately made it available to customers on the wboxtech.com website.

In response to your questions:

1) Is there any reason that current or recently shipped (last 9 months) W-Box cameras cannot be upgraded to 5.3?

The Wbox equipment can be upgraded via firmware upgrade. The 5.2 security patch, which is the basis of your article, was released and posted to thewboxtech.com website in December. If the patch had been installed in your camera, and your password configured as the patch recommends, the camera would reflect strong security. 

2) What is the rationale for staying on 5.2 instead of upgrading to 5.3?

5.3 is a version release that included new features as well as a security upgrade. We elected to issue a patch to enhance security. 

3) Does ADI intend to offer 5.3 (or a newer version if in the works) within the next 30 days? 

ADI consistently reviews our product line and  incorporates new product features regularly.

4) Does ADI have, or plan to incorporate, a plan or policy for staying up to date with future firmware releases for W-Box? 

We release firmware updates as security impacts are identified and patches are ready for release. The security patch for this issue was released in December, when we received it. 

Michael [ADI President]

Our findings show that this W-Box firmware does not enforce the same security as Hikvision's own 5.3 firmware:

We downloaded the current firmware from http://wboxtech.com/firmware/IPC-firmware.zip [link no longer available] and installed this firmware on a W-Box test unit.  

 

We have reached out to ADI for additional clarification and will update with any response.

UPDATE March 16, 2016

We have not received any additional followup from ADI, despite multiple attempts and questions to them.  The security in ADI's patched 5.2 firmware release is still weak and reflects a poor effort on ADI's part to take "cyber security very seriously".  Users of W-Box cameras should take additional precautions to avoid having cameras directly connected to the Internet.

UPDATE June 2, 2016

ADI has finally fixed the issue, upgrading to 5.3. Here is the new instructions and the 5.3 firmware.

This clip shows the activation process now required in the web interface, rejecting the old default password of "wbox123", requiring 8 characters and special characters.

2 reports cite this report:

Hacked Dahua Cameras Drive Massive Mirai Cyber Attack on Sep 27, 2016
Cyber attacks are accelerating and IP cameras are behind many of...
ADI Finally Fixes Hikvision OEM'd Security Risk on Jun 09, 2016
After refusing for months to fix the obvious security risks, ADI has given in...
Comments (13) : Members only. Login. or Join.

Related Reports

Panasonic i-PRO Hid Huawei, Does Damage Control on Aug 21, 2020
Panasonic i-PRO hid their usage of Huawei from the public, continues to...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
InVid Flaunts Violating FDA Guidelines on Aug 28, 2020
InVid Tech is showcasing an open violation of FDA fever screening guidelines...
Trade Groups Request NDAA Blacklist Delay Citing Coronavirus on Apr 06, 2020
Two trade groups representing government contractors have asked Congress to...
Alabama Schools Million Dollar Hikvision Fever Camera Deal on Aug 11, 2020
The Baldwin County, Alabama public schools purchased a $1 million, 144-camera...
FDA "Does Not Intend to Object" To Unapproved Fever Detection Cameras If No 'Undue Risk' on Apr 17, 2020
The US FDA has declared it will not go after the many companies marketing...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Clinton Public View Monitor (PVM) Mask Detection Tested on Jul 09, 2020
Face mask detection, or more specifically not wearing one, is expanding...
ADI Branch Burglary on Apr 03, 2020
A security systems distributor branch is an odd target for burglary but that...
Sunell Panda Cam Body Temperature Measurement Camera Tested on May 14, 2020
Sunell is far less well known than its gargantuan domestic competitors Dahua...
The Guide To The NDAA Video Surveillance Ban / Blacklists on Aug 24, 2020
This 25-page guide provides a reference to the NDAA ban and blacklist. The US...
Pivot3 Mass Layoffs on Mar 27, 2020
Pivot3 has conducted mass layoffs, the culmination of grand hopes, a quarter...
Warning: Panasonic i-PRO Deceives About NDAA Compliance on Aug 18, 2020
IPVM has determined that Panasonic i-PRO has deceived about its NDAA...

Recent Reports

FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...
China Bems Temperature Measurement Terminal Tested on Sep 22, 2020
Guangzhou Bems (brand Benshi) is the manufacturer behind temperature...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Avigilon Elevated Temperature Detection Camera Tested on Sep 17, 2020
Avigilon has entered the temperature screening market with the release of...
Chilean Official Investigated for Motorola And Hikvision Contracts on Sep 17, 2020
A corruption investigation is underway in Chile after a crime prevention...
Huawei HiSilicon Production Shut Down on Sep 17, 2020
Huawei HiSilicon chips are no longer being manufactured or supplied to...
Virtual ISC West and GSX+ Exhibiting Contrasted on Sep 17, 2020
Both ISC West and ASIS GSX are going virtual this year, just weeks apart, but...
X.Labs Sues FLIR on Sep 16, 2020
X.Labs, the maker of Feevr, has sued FLIR, the publicly traded thermal...
Video Surveillance 101 September Course - Last Chance on Sep 16, 2020
Today is the last chance to sign up for the Fall Video Surveillance 101...
No Blackbody Mistake, Half Million Dollar, Hikvision Fever Camera System in Georgia on Sep 16, 2020
A Georgia school district touted buying Hikvision fever screening "about...
Costar Technologies / Arecont H1 2020 Financials Examined on Sep 16, 2020
Costar's financial results have been hit by the coronavirus with the company...
Startup Cawamo Presents Live Alerts With Edge AI and Cloud VMS on Sep 15, 2020
Cawamo, an Israeli edge-to-cloud analytics and VMS startup, presented its...