Avigilon CEO Attacks Asian Companies Cyber Insecurity

By: IPVM Team, Published on Aug 18, 2017

Avigilon's CEO is taking aim at the company's Asian competitors.

And he is going directly after these companies' cyber security issues.

In this note, we examine his claim, analyze its accuracy and examine how this fits in a broader pattern of Western companies fighting back against the ongoing race to the bottom.


CEO *********

** ******* **** ******** ****, Avigilon's *** ******:

*** **** ** **** is *** ******* ***** polarized ****** ******* ** and ******* ****** ***** manufacturers *** * ***** it's *********** **** ******** knows ** **** ***** that *** ******** ** not *** ** *** Asian ************* *** ******* with ***** **** *** cyber ******** ******** *** design **********

**** *** ** ******** to ** ******** ****** about *** *********** ***********, and **** ******** *** offer, ******* *********, ** that ******.

********'* *** **** ******* remarks ** * ******** TV interview.

Poll / ****

*******?

******* ** ********* * strong ****, **** *** that ** ********* ** measure. ***** ** ***** 'plagued', ***** *** ******* undertones, ** **********, ************ ** ***** ************ Cybersecurity *************** ** ******* *********** ** Asian *************. 

Role Of Hikvision *** *****

********'* *** ***** *********** threat ** ********* ********* and ** * **** lesser ****** *****, ***** those ********* ********** ********* into ********'* **** ***********. And ***** *** ********* clearly ******** ** ****** from ******* ************* ********. Those ******** *** ******** a *** *********** ***** and ********* ******, ********** for *** ****** ********* that ******* ************* **** Avigilon **** ********* *****. 

Axis **** *****, **** ****** ********

**** *** **** ****** a ******* ******** ** promoting ***** ******** ** a **************, ****** ***** Swedish, **** * **** ***** / ****** ****.**** *** ********** ***** OEMs, ******* **** **** a***% ***** ** ***** security, *** **** *** ** the***** ************* ** ******* a ********* *****, ********* ***** ******** still *** *** ****.

Genetec ***** ******** ********

***, ** ******, ****** Canadian ************ ******* *** been ***** ***** ***** cybersecurity ******, **** ** the ****** *********** ***** ********* *** Huawei *******, ******* **** ** a ******* ***** ********.

Avigilon ***** ******** ******

** ********'* *****, *** company **** **** * positive ***** ****** **** it ***** ** ******** vulnerabilities. *** ***************** ******** ******* ** Avigilon was **** **** ****, *** ********* ** ACC ************* **** ******* a **** **** * valid ***** ** ****** any **** ** *** server. **** *** ******* patched *** ******* ******** released.******** *** **** ******** by *** ***** *************, ****** ** ***** exploits **** *********.

** ****, ** ******** ** ******** cameras **** **** ****** published, ****** **** * good ***** *** ********* their ******** ** * more ****** *********** ** other ******.

Avigilon ********* ***** ***** *******

******* ** ************* **********, Avigilon *** ********** ********'* local ***** ******** ************* as * **************, ******:

** *** **** ** the ******* ***** ** the ******** * ***** it ** ****** ** a ****** ***** **** this ******* **** *** more ** ********** ***** in ***** ** ******* to ****** **** **** product **** ******** ************* are ********* ** *** securing ********** *** **** they're ********* ** ***** customers *** *** ******* one ******** ******* ***** creating *******. **, *** demand *** ******* **** product *** ******* ************ product ** **** **** and ******** ** ********* being **** ****** *** marketplace.

*** **** ** ** outlier. *** ********* '**** ** ***** America' *****, ******** *****:

Competing ** **** ** *************

********* ** **** ** something **** ******** *** other ******* ************* ****** struggle ** ****** ** do. Cyber ******** ** ** area **** **** ***. Given *** ****** ********, hardware ***** / ******** secondary ******** ****** **** Asian *************, ***** ******** will ****** ****** * major ***** *** ****. And ***** ***** ******** is *** ** ********* factor ** *** *** end ** *** ******, it ** ********* **** larger ****** *** **** concerned, *** ** ******* that ***** **** ******** counter *** ***** ********* their ***** *********** *** willing ** *******.

Comments (24)

Selling on fear is never a good strategy.

Several reasons:

  • Modus Ponens (mode that affirms) – making such a statement requires an assumption that AVO does not have any cyber security risks. However, if/when a security issue arises with AVO software and hardware, not only would this make the statement null and void, but could also erode the integrity of future statements. After all, nothing is completely secure.
  • If/when the Chinese companies fix and address their cyber security issues, this argument is no longer valid, leaving the market to go back to buying low-cost options. Selling on fear is short term.
  • Buying is an emotional action. Buying on a bad feeling, such as fear, never leaves a positive experience for the consumer. This can decrease repeat business. The buying experience must be positive.

Suggestions for camera manufacturers selling against the China imports:

  • Focus on your own attention to cyber security and less on the competitors' lack of cyber security. Tell your story on how your engineers spend considerable time testing against cyber security issues. It needs to be a positive story about your value, not a negative story about their issues.
  • Sell on the value of the overall solution. Cameras are becoming a commodity, yes, but not all cameras in all applications. Focus on the value of the solution you are providing, a key part of that is support and the long term answer to the customer’s needs.
  • Sell your support and service. Sell yourself, your integrator partners, the level of technical resources, the ability to help design a system that brings value in cost and performance.

There is nothing wrong in capitalizing on the weakness of your competitors, but do not make that the only story you tell. Tell your story on how you are delivering value and answering the growing risk associated with cyber security.

Selling on fear will only go so far.

Selling on fear is short term

To play devil's advocate, has not the home security industry been doing that for decades?

What about how accurate is the 'fear'? Is fear less bad or more if what is feared is genuinely an issue?

 

Valid argument. One that could be used to describe the security industry as a whole.

However, I would argue that there is a difference between selling a solution that answers a problem, in the case of home security, safety and security, versus selling a product based on the negative review of your competitor’s product.  

It’s more in how the story is told. For example:

“We test our cameras against cyber security threats, provide firmware updates regularly at no cost and are constantly working to ensure that we are not a weak point on your network. We love and value the feedback from our customers to ensure we continue to be a partner in the overall security of your operation.”

Vs.

“Competitor camera X has cyber security issues and your network will be exposed to the Chinese government if you buy it. Here is the IPVM article that shows all the issues they have.”

(I wonder how many times your articles have been printed and used in sales pitches)

Telling the story around the value you provide is different than scaring a customer away from another product. One is a sale based on a positive emotion, the other is based on a negative emotion.

I agree about the second fear case you present.

But how about a middle position? For example:

Hikvision has a history of recent, serious cybersecurity issues, e.g., see the US DHS ICS-CERT vulnerability where Hikvision scored a worst possible 10.0, etc., etc.

A user who did not know that (and many surely do not) may be fearful about that? But a competitor who does that - is that fear mongering or education?

Btw, a note about IPVM articles being used in sales pitches. That is against our Terms of Service and we have and will suspend or bar companies from accessing IPVM who do that. Anyone who has experience or knowledge of this, please email me john@ipvm.com

John-

Does that work in both directions? My question is someone pointing out a negative Hikvision story (plenty to choose from) posted on IPVM and using it to defend Avigilon, for example as American-made vs Chinese-made products?

Are you for or against this practice? It seems to me you are saying that NO ONE is to use IPVM posts either way, correct?

It seems to me you are saying that NO ONE is to use IPVM posts either way, correct?

No one is allowed to use IPVM promotionally, for or against any manufacturer, including Hikvision. I repeat, that is against our Terms of Service and we have and will suspend or bar companies from accessing IPVM who do that. Anyone who has experience or knowledge of this, please email me john@ipvm.com

I have never used IPVM articles as a part of my sales pitch. However, I am surprised at the number of times IPVM comes up when talking with end-users. Especially larger, enterprise customers, as they tend to take more time to learn and understand the industry.

I do not think this is bad, in fact, the conversations usually are very positive. I wonder if at times the customer is testing to see if I know the industry or just peddling a product. 

Have others experienced this as well? 

NOTICE: This comment has been moved to its own discussion: End Users Mentioning IPVM In Sales Meetings

Not sure what Chinese manufacturer you represent or support but everything stated about Chinese Cyber Security is simply true and why should that be 'wrapped up' in a more political fashion? IPVM has been buzzing with endless discussions in relation to Cyber Security and other issues with relation to Hik, Dahua and several other mostly Chinese manufacturers. Nobody is selling on 'fear' here, it is simply confirming what is happening in the market.

Certain Chinese manufacturers including the State owned one put Sales first and everything else second based on their appalling track record when it comes to Cyber Security, shaky firmware etc. Their 'fixes' aren't even up to scratch and are 'broken' days after they are introduced. I don't think there is any concern that the issues with Chinese manufactured kit will be 'permanently' solved anytime soon so the argument that 'it won't stand when the issue is fixed' is a very long shot.

 

UM2 – I do not represent or support any Chinese manufacturers. I do not have a dog in this fight of AVO vs. Chinese manufacturers. If anything, I lean much more towards AVO in support of their products, go-to-market and sales strategies.

Nor are my statements about the validity of the argument about cyber security issues with Chinese based products, but are about using fear tactics as a sales tool. I agree that it has been clearly stated in multiple ways, at multiple times, that there are issues of integrity in regards to Chinese products in the PhySec market, especially when it comes to cyber security. This is not in question.

My point is about using sales tactics that center around fear.

Going back to our early days of learning how to sell, we learned that buying is an emotional experience. This is most obvious in how advertisers create ads. Every ad attempts to tell a story that evokes an emotional response. For example, the McDonald’s slogan, “I’m lovin it” is meant to evoke emotions of happiness that is gained from eating their food (not the only thing gained).

The same applies for enterprise, solutions based, technology sales, like most of us are in. Even in the most sterile of sales transactions, the RFP process, there is a level of emotion involved.

Understanding that emotion plays a factor in buying decisions, using the emotion of fear as a primary buying emotion is not good sales strategy. Most of us are trained to overcome buyer fear in our sales process. Even if a customer buys our product, but lacks a positive experience or positive emotional connectedness but instead decided to buy because I made them scared of the competitor’s product, this is a negatively driven, sales decision.

So to John’s question: I do believe that there is a place for honest conversations, a middle ground. But these conversations, specifically about cyber security, should be based around the value of my product, not about the failures of my competition. Using Cyber Security as a talking point is good… and one everyone in our industry should be talking about. But if our only point is “they are bad” we are setting ourselves up to fall into the same trap by our competition.

So to recap, this is about sales tactics, not about Hikvision’s lack of cyber security.

I still don't see how 'fear tactics' would/should apply here as it's simply a statement of facts. No elaborate explanation of how 10,000's of hacked cameras could be used for an attack etc, in that case yes I would've agreed with the original post.

I also agree that you should always sell your own product based on its strengths and USP's and not spend most of your time 'slating' the competition as that is a sign of weakness imo. Yet when asked in a conference call what the current state of the market is, it is perfectly acceptable for any Sales Leader to reflect on what's happening in that market, whether you are selling security products or cars.

It's a tabloid style approach to take statements out of context and there is no need for it. Enough on that subject now.

I don't think ANY manufacturer will ever be able to maintain a 100% 'cyber risk free' track record. More important is how the manufacturer(s) deals with a threat, whether potential or active, what preventive measures are put in to place and how quick and well weighed the response to an 'attack' is delivered.

Playing a cat and mouse game with the reporting media is not the way to go about it neither is releasing 'measures' that are as poor as the software/firmware that got breached in the first place whilst trying to 'bully' the reporting entity.

I don't know what the percentage of Asian vs non-Asian manufacturers is, but I suspect there are a lot more Asian manufacturers in the security industry overall. If that is true, would it not also be true that we should expect to see them experience the majority of security vulnerabilities?

When it comes to cyber security, all are at risk. It looks like AVO have had a good run, but I doubt they have as broad exposure to the world as companies like HikVision. He is primarily attacking them, and there are some good reasons to do so. But rather than broadly claiming Asian manufacturers are bad at security, he would be better served by explaining what AVO does differently.

What are they doing from a cyber security approach to ensure their products are secure? Fear is a long used sales tactic, but I think the tactic is more effective when you do so in a positive way - highlighting your strengths. I couldn't find this statement in that 10-page transcript so maybe the excerpt is out of context and they did discuss their strengths? Not that they necessarily had to in an earnings call like this - they might take a different approach in a discussion with a customer.

It's kind of like the old "PCs get viruses because of their ubiquitous use, and MACs get ignored because they aren't" argument. I think there is some validity to scale being attractive to hackers, but I also think part of it is due to company culture.

That said, if Avigilon is going to put other companies on blast they better hope they don't ever have a vulnerability in the near future.  Nothing is 100% secure, and it seems this could put certain countries state sponsored black hats on a mission.  

While I do agree that scale can be a factor in some cases (PC vs. MAC) in this case I do not think scale is a contributor. If so, Axis would have taken a few headlines over the past years. 

This is not counting other international players such as Sony/Bosch, Samsung/Hanwha, Pelco (whoever they are OEMing now) etc. 

Assuming scale was a factor in this case, there would be many others with listed vulnerabilities. Unfortunately for Hikvision, they have become the global leader for listed vulnerabilities. 

If that is true, would it not also be true that we should expect to see them experience the majority of security vulnerabilities?

 

Shipping a large volume of product may make Hikvision more prone to examination, but that alone does not directly equate to them having more basic vulnerabilities in their products.

It is possible for manufacturers to dedicate resources to cyber security, and good code only needs to be developed one time, and it can be loaded on 1 camera, or 10,000,000 cameras.

In some cases, such as the Hikvision Cloud Security Vulnerability Uncovered, you could argue that if Hikvision was not such a large player the researcher behind the vulnerability would have ended up with a Dahua camera, or an Axis camera instead. But sheer volume of shipment alone did not cause Hikvision to deploy a poorly architected web service, and it would have most likely been just as prone to exploit if they had shipped 1/10th their total volume.

If anything, I would expect that a manufacturer with such a large number of products shipped, and 1,000s of engineers would have the resources and the desire to ensure that basic vulnerabilities were not in its products, certainly much more so than a company a fraction of their size.

This gets me a bit inspired to walk into Avigilon's binaries and have a look, I'm sure there is something juicy too...

 

Had a quick look at one specific Avigilon image the last few evenings, let me share some findings with you.
[Please note that I am running this FW image within QEMU ARM VM, so all stuff don't work]

Firmware Image: Avigilon HDH264-FW-t100_2.6.0.140 (Only version of few tested I got running within QEMU ARM VM)

# curl --digest --user admin:admin http://192.168.57.20/cgi-x/get-general
{
"firmwareVersion": "2.6.0.140",
"buildNumber": "15662",
...
}

- Share same stuff as Dahua/HIK to have one big binary (/usr/local/bin/CameraApp.elf) running for services (to me odd)
- Seems not allowing access to anything, unless you been successfully logged in (good)
- HTTP Authorization with "Basic" not working, only "Digest" (good)
- Telnet daemon is by default disabled [if not specifically told go into debug mode] (good)
- Seeing "Debug Console" within the "CameraApp.elf" binary, but have not yet figured out how to access the UI

- Interesting notice, they have support for GB28181, and Google search reveals that this is Chinese-marketing-only.
- Default started into the Cams, but seems not to be enabled by default, and the default Server IP are also within private IP ranges.

# curl --digest --user admin:admin http://192.168.57.20/cgi-x/get-gb28181
{"enableGB28181":0,"defaultEnableGB28181":0,"serverIp":"192.168.3.81",
"defaultServerIp":"192.168.3.81","serverPort":"5060","defaultServerPort":"5060","serverId":"34020000002000000001","defaultServerId":"34020000002000000001",
"deviceId":"34020000001320000001","defaultDeviceId":"34020000001320000001","alarmsId":"34020000001340000001","defaultAlarmsId":"34020000001340000001",
"serverPassword":"12345678","defaultServerPassword":"12345678"}
#

Traces of China do indeed exist.

 

Overall impression so far
Quite plain and simple FW image, seems to be pretty good, have not dived into details if there would exist any flaws regarding HTTP Digest Authorization (yet)
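
An added example, not part of the original comment and not Avigilon code: an offline audit of the `get-gb28181` response quoted above, checking the three things the commenter looked at (whether the feature is enabled, whether the server IP sits in a private range, and whether the password is still the shipped default). The finding codes, severity labels and the `default<Key>` pairing rule are assumptions made for this sketch.

```python
"""Offline audit of a camera's get-gb28181 JSON response (added example)."""
import ipaddress
import json

# Constructed sample: the response body as quoted in the comment above.
SAMPLE_RESPONSE = """
{"enableGB28181":0,"defaultEnableGB28181":0,"serverIp":"192.168.3.81",
"defaultServerIp":"192.168.3.81","serverPort":"5060","defaultServerPort":"5060",
"serverId":"34020000002000000001","defaultServerId":"34020000002000000001",
"deviceId":"34020000001320000001","defaultDeviceId":"34020000001320000001",
"alarmsId":"34020000001340000001","defaultAlarmsId":"34020000001340000001",
"serverPassword":"12345678","defaultServerPassword":"12345678"}
"""

# "Private IP ranges" is taken here to mean the RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _flag(value):
    """Interpret 0/1, "0"/"1" or true/false style values as a boolean."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def _default_key(key):
    """Assumed pairing seen in the response: serverIp -> defaultServerIp."""
    return "default" + key[0].upper() + key[1:]


def audit_gb28181(raw):
    """Return the enabled state, findings and keys still at factory value."""
    cfg = json.loads(raw)
    enabled = _flag(cfg.get("enableGB28181", 0))
    findings = []  # tuples of (severity, code, message); labels are hypothetical

    if enabled:
        findings.append(("high", "GB28181_ENABLED",
                         "device will try to register with the configured server"))
    if _flag(cfg.get("defaultEnableGB28181", 0)):
        findings.append(("medium", "GB28181_ON_AFTER_RESET",
                         "a factory reset would switch the feature on"))

    # A shipped password only matters on the wire once the feature is on,
    # but it is still worth changing before anyone enables it.
    password = cfg.get("serverPassword")
    if password is not None and password == cfg.get("defaultServerPassword"):
        findings.append(("high" if enabled else "low", "FACTORY_PASSWORD",
                         "serverPassword equals defaultServerPassword"))

    try:
        server_ip = ipaddress.ip_address(cfg.get("serverIp", ""))
    except ValueError:
        findings.append(("medium", "BAD_SERVER_IP", "serverIp is not an IP address"))
    else:
        if not any(server_ip in net for net in RFC1918):
            findings.append(("high" if enabled else "medium", "NON_PRIVATE_SERVER_IP",
                             "registration target is outside RFC 1918 space"))

    # Every setting that still matches its default<Key> twin.
    factory_values = sorted(
        key for key in cfg
        if not key.startswith("default")
        and _default_key(key) in cfg
        and cfg[key] == cfg[_default_key(key)]
    )
    return {"enabled": enabled, "findings": findings,
            "factory_values": factory_values}


if __name__ == "__main__":
    report = audit_gb28181(SAMPLE_RESPONSE)
    print("GB28181 enabled:", report["enabled"])
    for severity, code, message in report["findings"]:
        print(f"[{severity}] {code}: {message}")
    print("still at factory value:", ", ".join(report["factory_values"]))
```

On the quoted response this reports the feature as disabled with one low-severity finding (the shipped password), which matches the commenter's reading that the feature is present but off by default.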

 

SECURITY BY OBSCURITY

In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.

 

 

 

This don't fly no more but yet I see it everyday.   Like said above, stop worrying about what others do and evangelize how awesome your cyber awareness is. 

It's a hard argument to stick to.
Our company happily promoted how we had avoided security issues without resorting to pointing out others' inadequacies.

1. Customers didn't change their opinion, cheap with security issues is still better than mid price apparently.

2. We were contacted by a cyber-security firm who pointed out major issues for us to rectify. In this case we quietly slid under the radar & fixed the problems, but if we had been a higher profile company, I am sure we would have made news somewhere...

So in other words all manufacturers are vulnerable, it's just whether you are ahead of the baddies or not as to whether you can shine your light or play in the mud with the rest. It does not take much to trip & end up in the mud.
I hope for their sake that Avigilon manage to keep their shiny exterior.

Customers didn't change their opinion

Blake, I certainly believe that many customers did not change their opinion. However, I also know, without a doubt, that a significant portion of larger customers are disqualifying manufacturers for known cybersecurity issues. And those are the types of customers that Avigilon, Axis, Genetec, etc. most want. To that end, what those companies are doing is rational.

all manufacturers are vulnerable, it's just whether you are ahead of the baddies or not

I agree that everyone is potentially vulnerable but I think that underscores the risks involved across manufacturers. 

Some manufacturers are simply much worse at cybersecurity than others. This should not be contentious, it is just like some companies are much better at software development than others.

For example, take Dahua and Axis. Axis is clearly far superior in cyber security both from a software perspective and response / communication one. Now, surely some people only care about price but for those who care about cyber security, it would be foolish to throw their hands up in the air, saying "well it's possible that anyone is vulnerable" instead of recognizing the differences between those two companies.

With 100+ votes, Avigilon CEO has overwhelming support:

I prefer tech facts than commercial circus.

 

And I think this point "cyber security breaches and design weaknesses" is really powerful if he points out his brand efforts in that subject and lists the weaknesses his company found in others; not only Asian.

 

I prefer this information in terms of percentages and saying no names, but relying on real data.

I prefer this information in terms of percentages

Percentages of what?

Using the term "Asian" is potentially problematic here. It could be helpful for Mr. Fernandes and all of us in the video surveillance industry to clarify the country of origin. Specifically in this case, everyone seems to be referring to products manufactured on Mainland China (People's Republic of China). As we all know, Asia is made up of many nations, and this broad stroke is especially a disservice to manufacturers in South Korea, Japan and Taiwan (Republic of China) that do not operate under the influence of a communistic regime.

Whether they're factually correct or not, it's important to weigh their statement with the realization that they're speaking about a competing manufacturer.

It's easier for Avigilon to poke at the lower budget cameras out of China, especially with the recent issues affecting Hikvision and Dahua. 

Note: Security vulnerabilities (and camera issues) can be remedied through firmware updates, you need the firmware and access to the firmware loader. So-and-so may have fixed the vulnerability with an appropriate patch, but the cameras should still be updated. 

For some brands, you have to log in to the web client to access a firmware update page. Other brands (Sony, Arecont, etc.) have tools and firmware loading software that assist in bulk updating firmware files. Avigilon's VMS server will push firmware updates to all their cameras whenever the server software is updated.

I don't have very much experience with Hikvision cameras or software, but it does look like they have a firmware update tool or equivalent service. 

Dahua might have that service as well, but hunting down firmware for their cameras was like pulling teeth until they decided to provide better access to firmware files on their website. 
