Avigilon CEO Attacks Asian Companies Cyber Insecurity

By: IPVM Team, Published on Aug 18, 2017

Avigilon CEO is taking aim at their Asian competitors.

And he is going directly after these company's cyber security issues.

In this note, we examine his claim, analyze its accuracy and examine how this fits in a broader pattern of Western companies fighting back against the ongoing race to the bottom.

******** *** ** ****** *** at ***** ***** ***********.

*** ** ** ***** directly ***** ***** *******'* cyber ******** ******.

** **** ****, ** examine *** *****, ******* its ******** *** ******* how **** **** ** a ******* ******* ** Western ********* ******** **** against *** ******* **** to *** ******.

[***************]

CEO *********

** ******* **** ******** ****, Avigilon's *** ******:

*** **** ** **** is *** ******* ***** polarized ****** ******* ** and ******* ****** ***** manufacturers *** * ***** it's *********** **** ******** knows ** **** ***** that *** ******** ** not *** ** *** Asian ************* *** ******* with ***** **** *** cyber ******** ******** *** design **********

**** *** ** ******** to ** ******** ****** about *** *********** ***********, and **** ******** *** offer, ******* *********, ** that ******.

********'* *** **** ******* remarks ** * ******** TV interview.

Poll / ****

*******?

******* ** ********* * strong ****, **** *** that ** ********* ** measure. ***** ** ***** 'plagued', ***** *** ******* undertones, ** **********, ************ ** ***** ************ Cybersecurity *************** ** ******* *********** ** Asian *************.

Role Of Hikvision *** *****

********'* *** ***** *********** threat ** ********* ********* and ** * **** lesser ****** *****, ***** those ********* ********** ********* into ********'* **** ***********. And ***** *** ********* clearly ******** ** ****** from ******* ************* ********. Those ******** *** ******** a *** *********** ***** and ********* ******, ********** for *** ****** ********* that ******* ************* **** Avigilon **** ********* *****.

Axis **** *****, **** ****** ********

**** *** **** ****** a ******* ******** ** promoting ***** ******** ** a **************, ****** ***** Swedish, **** * **** ***** / ****** ****.**** *** ********** ***** OEMs, ******* **** **** a***% ***** ** ***** security, *** **** *** ** the***** ************* ** ******* a ********* *****, ********* ***** ******** still *** *** ****.

Genetec ***** ******** ********

***, ** ******, ****** Canadian ************ ******* *** been ***** ***** ***** cybersecurity ******, **** ** the ****** *********** ***** ********* *** Huawei *******, ******* **** ** a ******* ***** ********.

Avigilon ***** ******** ******

** ********'* *****, *** company **** **** * positive ***** ****** **** it ***** ** ******** vulnerabilities. *** ***************** ******** ******* ** Avigilon was **** **** ****, *** ********* ** ACC ************* **** ******* a **** **** * valid ***** ** ****** any **** ** *** server. **** *** ******* patched *** ******* ******** released.******** *** **** ******** by *** ***** *************, ****** ** ***** exploits **** *********.

** ****, ** ******** ** ******** cameras **** **** ****** published, ****** **** * good ***** *** ********* their ******** ** * more ****** *********** ** other ******.

Avigilon ********* ***** ***** *******

******* ** ************* **********, Avigilon *** ********** ********'* local ***** ******** ************* as * **************, ******:

** *** **** ** the ******* ***** ** the ******** * ***** it ** ****** ** a ****** ***** **** this ******* **** *** more ** ********** ***** in ***** ** ******* to ****** **** **** product **** ******** ************* are ********* ** *** securing ********** *** **** they're ********* ** ***** customers *** *** ******* one ******** ******* ***** creating *******. **, *** demand *** ******* **** product *** ******* ************ product ** **** **** and ******** ** ********* being **** ****** *** marketplace.

*** **** ** ** outlier. *** ********* '**** ** ***** America' *****, ******** *****:

Competing ** **** ** *************

********* ** **** ** something **** ******** *** other ******* ************* ****** struggle ** ****** ** do. Cyber ******** ** ** area **** **** ***. Given *** ****** ********, hardware ***** / ******** secondary ******** ****** **** Asian *************, ***** ******** will ****** ****** * major ***** *** ****. And ***** ***** ******** is *** ** ********* factor ** *** *** end ** *** ******, it ** ********* **** larger ****** *** **** concerned, *** ** ******* that ***** **** ******** counter *** ***** ********* their ***** *********** *** willing ** *******.

Comments (24)

Undisclosed Manufacturer #1

08/18/17 01:45pm

Selling on fear is never a good strategy.

Several reasons:

Modus Ponens (mode that affirms) – making such a statement requires an assumption that AVO does not have any cyber security risks. However, if/when a security issue arises with AVO software and hardware, not only would this make the statement null and void, but could also erode the integrity of future statements. After all, nothing is completely secure.
If/when the Chinese companies fix and address their cyber security issues, this argument is no longer valid, leaving the market to go back to buying low-cost options. Selling on fear is short term.
Buying is an emotional action. Buying on a bad feeling, such as fear, never leaves a positive experience for the consumer. This can decrease repeat business. The buying experience must be positive.

Suggestions for camera manufactures selling against the China imports:

Focus on your own attention to cyber security and less on the competitors lack of cyber security. Tell your story on how your engineers spend considerable time testing against cyber security issues. It needs to be a positive story about your value, not a negative story about their issues.
Sell on the value of the overall solution. Cameras are becoming a commodity, yes, but not all cameras in all applications. Focus on the value of the solution you are providing, a key part of that is support and the long term answer to the customer’s needs.
Sell your support and service. Sell yourself, your integrator partners, the level of technical resources, the ability to help design a system that brings value in cost and performance.

There is nothing wrong in capitalizing on the weakness of your competitors, but do not make that the only story you tell. Tell your story on how you are delivering value and answering the growing risk associated with cyber security.

Selling on fear will only go so far.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 08/18/17 01:50pm

Selling on fear is short term

To play devil's advocate, has not the home security industry been doing that for decades?

What about how accurate is the 'fear'? Is fear less bad or more if what is feared is genuinely an issue?

Undisclosed Manufacturer #1

In reply to John Honovich | 08/18/17 02:18pm

Valid argument. One that could be used to describe the security industry as a whole.

However, I would argue that there is a difference between selling a solution that answers a problem, in the case of home security, safety and security, versus selling a product based on the negative review of your competitor’s product.

It’s more in how the story is told. For example:

“We test our cameras against cyber security threats, provide firmware updates regularly at no cost and are constantly working to ensure that we are not a weak point on your network. We love and value the feedback from our customers to ensure we continue to be a partner in the overall security of your operation.”

Vs.

“Competitor camera X has cyber security issues and your network will be exposed to the Chinese government if you buy it. Here is the IPVM article that shows all the issues they have.”

(I wonder how many times your articles have been printed in used in sales pitches)

Telling the story around the value you provide is different than scaring a customer away from another product. One is a sale based on a positive emotion, the other is based on a negative emotion.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 08/18/17 03:00pm

I agree about the second fear case you present.

But how about a middle position? For example:

Hikvision has a history of recent, serious cybersecurity issues, e.g., see the US DHS ICS-CERT vulnerability where Hikvision scored a worse possible 10.0, etc., etc.

A user who did not know that (and many surely do not) may be fearful about that? But a competitor who does that - is that fear mongering or eduction?

Btw, a note about IPVM articles being used in sales pitches. That is against our Terms of Service and we have and will suspend or bar companies from accessing IPVM who do that. Anyone who has experience or knowledge of this, please email me john@ipvm.com

Marty Calhoun

IPVMU Certified | In reply to John Honovich | 08/18/17 05:20pm

John-

Does that work in both directions? My question is someone pointing out a negative Hikvision story (plenty to choose from) posted on IPVM and using it to defend Avigilon for example as american made vs Chinese made products?

Are you for or against this practice? It seems to me you are saying that NO ONE is to use IPVM posts either way, correct?

John Honovich

IPVM | In reply to Marty Calhoun | 08/18/17 05:47pm

It seems to me you are saying that NO ONE is to use IPVM posts either way, correct?

No one is allowed to use IPVM promotionally, for or against any manufacturer, including Hikvision. I repeat, that is against our Terms of Service and we have and will suspend or bar companies from accessing IPVM who do that. Anyone who has experience or knowledge of this, please email me john@ipvm.com

Undisclosed Manufacturer #1

In reply to John Honovich | 08/22/17 01:47pm

I have never used IPVM articles as apart of my sales pitch. However, I am surprised at the number of times IPVM comes up when talking with end-users. Especially larger, enterprise customers, as they tend to take more time to learn and understand the industry.

I do not think this is bad, in fact, the conversations usually are very positive. I wonder if at times the customer is testing to see if I know the industry or just peddling a product.

Have others experienced this as well?

NOTICE: This comment has been moved to its own discussion: End Users Mentioning IPVM In Sales Meetings

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #1 | 08/18/17 03:31pm

Not sure what Chinese manufacturer you represent or support but everything stated about Chinese Cyber Security is simply true and why should that be 'wrapped up' in a more political fashion? IPVM has been buzzing with endless discussions in relation to Cyber Security and other issues with relation to Hik, Dahua and several other mostly Chinese manufacturers. Nobody is selling on 'fear' here, it is simply confirming what is happening in the market.

Certain Chinese manufacturers including the State owned one put Sales first and everything else second based on their appalling track record when it comes to Cyber Security, shaky firmware etc. Their 'fixes' aren't even up to scratch and are 'broken' days after they are introduced. I don't think there is any concern that the issues with Chinese manufactured kit will be 'permanently' solved anytime soon so the argument that 'it won't stand when the issue is fixed' is a very long shot.

Undisclosed Manufacturer #1

In reply to Undisclosed Manufacturer #2 | 08/18/17 04:17pm

UM2 – I do not represent or support any Chinese manufactures. I do not have a dog in this fight of AVO vs. Chinese manufactures. If anything, I lean much more towards AVO in support of their products, go-to-market and sales strategies.

Nor are my statements about the validity of the argument about cyber security issues with Chinese based products, but are about using fear tactics as a sales tool. I agree that it is has been clearly stated in multiple ways, at multiple times, that there are issues of integrity in regards to Chinese products in the PhySec market, especially when it comes to cyber security. This is not in question.

My point is about using sales tactics that center around fear.

Going back to our early days of learning how to sell, we learned that buying is an emotional experience. This is most obvious in how advertisers create ads. Everyone add attempts to tell a story that evokes an emotional response. For example, the McDonald’s slogan, “I’m lovin it” is meant evoke emotions of happiness that is gained from eating their food (not the only thing gained).

The same applies for enterprise, solutions based, technology sales, like most of us are in. Even in the most sterile of sales transactions, the RFP process, there is a level of emotion involved.

Understanding that emotion plays a factor in buying decisions, using the emotion of fear as a primary buying emotion is not good sales strategy. Most of us are trained to overcome buyer fear in our sales process. Even if a customer buys our product, but lacks a positive experience or positive emotional connectedness but instead decided to buy because I made them scared of the competitor’s product, this is a negatively driven, sales decision.

So to John’s question: I do believe that there is a place for honest conversations, a middle ground. But these conversations, specifically about cyber security, should be based around the value my product, not about the failures of my competition. Using Cyber Security as a talking point is good… and one everyone in our industry should talking about. But if our only point is “they are bad” we are setting ourselves up to fall into the same trap by our competition.

So to recap, this is about sales tactics, not about Hikvision’s lack of cyber security.

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #1 | 08/21/17 12:10pm

I still don't see how 'fear tactics' would/should apply here as it's simply a statements of facts. No elaborate explanation of how 10,000's of hacked cameras could be used for an attack etc, in that case yes I would've agreed with the original post.

I also agree that you should always sell your own product based on it's strengths and USP's and not spend most of your time 'slating' the competition as that is a sign of weakness imo. Yet when asked in a conference call what the current state of the market is, it is perfectly acceptable for any Sales Leader to reflect on what's happening in that market, whether you are selling security products or cars.

It's a tabloid style approach to take statements out of context and their is no need for it. Enough on that subject now.

I don't think ANY manufacturer will ever be able to maintain a 100% 'cyber risk free' track record. More important is how the manufacturer(s) deals with a threat, whether potential or active, what preventive measures are put in to place and how quick and well weighed the response to an 'attack' is delivered.

Playing a cat and mouse game with the reporting media is not the way to go about it neither is releasing 'measures' that are as poor as the software/firmware that got breached in the first place whilst trying to 'bully' the reporting entity.

Undisclosed #3

08/18/17 05:15pm

I don't know what the percentage of Asian vs non-Asian manufacturers is, but I suspect there are a lot more Asian manufacturers in the security industry overall. If that is true, would it not also be true that we should expect to see them experience the majority of security vulnerabilities?

When it comes to cyber security, all are at risk. It looks like AVO have had a good run, but I doubt they have as broad exposure to the world as companies like HikVision. He is primarily attacking them, and there are some good reasons to do so. But rather than broadly claiming Asian manufacturers are bad at security, he would be better served by explaining what AVO does differently.

What are they doing from a cyber security approach to ensure their products are secure? Fear is a long used sales tactic, but I think the tactic is more effective when you do so in a positive way - highlighting your strengths. I couldn't find this statement in that 10-page transcript so maybe the excerpt is out of context and they did discuss their strengths? Not that they necessarily had to in an earnings call like this - they might take a different approach in a discussion with a customer.

Joseph Parker

In reply to Undisclosed #3 | 08/18/17 05:33pm

It's kind of like the old "PCs get viruses because of their ubiquitous use, and MACs get ignored because they aren't" argument. I think their is some validity to scale being attractive to hackers, but I also think part of it is due to company culture.

That said, if Avigilon is going to put other companies on blast they better hope they don't ever have a vulnerability in the near future. Nothing is 100% secure, and it seems this could put certain countries state sponsored black hats on a mission.

Undisclosed Manufacturer #1

In reply to Joseph Parker | 08/21/17 12:26pm

While I do agree that scale can be a factor in some cases (PC vs. MAC) in this case I do not think scale is a contributor. If so, Axis would have taken a few headlines over the past years.

This is not counting other international players such as Sony/Bosch, Samsung/Hanwha, Pelco (whoever they are OEMing now) etc.

Assuming scale was a factor in this case, there would be many others with listed vulnerabilities. Unfortunately for Hikvision, they have become the global leader for listed vulnerabilities.

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/18/17 05:43pm

If that is true, would it not also be true that we should expect to see them experience the majority of security vulnerabilities?

Shipping a large volume of product may make Hikvision more prone to examination, but that alone does not directly equate to them having more basic vulnerabilities in their products.

It is possible for manufacturers to dedicate resources to cyber security, and good code only needs to be developed one time, and it can be loaded on 1 camera, or 10,000,000 cameras.

In some cases, such as the Hikvision Cloud Security Vulnerability Uncovered, you could argue that if Hikvision was not such a large player the researcher behind the vulnerability would have ended up with a Dahua camera, or an Axis camera instead. But sheer volume of shipment alone did not cause Hikvision to deploy a poorly architected web service, and it would have most likely been just as prone to exploit if they had shipped 1/10th their total volume.

If anything, I would expect that a manufacturer with such a large number of products shipped, and 1,000s of engineers would have the resources and the desire to ensure that basic vulnerabilities were not in its products, certainly much more so than a company a fraction of their size.

Undisclosed End User #4

08/18/17 06:30pm

This get me a bit inspired to walk into Avigilon's binaries and have a look, I'm sure there is something juicy too...

Undisclosed End User #4

In reply to Undisclosed End User #4 | 08/21/17 05:59pm

Had quick look on one specific Avigilion image the last few evenings, let me share some findings with you.
[Please note that I am running this FW image within QEMU ARM VM, so all stuff don't work]

Firmware Image: Avigilon HDH264-FW-t100_2.6.0.140 (Only version of few tested I got running within QEMU ARM VM)

# curl --digest --user admin:admin http://192.168.57.20/cgi-x/get-general
{
"firmwareVersion": "2.6.0.140",
"buildNumber": "15662",
...
}

- Share same stuff as Dahua/HIK to have to have one big binary (/usr/local/bin/CameraApp.elf) running for services (to me odd)
- Seems not allowing access to anything, unless you been successfully logged in (good)
- HTTP Authorization with "Basic" not working, only "Digest" (good)
- Telnet daemon is by default disabled [if not specifically told go into debug mode] (good)
- Seeing "Debug Console" within the "CameraApp.elf" binary, but have not yet figured out how to access the UI

- Interesting notice, they have support for GB28181, and Google search reveals that this is Chinese-marketing-only.
- Default started into the Cams, but seems not to be enabled by default, and the default Server IP are also within private IP ranges.

# curl --digest --user admin:admin http://192.168.57.20/cgi-x/get-gb28181
{"enableGB28181":0,"defaultEnableGB28181":0,"serverIp":"192.168.3.81",

"defaultServerIp":"192.168.3.81","serverPort":"5060","defaultServerPort":"5060","serverId":"34020000002000000001","defaultServerId":"34020000002000000001",

"deviceId":"34020000001320000001","defaultDeviceId":"34020000001320000001","alarmsId":"34020000001340000001","defaultAlarmsId":"34020000001340000001",

"serverPassword":"12345678","defaultServerPassword":"12345678"}
#

Traces of China do indeed exist.

Overall impression so far
Quite plain and simple FW image, seems to be pretty good, have not diving into details if there would exist any flaws regarding HTTP Digest Authorization (yet)

Undisclosed End User #5

08/20/17 02:43pm

SECUIRTY BY OBSCUIRTY

In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.

This don't fly no more but yet I see it everyday. Like said above, stop worrying about what others do and evangelize how awesome your cyber awareness is.

Blake Murphy

08/21/17 02:13am

It's a hard argument to stick to.
Our company happily promoted how we had avoided security issues without resorting to pointing out others inadequacies.

1. Customers didn't change their opinion, cheap with security issues is still better than mid price apparently.

2. We were contacted by a cyber-security firm who pointed out major issues for us to rectify. In this case we quietly slid under the radar & fixed the problems, but if we had have been a higher profile company, I am sure we would have made news somewhere...

So in other words all manufacturers are vulnerable, it's just whether you are ahead of the baddies or not as to whether you can shine your light or play in the mud with the rest. It does not take much to trip & end up in the mud.
I hope for their sake that Avigilon manage to keep their shiny exterior.

John Honovich

IPVM | In reply to Blake Murphy | 08/21/17 11:50am

Customers didn't change their opinion

Blake, I certainly believe that many customers did not change their opinion. However, I also know, without a doubt, that a significant portion of larger customers are disqualifying manufacturers for known cybersecurity issues. And those are the types of customers that Avigilon, Axis, Genetec, etc. most want. To that end, what those companies are doing is rational.

all manufacturers are vulnerable, it's just whether you are ahead of the baddies or not

I agree that everyone is potentially vulnerable but I think that underscores the risks involved across manufacturers.

Some manufacturers are simply much worse at cybersecurity than others. This should not be contentious, it is just like some companies are much better at software development than others.

For example, take Dahua and Axis. Axis is clearly far superior in cyber security both from a software perspective and response / communication one. Now, surely some people only care about price but for those who care about cyber security, it would be foolish to throw their hands up in the air, saying "well it's possible that anyone is vulnerable" instead of recognizing the differences between those two companies.

John Honovich

IPVM | 08/21/17 02:27pm

With 100+ votes, Avigilon CEO has overwhelming support:

Undisclosed #6

08/21/17 02:50pm

I prefer tech facts than commercial circus.

And I think this point "cyber security breaches and design weaknesses" is really powerfull if he points out his brand efforts in that subject and lists the weakeness his company found in others; not only asian.

I prefer this information in terms of percentages and saying no names, but relying on real data.

John Honovich

IPVM | In reply to Undisclosed #6 | 08/21/17 02:52pm

I prefer this information in terms of percentages

Percentages of what?

Mark Espenschied

08/21/17 03:51pm

Using the term "Asian" is potentially problematic here. It could be helpful for Mr. Fernandes and all of us in the video surveillance industry to clarify the country of origin. Specifically in this case, everyone seems to be referring to products manufactured on Mainland China (People's Republic of China). As we all know, Asia is made up of many nations, and this broad stroke is especially a disservice to manufacturers in South Korea, Japan and Taiwan (Republic of China) that do not operate under the influence of a communistic regime.

Max Scott

IPVMU Certified | 09/08/17 11:53am

Whether they're factually correct or not, it's important to weigh their statement with the realization that they're speaking about a competing manufacturer.

It's easier for Avigilon to poke at the lower budget cameras out of China, especially with the recent issues affecting Hikvision and Dahua.

Note: Security vulnerabilities (and camera issues) can be remedied through firmware updates, you need the firmware and access to the firmware loader. So-and-so may have fixed the vulnerability with an appropriate patch, but the cameras should still be updated.

For some brands, you have to log in to the web client to access a firmware update page. Other brands (sony, arecont, etc) have tools and firmware loading software that assist in bulk updating firmware files. Avigilon's VMS server will push firmware updates to all their cameras whenever the server software is updated.

I don't have very much experience with Hikvision cameras or software, but it does look like they have a firmware update tool or equivalent service.

Dahua might have that service as well, but hunting down firmware for their cameras was like pulling teeth until they decided to provide better access to firmware files on their website.