Axis, Pay Integrators To Fix Your Critical Defect

Isn't Axis already living up to their "self proclaimed standards"? It seems like Axis has far fewer scramble-the-techs vulnerabilities and critical upgrades than the majority of their competitors. Unless we expect Axis to produce a flawless product I would say that they are earning their price as it relates to this.

Presumably if you are an Axis fan you are also following their cyber security guide (Axis Cybersecurity Hardening Guide Examined), which recommends setting IP address filters once you get beyond "demo" or "small office" deployments.

If you have properly filtered/firewalled your cameras the probability of exploit drops dramatically. Theoretically customers are only liable to an internally-executed exploit, or a compromised VMS server being used to launch an attack against the camera. Both of these are scenarios that neither Axis, or the integrator, should really be seen as liable for.

While the ideal is non-exploitable firmware always, I do not think that is a realistic expectation. Customers and integrators need to understand that devices may need to have an emergency update done on one or more occasions over the life of the install, and set pricing for handling those issues accordingly.

Now, if this was the 3rd time Axis had a vulnerability like this in a year, I might agree that they owe integrators some recourse to justify their premium.

Semi-related, incidents like this are why integrators may want to offer service/emergency service programs to their customers. Perhaps the really savvy integrators can use Axis' weakness here as a new revenue stream for themselves.

Do you want manufacturers to keep vulnerabilities secret? Because that's how you get manufacturers to keep vulnerabilities secret.

If Axis made a statement and said, "We guarantee zero vulnerabilities." Then yes, they should pay integrators to fix the issue, because "zero vulnerabilities" was guaranteed. If they didn't make a statement similar to this, then they shouldn't have to or be expected to by their partners. As businesses, we assume certain risks, while we do our best to mitigate risk by installing quality products and hiring good people. Sometimes things happen and we have to deal with it.

Agree with it or not, every Hikvision dealer has more fuel to combat Axis. If Axis were smart, they would take council from Tylenol and get ahead of this.

Speaking of Nordstrom, I bought a $1,200 suit there a couple of years ago. Lost 30 lbs and the suit didn't fit me anymore. I went back and was shopping for another suit. I told the sales associated what happened, and he got the manager, and the manager asked me to bring the suit back. They credited my credit card and took the suit back (it was well worn for a year). Since then I have spent lots of $$$ at Nordstrom.

Should Axis pay TWICE for any integrators who have already downloaded the latest firmware, erroneously thinking this would solve their problem?

PRO TIP: When you actually are able to secure your camera, MAKE SURE TO RESET TO FACTORY DEFAULTS before upgrading the firmware. Although not mentioned by Axis, once the vulnerability is disclosed and script-kiddies probe every known Axis camera on the web, there may be nothing stopping them from making the firmware webpage non-functional except to change what is SAYS is the version.

Resetting to factory defaults, using the hard button, gives a better chance of eradicating any installed malware first. Though it should be noted that once the camera has been rooted, even the recovery partition can be corrupted, still that's unlikely to be exploited in the early days.

How does it differ from other software updates? Take Windows, for example. Granted, many/most are "functional" updates/patches, although many are security patches/updates to block/fix vulnerabilities.

While many a consumer can set their machine to update Windows automatically, many Enterprises do not allow such action, and have Network Admins who spend tons of time on installing/administering patches/updates.

Should Microsoft be reimbursing companies for Network Admin time spent applying/adminstering their constant patching? How does it differ from this situation and Axis? (and maybe others......)

Can be seen as another huge plus for using HD Coax to some extent......

With 100 votes received, integrators and manufacturers (not surprisingly) have taken opposing views here.

While 71% of integrators vote yes, only 41% of manufacturers agree.

Let's stick to the announced vulnerability. It will only be applicable to cameras (video devices) directly accessible through the net (internet). The vulnerability will be removed by just upgrading those cameras to the latest firmaware version which is downloadable for free from the axis site. Threfore the job to do is to connect with those cameras (remotely? yes, if they are not accessible there's no risk) and upgrade the firmware. So costs will only be time spending in the process rather than moving to "far away" sites.

Axis has a free tool to do that in a semi automatic way (Axis Camera Management) which can be programmed to upgrade hundreds (thousands) of units in sequence at desired times. That would reduce time spent in the process dramatically.

On the other hand, it's suppossed that the integrator will take care of maintenance (that includes firmware upgrades). Yes, this is not an improvement upgrade for new features, but an upgrade anyway.

Does anybody pay for the upgrade of those cameras which were supplied with default password in the past until most manufacturers found out it was risky and changed the firmware?

Not really sure if Axis should pay integrators to do this. I have been in the industry over 20 years and I have never seen an Integrator roll trucks to do software or firmware upgrades to products.

As far as this vulnerability we upgraded over 1600 Axis cameras in the past week. We did this with out an integrator. But we always do our own firmware upgrades.

It's the 18th, did Axis ask the researcher for more time?