Axis, Pay Integrators To Fix Your Critical Defect

Isn't Axis already living up to their "self proclaimed standards"? It seems like Axis has far fewer scramble-the-techs vulnerabilities and critical upgrades than the majority of their competitors. Unless we expect Axis to produce a flawless product I would say that they are earning their price as it relates to this.

Presumably if you are an Axis fan you are also following their cyber security guide (Axis Cybersecurity Hardening Guide Examined), which recommends setting IP address filters once you get beyond "demo" or "small office" deployments.

If you have properly filtered/firewalled your cameras the probability of exploit drops dramatically. Theoretically customers are only liable to an internally-executed exploit, or a compromised VMS server being used to launch an attack against the camera. Both of these are scenarios that neither Axis, or the integrator, should really be seen as liable for.

While the ideal is non-exploitable firmware always, I do not think that is a realistic expectation. Customers and integrators need to understand that devices may need to have an emergency update done on one or more occasions over the life of the install, and set pricing for handling those issues accordingly.

Now, if this was the 3rd time Axis had a vulnerability like this in a year, I might agree that they owe integrators some recourse to justify their premium.

Semi-related, incidents like this are why integrators may want to offer service/emergency service programs to their customers. Perhaps the really savvy integrators can use Axis' weakness here as a new revenue stream for themselves.

If Axis made a statement and said, "We guarantee zero vulnerabilities." Then yes, they should pay integrators to fix the issue, because "zero vulnerabilities" was guaranteed. If they didn't make a statement similar to this, then they shouldn't have to or be expected to by their partners. As businesses, we assume certain risks, while we do our best to mitigate risk by installing quality products and hiring good people. Sometimes things happen and we have to deal with it.

Agree with it or not, every Hikvision dealer has more fuel to combat Axis. If Axis were smart, they would take council from Tylenol and get ahead of this.

Speaking of Nordstrom, I bought a $1,200 suit there a couple of years ago. Lost 30 lbs and the suit didn't fit me anymore. I went back and was shopping for another suit. I told the sales associated what happened, and he got the manager, and the manager asked me to bring the suit back. They credited my credit card and took the suit back (it was well worn for a year). Since then I have spent lots of $$$ at Nordstrom.

I am torn on the whole "where does the responsibility start and end" thing only because it vary between manufacturers and it is in part also the owner/maintainers responsibility to take care of the maintenance of the camera.

Other electronic devices like phones, TV's, computers and Photography cameras in order to honor warranties require you to register your products with their respective manufacturer. When you do this they also send you information regarding your products as well as recalls. After reading the AXIS website warranty information all you need is a receipt and the serial number for the camera. with the way cyber security is going this may need to change as most other manufacturers follow this same model.

Best solution is to have a secure method to register these products so the manufacturer can send you emails saying hey you need to upgrade you firmware and here is how. This puts all of the liability on the owner and not the manufacturer. This could lead to some bad relations with integrators though as it cuts them out of service calls but IMHO that will go away sooner or later anyway with the way things are progressing.

So no I dont think it is AXIS's job to chase down people and let them know that the camera is security vulnerability, But I will say if what AXIS says:

"Axis is committed to providing high quality products, trouble-free ownership and better control of total costs by offering exceptional global service covering questions and trouble-shooting concerning both the installation and use of the products"

Then they need to come up with a better way to do what they are claiming

I think the best to solve this is to go to the "registering your product model"

If you have a camera or NVR and it needs a firmware upgrade then you get an email saying "hey you need to upgrade your firmware or we are not liable for whatever may happen.

also this would cover the warranty as well

1)so in short you buy a camera or NVR

2) there is a slip of paper in the manual or packet that says " if you want warranty or to avoid security vulnerabilities you need to register you products and upgrade according.

3) customer either does #2 and gets the upgrades and is put on an email list for upgrades that may come out or doesn't and assumes responsibility for what ever may happen.

4)Manufacturers get Brownie and advertising points saying they give a damn about the end user/owner, and they are doing it better than all the other Manufacturers.

this cleans up a lot of gray area's in the who is responsible for what questions. Manufacturer says we will take care or owner as long as you cooperate with rules. Owner gets great service from manufacturer and feels safer..... hopefully.

How does it differ from other software updates? Take Windows, for example. Granted, many/most are "functional" updates/patches, although many are security patches/updates to block/fix vulnerabilities.

While many a consumer can set their machine to update Windows automatically, many Enterprises do not allow such action, and have Network Admins who spend tons of time on installing/administering patches/updates.

Should Microsoft be reimbursing companies for Network Admin time spent applying/adminstering their constant patching? How does it differ from this situation and Axis? (and maybe others......)

Can be seen as another huge plus for using HD Coax to some extent......

I am not a fan of these sensationalist articles.

All complex software has flaws, with the right research effort holes could be picked in almost any product. If it is a bug in the core of an open source product the exact same bug may appear in other brand's firmware, would you expect the same from every manufacturer?

I think that AXIS turning around a patched firmware for practically every model with a matter of days shows their commitment to holding themselves at a very high standard.

It's the 18th, did Axis ask the researcher for more time?