Obviously anyone who voted "Neither" is likely an Axis competitor. LOL.
Axis: "It’s A Question Of Trust And Who You Want To Be Associated With"
Who do you trust?
Who do you want to be associated with?
Axis is raising hard questions to start 2018.
In this note, we examine these questions, the competitive impact of them and how it fits in a clear industry trend.
Trust, ***********, *** ******
****'"****’* ********** ****** *** *** ******** of *****" ************* ****:
**** ** **** ******* ********* ***** ********* behavior.
China / *********
**** ********* ** **** **** ***** observation ******* ** *** ***** ************ industry *** ***** ************ ************* *** declined ** ******* ** *** ******** manufacturers.
***** **** ******** *********, ******* *********** *** ********* issues ***** ******* ** ***** *** in ********** *** **********-***** ************, *********.
*********'* ******* ************* ******, ********* *** IP ****** ********, ***** ******* ******* about ***** ******* ***** ********** *******, and ***** ****** ******** **** *** WSJ *** ****** **** **** *********'* ****** a ********* *****.
Hanwha **** ****** ***** ********
**** ** *** ***** ** ******* questions ***** *****.****** *** *** *** ** ***** its **** *** ************* ***************:
Key ******** *****
******* ** *** ******* ** *** Chinese ************* *** *** ******* ******** of ***-******* *************, ** *** *** 'question ** *****' ******** * ***** debate *** ************** ** *** ********. Hikvision *** *****, ** **********, **** have ** ****** *** **** ** overcome **** ********/*****. ****** ***** **** behavior, ** ****** ***** ** ****** hide **** **** ****** ***** ********* **** fight aggressively, ********** **** ****, ****** *** other ********* *********** *** *** ********* ones. ** ****, *********, **** *** a *********** ****.
Vote / ****
I think the "Who do you trust more?" question is a bit of a stretch by only including the best (IMHO) Axis and the worst Hikvision, but I'll allow it!
In fairness to me :), I was not picking who was 'best' and 'worst' but who was the biggest in China and the biggest outside of China.
With all the recent vulnerabilities found affecting many different manufacturers I am not surprised trust is becoming a focus.
I work for a manufacturer and have heard discussions surrounding this in recent strategy meetings. And while it is easy for a group of people who work for a manufacturer to sit around and strategize what they will do to build trust, the execution of the plan is always the most difficult part.
Given the importance of trust, as seen in the poll results above, I would like to ask the members of this site, specifically the integrators, distributors and dealers: What can we, as manufacturers, do to keep/gain/earn your trust?
What can we, as manufacturers, do to keep/gain/earn your trust?
The fundamentals always apply:
- Don't overpromise / create unrealistic expectations (in practice this means letting your senior technical people give feedback before releasing announcements and marketing material to point out things that are technically exaggerated or wrong)
- Own mistakes, don't blame others or create euphemisms to hide the truth.
- Overcommunicate, don't try to hide bad news (if your case study of a pizzeria in Pittsburgh is on all your social media channels and the front page of every trade magazine but your cybersecurity announcement is buried 4 clicks into your website and nowhere else, people can tell you are trying to hide things from them).
Overall, most manufacturers have at least decent trust levels with their customers. Over the past few years, key exceptions include Arecont with their poor attempts to cover up their quality problems and Avigilon with their hyper-aggressive sales machine (Arecont still struggles, Avigilon has reformed in the past year or two).
The Hikvision situation is unique, though. The combination of being owned by an authoritarian government and Hikvision's combative marketing 'strategy' has created an unprecedented trust / ethics issue.
Related, not that any manufacturer would be foolish enough to take Hikvision's approach of ad hominem attacks on critics, that's not a prudent policy. While IPVM has definitely benefited from Hikvision's wild attacks against us (e.g., this classic), those tactics turn most people off and deepen trust issues.
Borderline copyright infringement Mr. H. From my Jan 6 comment in bold. :)
The fundamentals always apply:
- Don't overpromise / create unrealistic expectations (in practice this means letting your senior technical people give feedback before releasing announcements and marketing material to point out things that are technically exaggerated or wrong)
- Own mistakes, don't blame others or create euphemisms to hide the truth.
- Overcommunicate, don't try to hide bad news (if your case study of a pizzeria in Pittsburgh is on all your social media channels and the front page of every trade magazine but your cybersecurity announcement is buried 4 clicks into your website and nowhere else, people can tell you are trying to hide things from them).
In terms of software architecture and code level, we have a unique consideration.
Evidently not: Uniview Recorder Backdoor Examined
Well "Unique consideration" doesn't sound like proper English but grammar never was my strong point. So I was trying to put a positive spin on the interpretation that meant Uniview is unique in the way it handles John's backdoor exam. Unique compared to Hik because Uniview acknowledged the problem, provided a solution to fix the problem, and how they plan on preventing future problems. Then clearly communicated this to their customers and media (IPVM) in a professional manner.
Uniview was originally the daughter company of the company that founded Huawei. They sold it to a USA investment company and have subsequently repurchased it into Chinese ownership.
It's as simple as just be honest... If you find a vulnerability in your product patch it and publish it, don't hide from it. If you have quality issues, own them and make them right.
The difficulty is that we tie in by brand supplier and not by product. Different products have different issues; an NVR with built-in PoE is a completely different beast to an NVR with a switch. These discussions are too generic. Just slagging off Hik isn't the answer; you have to get into the detail. They squirm from one issue to another: for example, they do a deal with a professional manufacturer (Ambarella, FLIR) and then introduce their own rip-off copies.

If you separate IP from analogue, IP tends to be supplied into larger-scale integration, where suppliers are in control of the switch (i.e. 24-channel built-in PoE) and can protect the network better with their own software. Where installs require an external switch, the network is more vulnerable and IP cameras can be attacked by malware.
I'm just waiting for Marty to vote for Hikvision, so they can at least get one vote. :)
If you're looking for a one time sale, lower pricing rules the day. If you are a company built on repeat business and referrals, then sales are built on Trust.
As a future one time purchaser, I would never purchase from Hikvision because of their direct relationship with the Chinese government. My son is also looking into cameras and once I told him about Hik, he also shut them down.
Just my two cents
How important is trust in picking manufacturer? - For the distributor, reseller, installer or end customer?
The distributor or reseller probably looks on the percentage of cams that come DoA.
In most situations the installer is in competition to other installers, as the end customer in most cases is mainly looking at the price of the offer.
The end customer is not aware of "prestigious" brand or "no name". He doesn't know the names of typical camera manufacturers anyway. Looking at the internet he finds more or less attractive websites from all the manufacturers or sample videos of new features or...
Security is an abstract value. (In most cases) The end customer doesn't feel "more secure", when protected by an Axis camera, than by Hikvision.
The look and feel of a specific client device, e.g. doorphone monitor may make a difference for him.
The end customer has to trust the installer.
For the installer it is much more difficult, than for car dealer to explain the value of a specific brand.
The customer knows the difference between Mercedes or Porsche and Kia or Mitsubishi and connects different expectations and values.
But if different security cams deliver similar picture quality, why should he choose the expensive brand?
Should he really pay + 30% for an abstract value of "more security"?
How many projects are there, with a budget for detailed demonstrations / presentations or discussions on ethical aspects?
Depends on who your target market is, if it is a house and the person is only concerned about price then HIK will win but if it is someone who knows what the Chinese government is about they will not select HIK.
If you have large end users who have IT departments you certainly get asked more questions on why are you using HIK than if you quote a non Chinese government brand.
And if you still go along and install HIK and another vulnerability is found you will certainly be the one paying to patch them and you will also likely lose the end user's trust in selecting the right product!
The distributor or reseller probably looks on the percentage of cams that come DoA.
DoAs and other hardware issues are always a major concern. However, as cameras become more 'computerized', software issues are a growing factor. Just ask the legion of Dahua (and Dahua OEM) dealers hammered last fall during the DVR hacking spree. And it's not just that, the most frequent complaint from dealers about Hikvision (outside of cybersecurity) is HikConnect app issues (cue Sean Nelson... :).
"The end customer is not aware of "prestigious" brand or "no name". He doesn´t know the names of typical camera manufacturers anyway." that comment could not be more wrong.
I would think any large end user dealing with a system of more than a hundred cameras (maybe even less) or even one that has more than five years experience in the industry not only knows brands, but also knows more than most trunk slammers (and obviously some manufacturers) when it comes to camera brands.
Not sure how many end users like me are on here, but whatever the number it would obviously surprise you.
UM#4, I promise that I know more about camera makes/models/features than 90% of "high-end" integrators. This statement isn't to make me look smart, it's to show that my employer pays me to provide the best systems within budget and I do my homework. Any real (end-user) security professional does this as they are paid to reduce risk.
I tell the end users that I meet to do their own 'due diligence'. I appreciate that not everything on the web is true (really it isn't lol) or exaggerated, bit like reading Tripadvisor reviews where somebody decimates a 5 star hotel because the ketchup wasn't Heinz, but in general good info about a product, it's origin and past 'issues' is available and a lot of it thanks to IPVM.
Ultimately, it’s a question of trust and who you want to be associated with. People appear to be happier to allow commercial organizations to gather, manage, use and keep the data that we seem happy to share so freely, rather than governments and state bodies. But they are also increasingly aware and sensitive about how their data is used, and the ethical behavior of those businesses they choose to deal with.
That’s some pretty subtle subtext if that is intended as a dig to Hik, since the article could stand on its own without any inference, and could just be judged as a straightforward Data/Privacy post.
Their post's first paragraph emphasizes that it's related to the industry as well:
You might have read other posts or research on some of the key trends that will affect our business and industry during 2018, including some recently posted thoughts of my own. What I find interesting, however, is how these trends reflect and link into broader macro trends that are affecting industry [emphasis added]
...how these trends reflect and link into broader macro trends that are affecting industry – and indeed society – more broadly. Taking a step back for a broader perspective...
The writer went a little overbroad, if you ask me ;)
We are only starting to enter the era of trust. Before, it was just a black box recording video images; now we have moved to AI (artificial intelligence). Large teams at Hik and Dahua are focused on delivering AI with no fundamental standards. You previously wrote that Hik was installed at a military airbase; with AI they will know who the senior military are and when they are at the base. Trust, as I stated many times, is the key factor when Dahua and Hik run a business like the film Minority Report. Heaven help the world.
This is really an issue about trust (competence, culture, commitment and execution), throughout the supply chain, and the word trust itself is really loaded.
(I'm not writing this as a fan of Hik)
When we install IP cameras at customer sites, all cameras are on their own dedicated VLAN and they're not permitted to communicate to the public Internet. So any security concerns related to the camera itself fall away. Our customers are so price-sensitive that we have a near-impossible task of convincing them to go with anything higher priced than Hik.
I really like Axis, and Avigilon (we're Canadian) and would love for Hik to not be an option (for the sole reason that I'd be supporting a non-North American company).
This is my second post on IPVM. I totally understand the concerns that Hik brings (I think!), and I wanted to ask: in a network that's properly setup using best practices, is there still a security concern I'm missing?
Axis' approach to win the market over by talking "trust" feels a lot like Blackberry talking about how important security and encryption is in their handsets. The iPhone's security was "good enough" for most... and they came with a camera.
My point is: if a customer achieves what they want with Hik (feature parity, image quality, good enough network security, much lower price) then can Axis beat them by arguing about trust? For customers with deep pockets who won't compromise on security, maybe, but everybody else? I'm not sure.
This is my second post on IPVM. I totally understand the concerns that Hik brings (I think!), and I wanted to ask: in a network that's properly setup using best practices, is there still a security concern I'm missing?
Yes.
The Hikvision Vulnerability Permits Wi-Fi Attack report is a good example. In this case, the cameras came with a default configuration that had them set up to try and connect to an SSID of "davinici". An attacker within wifi range of the cameras could potentially use them as a gateway into the network, and then from there infect other machines, etc.
Granted, this poses less of an overall threat of attack than an exploit that allows a remote attacker in, but it is still an issue of concern.
This is where "trust" can come in to play. Hikvision has an established history of poor controls around cyber security. Additionally, they have tried to diminish the severity of these exploits, and the vast number of customers left exposed. While Axis has certainly not been free of issues, their issues have generally been lower-level/harder to exploit, and the company has also been more upfront about them (proactively reaching out, etc.).
It stands to reason that many products shipping today likely have as-yet-undiscovered vulnerabilities, and many of these could in fact compromise even closed networks. Who do you trust to appropriately manage these still undiscovered vulnerabilities when they are finally exposed?
Ah... we've never used WiFi on Hik. Our cameras are all hardwired PoE. So I guess I still feel the same way, unless there's something else? Every vulnerability we've seen (or considered) has been network-related. So in a properly secured network, this has been a non-issue.
We always lead with Avigilon or Axis gear, and invariably get asked to install Hik due to cost. If we don't do Hik, we price ourselves out of the business.
Ah... we've never used WiFi on Hik. Our cameras are all hardwired PoE
These were not wi-fi only cameras, they also had PoE capabilities, and in at least some of the cases, customers may have purchased them not specifically for wi-fi, but for other options that were included as well. Customers would have deployed them like "normal" cameras, and have been unaware of the wifi vulnerability.
The broader point, is that even when you take steps to secure the network, unless you have 100% understanding of everything going on inside the camera you may have vulnerabilities that you are unaware of and unprotected from. (To be clear, you cannot have 100% understanding of the camera internals, unless the vendor provides open-source firmware, and you take time to the review the firmware).
At some point, it comes down to trust in the vendors you put on your network, because it is near impossible to secure the network in such a way to prevent inside attacks.
Yeah, I can't really agree with you on all your points. But maybe that's because my company does focus on and control the network. It's literally impossible for a Hik camera (or any manufacturer's camera) to talk to anything outside of the networks we design. Regardless of firmware.
If you're saying Hik secretly installs WiFi radios in its hardware and didn't say anything, I guess that'd be different. But that doesn't appear to be the case.
We always lead with Avigilon or Axis gear, and invariably get asked to install Hik due to cost. If we don't do Hik, we price ourselves out of the business.
Ben, what are your target customers for Avigilon or Axis?
MDU... specifically, student residences. 50-100+ cameras per site depending on the size of the residence.
We always lead with Avigilon or Axis gear, and invariably get asked to install Hik due to cost.
I sense an Avigilon dealership termination in the future.
Ben, thanks!
all cameras are on their own dedicated VLAN and they're not permitted to communicate to the public Internet.
How do you ensure that there are not any errors made? (To be clear, I don't mean by you, I mean by others in IT or others that later modify or add to the system). Also, what do you do if someone wants to view the cameras remotely? Say a manager from their home or the road?
In the buildings we manage, we serve as a kind of managed "building backbone." That means we control the entire wired and wireless network. In some cases, we don't do the cameras, so we work with the security company to ensure they're supported. Same goes for access control systems, environmental controls, etc.
For remote access to the NVR, we have various ways of connecting the outside world to it. But those outside connections never have access directly to the cameras themselves (the NVR will generally have two NICs, one facing the secured camera VLAN, the other participating on a secured management network VLAN).
I realize that I'm probably in a different kind of scenario than most others here.
in a network that's properly setup using best practices, is there still a security concern I'm missing?
Yes, even products that are off the grid are not invulnerable. The Iranian uranium centrifuges were not connected to the Internet and they were still targeted by a tailor-made virus.
Even if you're using 802.1X in order to secure your network in addition to a dedicated VLAN, you are never 100% secure. Look at the latest CPU vulnerabilities for example. Therefore off-grid products also need to be patched for security vulnerabilities.
You have however to a large extent limited the risks, and mitigated some of the vulnerabilities.
The technology you choose and how it is maintained should always be risk-proportionate. If you sell a system to an end-user where the consequences of someone accessing the camera feed or access network is of low consequence, then by all means, go with products that are not as secure.
However, for high-risk & high-consequence end users, trust should definitely be an issue when selecting products. How quickly are vulnerabilities identified? How soon are they patched? For how long are the products supported with new FW?
What is the maintenance cost of installing new FW 5 times per year instead of 1?
Yes, even products that are off the grid are not invulnerable. The Iranian uranium centrifuges were not connected to the Internet and they were still targeted by a tailor-made virus.
Did you not provide a real example related to IP cameras because you don't have one?
If we're going to talk about security and vulnerabilities, it's probably best if we stick to IP cameras, not Intel chips and Iran centrifuges.
Ben, there is a long list of vulnerabilities targeting cameras and associated devices. IPVM for instance has one great example of such vulnerabilities
https://ipvm.com/reports/security-exploits
The majority of those are vulnerabilities that would apply not only over the Internet, but also if someone were to gain access to the local network. The risk is indeed reduced, as I pointed out in my previous post, but it is not eliminated.
Even if you lock down the local network properly, there is always the risk that unauthorized access can occur. (Even with the most secure networks, there can be 0-day exploits that are unknown.) Now, the question is, if someone were to gain access to your network, what could they do? Maybe only access other cameras, but for high-risk sites, that could be problematic enough.
As for me providing examples targeting computers, I'm certain that you know that IoT-devices today (which cameras are) are indeed small computers that have CPUs inside. Spectre not only affects Intel CPUs, but also AMD, ARM and Power CPUs.
Speculative execution used in Spectre, and buffer overruns (of which there are several examples from the video surveillance world) can make a system do tasks that are unwanted, even if the system itself is properly configured. If there are design errors in the product itself, proper configuration cannot eliminate every threat.
Now, you came here asking for help, and I provided an answer that hopefully enlightened you in some aspects.
My advice for high-risk/high-consequence sites would be to regularly update your devices with new FW, even if you run them on a totally disconnected site. Particularly if there are known vulnerabilities.
Regards,
Ola
Now, you came here asking for help, and I provided an answer that hopefully enlightened you in some aspects.
Hi Ola,
My original comment questioned Axis' approach to leveraging trust as a way to gain an edge in the marketplace and I made a point that securing a network device within dedicated vlan mitigates nearly every concern we've had with Hik (and other cameras).
I'm familiar with the exploits and vulnerabilities you've referenced above. None of those exploits (AFAICT) are possible when a camera is put on its own VLAN in a properly secured network.
I didn't come here for vague generalities, which is what you've provided; I was hoping to get a better understanding of how Hik cameras could be problematic within our environments.
I guess I should be pleased there doesn't seem to be anything concrete with regard to our current risk level!
Ben, you've not told us how you secure the local network except that you're using a VLAN for the cameras and that they have no direct access to the Internet? How can I be more specific without you providing more details? Which cameras are you running, which FW-versions do they have? Which NVR & FW? Can someone open up a camera and use the network cable to access the camera network with a laptop?
Your customer segment does not seem to be high security, so your product selection and configuration might very well be risk proportionate. Meaning that you can still sell your solutions with a good conscience.
However, for a high-security site:
1: Would I personally use products that I don't trust? (This goes for any brand)
2: Would I trust that network segmentation is good enough to protect my customers, to protect my company? Thus avoid doing proper maintenance for the devices over the system lifespan? (You can probably guess the answer.)
3: With fog computing becoming the new norm, meta-data (or video) is likely to be communicated to the cloud. For this scenario, trust is very imperative, as you would really have very little control over the encrypted data that is transmitted to the cloud. And unless you run a private cloud environment, you would not have control over which data is transmitted from the cloud. But this might not yet be relevant for you.
I fear that I'm not reaching you, so this will be my last post on this topic. All the best to you and your customers.
I'm not sure how we ended up here, Ola. But might be best if we agree to end it here.
With Hik and Dahua introducing so many new functions like AI and analytics, return-to-site visits will be more like 5 times a week. If cloud based it would have a chance. Throw in viewing remotely via an app and all those horrible insecurities bubble up. Interesting customers discuss in this forum: only dealing with high-end customers with controlled networks isn't the norm for 90 percent of installs. Any multi-site customer wants central viewing. They need to improve security; never being on the internet is a fantasy.
In my opinion there can be no trust with the products manufactured in China. This is not a racial or nationalist reason, it's technological. They've proven time and again that they are not up to speed with the current demands for network (IoT) security in the devices that they make, either they can't do it, or just won't. Almost all of the DVRs, NVRs and IP cameras coming from the major Chinese manufacturers share a common component, the HiSilicon processor running it.
I would suspect that HiSilicon delivers this processor along with a pre-built embedded BusyBox Linux OS for the manufacturers to put their DVR/NVR/IP camera program on top of. Everything I've seen of this underlying OS is that security is not a concern, if it was then we wouldn't be seeing devices in 2018 still utilizing FTP and Telnet when these protocols were archaic and unsafe to use in 2005!
Add to that the fact that no effort seems to be spent in developing for modern interfaces. Can your device be accessed with a browser other than Internet Explorer, or does the CMS software from the manufacturer still utilize C++ runtime installation libraries from 2010? Have you seen any development or efforts to implement 2 factor authentication or secure protocols from these manufacturers?
The overall attitude seems to be "it's good enough for the price point", but this shouldn't be allowed to fly in this day and age. Security is the responsibility of the manufacturer above all and the lack of effort being put forth by them in this realm is ludicrous. We're running full speed to the edge of the cliff with these devices and the only thought seems to be "how many more can I sell before we go off the edge like Thelma and Louise".
I am very eager to hear the results of the Senate meeting on January 30th when they discuss the situation with these manufacturers and their current methods of doing business. Who knows, with the current hike in tariffs on solar panels from China being implemented, could something similar be forthcoming for security products? Could this spur a movement to somehow start manufacturing quality, well secured, up-to-date devices here in the US? I can dream, right?
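Two checks several posts in this thread circle around, Ben's segmented camera VLAN with no Internet path (and the question of how to prove that stays true as others touch the network) and the complaint in the last post about cameras still answering on Telnet and FTP, can be turned into a repeatable smoke test. The script below is an added example written for this page, not code from IPVM, Axis, Hikvision or any poster; the addresses and the camera list in it are hypothetical placeholders, and the legacy-port table covers only the services named in the thread. Run it from a laptop plugged into a camera drop on the camera VLAN: it reports any flow that is reachable when the design says it must be blocked (or blocked when it must work) and any camera that completes a TCP handshake on a cleartext management port.

```python
"""Camera-VLAN smoke test: segmentation invariants plus a legacy-service sweep.

Run from a host on the camera VLAN (e.g. a laptop plugged into a camera drop).
Added example for this thread; every address below is a hypothetical placeholder.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical addresses: substitute the NVR's camera-side NIC, a host on the
# management VLAN, and any Internet address that should be unreachable.
NVR_CAMERA_SIDE = "10.20.0.1"
MGMT_HOST = "10.99.0.1"
INTERNET_PROBE = "1.1.1.1"
CAMERAS = ["10.20.0.11", "10.20.0.12"]  # hypothetical camera addresses

# Cleartext management services the thread complains about still shipping.
LEGACY_SERVICES: Dict[int, str] = {21: "ftp", 23: "telnet", 80: "http (cleartext)"}

Probe = Callable[..., Tuple[bool, bytes]]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> Tuple[bool, bytes]:
    """Attempt a TCP connection and read whatever the service volunteers.

    Returns (reachable, banner). reachable is True only when the handshake
    completed; a refused, filtered or timed-out connect yields (False, b"").
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(128)
            except OSError:  # socket.timeout is an OSError subclass
                banner = b""
            return True, banner
    except OSError:
        return False, b""


@dataclass
class FlowExpectation:
    """One flow the network design makes a promise about."""
    name: str
    host: str
    port: int
    allowed: bool  # True: must work (camera -> NVR); False: must be blocked


def check_segmentation(expectations: List[FlowExpectation],
                       probe: Probe = tcp_probe) -> List[Tuple[str, str]]:
    """Probe each expected flow from this host and return the violations.

    A violation is a flow that is reachable although it must be blocked, or
    blocked although it must work. An empty list means the design holds for
    TCP, from this host, right now.
    """
    violations = []
    for exp in expectations:
        reachable, _ = probe(exp.host, exp.port)
        if reachable != exp.allowed:
            violations.append((exp.name, "reachable" if reachable else "blocked"))
    return violations


def audit_camera(host: str, services: Dict[int, str] = LEGACY_SERVICES,
                 probe: Probe = tcp_probe) -> Dict[int, bytes]:
    """Return {port: banner} for every legacy service the camera answers on."""
    exposed = {}
    for port in services:
        reachable, banner = probe(host, port)
        if reachable:
            exposed[port] = banner
    return exposed


if __name__ == "__main__":
    expectations = [
        FlowExpectation("camera VLAN -> NVR RTSP", NVR_CAMERA_SIDE, 554, allowed=True),
        FlowExpectation("camera VLAN -> management VLAN SSH", MGMT_HOST, 22, allowed=False),
        FlowExpectation("camera VLAN -> Internet HTTPS", INTERNET_PROBE, 443, allowed=False),
    ]
    for name, state in check_segmentation(expectations):
        print(f"VIOLATION: {name} is {state}")
    for cam in CAMERAS:
        for port, banner in audit_camera(cam).items():
            print(f"{cam}:{port} ({LEGACY_SERVICES[port]}) answers, banner={banner!r}")
```

A completed handshake is a lower bound, not proof that the camera itself is answering (a transparent proxy or captive portal can complete it), and a failed one only shows what is blocked from this host at this moment, which is why the segmentation half is worth re-running after every change to the switch or firewall rather than once at handover. The probe is TCP only; UDP services and ICMP are not exercised, so a permissive rule for those would not be caught.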