Axis: "It’s A Question Of Trust And Who You Want To Be Associated With"

Published Jan 17, 2018 14:58 PM

Who do you trust?

Who do you want to be associated with?

Axis is raising hard questions to start 2018.

In this note, we examine these questions, the competitive impact of them and how it fits in a clear industry trend.


Comments (46)
Undisclosed #1
Jan 17, 2018

Obviously anyone who voted "Neither" is likely an Axis competitor. LOL.

(1)
(1)
(5)
Undisclosed #8
Jan 20, 2018

or a Partner... deceptive.

(1)
Ross Vander Klok
Jan 17, 2018
IPVMU Certified

I think the "Who do you trust more?" question is a bit of a stretch by only including the best (IMHO) Axis and the worst Hikvision, but I'll allow it!

(1)
(4)
John Honovich
Jan 17, 2018
IPVM

In fairness to me :), I was not picking who was 'best' and 'worst' but who was the biggest in China and the biggest outside of China.

(1)
(2)
(1)
Undisclosed Manufacturer #2
Jan 17, 2018

With all the recent vulnerabilities found affecting many different manufacturers I am not surprised trust is becoming a focus.

I work for a manufacturer and have heard discussions surrounding this in recent strategy meetings. And while it is easy for a group of people who work for a manufacturer to sit around and strategize what they will do to build trust, the execution of the plan is always the most difficult part. 

Given the importance of trust, as seen in the poll results above, I would like to ask the members of this site, specifically the integrators, distributors and dealers:  What can we, as manufacturers, do to keep/gain/earn your trust?

(2)
John Honovich
Jan 17, 2018
IPVM

What can we, as manufacturers, do to keep/gain/earn your trust?

The fundamentals always apply:

  • Don't overpromise / create unrealistic expectations (in practice this means letting your senior technical people give feedback before releasing announcements and marketing material to point out things that are technically exaggerated or wrong)
  • Own mistakes, don't blame others or create euphemisms to hide the truth.
  • Overcommunicate, don't try to hide bad news (if your case study of a pizzeria in Pittsburgh is on all your social media channels and the front page of every trade magazine but your cybersecurity announcement is buried 4 clicks into your website and nowhere else, people can tell you are trying to hide things from them).

Overall, most manufacturers have at least decent trust levels with their customers. Over the past few years, key exceptions include Arecont with their poor attempts to cover up their quality problems and Avigilon with their hyper-aggressive sales machine (Arecont still struggles, Avigilon has reformed in the past year or two).

The Hikvision situation is unique, though. The combination of being owned by an authoritarian government and Hikvision's combative marketing 'strategy' has created an unprecedented trust / ethics issue.

Related: not that any manufacturer would be foolish enough to take Hikvision's approach of ad hominem attacks on critics, but that's not a prudent policy. While IPVM has definitely benefited from Hikvision's wild attacks against us (e.g., this classic), those tactics turn most people off and deepen trust issues.

(8)
(2)
(2)
(1)
Chad Rohde
Jan 24, 2018

In terms of software architecture and code level, we have a unique consideration.

Evidently not: Uniview Recorder Backdoor Examined

Well, "unique consideration" doesn't sound like proper English, but grammar never was my strong point. So I was trying to put a positive spin on the interpretation that meant Uniview is unique in the way it handles John's backdoor exam. Unique compared to Hik because Uniview acknowledged the problem, provided a solution to fix the problem, and described how they plan on preventing future problems. Then they clearly communicated this to their customers and media (IPVM) in a professional manner.

(1)
Undisclosed End User #11
Jan 24, 2018

I nominate this post as the most Unhelpful post of the day.

Chad Rohde
Jan 24, 2018

How much does that pay?

(1)
Mick Brown
Jan 25, 2018

Uniview 

was originally the daughter of the company that founded Huawei

they sold it to a USA investment company 

and have subsequently repurchased it 

into Chinese ownership


(1)
Josh Sherer
Jan 23, 2018
KMart

It's as simple as just be honest... If you find a vulnerability in your product patch it and publish it, don't hide from it.  If you have quality issues, own them and make them right.  

(2)
(1)
Mick Brown
Jan 24, 2018

The difficulty is that we tie in by brand supplier and not by product

different products have different issues

NVR with built-in PoE is a completely different beast to NVR with switch

these discussions are too generic

just slagging off Hik isn't the answer

You have to get into the detail

they squirm from one issue to another

for example they do a deal with a professional manufacturer ambrelia

FLIR and then introduce their own rip-off copies


Mick Brown
Jan 25, 2018

If you separate IP from analogue

IP tends to be supplied into larger scale

integration

where suppliers are in control of the switch

i.e. 24 ch built-in PoE, they can protect the network better with their own software

where installs require external switches the network is more vulnerable

and IP cameras can be attacked by malware

Undisclosed Integrator #3
Jan 17, 2018

I'm just waiting for Marty to vote for Hikvision, so they can at least get one vote. :)

(1)
(1)
(11)
Rich Moore
Jan 17, 2018

If you're looking for a one time sale, lower pricing rules the day.  If you are a company built on repeat business and referrals, then sales are built on Trust.  

(8)
(1)
Brad Peterson
Jan 17, 2018

As a future one time purchaser, I would never purchase from Hikvision because of their direct relationship with the Chinese government. My son is also looking into cameras and once I told him about Hik, he also shut them down.

Just my two cents

(3)
Undisclosed Manufacturer #4
Jan 17, 2018

How important is trust in picking a manufacturer? For the distributor, reseller, installer or end customer?

The distributor or reseller probably looks at the percentage of cams that come DoA.

In most situations the installer is in competition with other installers, as the end customer in most cases is mainly looking at the price of the offer.

The end customer is not aware of "prestigious" brand or "no name". He doesn't know the names of typical camera manufacturers anyway. Looking at the internet he finds more or less attractive websites from all the manufacturers or sample videos of new features or...
Security is an abstract value. (In most cases) The end customer doesn't feel "more secure" when protected by an Axis camera than by Hikvision.
The look and feel of a specific client device, e.g. a doorphone monitor, may make a difference for him.

The end customer has to trust the installer.

For the installer it is much more difficult than for a car dealer to explain the value of a specific brand.
The customer knows the difference between Mercedes or Porsche and Kia or Mitsubishi and connects different expectations and values.

But if different security cams deliver similar picture quality, why should he choose the expensive brand?

Should he really pay +30% for an abstract value of "more security"?

How many projects are there with a budget for detailed demonstrations / presentations or discussions on ethical aspects?

(7)
(4)
(1)
Undisclosed Manufacturer #5
Jan 17, 2018

Depends on who your target market is. If it is a house and the person is only concerned about price then HIK will win, but if it is someone who knows what the Chinese government is about they will not select HIK.

If you have large end users who have IT departments you certainly get asked more questions on why you are using HIK than if you quote a non Chinese government brand.

And if you still go along and install HIK and another vulnerability is found you will certainly be the one paying to patch them and you will also likely lose the end user's trust in selecting the right product!

(4)
John Honovich
Jan 17, 2018
IPVM

The distributor or reseller probably looks on the percentage of cams that come DoA.

DoAs and other hardware issues are always a major concern. However, as cameras become more 'computerized', software issues are a growing factor. Just ask the legion of Dahua (and Dahua OEM) dealers hammered last fall during the DVR hacking spree. And it's not just that: the most frequent complaint from dealers about Hikvision (outside of cybersecurity) is HikConnect app issues (cue Sean Nelson... :).

(1)
(1)
(1)
Ross Vander Klok
Jan 17, 2018
IPVMU Certified

"The end customer is not aware of "prestigious" brand or "no name". He doesn't know the names of typical camera manufacturers anyway." That comment could not be more wrong.

I would think any large end user dealing with a system of more than a hundred cameras (maybe even less) or even one that has more than five years experience in the industry not only knows brands, but also knows more than most trunk slammers (and obviously some manufacturers) when it comes to camera brands. 

Not sure how many end users like me are on here, but whatever the number it would obviously surprise you.

(1)
Brandon Knutson
Jan 23, 2018
IPVMU Certified

UM#4, I promise that I know more about camera makes/models/features than 90% of "high-end" integrators. This statement isn't to make me look smart, it's to show that my employer pays me to provide the best systems within budget and I do my homework. Any real (end-user) security professional does this as they are paid to reduce risk.   

(1)
(1)
Undisclosed Manufacturer #6
Jan 17, 2018

I tell the end users that I meet to do their own 'due diligence'. I appreciate that not everything on the web is true (really it isn't lol) or is exaggerated, a bit like reading Tripadvisor reviews where somebody decimates a 5 star hotel because the ketchup wasn't Heinz, but in general good info about a product, its origin and past 'issues' is available, and a lot of it thanks to IPVM.

(2)
Undisclosed #7
Jan 17, 2018
IPVMU Certified

Ultimately, it’s a question of trust and who you want to be associated with. People appear to be happier to allow commercial organizations to gather, manage, use and keep the data that we seem happy to share so freely, rather than governments and state bodies. But they are also increasingly aware and sensitive about how their data is used, and the ethical behavior of those businesses they choose to deal with.

That’s some pretty subtle subtext if that is intended as a dig to Hik, since the article could stand on its own without any inference, and could just be judged as a straightforward Data/Privacy post.

 

 

(1)
John Honovich
Jan 17, 2018
IPVM

Their post's first paragraph emphasizes that it's related to the industry as well:

You might have read other posts or research on some of the key trends that will affect our business and industry during 2018, including some recently posted thoughts of my own. What I find interesting, however, is how these trends reflect and link into broader macro trends that are affecting industry [emphasis added]

Undisclosed #7
Jan 17, 2018
IPVMU Certified

...how these trends reflect and link into broader macro trends that are affecting industry – and indeed society – more broadly. Taking a step back for a broader perspective...

The writer went a little overbroad, if you ask me ;)

(3)
Mick Brown
Jan 22, 2018

We are only starting to enter the era of trust

before, just a black box recording video images

now we have moved to AI (artificial intelligence)

large teams at Hik and Dahua focused on delivering AI with no fundamental standards

you previously wrote Hik installed at a military airbase

with AI they will know

who the senior military are

and when they are at the base

Trust, as I stated many times, is the

key factor when Dahua and Hik run a business like the film Minority Report

heaven help

the

world


(2)
Salvatore D'Agostino
Jan 22, 2018
IDmachines

This is really an issue about trust (competence, culture, commitment and execution), throughout the supply chain, and the word trust itself is really loaded.

(1)
Ben Lucier
Jan 22, 2018
pofp.com

(I'm not writing this as a fan of Hik)

When we install IP cameras at customer sites, all cameras are on their own dedicated VLAN and they're not permitted to communicate to the public Internet. So any security concerns related to the camera itself fall away. Our customers are so price-sensitive that we have a near-impossible task of convincing them to go with anything higher priced than Hik.

I really like Axis, and Avigilon (we're Canadian) and would love for Hik to not be an option (for the sole reason of supporting a non-North American company).

This is my second post on IPVM. I totally understand the concerns that Hik brings (I think!), and I wanted to ask: in a network that's properly setup using best practices, is there still a security concern I'm missing?

Axis' approach to win the market over by talking "trust" feels a lot like Blackberry talking about how important security and encryption is in their handsets. iPhones security was "good enough" for most... and they came with a camera.

My point is: if a customer achieves what they want with Hik (feature parity, image quality, good enough network security, much lower price) then can Axis beat them by arguing about trust? For customers with deep pockets who won't compromise on security, maybe, but everybody else? I'm not sure.

Brian Karas
Jan 22, 2018
IPVM

This is my second post on IPVM. I totally understand the concerns that Hik brings (I think!), and I wanted to ask: in a network that's properly setup using best practices, is there still a security concern I'm missing?

Yes.

The Hikvision Vulnerability Permits Wi-Fi Attack report is a good example. In this case, the cameras came with a default configuration that has them set up to try and connect to an SSID of "davinici". An attacker within wifi range of the cameras could potentially use them as a gateway into the network, and then from there infect other machines, etc.

Granted, this poses less of an overall threat of attack than an exploit that allows a remote attacker in, but it is still an issue of concern.

This is where "trust" can come into play. Hikvision has an established history of poor controls around cyber security. Additionally, they have tried to diminish the severity of these exploits, and the vast number of customers left exposed. While Axis has certainly not been free of issues, their issues have generally been lower-level/harder to exploit, and the company has also been more upfront about them (proactively reaching out, etc.).

It stands to reason that many products shipping today likely have as-yet-undiscovered vulnerabilities, and many of these could in fact compromise even closed networks. Who do you trust to appropriately manage these still undiscovered vulnerabilities when they are finally exposed?


(1)
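As an added illustration (not code from this thread or from any vendor), here is an inventory audit that flags cameras whose radio is enabled, or whose stored SSID is still the shipped default "davinici" named in the report above, so the exposure can be found even on sites that never intended to use Wi-Fi. The key=value export format, hosts and MAC addresses are constructed for the example.

```python
"""Audit camera wireless settings for the factory default SSID.

"davinici" is the default SSID named in the Wi-Fi report discussed in
this thread; the export format, hosts and MACs below are constructed.
"""
import re
from dataclasses import dataclass

KNOWN_DEFAULT_SSIDS = {"davinici"}


@dataclass(frozen=True)
class CameraWifi:
    host: str
    mac: str
    wifi_enabled: bool
    ssid: str


# Hypothetical key=value inventory export, constructed for this example.
SAMPLE_EXPORT = """\
host=10.20.30.11 mac=aa:bb:cc:00:00:11 wifi=on ssid=davinici
host=10.20.30.12 mac=aa:bb:cc:00:00:12 wifi=on ssid=SiteOps-Cams
host=10.20.30.13 mac=aa:bb:cc:00:00:13 wifi=off ssid=davinici
host=10.20.30.14 mac=aa:bb:cc:00:00:14 wifi=off ssid=
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^host=(\S+)\s+mac=(\S+)\s+wifi=(on|off)\s+ssid=(\S*)$")


def parse_export(text):
    """Parse the export into CameraWifi records, skipping malformed lines."""
    cams = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # do not guess at lines that fail to parse
        host, mac, state, ssid = m.groups()
        cams.append(CameraWifi(host, mac.lower(), state == "on", ssid))
    return cams


def audit(cameras, wired_deployment=True):
    """Return {host: [finding, ...]} for cameras that need attention.

    wired_deployment=True means the site runs cameras over PoE only, so
    any enabled radio is an unexpected interface, not just a default SSID.
    """
    findings = {}
    for cam in cameras:
        issues = []
        is_default = cam.ssid.lower() in KNOWN_DEFAULT_SSIDS
        if cam.wifi_enabled and is_default:
            issues.append("CRITICAL: radio on and joining default SSID")
        elif is_default:
            issues.append("WARN: default SSID still stored; clear it")
        if cam.wifi_enabled and wired_deployment:
            issues.append("WARN: radio enabled on a wired-only deployment")
        if issues:
            findings[cam.host] = issues
    return findings


def main():
    for host, issues in audit(parse_export(SAMPLE_EXPORT)).items():
        for issue in issues:
            print(f"{host}: {issue}")


if __name__ == "__main__":
    main()
```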
Ben Lucier
Jan 22, 2018
pofp.com

Ah... we've never used WiFi on Hik. Our cameras are all hardwired PoE. So I guess I still feel the same way, unless there's something else? Every vulnerability we've seen (or considered) has been network-related. So in a properly secured network, this has been a non-issue.

We always lead with Avigilon or Axis gear, and invariably get asked to install Hik due to cost. If we don't do Hik, we price ourselves out of the business.

Brian Karas
Jan 22, 2018
IPVM

Ah... we've never used WiFi on Hik. Our cameras are all hardwired PoE

These were not wi-fi only cameras, they also had PoE capabilities, and in at least some of the cases, customers may have purchased them not specifically for wi-fi, but for other options that were included as well. Customers would have deployed them like "normal" cameras, and have been unaware of the wifi vulnerability.

The broader point is that even when you take steps to secure the network, unless you have 100% understanding of everything going on inside the camera you may have vulnerabilities that you are unaware of and unprotected from. (To be clear, you cannot have 100% understanding of the camera internals, unless the vendor provides open-source firmware, and you take the time to review the firmware.)

At some point, it comes down to trust in the vendors you put on your network, because it is near impossible to secure the network in such a way to prevent inside attacks.

(1)
(1)
Ben Lucier
Jan 22, 2018
pofp.com

Yeah, I can't really agree with you on all your points. But maybe that's because my company does focus on and control the network. It's literally impossible for a Hik camera (or any manufacturer's camera) to talk to anything outside of the networks we design. Regardless of firmware. 

If you're saying Hik secretly installs WiFi radios in its hardware and didn't say anything, I guess that'd be different. But that doesn't appear to be the case.

(1)
Michael Miller
Jan 22, 2018

We always lead with Avigilon or Axis gear, and invariably get asked to install Hik due to cost. If we don't do Hik, we price ourselves out of the business.

Ben, what are your target customers for Avigilon or Axis? 

Ben Lucier
Jan 22, 2018
pofp.com

MDU... specifically, student residences. 50-100+ cameras per site depending on the size of the residence. 

Undisclosed Integrator #9
Jan 23, 2018

We always lead with Avigilon or Axis gear, and invariably get asked to install Hik due to cost. 

I sense an Avigilon dealership termination in the future.

(1)
John Honovich
Jan 22, 2018
IPVM

Ben, thanks!

all cameras are on their own dedicated VLAN and they're not permitted to communicate to the public Internet.

How do you ensure that there are not any errors made? (To be clear, I don't mean by you, I mean by others in IT or others that later modify or add to the system). Also, what do you do if someone wants to view the cameras remotely? Say a manager from their home or the road? 

(1)
Ben Lucier
Jan 23, 2018
pofp.com

In the buildings we manage, we serve as a kind of managed "building backbone." That means we control the entire wired and wireless network. In some cases, we don't do the cameras, so we work with the security company to ensure they're supported. Same goes for access control systems, environmental controls, etc. 

For remote access to the NVR, we have various ways of connecting the outside world to it. But those outside connections never have access directly to the cameras themselves (the NVR will generally have two NICs, one facing the secured camera VLAN, the other participating on a secured management network VLAN).

I realize that I'm probably in a different kind of scenario than most others here.

Ola Edman
Jan 23, 2018

in a network that's properly setup using best practices, is there still a security concern I'm missing?

Yes, even products that are off the grid are not invulnerable. The Iranian uranium centrifuges were not connected to the Internet and they were still targeted by a tailor-made virus.

Even if you're using 802.1x in order to secure your network in addition to a dedicated VLAN, you are never 100% secure. Look at the latest CPU vulnerabilities for example. Therefore off-grid products also need to be patched for security vulnerabilities.

You have however to a large extent limited the risks, and mitigated some of the vulnerabilities.

The technology you choose and how it is maintained should always be risk-proportionate. If you sell a system to an end-user where the consequences of someone accessing the camera feed or access network is of low consequence, then by all means, go with products that are not as secure.

However, for high-risk & high-consequence end users, trust should definitely be an issue when selecting products. How quickly are vulnerabilities identified? How soon are they patched? For how long are the products supported with new FW?

What is the maintenance cost of installing new FW 5 times per year instead of 1?

(3)
Ben Lucier
Jan 23, 2018
pofp.com

Yes, even products that are off the grid are not invulnerable. The Iranian uranium centrifuges were not connected to the Internet and they were still targeted by a tailor-made virus.

Did you not provide a real example related to IP cameras because you don't have one?

If we're going to talk about security and vulnerabilities, it's probably best if we stick to IP cameras, not Intel chips and Iran centrifuges.

Ola Edman
Jan 23, 2018

Ben, there is a long list of vulnerabilities targeting cameras and associated devices. IPVM for instance has one great example of such vulnerabilities:

https://ipvm.com/reports/security-exploits

The majority of those are vulnerabilities that would apply not only over the Internet, but also if someone were to gain access to the local network. The risk is indeed reduced, as I pointed out in my previous post, but it is not eliminated.

Even if you lock down the local network properly, there is always the risk that unauthorized access can occur. (Even with the most secure networks, there can be 0-day exploits that are unknown.) Now, the question is, if someone were to gain access to your network, what could they do? Maybe only access other cameras, but for high-risk sites, that could be problematic enough.

As for me providing examples targeting computers, I'm certain that you know that IoT devices today (which cameras are) are indeed small computers that have CPUs inside. Spectre not only affects Intel CPUs, but also AMD, ARM and Power CPUs.

Speculative execution used in Spectre, and buffer overruns (of which there are several examples from the video surveillance world) can make a system do tasks that are unwanted, even if the system itself is properly configured. If there are design errors in the product itself, proper configuration cannot eliminate every threat.

Now, you came here asking for help, and I provided an answer that hopefully enlightened you in some aspects.

My advice for high-risk/high-consequence sites would be to regularly update your devices with new FW, even if you run them on a totally disconnected site. Particularly if there are known vulnerabilities.


Regards,

Ola

(1)
Ben Lucier
Jan 23, 2018
pofp.com

Now, you came here asking for help, and I provided an answer that hopefully enlightened you in some aspects.

Hi Ola,

My original comment questioned Axis' approach to leveraging trust as a way to gain an edge in the marketplace, and I made the point that securing a network device within a dedicated VLAN mitigates nearly every concern we've had with Hik (and other cameras).

I'm familiar with the exploits and vulnerabilities you've referenced above. None of those exploits (AFAICT) are possible when a camera is put on its own VLAN in a properly secured network.

I didn't come here for vague generalities, which is what you've provided; I was hoping to get a better understanding of how Hik cameras could be problematic within our environments.

I guess I should be pleased there doesn't seem to be anything concrete with regard to our current risk level!

(4)
Ola Edman
Jan 23, 2018

Ben, you've not told us how you secure the local network except that you're using a VLAN for the cameras and that they have no direct access to the Internet. How can I be more specific without you providing more details? Which cameras are you running, which FW versions do they have? Which NVR & FW? Can someone open up a camera and use the network cable to access the camera network with a laptop?

Your customer segment does not seem to be high security, so your product selection and configuration might very well be risk proportionate. Meaning that you can still sell your solutions with a good conscience. 

However, for a high-security site:

1: Would I personally use products that I don't trust? (This goes for any brand)

2: Would I trust that network segmentation is good enough to protect my customers, to protect my company? Thus avoid doing proper maintenance for the devices over the system lifespan? (You can probably guess the answer.)

3: With fog computing becoming the new norm, meta-data (or video) is likely to be communicated to the cloud. For this scenario, trust is very imperative, as you would really have very little control over the encrypted data that is transmitted to the cloud. And unless you run a private cloud environment, you would not have control over which data is transmitted from the cloud. But this might not yet be relevant for you.

I fear that I'm not reaching you, so this will be my last post on this topic. All the best to you and your customers.

(1)
Ben Lucier
Jan 23, 2018
pofp.com

I'm not sure how we ended up here, Ola. But might be best if we agree to end it here. 

Mick Brown
Jan 23, 2018

With Hik and Dahua introducing so many new functions like AI and analytics, return-to-site visits will be more like 5 times a week

if cloud based it would have a chance

throw in viewing remotely via an app

and all those horrible insecurities bubble up

interesting that the customers discussing in this forum

only deal with high end customers with controlled networks; this isn't the norm for 90 percent of installs

any multi site customers want central viewing

they need to improve security; never being on the internet is a fantasy


(2)
Undisclosed Distributor #10
Jan 23, 2018

In my opinion there can be no trust with the products manufactured in China. This is not a racial or nationalist reason, it's technological. They've proven time and again that they are not up to speed with the current demands for network (IoT) security in the devices that they make; either they can't do it, or just won't. Almost all of the DVRs, NVRs and IP cameras coming from the major Chinese manufacturers share a common component, the HiSilicon processor running it.

I would suspect that HiSilicon delivers this processor along with a pre-built embedded BusyBox Linux OS for the manufacturers to put their DVR/NVR/IP camera program on top of.  Everything I've seen of this underlying OS is that security is not a concern, if it was then we wouldn't be seeing devices in 2018 still utilizing FTP and Telnet when these protocols were archaic and unsafe to use in 2005! 

Add to that the fact that no effort seems to be spent in developing for modern interfaces.  Can your device be accessed with a browser other than Internet Explorer, or does the CMS software from the manufacturer still utilize C++ runtime installation libraries from 2010?  Have you seen any development or efforts to implement 2 factor authentication or secure protocols from these manufacturers?

The overall attitude seems to be "it's good enough for the price point", but this shouldn't be allowed to fly in this day and age.  Security is the responsibility of the manufacturer above all and the lack of effort being put forth by them in this realm is ludicrous.  We're running full speed to the edge of the cliff with these devices and the only thought seems to be "how many more can I sell before we go off the edge like Thelma and Louise".

I am very eager to hear the results of the Senate meeting on January 30th when they discuss the situation with these manufacturers and their current methods of doing business. Who knows, with the current hike in tariffs on solar panels from China being implemented, could something similar be forthcoming for security products? Could this spur a movement to somehow start manufacturing quality, well secured, up-to-date devices here in the US? I can dream, right?

(1)
Salvatore D'Agostino
Jan 23, 2018
IDmachines

you can implement https on 443 properly..