Bosch/Genetec Video Cybersecurity Partnership Examined (CHAVE)

By: Brian Karas, Published on Feb 15, 2017

Surveillance products have been relatively weak when it comes to cyber security. Default passwords, open ports, and weak authentication mechanisms led to a wave of exploits.

Now, Bosch and Genetec are working together to deliver a system that is "resilient against unauthorized access, malware, brute force cracking and other exploit techniques."

The two companies described the solution, which Bosch is marketing as CHAVE (Credentialed High Assurance Video Encryption), in a conversation with IPVM.

In this report we describe how CHAVE differs from other security mechanisms, what it adds in terms of costs, and how installation and day to day use vary from other systems.

CHAVE ****** ********

***** ** ** ***-**-*** security *********** *** ***** systems. ** ******** ******* with ********** ******** / chipsets *** ******** **** encryption, ***** **** ***-****** security ************ *** * VMS **** *** ********* make *** ** ***** components.

*** **** ** ***** is ** ****** *** integrity ** *****, **** the ******* **** *** been ***********, *** ** better ****** *** *** user ****** ** **** and ****** *****. ***** meets *.*. ************** ***-****** * ************, ***** Bosch ****** ** ***** manufacturer ** **** ** do.

*********, ***** ** ********* CHAVE-capable *******, *** ******* is ****** ***** ******* to ** ******** ******** Center *******.

User **************

***** ** * ***** system *** ****** ***** cards, **** ******************-****** ****-** *****, ***** **** **** an ********** ****. Login to the VMS requires inserting their smart card in a reader attached to the client PC and entering a PIN.

Target *********

*******/**********, ** ******* ********* that **** ********** ** compliance ************ ****** ************* are *** ****** ******. It ** ******** **** even * ***** ********** private-sector ******** ***** ********* CHAVE ******* ******* ************.

CHAVE ********** ********

********* ** *****, *** technology ********** ** ***** are *** ***** ** standards-compliant ********, **** ***.*** ****************** (********* ***** ********). ***** ** *****'* marketing **** *** ******* these ********* ******** **** an ** ******, *** implementing *** ******** *** accessing *** *******.

******* ******* *** ******** to **** ******** ******** components ** ******* *****, it ** *** * feature **** *** ** added ** ******** ******* via ******** ******** ** other *******.

Username/Password ** ****

***** *************** ***** **************, ***** ********** ********/******** access ** *******, *** the **** ** ****** or ******* *********. The system is required to have access to the internet, so that the devices can routinely contact the certificate authority to ensure the certs are still valid. According to Bosch, the internet access requirement is not an issue, even for security-minded government organizations, as the systems typically already have internet access for remote access/administration purposes.

Supported *******

***** ***** *** ********* cameras ** ********* ********** CHAVE:

  • ********* ** **** ** fixed **** ******
  • ********* ** ********* **** VR ***** **** ******
  • ****** ** ********* **** MP ***** *** ******
  • ********* ** **** ** panoramic ******
  • ******** ** ******* **** HD ***
  • *** ** ********* **** HD ********** ***
  • ****** ** ****** **** HD ******

Genetec *******

******* **** **** *** aiming ** **** **** support *** ***** ** the **** ******* ** Security ******, ***** ****** be *.*.

********* ***** ******* ** exclusive ** *******, ****** neither ***** *** ******* would ******* *** **** the ********* *********** ** intended ** ****.

Additional ******** *** ************ ************

******* **** ** **** the ******** ************ ***-********* before ********, **** **** is ******* **************. *** *********** ******* process **** ******** ****-**** slightly, ********* ** *****, but ****** *** *** more **** * *** extra ****.

**** ********, ************* ************ need ** ** ******** into ******** ****** ****** the ******* *** ** added ** *** *** and **********. ***** ******** of ****** *****, **** as ******** ******* ******** or ******** ******** *** the **** ** ***-***** cameras.

*******, *** ********** **** required ** ******* *** configure *****-******* ******* ****** be *******, *** **** require ***** ** ** through * ********/************* *******.

Training ************

***** **** **** *********** will **** ** ******* additional ******** ****** **** are ********* ** **** and ******* ***** ********. The ******** ** ******** to ** ********* *****, and **** ****** ** a **** *** ******.

Cost ** *****

***** *** ********** ******* costs ** ********* ***** vs * ***-***** ******. While *** ********* ******* do *** **** ***** and ***-***** ********, ******* that * ******** **** not *** **** *** CHAVE *******, *** ******* price *** * ***** camera *** ** ****** than * *********** *******.

*** ******** ******** ************ cost $**-$***, ********* ** the ***** ***** ** the *********** ***** ******, and **** **** ** be ******* ***** * years.

******* **** **** **** not ********* ******* *** Security ****** **** *****, but *** *** ** would ****** ** * different ******* *******, **** an ********** ****.

***** **** **** **** to ** ****** ***** cards, *** **** ****** PCs ******** **** ***** card *******. *******, ** is ****** **** ********* implementing ***** **** ******* be ***** ***** *****, so **** **** *** not ** ********, ** may **** ******* * few *** ** **** smart **** ******* *****.

Compared ** ***** ******** *******

CHAVE's primary differentiators are the FIPS 140-2 Level 3 compliance, and certificate-based logins with the elimination of username/password login. It is the only approach we are aware of that specifically claims the FIPS compliance, which would be valuable to customers that need to meet these requirements, as it would eliminate the need to submit an alternative approach for testing/approval. Eliminating the ability to login with a user/pass combo could be valuable to security-minded customers, even if they did not need to meet any specific regulatory requirements.

*******, * ***** ****** would ****** ** ************ more ********* **** *********** options, **** ** ***** a *** *** ******* that ******* ***** ************** and ***** *********, ** it ******** ******** ****** hardware, ************ **** **** to ** ****** ********* and **** ******* ***** 3 *****, **** ********** setup/installation ****.

Outlook *** *****

***** **** ** ****** targeted ** ********** ************, it **** **** *** a ********* *** **** can ** **** **** a ************* *********** ** make ******* **** **********. When/if ***** ***** ******* CHAVE, ** *** ****** some ** ***** ******** methods ** *******-**** ** everyday *******, ****** ****** with ******* ************ (*.*., no *********** *** ***** cards). *****, **** ** unlikely ** ****** ** 2017, ****** ***** * relatively ***** ******* **** only ** *** ********** market.

Comments (19)

This is a fantastic and innovative solution that Bosch have come up with. I am jealous.

Well, I can buy 2 of your cameras for the cost of adding just the certificate to Bosch, so you may still have some advantages ;)

CHAVE's primary differentiators are the FIPS 140-2 Level 3 compliance, and certificate-based logins with the elimination of username/password login. It is the only approach we are aware of that specifically claims the FIPS compliance, which would be valuable to customers that need to meet these requirements, as it would eliminate the need to submit an alternative approach for testing/approval. Eliminating the ability to login with a user/pass combo could be valuable to security-minded customers, even if they did not need to meet any specific regulatory requirements.

Panasonic has something similar to this; they claim FIPS Level-1 or something on the new Extreme cameras coming out along with the new WJ-NX400.

Details are still fuzzy on the new Security licenses that they have listed for the units, but I still haven't really sat down and looked at the FIPS documentation on my desk yet anyway, so I'll make that decision when I get there.

FIPS 140-2 has 4 levels of protection, 1 being the most basic, 4 being the most secure.

Panasonic lists FIPS 140-2 Level 1 in their Extreme series release. We covered some more details of the newer Extreme cameras, and also did a test.

The Panasonic cameras also only offer 720p and 1080p fixed options, the Bosch cameras have options for a 1080p PTZ, 5MP box camera, and 12MP panoramic.

From an end user standpoint, I'd like to see the camera manufacturers provide notification (email or alarm into VMS etc.) when the number of failed log-in attempts exceeds a configurable number. This would provide the system administrator visibility of how often a human or bot etc. is attempting to access the cameras.

I agree with that sentiment. I appreciate that Dahua, Hanwha, and Hikvision have added auto account lock, but I believe only Hikvision allows emails to be sent or events sent to the client (and I believe that's only compatible with iVMS, but I haven't checked). Locking the account is good, but without notification, far less useful than it could be.

That setup in Hikvision cameras is here:

The bigger issue is how few manufacturers support failed login detection at all. My email tells me the second someone tries to login with a wrong password, but cameras and VMSes, products in the security industry, do not?

I'd like to see the camera manufacturers provide notification (email or alarm into VMS etc) when the number of failed log-in attempts exceeds a configurable number.

Related: Axis: 90% Of Hacks Are NOT The Manufacturer's Fault discusses how Axis does not support this.

With Hikvision cameras, simply keep the default setting of auto lock on illegal login enabled and let your VMS alert you of the camera being offline. Should be easy with any decent VMS.

Locking an account on a Hikvision camera doesn't drop the stream necessarily, just the web interface. I just tested this with Exacq and I've seen the same in other VMSes. It could vary depending on the VMS, though.

Second, even if it did reliably kick the camera offline, that notification will only tell you it's offline. Then you're left investigating why it's offline separately. Actually sending a discrete event would be preferable.
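The notification the thread is asking for, as an added example that is not from the IPVM report or from any commenter: a threshold detector run over camera authentication log lines. It assumes a camera emits one syslog-style line per login attempt in the constructed format below (the hostnames, users, addresses and the `auth: login` record layout are all made up for the example; real devices use their own formats, so the regex is the part to adapt). It raises one discrete event per camera and source once a configurable number of failures lands inside a configurable window, which is the distinction drawn above between "camera offline" and an actual failed-login alert.

```python
"""Failed-login burst detection for camera/VMS authentication logs.

Added example, not code from the IPVM report or from any commenter. It assumes
a camera emits one syslog-style line per authentication attempt in the
constructed format shown in SAMPLE_LOG; real devices use their own formats, so
LINE_RE is the part to adapt.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; hostnames, users and addresses are made up.
SAMPLE_LOG = """\
2017-02-15T09:00:01 cam-lobby-01 auth: login FAILED user=admin src=10.0.5.23
2017-02-15T09:00:03 cam-lobby-01 auth: login FAILED user=admin src=10.0.5.23
2017-02-15T09:00:04 cam-lobby-01 auth: login FAILED user=root src=10.0.5.23
2017-02-15T09:00:06 cam-lobby-01 auth: login FAILED user=admin src=10.0.5.23
2017-02-15T09:00:07 cam-lobby-01 auth: login FAILED user=service src=10.0.5.23
2017-02-15T09:01:30 cam-dock-02 auth: login OK user=vms src=10.0.1.10
2017-02-15T09:15:00 cam-dock-02 auth: login FAILED user=vms src=10.0.1.10
2017-02-15T09:45:00 cam-dock-02 auth: login FAILED user=vms src=10.0.1.10
this line is not an auth record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<camera>\S+) auth: login (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_failed_login_bursts(lines, threshold=5, window_minutes=5):
    """Emit one alert per (camera, source) each time `threshold` failures land inside the window.

    A successful login from the same source clears its history; failures older
    than the window are dropped before counting, so two failures 30 minutes
    apart never trigger a 5-minute/5-attempt rule. After an alert the history
    is cleared so a continuing attack produces a fresh alert every `threshold`
    failures instead of one alert per line.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (camera, src) -> deque of (timestamp, user) failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["camera"], ev["src"])
        history = recent[key]
        if ev["result"] == "OK":
            history.clear()
            continue
        history.append((ev["ts"], ev["user"]))
        while history and ev["ts"] - history[0][0] > window:
            history.popleft()
        if len(history) >= threshold:
            alerts.append({
                "camera": ev["camera"],
                "src": ev["src"],
                "count": len(history),
                "first": history[0][0],
                "last": ev["ts"],
                "users": sorted({user for _, user in history}),
            })
            history.clear()
    return alerts


def format_alert(alert):
    """Render an alert as the discrete event text a VMS or mail relay would receive."""
    span = (alert["last"] - alert["first"]).total_seconds()
    return (f"{alert['camera']}: {alert['count']} failed logins from {alert['src']} "
            f"in {span:.0f}s (users tried: {', '.join(alert['users'])})")


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

On the sample data the lobby camera, which sees five failures in six seconds from one address cycling through several usernames, produces a single event naming the source and the accounts tried; the dock camera, with two failures half an hour apart, produces nothing under a 5-minute window. Feeding the same lines to a VMS that only watches for "camera offline" would surface neither.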

I am hoping that camera manufacturers are reading this... As an end user and camera specifier of a relatively large video surveillance system, I will be making purchasing decisions based upon the camera's cyber-security features. Top among these will be cameras that can notify me either by email or SDK hook into a VMS when failed login attempts occur, as a prime differentiator, as most camera manufacturers can do a decent job with WDR, picture quality etc. I don't think I am alone on this...

Curious, would you trade cyber-security features for other advancements? On-board analytics, higher resolutions, better compression, enhanced WDR?

Brian, For us, the features that you listed are nice to haves for the majority of our locations needing surveillance. That being said, I am a big fan of the Smart Codecs for reducing file storage and better performing WDR.

In my opinion, from a corporate network standpoint, having features that provide notification of threats to the security of your video surveillance system is a higher priority (Mirai Botnet, which you covered extensively, etc.).

Putting this all together, I am looking for a 4K dome with built-in IR, an excellent wide dynamic range, good low light performance, that utilizes a smart codec and includes log-in failure notification. Am I asking for too much :) ??

I don't think you are asking for too much in the sense of wanting a product featureset that is impractical. I think the challenge for manufacturers is that it is often a zero-sum game with engineering resources. Implementing more cyber-security features means something else gets cut or delayed. Maybe that delay is just 1 quarter, maybe it is 1 year, hard to say.

I think more customers need to make it clear the cyber security enhancements might be more important than "camera stuff" like analytics or smart(er) CODECs (assuming of course that the other camera features are on par with industry standards, a company with an old H.264 CODEC might be better off working on that first).

I agree with what you are saying - all things being equal we will lean towards companies that have robust security features. At this point I feel that notification would add more value than all of the overhead involved in using certificate based authentication etc.

"The system is required to have access to the internet, so that the devices can routinely contact the certificate authority to ensure the certs are still valid. According to Bosch, the internet access requirement is not an issue, even for security-minded government organizations, as the systems typically already have internet access for remote access/administration purposes."

This is where I stopped reading. My opinion is no security systems should be EVER connected to the Internet. Especially not for remote administration purposes.

Another issue I have with this system is that you need one card and a login/password combo and you can login to the system. These can be stolen or cloned, so your system is vulnerable again.

If the user is already on the Internet, why can't the user use their smartphone NFC with the built-in fingerprint reader? An online certification system can be developed for iOS or Android; I know one system like that already.

So do you mean NFC to camera? If you installed a camera up a 30 foot pole, how are you going to touch it with your Android phone!

Also, NFC on iOS, currently at 10.3 beta 3, as yet does not support NFC flags; rumour is maybe iOS 10 will.

So how to make a secure IPC for a respectable cost with minimal effort?

1. Camera has a Bluetooth module, and attached to this is a QR code label, removable.

2. Install camera where it is needed; requires power, PoE or direct.

3. Device on first power on will go into certification / password generation mode.

4. Installer runs the appropriate phone App, which will then, after a code scan, allow a pairing with the device for only enough time so that certificate generation is done from the phone (because it will have a better chance at a random generation), making the user wiggle his finger over the screen to be used as part of the certificate generation. (See the PuTTY software, which is what they do via the mouse.)

5. When complete, the device then can enable Ethernet communication and close off Bluetooth.

6. Smart App now has master public / private codes stored, which then can be passed to the software; this could be cloud based.

7. Camera generates its own password, to stop reverse engineering of the App to discover a weakness.

8. Time/date can be set from phone to device, as normally at least most users will have this correct.

9. Note: An installation engineer may not be the person doing the software side, so the data now collected, password and certificate, are then delivered to the software side, or sent as data to the customer.

10. Many assumptions that the software platform is on the internet can allow phone - device (NVR or PC platform) to open a P2P pre-setup so all information about the new device is added.

11. Software platform can be accessed by phone App so we don't need to know the password.

12. Installation company could keep a backup of device data, not even knowing the data contents.

13. Device will only now respond to communication from the generated certificate.

Linux, as used in most IPC devices, has all software certificate generation and password generation available now. A simple 'openssl rand -base64 24' gives you a lovely password nobody would be able to guess.

No, I meant logging in to the VMS client:

Login to the VMS requires inserting their smart card in a reader attached to the client PC and entering a PIN.

Another issue I have with this system that you need one card and a login/password combo and you can login to the system. These can be stolen or cloned, so your system is vulnerable again.

Do not worry!

Bosch already has some good fingerprint readers, so if you have the requirement, then Bosch can supply that product as well.

=> https://us.boschsecurity.com/en/products/accesscontrolsystems/readersandcards/biometricreaders/biometricreaders_34654

There is no exaggeration in suggesting that CHAVE by Genetec and Bosch is a giant step forward towards improving system hardening. It is also exciting to learn that authentication has been extended to biometrics, which appears to be more reliable.

I want to believe that the onus lies on the installers and integrators to utilise the system's tools and capabilities to full capacity.
