China Dahua To Replace Their Software With US Pepper

By John Honovich and John Scanlan, Published Aug 22, 2019, 01:03pm EDT (Info+)

What does a US government banned company do to improve its security positioning in the US?

Well, Dahua is unveiling a novel solution, partnering with US-based 'Pepper'.

IPVM Image

The press release is misleading but after speaking with both Dahua and Pepper, inside this note, we examine what the approach is, its key benefits and its major limitations.

What ** *******

*** ******* ****:

** *********** **** ******’* ********-**-*-*******, ***** Technology’s ******** ******* **** ** * comprehensive, ******, *** *******-***** ******* *********

*** ***** ******** *********** ** *** U.S., *** **** *** ***** ************** will ** ********* ** *** ****** States *** **** ** ******’* ********* cybersecurity *** **** ******* *********

***Dahua **********’* ********* *********, the Pepper partnership provides access to a set of market-leading platform and software capabilities designed to deliver video as well as non-video IoT services to end-users [emphasis added]

Consumer **** ** ** *****

**** ***** *** ****** ********* **** despite *** ******* ******* ***** ***** products, ** *******, *** ************ '********* customers', **** ** *** *** ****, at ***** *** ***. ***** ********* to **:

**** *** *********** ******** *** *********, we **** *** **** ****** *** first ***** ** ***** ***** ** theconsumer ******* ***** ** *** *********. As for further go-to-market strategies, these will be determined through additional discussions between both parties.

** **********, ****** ***** ******* ****(*****'* ******** *****, ******************) ***** ** '******-**'. ******* **** offered ******* ***** *****, ***** ** in *** **, *****'* **** ****** sold ********, ** ***** ** ***** / ****** (*.* ******* ****** ******** **** *** US ** *** **** ****).

*****'* ********** *********, ***** ** **** Dahua ***** ***** *** *** ***** typically ** *** **, ** *** included *** ***.

Pepper ** *** ********, ***** ** **** ********

*** *** ****** **** **** ** applied **, ** ** ***** ** be *** ******'* ********, **** ** the ******* *** ** *** *****, as *** ******* *****:

******’* ******* ******* ******** ****** ********, highly ****** ***** ******* *** ********* user ********* *******

**** ****** *** ******** ***** ** Dahua.

Exiting ******** *********** (*** ******'** ******)

** ** ** ********** ********. *****'* hardware *********** ** ****** ***** ** is ***** ********, **** *** ********* and *** *************, **** *** **** a *******.

** ******* *** ** *** ******** side ** ***** ******, ***** *** simultaneously ******* *** ************* *** *** government ******* ******** ** *********** ****** "We *** **** ********* ******** **** a ***** ** * *****").

Commercial ******** **********

**** ***** *** ** ** ******** for ****** ** ** **** ** the ******** / ***** ** ***** commercial ********. *******, ** ***** ************ it **** ** **** **** ***********.

*** **** ******** ******* **** ********** simple *** ******* ******** ************ *** are ******** ** ** ****** *******. So ****** *** ****** **** ***** their *** ***-**-*** ******** *** ****.

** ********, ***** ********** *******, **** almost *** ********** *******, **** **** more ************* ************ *** *************** *****-**. To ******* *** ** **** *** Dahua ********** *******, ***** ** **** difficult. ** *** *** *********** ** an ******** ****** ******* ** ***** commercial ******* *** ****** **** **** the ********** ** ** *** ** offering.

Pepper ***** ** *******

******** * ****** ****, *** ******* with ~** ********* **** ******** **$*.* ******* ****** * ******* ** March ****. ***** *** ******* ** ********** small, ** **** ********** ** **** this **** *** ******* * ****** of ***** *********** *** ****** ********* as *********.

Sales *** ********* ** ******** ****** * ***** *********

***** ***** ******** ** *********** ***** business **** *** **** ****** *** years ** *** ******** ******, ** will ** *********** ** *** **** how *****'* ********* ******* ***** (*.*., the *** ***** ****** **** ******** even *** **** *********) *** *** Dahua *** ****** ****, * ***** that ** *** *********** ** ***** America. ****** ***** **** ** *** software / ************* **** *** ***** will ***** **** ** **** ** developing ***** *** *********.

Vote / ****

Comments (17)

Undisclosed Manufacturer #1

08/22/19 06:42pm

This is a smart move for both Dahua and Pepper. Dahua needs a solution quickly and Pepper may be it. Other Chinese camera makers are likely to consider similar plans.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed #2

08/22/19 07:23pm

if when they do move into the commercial space, you could put together a SALTO and Pepper security solution.

Agree
Disagree
Informative
Unhelpful
Funny: 18

Undisclosed Manufacturer #1

In reply to Undisclosed #2 | 08/22/19 08:03pm

The Over-the-Air updates will be called, "Push It!"

Agree
Disagree
Informative
Unhelpful
Funny: 14

John Honovich

IPVM | In reply to Undisclosed #2 | 08/22/19 08:07pm

That will be one well seasoned solution.

Agree
Disagree
Informative
Unhelpful
Funny: 6

Undisclosed #3

IPVMU Certified | 08/22/19 09:53pm

if you say it fast enough it works!

Agree: 1
Disagree
Informative
Unhelpful
Funny: 24
Avatar

Sean Nelson

Nelly's Security
08/23/19 02:55pm

First they move to Mexico, then partner with Pepper. They really spicing things up!

Agree: 1
Disagree
Informative
Unhelpful
Funny: 4

Undisclosed Manufacturer #4

In reply to Sean Nelson | 08/24/19 04:07pm

Sean’s really on a roll. Spicy Tuna Crisp maybe?

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Levy

08/23/19 04:59pm

From a cyber security level the chipsets from China can still contain embedded systems that can be used for packet relay and transmission to China. How will US consumers and the government be convinced that all components are safe considering the complexity of these devices?

Agree: 13
Disagree
Informative: 1
Unhelpful
Funny
Avatar

John Scanlan

IPVM | IPVMU Certified | In reply to Brian Levy | 08/23/19 05:53pm

I reached out to Pepper and will update here when I receive the response.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Thomas Bomberger

In reply to Brian Levy | 08/24/19 12:02am

Out if curiosity; is there a single camera or camera manufacturer that doesn't contain or use at least some components made in China, if not the whole chipset?

Agree: 1
Disagree
Informative
Unhelpful
Funny
Avatar

John Scanlan

IPVM | IPVMU Certified | In reply to Brian Levy | 08/27/19 01:59pm

Brian - thanks for the comment. Below is the response from Pepper:

It’s a good question. Cyber security in general is evolving and nothing can ever be guaranteed, devices are no different. From our experience, general cyber security protections are lacking on most IoT devices sold into the market today. We bring best practices and additional rigor to fill the gap both through direct methods of blocking/addressing vulnerabilities (using a hardened firmware, erasing flash memory before loading, etc.) and also elevated cyber security processes and controls to proactively monitor devices and identify threats through things like: lab testing of random new production samples (silicon through network/communication), long-term monitoring of communications in a lab environment, penetration tests, etc..

In summary, your readers comment/concern is valid, unfortunately there is no single easy answer. It is a combination of processes and procedures in place to both eliminate and proactively detect or react to various threat vectors.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny
Avatar

Brian Levy

08/24/19 06:34am

From my understanding Avigilon is wholly manufactured and made in Texas. Also, Vicon features cameras made in the USA.

Agree: 3
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Brian Levy | 08/26/19 07:14pm

Avigilon has a distribution facility in Texas, which is the primary distribution point for the USA. However, much of their products are made in Canada, which is where their other North American distribution point is on the continent. So it is North American manufacturered, but not all in the USA. And their servers are Oem-ed from someone (I think it is Dell), much like many other manufacturers.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #5

08/26/19 03:49pm

Another dog and pony show,it sounds to me like a political promise, sounds good, looks like it may work but never really lives up to the hype and a dismal failure in the end.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #6

08/26/19 05:02pm

Who will provide firmware updates to the camera? The hardware can still phone home no? Will they submit the hardware design to third party to verify that it does not include hidden code?

FW upgrades means the code can be changed anytime it suits the government.

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed End User #6 | 08/26/19 07:21pm

The hardware can still phone home no?

Theoretically, the point is that it would 'phone home' to Pepper, not Dahua.

Related, I changed the title form 'replaces' to 'to replace' to better emphasize that this is the plan but that it is not live yet.

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

John Scanlan

IPVM | IPVMU Certified | 05/13/20 04:13pm

Despite being 9 months later there is no progress to speak of. Dahua has not responded to a request for an update on this and Pepper responded with:

After checking internally, we do not have updates on the IMOU devices to share at this time.

We requested updates from both companies in light of the recent Dahua Critical Cloud Vulnerabilites.

Agree
Disagree
Informative: 1
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports