DMP / SecureCom NDAA And Security Risks Examined

Published Apr 19, 2023 14:15 PM

DMP is standing by Hikvision, arguing that its app's secret communication with Hikvision (which IPVM recently exposed) and its extensive inclusion of Hikvision code do not violate the NDAA.


Moreover, the company emphasized to IPVM that a separate company named "SecureCom Wireless" provides the app, though also admitting those companies have common ownership.

In this note, we examine DMP's responses to IPVM and the risk of violating the NDAA.

Cloud ************ ** *********

*** *** **** *** ******, *** main ******* ** *** ******* ***** connectivity *** ************** ** ********* **** DMP (** ********* ********, *** ******* company) *** ******** **** **********.

************** ****** **** * **** ** Internet ************** * ******* ** ************* ******** but ** **** ****, *** ******** via ********* ******** *** ************* ******** back ** *********.

DMP **** ***** *** **********

**** ** **** **** ********** ******* the ***** ****** *******-******** ** **** Hikvision ***** *** ********** ****** ********** and ***** ********** ** **** ** Hikvision *** ** ****** ***** *******, it ***** *** ******.

*******,*** ***** ******** "*** ********* ********’* **** ******* name ** ********"***"*** ***** ****** *** *******, ***** or ***** ***********".

SecureCom ********

*** ********* ** ******** ****** ******* ******* ****** ***, ******** **** ** ** ******** by * ******** *******,********* ********, ****** ***** ********* **** *** companies **** ****** *********.

*** ***** ****** ********* ******** ** an ********* ** *** ******** **** week:

** ******* ******** ** **** ******** article *** ********* **** ********** ********, and ****** *** ***/** **** ******* publish ** ********* *********** **** ***** parties ********* **** ***** ** ********* with ***’* ******** ** *********** ************, DMP ******** **** **** *********** **** the Virtual ******™ *********** ** ******** ** ********* ********, ***, *** *** ***. The Licensing Agreement end users, including IPVM, accept in order to use the Virtual Keypad™ application is provided by SecureCom Wireless, LLC, and companies contract with SecureCom Wireless, LLC to provide the Virtual Keypad™ remote functionality to end users. [emphasis added]

*****, ***'* *******, ********* ***** ********* Wireless, ***** ** ********* ******** ***** its ************ **** ***, ***** ********** that *** *** *** ******* *** app *** *** ********* **** **** share ****** *********:

*** **** *** ******* ******* ******™. As **** *** **** *****, ******* Keypad™ ** *** ******* ** ***. Virtual ******™ ** ******** ** ********* and ********* **** *** ********* **** a *** ********...

********** ** ****’* ******* *******,and ********* ***** ****** *********. ******* *** *** *********. [******** *****]

DMP / ********* ******** ****** **********

*** *** ********* ******** ******* **** common ********** *** *********, ** ***'* attorney ************ ********. ******** ********:

*** ****** ********* ** *** ******* "family" *****'* *** ***** ***********.

NDAA ******

*** **** * ****** ** ****** about *** **** ***********, ******** **** one ***** ******:

*. ***** *** *** ******** *** does *** ***** *** ******* ****************** equipment *** **** *** ***** *** products **** *********** **** ******* ****************** equipment, ********* *********;

*. *** **** *** *** *** covered ****************** ********* ** ********, ********* Hikvision, ** *** ********, ** *** operations, ** *** *** ************* *********; and

*. *** *** ** ******* ******™ and/orHikvision ******** ** ******** *** *** necessary ********** *** *** ****** ******** or *********** ** * *** ******.

*** **** ** ******* ******* **** just *** ********* *** *** **** covers "*********** **********" ** ****.

***'* ******** ******** **:

*** **** **** *** ******** ********* Virtual ******™. ** *** ******* **** states, “[*]* *** *** ***** ** any ************ ************* ***** **** ****** as ***** * ‘***********’ *********…”. *******, FAR **.***-**(*) ********* ******* “*********** *** essential *********” ** “*** ********* ********* for *** ****** ******** ** *********** of * ***** ** *********, ******, or *******.” ** **** *** ********** noted *** * ** **** *** are *****, * ********* ***** ********, or *** ***** ******* ****************** ********* or ********, ** *** * ********* necessary *** *** ****** ******** ** performance ** *** ******* ******™ ***. The ***** ******** ** *** **** does *** ******** ** ********* ****** from ********* ******* ******™ *** ****’* position ** ******* *****.

** ****** **** ***'* ******** **** the ********* ***** ******** ***** **** not ***** ** ***** *** *** with *** **** (****** *** ******* lack ** **** *********** *** *** doorbell ******) *** *** ********* ******** app********* ** ******* ********* ***** ********* and ************* **** ************* ********* *** ****.

***'* ******** *********, ********** ******** ** SecureCom ********:

*** *****, *** *’* ********* ****’* investigation, ** *** ******* **** ********* that “******* ****** ** ***** **** a *********** ****** ** ********* ****.” The ******* ******™ *** *** ******* and ********** ***** ****, **** ****** code *** ***** ** ***** *** Virtual ******™ *** ***** ** ******* to * ********* ***** ********. **** your ********* **** *** ********* ***** doorbell ** *** ** ********* ***** of ********* *** * *** ******, the ******* **** ***** *** *** application ** *********** **** *** ***** doorbell ** *** * *********** ** essential ********* ** ******* ******™. *** plain ******** ** *** **.***-** **** not ******** ** ********* ****** **** procuring ******* ******™ *** ****’* ******** is ******* *****.

*******, *** *********** ******* *** *** SecureCom ** ******** ** ****’* ********* NDAA ********. *** ***** ******** ********* to ********** ******* *** ***** * GSA ********, ***** ********* ***** ********* and ******** ******* ******* ******™. *********, which **** *** **** * *** contract, ****** *** ******* ******™ *********** capable ** ********* ****** ************* ** a *** ******. ***** ** ** communication, ** ******* ** ***********, ******* DMP’s ******* ****** ** *** ***** equipment *** ****** ***** *** *** contract *** *** ********* ***** ********. Any *** *** ************* **** *** Hikvision ***** ********,the ******* ****** ** ****’* *******, ** ******* ** *** ******* ******™ *** ******* ** *********.

***********, *** **** *** ****’* ********* concerns ********* *** *********** ** *** 52.204-25 ** ******* ******™ *******, ***IPVM’s ******** ***** ***** ** ********* – ** ****** **** **** *** **** * *** ********, *** *** ***. [emphasis added]

** ******* *** ** ******* ***** about *** *** ******** ** *** NDAA ******* ******* ** ******* ******** and *****, ********** ** ******* ***** funds *** ***** *** *** *** or ***** *********** *******.

*** "***********" ****** ** *** **** is ***** ** *** *** **** risk ** **** / ***** ********. The ** ********** **** *** ******* define **** ****** ** * "***********" component. **** *** *** ***** **** the ******* ****** *** **** ******* Hikvision **** *** *** *** **** communicate ******** **** *********'* ***** ******** but ** **** "***********"?

** ******* **** ********* **** ********* from * ******* *** ************* **** that ******* ** "***********", **** **** so **** **** ******* ** ****** on ******** ** ******* ********** ****** lists. ***** ***'* ****** ** * historically ******* ******** ** *** ******* US *****, ******* ********, *** ***********, we ***** **** ******** **** ** spend **** ****** ********** ***** *** contracts *** ***** ******* **** ***** entity *** **** ***** ******** ********.

Comments (9)
Donald Maye
Apr 19, 2023

**** ***** ***'* ******* *******, **** Early, ** ** ********** ********* *** if ***, *** ****. ***** **********, Early ********* ******* ** ** *** authorized ** *********** ** ****** ** SecureCom, *** *** ** ***** ** anyone *** **** ********** ** ** so:

* **** *** **** ********** ** communicate **** **** ** ****** ** SecureCom ********* **** *******. ** **** point, * ** *** ***** **** anyone *** **** ********** ** ********** to ********* ********* ********, *** ******* to ****’* ****** ********.

George Peffer
Apr 19, 2023
PCSystems.BIZ

** ******* ***** ** **** *******:

*** ***** *** ****. ******* ****** by ******* ** ********** ***** ********, and *** ***** *** **** ** reputation ** ******** ****** ** *** and ******* ** **** *** ***** non-compliant.

******* *** ***** *** ******** ****** the ****** ** *********** *** ****** to **** ******. **** ***** ***** be ****** *** ******* ***** *****.

Undisclosed #1
Apr 19, 2023

**** ********* ********** *** **** *** all ********* **** ******* ******** ********* to **** * ******** **** ** Materials (****) ********* **** ********** ******** solution. **** ****** ********* ******* ********** of *** **** **** *** **** provided ** * *****-*****, ***** ** any *********** ********* ******** ****** ********, and ********* **** *** ********** ********** protocols ** ******** ********* **** *** manufacturer ******** ** ******* **. ********* -******** **** ** ********* (****) | CISA

John Honovich
Apr 19, 2023
IPVM
Mark Jones
Apr 19, 2023

************* ******, *** *** * *** video ********, *** **-**. ***** ** is ***, * ******* ** ** be * ******** ******* *** **** be **** ** ******** *** ********* concerns.

Undisclosed #2
Apr 19, 2023

**** ******** ** ** *** ****** functionality - ********** ** * ********* video ******** *********/*********, *** **** ** the *** ***** ****** - **** that **** ********* *** * **** door ** *** *** *** ********* the ****** ************* *** *** ********?

" *** ******* ******™ *** *** existed *** ********** ***** ****, **** before **** *** ***** ** ***** the ******* ******™ *** ***** ** connect ** * ********* ***** ********. Like **** ********* **** *** ********* video ******** ** *** ** ********* piece ** ********* *** * *** system, *** ******* **** ***** *** the *********** ** *********** **** *** video ******** ** *** * *********** or ********* ********* ** ******* ******™."

"...****** *** ******* ******™ *********** ******* of ********* ****** ************* ** * DMP ******."

bashis mcw
Apr 19, 2023

***** ** ** ******** ** *** communication ******* *** *** "******* ******" app *** *** *** ******, ** appears **** *** ********* ********* ***** DoorBell **** ** ********* ** *** Hikvision ***** *****, *** *** *** "Virtual ******" *** **** ******* *** serial ****** ** *** ********* ********* Video ******** ** ********* ******* **** it ******* *** *****. *******, *** significant ***** ** **** *** *** "Virtual ******" *** ********** ********* *** connection ** *** ********* ***** ***** without *** ******** ** *** ********* Video ********, *** *** *** ********** will **** ** ********* **** *** doorbell ** *******.

* ***'* ***** ********* *** ****** to *** *** "******* ******" ***, but * ** ***** ********* ***** does **** ****** ** *** ********* Hikvision ***** ********.

Salvador Gutierrez
Apr 21, 2023

**** *** ** ***** **** * sold *** ******* * ******* *** a ******* ******** **** ** ** where ** ********* ** *** ****** WITHOUT *** ******* ******. ******** **** sites ****** *** ****** ** * virtual ****** ** **** **** ********* in **** *****, * ****** **** out ** ** ******* ** *** information * *** ** *** **** of **** (****). * **** **** on *** ************ ** *** ***** on ***** ************ ********* ** ***** RFP.

** *** ******* **** *** *****. I **** * *******!

*** ******* ****** *** *** ***** is ** "*****".

Tim Ballman
Apr 26, 2023

** *** *** ***** ******* ****** our ********** ********** *** ******* **** a *** ***** *** **** ***** product **** ** ****** ********* ** our ******** ********* *** *** ******* refused ** ****** ** *** ********...** they **** * ******** *** **** with ***** **** ***** *** ***'* be ******* **** *** ****** ***********
