Genetec Now Detects Insecure Camera Firmware

Published Nov 29, 2017 15:01 PM

Genetec is heavily emphasizing cyber security and cyber resilience, with initiatives ranging from CHAVE to 2 Factor Authentication to expelling Hikvision.

Now, Genetec Security Center will warn if you have vulnerable firmware installed on cameras. The company has released a new feature in Security Center 5.7 that keeps track of the most recent firmware for installed devices, issuing a warning if devices running out-of-date firmware are connected to one's Genetec system.

We examine Genetec's cyber security-focused firmware management enhancement, including when it can notify users of potentially vulnerable firmware, and where it lacks the ability to warn.

Firmware ******** ********

******** ****** *.* **** *** ******* to ********* ** ********* **** ******* are ******* *** **** ****** ********* firmware, ********* ** *******. ** ****** this *******, ******* **** **** ******* data **** ******* ********, ******* *****, and ***** *********** ******* ** ***** a ******** ** **** ****** ********* firmware *** ********* *******. **** ******** is ****** ****** *******'* ***** *******, and ******** ****** *.* (** *****) servers *** ***** **** ******** *** each ******/***** **** ** ******* ** find *** ****** ********* ********. ******* claims *** ******** ** **** ******* with *** ******** ************ ***** *** company *** ******** *** ******* *** compatibility **** ******** ******.

***** **** ******* * ************ **** new ******** ** ******** *** * device ** ***** *******, *** *** also *** * ****** ********, ***** using ********* ********* ************ **** ** ** *.*.

** *** ********* ****** ****** *****, there *** *** ***** ******* ********, 183 ******* (** ****) **** ** recommended *******, * ****** (***) *** an ****** *** * ***** *************, and * (*****) **** **** *********** updates *** ******* ***** ***** **** vulnerabilities:

******* **** *** ******* ******** ******** is ******* *********, ***** ** ******** releases **** ********.

No ************/*** ********

********* ** *******, ** ******* ********* is ******** ** ******* ******* ******** update *************. *******, *** ******** ****** server **** **** *** ******, ** order ** ******** *** ****** ******** database *********** **** *******.

No ********* *******

*** ******** ******* ******* **** ******** users **** * ***** ******* ** firmware ** ********* *** * ******. It **** *** ************* ********, ** install, ******** *** ******** *******, ******* leaving ***** ***** ** ************** ** perform.

Only ***** *** ***** ***************/******

******* ******* ****** ** *********** **** manufacturers ** ***** ** ******* *** firmware ******** *** ******* *****, **** are ******* ** **** ********* **** manufacturers *******. ** * ************ **** not **** ** ***** **** * given ******** ******* ********* ********** ***************, Genetec **** *** ** **** ** fully ********** *** ***** ********** **** the ******** ********. ************, ** *************** have *** **** **********, ** ******** disclosed, ***** *** ** ******* ********** firmware **** ** ******** ****** ******* it ** ***** ** ** ****. Again, **** ** *** ** ******* only ***** **** ** **** ** known *********** ***** ******** *************** ** fixes.

Manufacturers *********

******* ****** **** ******** ******* *** all ******** *** ********* *********, *** noted **** **** *** **** ******** information *** *** ********* *************:

  • *******
  • ****
  • *****
  • ******
  • *********
  • *********
  • *****
  • ****
  • *******

******* ******* ** **** *** ******** checks ****** ********, ********* * **** of ******* ******** *** ** **** manufacturers ** **** *** *** ****** to.

Hikvision ********

************** ******** ********* ********* ******* *** ******* **** ** **** ******* Hikvision *******/******** ** **** ** *** firmware ******** ******* *** *** *** the *********** ******. 

Progressive *******

** ** **** *******, ** *** not ***** ** *** ***** ***** that *********** ****** ***** **** ****** firmware *** ** *** ** ****, particularly *** *** ***** *******. **** companies, **** ** ********, **** ********* to ****** ******** ************* *** ******* for ***** *** ******* *****, ***** is ****** ** ********* ** ** ** ****** for * ************ ** **** ***** of ***** *** ******** ******* *** releases.

Poll / ****

Comments (10)
JC
Jesse Crawford
Nov 29, 2017
OpenEye

This is a great feature! Nice work Genetec.

(7)
RL
Randy Lines
Nov 29, 2017

It would be cool if they ran a hash on the firmware as well as opposed to version numbers to be sure that spoofed firmware was not a threat. 

Great Initiative by Genetec.

On the topic of Genetec, I am looking forward to HIK coming back into the fold. Some tension between VMS and manufacturer has the potential to make both better. Full on war makes them both look a bit worse.

Great article.

rbl

(1)
IJ
Ian Johnston
Dec 03, 2017

Getting a hash of the firmware that is already loaded in the camera is practically impossible. In order for this to work, the VMS has to be able to execute the hash of the flash chip, or else the firmware just lies and gives the VMS something it wants to hear.

What we need is a means to have the VMS read the firmware signatures to verify that the firmware build was in fact generated by the manufacturer.

Code signing isn't a silver bullet, but it makes it incrementally more difficult to have rogue firmware loaded in the device.

 

(2)
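The distinction drawn in the two comments above, as an added example that is not part of the original thread or of any Genetec code: a digest checked on the management host against a vendor-published value catches a modified firmware file before it is pushed, while a digest that the camera reports about itself proves nothing. The `Camera` class, its `report_hash` method and all byte strings are hypothetical, constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a stand-in "firmware image" and the digest a
# vendor would publish for it over a trusted channel.
GOOD_IMAGE = b"vendor-firmware-build" + bytes(64)
TAMPERED_IMAGE = GOOD_IMAGE + b"modified"
PUBLISHED_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()


def image_matches_published(image: bytes, published_hex: str) -> bool:
    """Check a firmware file on the management host, before it is pushed."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, published_hex.lower())


class Camera:
    """Hypothetical device: the VMS can only ask it questions over the network."""

    def __init__(self, flash: bytes, honest: bool = True):
        self.flash = flash
        self.honest = honest

    def report_hash(self) -> str:
        # Honest firmware hashes its own flash contents. Modified firmware
        # controls the answer and can return the value the VMS expects.
        if self.honest:
            return hashlib.sha256(self.flash).hexdigest()
        return PUBLISHED_SHA256


def vms_accepts_self_report(cam: Camera) -> bool:
    """What a VMS would conclude if it trusted the device's own digest."""
    return hmac.compare_digest(cam.report_hash(), PUBLISHED_SHA256)


def audit() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "file_good": image_matches_published(GOOD_IMAGE, PUBLISHED_SHA256),
        "file_tampered": image_matches_published(TAMPERED_IMAGE, PUBLISHED_SHA256),
        "self_report_good": vms_accepts_self_report(Camera(GOOD_IMAGE)),
        "self_report_tampered": vms_accepts_self_report(
            Camera(TAMPERED_IMAGE, honest=False)),
    }


if __name__ == "__main__":
    for check, passed in audit().items():
        print(f"{check}: {'accepted' if passed else 'rejected'}")
```

The file check rejects the modified image, but the self-reported digest is accepted for both devices, which is why the reply points to signatures verified by a party other than the running firmware.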
U
Undisclosed #2
Dec 03, 2017
IPVMU Certified
(2)
Jeff Junker
Nov 29, 2017
Dell Technologies CVSS

This is an important aspect of solution integrity that minimizes use of additional external tools.  Trusted certificate management is another area that should be examined for future automation of security policies.

(3)
(1)
bm
bashis mcw
Nov 29, 2017

Interesting and good stuff

(2)
UM
Undisclosed Manufacturer #1
Nov 29, 2017

Perhaps IPVM could compile a list of unsecured firmware versions also :-)

Kenton Peterson
Nov 29, 2017

Great feature. Definitely a value-add piece to sell with all of the concern over cyber security at the moment. However it would be nice if you could just download a file from GTAP and then throw it on a USB to load it onto the Security Center server to update all of the firmware info that way, rather than needing internet access on the SC server.

(3)
Andrew Elvish
Nov 29, 2017
Genetec Inc.

Hi Kenton,

This is indeed part of the design.  The Genetec Update Service can act as a proxy so that Security Center does not need to be connected to the internet.  Your RSM can provide you with more details.

(1)
(5)
UM
Undisclosed Manufacturer #3
Dec 04, 2017

It's innovations in the cyber-security field that is the next step for VMS companies. As some have said, not a perfect system, but a heck of a lot better than nothing. A very progressive, relevant and competitive move by Genetec. (From a dealer whose product on occasion goes head to head with Genetec.)