This is a great feature! Nice work, Genetec.
Genetec Now Detects Insecure Camera Firmware
Genetec is heavily emphasizing cyber security and cyber resilience, with initiatives ranging from CHAVE to 2 Factor Authentication to expelling Hikvision.
Now, Genetec Security Center will warn if you have vulnerable firmware installed on cameras. The company has released a new feature in Security Center 5.7 that keeps track of the most recent firmware for installed devices, issuing a warning if devices running out-of-date firmware are connected to one's Genetec system.
We examine Genetec's cyber security-focused firmware management enhancement, including when it can notify users of potentially vulnerable firmware, and where it lacks the ability to warn.
Firmware ******** ********
******** ****** *.* **** *** ******* to ********* ** ********* **** ******* are ******* *** **** ****** ********* firmware, ********* ** *******. ** ****** this *******, ******* **** **** ******* data **** ******* ********, ******* *****, and ***** *********** ******* ** ***** a ******** ** **** ****** ********* firmware *** ********* *******. **** ******** is ****** ****** *******'* ***** *******, and ******** ****** *.* (** *****) servers *** ***** **** ******** *** each ******/***** **** ** ******* ** find *** ****** ********* ********. ******* claims *** ******** ** **** ******* with *** ******** ************ ***** *** company *** ******** *** ******* *** compatibility **** ******** ******.
***** **** ******* * ************ **** new ******** ** ******** *** * device ** ***** *******, *** *** also *** * ****** ********, ***** using ********* ********* ************ **** ** ** *.*.
** *** ********* ****** ****** *****, there *** *** ***** ******* ********, 183 ******* (** ****) **** ** recommended *******, * ****** (***) *** an ****** *** * ***** *************, and * (*****) **** **** *********** updates *** ******* ***** ***** **** vulnerabilities:
******* **** *** ******* ******** ******** is ******* *********, ***** ** ******** releases **** ********.
No ************/*** ********
********* ** *******, ** ******* ********* is ******** ** ******* ******* ******** update *************. *******, *** ******** ****** server **** **** *** ******, ** order ** ******** *** ****** ******** database *********** **** *******.
No ********* *******
*** ******** ******* ******* **** ******** users **** * ***** ******* ** firmware ** ********* *** * ******. It **** *** ************* ********, ** install, ******** *** ******** *******, ******* leaving ***** ***** ** ************** ** perform.
Only ***** *** ***** ***************/******
******* ******* ****** ** *********** **** manufacturers ** ***** ** ******* *** firmware ******** *** ******* *****, **** are ******* ** **** ********* **** manufacturers *******. ** * ************ **** not **** ** ***** **** * given ******** ******* ********* ********** ***************, Genetec **** *** ** **** ** fully ********** *** ***** ********** **** the ******** ********. ************, ** *************** have *** **** **********, ** ******** disclosed, ***** *** ** ******* ********** firmware **** ** ******** ****** ******* it ** ***** ** ** ****. Again, **** ** *** ** ******* only ***** **** ** **** ** known *********** ***** ******** *************** ** fixes.
Manufacturers *********
******* ****** **** ******** ******* *** all ******** *** ********* *********, *** noted **** **** *** **** ******** information *** *** ********* *************:
- *******
- ****
- *****
- ******
- *********
- *********
- *****
- ****
- *******
******* ******* ** **** *** ******** checks ****** ********, ********* * **** of ******* ******** *** ** **** manufacturers ** **** *** *** ****** to.
Hikvision ********
************** ******** ********* ********* ******* *** ******* **** ** **** ******* Hikvision *******/******** ** **** ** *** firmware ******** ******* *** *** *** the *********** ******.
Progressive *******
** ** **** *******, ** *** not ***** ** *** ***** ***** that *********** ****** ***** **** ****** firmware *** ** *** ** ****, particularly *** *** ***** *******. **** companies, **** ** ********, **** ********* to ****** ******** ************* *** ******* for ***** *** ******* *****, ***** is ****** ** ********* ** ** ** ****** for * ************ ** **** ***** of ***** *** ******** ******* *** releases.
Poll / ****
It would be cool if they ran a hash on the firmware as well as opposed to version numbers to be sure that spoofed firmware was not a threat.
Great initiative by Genetec.
On the topic of Genetec, I am looking forward to HIK coming back into the fold. Some tension between VMS and manufacturer has the potential to make both better. Full-on war makes them both look a bit worse.
Great article.
rbl
Getting a hash of the firmware that is already loaded in the camera is practically impossible. In order for this to work, the VMS has to be able to execute the hash of the flash chip, or else the firmware just lies and gives the VMS something it wants to hear.
What we need is a means to have the VMS read the firmware signatures to verify that the firmware build was in fact generated by the manufacturer.
Code signing isn't a silver bullet, but it makes it incrementally more difficult to have rogue firmware loaded in the device.
This is an important aspect of solution integrity that minimizes use of additional external tools. Trusted certificate management is another area that should be examined for future automation of security policies.
Interesting and good stuff
Perhaps IPVM could compile a list of unsecured firmware versions also :-)
Great feature. Definitely a value-add piece to sell with all of the concern over cyber security at the moment. However, it would be nice if you could just download a file from GTAP and then throw it on a USB to load it onto the Security Center server to update all of the firmware info that way, rather than needing internet access on the SC server.
Hi Kenton,
This is indeed part of the design. The Genetec Update Service can act as a proxy so that Security Center does not need to be connected to the internet. Your RSM can provide you with more details.
It's innovations in the cyber-security field that are the next step for VMS companies. As some have said, not a perfect system, but a heck of a lot better than nothing. A very progressive, relevant and competitive move by Genetec. (From a dealer whose product on occasion goes head to head with Genetec.)