Genetec Now Detects Insecure Camera Firmware

By Brian Karas, Published Nov 29, 2017, 10:01am EST (Info+)

Genetec is heavily emphasizing cyber security and cyber resilience. From initiatives like CHAVE to 2 Factor Authentication to Expelling Hikvision.

Now, Genetec Security Center will warn if you have vulnerable firmware installed on cameras. The company has released a new feature in Security Center 5.7 that keeps track of most recent firmware for installed devices, issuing a warning if devices are running out of date firmware are connected to ones Genetec system.

We examine Genetec's cyber security-focused firmware management enhancement, including when it can notify users to potentially vulnerable firmware, and where it lacks ability to warn.

Firmware ******** ********

******** ****** *.* **** *** ******* to ********* ** ********* **** ******* are ******* *** **** ****** ********* firmware, ********* ** *******. ** ****** this *******, ******* **** **** ******* data **** ******* ********, ******* *****, and ***** *********** ******* ** ***** a ******** ** **** ****** ********* firmware *** ********* *******. **** ******** is ****** ****** *******'* ***** *******, and ******** ****** *.* (** *****) servers *** ***** **** ******** *** each ******/***** **** ** ******* ** find *** ****** ********* ********. ******* claims *** ******** ** **** ******* with *** ******** ************ ***** *** company *** ******** *** ******* *** compatibility **** ******** ******.

***** **** ******* * ************ **** new ******** ** ******** *** * device ** ***** *******, *** *** also *** * ****** ********, ***** using ********* ********* ************ **** ** ** *.*.

** *** ********* ****** ****** *****, there *** *** ***** ******* ********, 183 ******* (** ****) **** ** recommended *******, * ****** (***) *** an ****** *** * ***** *************, and * (*****) **** **** *********** updates *** ******* ***** ***** **** vulnerabilities:

******* **** *** ******* ******** ******** is ******* *********, ***** ** ******** releases **** ********.

No ************/*** ********

********* ** *******, ** ******* ********* is ******** ** ******* ******* ******** update *************. *******, *** ******** ****** server **** **** *** ******, ** order ** ******** *** ****** ******** database *********** **** *******.

No ********* *******

*** ******** ******* ******* **** ******** users **** * ***** ******* ** firmware ** ********* *** * ******. It **** *** ************* ********, ** install, ******** *** ******** *******, ******* leaving ***** ***** ** ************** ** perform.

Only ***** *** ***** ***************/******

******* ******* ****** ** *********** **** manufacturers ** ***** ** ******* *** firmware ******** *** ******* *****, **** are ******* ** **** ********* **** manufacturers *******. ** * ************ **** not **** ** ***** **** * given ******** ******* ********* ********** ***************, Genetec **** *** ** **** ** fully ********** *** ***** ********** **** the ******** ********. ************, ** *************** have *** **** **********, ** ******** disclosed, ***** *** ** ******* ********** firmware **** ** ******** ****** ******* it ** ***** ** ** ****. Again, **** ** *** ** ******* only ***** **** ** **** ** known *********** ***** ******** *************** ** fixes.

Manufacturers *********

******* ****** **** ******** ******* *** all ******** *** ********* *********, *** noted **** **** *** **** ******** information *** *** ********* *************:

  • *******
  • ****
  • *****
  • ******
  • *********
  • *********
  • *****
  • ****
  • *******

******* ******* ** **** *** ******** checks ****** ********, ********* * **** of ******* ******** *** ** **** manufacturers ** **** *** *** ****** to.

Hikvision ********

************** ******** ********* ********* ******* *** ******* **** ** **** ******* Hikvision *******/******** ** **** ** *** firmware ******** ******* *** *** *** the *********** ******. 

Progressive *******

** ** **** *******, ** *** not ***** ** *** ***** ***** that *********** ****** ***** **** ****** firmware *** ** *** ** ****, particularly *** *** ***** *******. **** companies, **** ** ********, **** ********* to ****** ******** ************* *** ******* for ***** *** ******* *****, ***** is ****** ** ********* ** ** ** ****** for * ************ ** **** ***** of ***** *** ******** ******* *** releases.

Poll / ****

Comments (10)

Jesse Crawford

OpenEye | 11/29/17 03:22pm

This is a great feature! Nice work Genetec.

Agree: 7
Disagree
Informative
Unhelpful
Funny

Randy Lines

11/29/17 04:41pm

It would be cool if they ran a hash on the firmware as well as opposed to version numbers to be sure that spoofed firmware was not a threat. 

Great Initiative by Genetek.

On the topic of Genetec, I am looking forward to HIK coming back into the fold. Some tension between VMS and manufacturer has the potential to can make both better. Full on war makes them both look a bit worse.

Great article.

rbl

Agree: 1
Disagree
Informative
Unhelpful
Funny

Ian Johnston

In reply to Randy Lines | 12/03/17 08:01pm

Getting a hash of the firmware that is already loaded in the camera, is practically impossible.  In order for this to work, the VMS has to be able to execute the hash of the flash chip, or else the firmware just lies and gives the VMS something it wants to hear.

What we need is a means to have the VMS read the firmware signatures to verify that the firmware build was in fact generated by the manufacturer.

Code signing isn't a silver bullet, but it makes it incrementally more difficult to have rogue firmware loaded in the device.

 

Agree
Disagree
Informative: 2
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | In reply to Ian Johnston | 12/03/17 09:40pm

Related: Secure Boot Could Eliminate Botnets - But Manufacturers Ignore It

Agree: 2
Disagree
Informative
Unhelpful
Funny
Avatar

Jeff Junker

Dell Technologies CVSS
11/29/17 05:19pm

This is an important aspect of solution integrity that minimizes use of additional external tools.  Trusted certificate management is another area that should be examined for future automation of security policies.

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

bashis mcw

11/29/17 05:41pm

Interesting and good stuff

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #1

11/29/17 07:02pm

Perhaps IPVM could compile a list of unsecured firmware versions also :-)

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Kenton Peterson

11/29/17 07:08pm

Great feature. Definitely a value-add piece to sell with all of the concern over cyber security at the moment. However it would be nice if you could just download a file from GTAP and then throw it on a USB to load it onto the Security Center server to update all of the firmware info that way, rather than needing internet access on the SC server.

Agree: 3
Disagree
Informative
Unhelpful
Funny
Avatar

Andrew Elvish

Genetec Inc.
In reply to Kenton Peterson | 11/29/17 07:50pm

Hi Kenton,

This is indeed part of the design.  The Genetec Update Service can act as a proxy so that Security Center does not need to be connected to the internet.  Your RSM can provide you with more details.

Agree: 1
Disagree
Informative: 5
Unhelpful
Funny

Undisclosed Manufacturer #3

12/04/17 01:39am

It's innovations in the cyber-security field that is the next step for VMS companies. As some have said, not a perfect system, but a heck of a lot better than nothing. A very progressive, relevant and competitive move by Genetec. (From a dealer whose product on occasion goes head to head with Genetec.)

Agree
Disagree
Informative
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports