Genetec Now Detects Insecure Camera Firmware

By Brian Karas, Published Nov 29, 2017, 10:01am EST

Genetec is heavily emphasizing cyber security and cyber resilience. From initiatives like CHAVE to 2 Factor Authentication to Expelling Hikvision.

Now, Genetec Security Center will warn if you have vulnerable firmware installed on cameras. The company has released a new feature in Security Center 5.7 that keeps track of most recent firmware for installed devices, issuing a warning if devices are running out of date firmware are connected to ones Genetec system.

We examine Genetec's cyber security-focused firmware management enhancement, including when it can notify users to potentially vulnerable firmware, and where it lacks ability to warn.

Firmware ******** ********

******** ****** *.* **** the ******* ** ********* if ********* **** ******* are ******* *** **** recent ********* ********, ********* ** *******. To ****** **** *******, Genetec **** **** ******* data **** ******* ********, release *****, *** ***** information ******* ** ***** a ******** ** **** recent ********* ******** *** supported *******. **** ******** is ****** ****** *******'* cloud *******, *** ******** Center *.* (** *****) servers *** ***** **** database *** **** ******/***** type ** ******* ** find *** ****** ********* firmware. ******* ****** *** database ** **** ******* with *** ******** ************ after *** ******* *** verified *** ******* *** compatibility **** ******** ******.

***** **** ******* * notification **** *** ******** is ******** *** * device ** ***** *******, and *** **** *** a ****** ********, ***** using ********* ********* ************ **** ** ** *.*.

** *** ********* ****** report *****, ***** *** 186 ***** ******* ********, 183 ******* (** ****) have ** *********** *******, 1 ****** (***) *** an ****** *** * known *************, *** * (green) **** **** *********** updates *** ******* ***** other **** ***************:

******* **** *** ******* firmware ******** ** ******* regularly, ***** ** ******** releases **** ********.

No ************/*** ********

********* ** *******, ** support ********* ** ******** to ******* ******* ******** update *************. *******, *** Security ****** ****** **** need *** ******, ** order ** ******** *** latest ******** ******** *********** from *******.

No ********* *******

*** ******** ******* ******* only ******** ***** **** a ***** ******* ** firmware ** ********* *** a ******. ** **** not ************* ********, ** install, ******** *** ******** devices, ******* ******* ***** tasks ** ************** ** perform.

Only ***** *** ***** ***************/******

******* ******* ****** ** information **** ************* ** order ** ******* *** firmware ******** *** ******* notes, **** *** ******* to **** ********* **** manufacturers *******. ** * manufacturer **** *** **** it ***** **** * given ******** ******* ********* particular ***************, ******* **** not ** **** ** fully ********** *** ***** associated **** *** ******** firmware. ************, ** *************** have *** **** **********, or ******** *********, ***** may ** ******* ********** firmware **** ** ******** Center ******* ** ** being ** ** ****. Again, **** ** *** to ******* **** ***** able ** **** ** known *********** ***** ******** vulnerabilities ** *****.

Manufacturers *********

******* ****** **** ******** updates *** *** ******** are ********* *********, *** noted **** **** *** more ******** *********** *** the ********* *************:

*******
****
*****
******
*********
*********
*****
****
*******

******* ******* ** **** the ******** ****** ****** agnostic, ********* * **** of ******* ******** *** as **** ************* ** they *** *** ****** to.

Hikvision ********

************** ******** ********* ********* devices *** ******* **** ** will ******* ********* *******/******** as **** ** *** firmware ******** ******* *** and *** *** *********** future.

Progressive *******

** ** **** *******, we *** *** ***** of *** ***** ***** that *********** ****** ***** when ****** ******** *** be *** ** ****, particularly *** *** ***** devices. **** *********, **** as ********, **** ********* to ****** ******** ************* and ******* *** ***** own ******* *****, ***** is ****** ** ********* ** it ** ****** *** * manufacturer ** **** ***** of ***** *** ******** updates *** ********.

Poll / ****

Comments (10)

Jesse Crawford

OpenEye | 11/29/17 03:22pm

This is a great feature! Nice work Genetec.

Randy Lines

11/29/17 04:41pm

It would be cool if they ran a hash on the firmware as well as opposed to version numbers to be sure that spoofed firmware was not a threat.

Great Initiative by Genetek.

On the topic of Genetec, I am looking forward to HIK coming back into the fold. Some tension between VMS and manufacturer has the potential to can make both better. Full on war makes them both look a bit worse.

Great article.

rbl

Ian Johnston

In reply to Randy Lines | 12/03/17 08:01pm

Getting a hash of the firmware that is already loaded in the camera, is practically impossible. In order for this to work, the VMS has to be able to execute the hash of the flash chip, or else the firmware just lies and gives the VMS something it wants to hear.

What we need is a means to have the VMS read the firmware signatures to verify that the firmware build was in fact generated by the manufacturer.

Code signing isn't a silver bullet, but it makes it incrementally more difficult to have rogue firmware loaded in the device.

Undisclosed #2

IPVMU Certified | In reply to Ian Johnston | 12/03/17 09:40pm

Jeff Junker

Dell Technologies CVSS
11/29/17 05:19pm

This is an important aspect of solution integrity that minimizes use of additional external tools. Trusted certificate management is another area that should be examined for future automation of security policies.

bashis mcw

11/29/17 05:41pm

Interesting and good stuff

Undisclosed Manufacturer #1

11/29/17 07:02pm

Perhaps IPVM could compile a list of unsecured firmware versions also :-)

Kenton Peterson

11/29/17 07:08pm

Great feature. Definitely a value-add piece to sell with all of the concern over cyber security at the moment. However it would be nice if you could just download a file from GTAP and then throw it on a USB to load it onto the Security Center server to update all of the firmware info that way, rather than needing internet access on the SC server.

Andrew Elvish

Genetec Inc.
In reply to Kenton Peterson | 11/29/17 07:50pm

Hi Kenton,

This is indeed part of the design. The Genetec Update Service can act as a proxy so that Security Center does not need to be connected to the internet. Your RSM can provide you with more details.

Undisclosed Integrator #3

12/04/17 01:39am

It's innovations in the cyber-security field that is the next step for VMS companies. As some have said, not a perfect system, but a heck of a lot better than nothing. A very progressive, relevant and competitive move by Genetec. (From a dealer whose product on occasion goes head to head with Genetec.)

Read this IPVM report for free.

This article is part of IPVM's 6,736 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.