Genetec CEO Warns Against Insider Threats

Is this the same 'rival' we are seeking aid to stop North Korea?

No. This is the US 'rival' who is the primary trading partner of North Korea. This is the US 'rival' who defends North Korea as a buffer and counter to South Korea and the US. This is the US 'rival', who along with North Korea, are two of three top cyber attackers of the US.

This is also the US 'rival' who is the owner of your business partner - the Hangzhou Hikvision Digital Technology Co. Ltd.

This is the People's Republic of China.

If you don't want to see it you will never see it no matter how many times its spelled out. Head, stuck and sand are words that spring to mind...

Hahaha, I thought the same thing. I respect his loyalty though, however misguided it may seem to people who haven't drank the Dahua and Hikvision Kool-aid.

Please don't single out Marty, it's possible he didn't vote at all.  It could be Russian hackers trying to sway the IPVM polls.

He is a just trying to keep his team employed and profitable.  

Besides, there were two who didn't care.

I don't find it impressive - it's simple business strategy. Hikvision is one of their biggest threats on the recording side. People who buy Hikvision aren't likely to be good Genetec customers anyway.

Your wish was granted!  

Hackers detected and publicly posted a very simple way to access and disable HIK cameras that aren't running the very latest firmware, across many OEM/ODM brands as well.

IPVM referenced the original postings in a different discussion, they didn't do the "hacking" themselves from what I read.

This thread was about the "who cares" attitude many have and Genetec's warning that guarding the gate still leaves the refrigerator accessible for those already inside to raid.

There would be no benefit to dissuading the use of any brand of camera for Genetec, except the rumor that they feared HIK's entry into the Enterprise market.  Do you believe they have gone through all this for that reason?

I'm sure if another manufacturer creeps up on HIK's track record for security issues and doesn't disclose them until caught, Genetec will pounce on that as well, regardless of whom.

If a "bad guy" gains control (access to the operating system, e.g. Telnet) of one camera in your network, he can do many things.
Usually his goal will be to stay undetected to use the camera for followup attacks against more interesting targets. The camera is just a tool/relay for additional attacks.

He can use the camera to gain control of computers in that network. If you do not have a VLAN or dedicated network, gaining control about ERP-Systems might be very interesting, for example.

He can spread malware in your network.

He can utilize ARP spoofing (https://en.wikipedia.org/wiki/ARP_spoofing) to control the flow of data in your network. This way he could redirect the traffic between 2 computers through the camera and he can use the camera to record all the traffic to analyze it and e.g. find passwords.

So many options :-)

Wikipedia: Anatomy of an ARP spoofing attack

The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

For those wanting to see JD and others debate this go here, no need to rewrite the entire discussion.

There are still some issues with your suggestion of separate networks when there's a good number of cameras:

• Arranging a physically separate network that does not share any cabling, switching or routing with anything else is very expensive unless you only have a couple of cameras, and is one of the major reasons to use IP cameras as no extra cabling after the initial investment to network infrastructure is needed in case something needs to be moved around or more cameras need to be installed.
• No connectivity and no Internet basically also means that providing updates and accurate system time needs extra effort, so some compromises may be needed for manageability.
• In centralized management of distributed sites, there's likely a separate network administrator team or depending on the operation, perhaps each site has their own. Getting things implemented in a certain way may be difficult even if you could justify the price, and the overhead of managing all of it yourself is significant in all but the tiniest of installations. These network managers and installers - trusted as they are - have opportunities to access devices or data that doesn't belong to them.
• If we're talking serious insider threats, I would also count in the network teams and at minimum anyone who has a big keyring and gets physical access to switches. Probably the same guy who cabled the physically separate surveillance network, or even the portier who opened the cabinet door for him. Physical security and privilege management is really hard when there's a lot of people involved.
• Any glaring holes such as poor key handling will in the end defeat most protective measures. An outsider could notice that an office building has Hikvision cameras for example and realizes they would just need brief access to the switch cabinet - the simplest, fairly non-technical approach - to plug in their tiny wireless network tap in the right ports to perhaps own the building or just scout around. All they need now is to put on overalls, sweet talk the guy to let them change a supposedly broken network cable at the prominent switching cabinet near the reception and not spend too much time there. All an insider would need to do is to walk to the cabinet and open it themselves, and they could do it as many times as needed to ensure success, likely without anyone questioning it.

Easy and consistent software exploits with the devices involved may act as motivation for someone to overcome any initial hurdles with the security. A grave exploit for a camera like the Hikvision one and awareness of it is exactly something that makes people ponder if the camera next to them is safe or not. If they can tell only half of the problem needs to be solved, it lowers the bar:

Maybe they didn't consider robbing a consumer tech warehouse before, but after Jane Doe arrived to the office for the second morning of her new job at the waybill archive, she had just prior evening read about the poor state of security in building services engineering in general, and also saw a headline about an easy hack in certain cameras. As a CS bachelor, she was proficient with computers yet a bit naïve, not expecting that the switch room was kept unlocked and unmonitored at all times, and it was just around the corner on the way to the bathroom. After two weeks she yielded to her curiosity, planted a RaspberryPi to the cabinet and noticed the server for the electronic locks was constantly broadcasting on the network. Sitting at her desk, seemingly working but also idly poking around the network with her mobile, she was confronted by harsh reality: the default password worked and she could now manage all locks and fob privileges, disable cameras as needed and do many other things to hide her tracks. Not that she was evil or anything, but she thought it was pretty rad.

Jane switched jobs after she felt uneasy keeping a straight face with her colleagues. The extra ten or so MacBooks and other nifty gear she took home - one at a time - should make up for it though, she thinks. She at least still has her extra master fob to sell to someone if she needs cash.

The fictional example above is just slightly based on reality - though in reality security was even worse. Obviously some scenarios may be unlikely in practice due to details in life, but the bigger the reward, the more effort someone will put in, and some security goofs are actually much more common than they ought to be - as we know.