Hikvision FIPS 140-2 Cybersecurity Certification Examined

By IPVM Team, Published Aug 27, 2018, 12:40pm EDT

A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certification from the US government with Hikvision touting it as "another important milestone in Hikvision's cybersecurity program."

Many rightfully wondered: Had the US government changed its mind? Is the US government contradicting itself? Is Hikvision now backdoor-free?

Here are key findings from our research:

  • The certification does not cover or address backdoors or cybersecurity vulnerabilities.
  • Hikvision has, without disclosing it, rebranded the widely used open-source OpenSSL as 'HikSSL' for the certification.
  • The 15+ year-old specification is rarely, if ever, required by US government agencies for video surveillance.
  • While the move is a marketing one, for Hikvision it is money well spent to help bolster its brand, especially with its supporters and employees.

Inside, we examine each of these points in depth.


Comments (13)

Two other notes that did not make the post but are worth emphasizing:

  • Hikvision should be commended for updating its press release correcting a technical error after IPVM reported it (i.e., saying the 'products' were certified when the module was what was certified, not the 'products'). Despite their displeasure with us, they did reasonably list and incorporate feedback, showing openness for accuracy.
  • KeyPair Consulting, a specialist in FIPS 140-2, was a helpful source for those interested in pursuing such certification (e.g., see their FIPS 140-2 certification statistics and the FIPS 140-2 Inside paper).
Informative: 3

This is just further evidence of Hikvision's ongoing propaganda warfare campaign to try and detract from their multiple cyber security vulnerabilities and inherently insecure code base.

The way Hikvision tried to position this is an indication of active deception, IMO, and a clear indicator that their cyber security vulnerabilities are hurting their reputation and sales. That they choose to pursue marketing campaigns like this release, their "cyber security myths" farce, and such, rather than fix their vulnerable products, tells you where their intentions really are rooted.

Meanwhile, Hikvision's top partners will continue to actively block the fact they are being misled by the company and use this to placate themselves while they offer their customers products that place their networks and infrastructure under constant threat.

I will give Hikvision credit though, they really understand how poorly their key partners understand cyber security, and are creative in finding ways to appear responsible while doing almost no real work in securing their code. 

FIPS Level 1 is a cyber security participation trophy. Hik can put that on the shelf with their other useless industry awards for their partners to admire.

Agree: 6 | Disagree: 3 | Funny: 1

Update: This module is not available in Hikvision standard firmware according to Hikvision technical support. If you want or need this FIPS firmware, we recommend you contact Hikvision.

We've added this note to the report.

Informative: 3 | Funny: 1

Nice, so this really is just a "trophy", it's not even in production firmware.

Agree: 2 | Disagree: 2 | Funny: 3

Give them a chance. I'd think they would release a suite of firmware to take advantage of this.

Disagree: 2 | Funny: 1

As a marketing campaign, this was brilliant. I received calls from a few end-users who we have refused business with Hikvision in the past. They were telling me how Hikvision has changed and they are all about cyber security now. For those of us who have worked on government contracts, we know how easy the Level-1 certification is and how truly unremarkable it is.

With the new government (and potential city(s)) bans, was this anything more than a marketing stunt?

Agree: 2 | Funny: 1

There's a typo under the "$50,000+ Cost For Hikvision" section. It shows $11,00 paid to the US government.

Agree: 1

I have to think this was a requirement for a large project that they wanted to land. I see this less as a marketing driven deal than a reactionary action due to an end users requirements. After the fact, the marketing dept then is using it to do their best to repair whatever credibility they have remaining.


I have to think this was a requirement for a large project that they wanted to land.

I think that's reasonable. Hikvision has not said that publicly but it is a plausible assumption.

What still is a bit confusing is why they went through the trouble of doing their own and hiding OpenSSL when they could have, for less money and hassle, partnered / used an existing option. That is the part that signals it being more marketing than project / deal driven.


I think the rebranding is an effort to differentiate from a competitor, maybe Dahua?

Disagree: 1

I think the reason why they rebranded the already certified OpenSSL is to save money.

Check this link: http://keypair.us/2017/09/maintaining-a-fips-140-2-certificate/

Quote: "There are two alternative scenarios for 1SUBs. Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. Note: A NIST fee is applicable for Alternative Scenarios 1A and 1B."

I guess this was much cheaper than starting the process from scratch. The license agreement of OpenSSL gives you a lot of freedom, so it's no problem to rename the software.

Update: Hikvision USA has still not issued a press release for this but they did post a blog post on September 5th copying the HQ / Europe press release.


Just had the new Hikvision rep come through my door and smirk at me because we don't use their products. Told me about their FIPS certification and that a few "bloggers" have given Hikvision a bad name. Had to agree to disagree and thanked him for his time :)

Informative: 1 | Funny: 4