Hikvision FIPS 140-2 Cybersecurity Certification Examined

Published Aug 27, 2018 16:40 PM

A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certification from the US government with Hikvision touting it as "another important milestone in Hikvision's cybersecurity program."

Many rightfully wondered: Had the US government changed its mind? Is the US government contradicting itself? Is Hikvision now backdoor free?

Here are key findings from our research:

  • The certification does not cover or address backdoors or cybersecurity vulnerabilities.
  • Hikvision has, without disclosing it, rebranded the widely used open source OpenSSL as 'HikSSL' for the certification.
  • The 15+ year-old specification is rarely, if ever, required by US government agencies for video surveillance.
  • While the move is a marketing one, for Hikvision it is money well spent to help bolster its brand, especially with its supporters and employees.

Inside, we examine each of these points in-depth.

Cryptography, *** ***************

**** ***-* ******* ** *** "******** ************ *** ************* *******", ***** **-**** *************, **** ******* ** 2002, ********.

** **** *** ***** ******* *********** ******* nor *************** ** ** *********** *********. Rather *** ***** ** ** *** inclusion ** **** **********, ****** *******, and ****** *** ************.

*** ** ********** *** * "************* ****** ********** *******", ***** ********* *************** ********** ** FIPS ***-*. ***** *** *,***+ ****** certifications (*** *** ******** ** *******-* ********* *******).

* ************* ****** *****, ******** **** Level * (******** ****) ** ***** 4, **** *** ***** * ****** covering ********** ******** **********.

Hikvision *************

********* ******** * ***** * ******** certification ** **** **** (***: ********* **** ***-* ***********), ******* *****:

*********'* ******** ***** ******* **** **** their '********' **** ********* *** ********* subsequently ******* ** ** ******* **** only *** ******** ****** ***, *** their ******** (****: ******** *** ** certified *** ********* *** *** ****). The ****** ****** *** ** ****, and *** ******, **** ***** ** cameras *** ****.

HikSSL = **** ****** *******

***** ********* ***** '******', ** ** a ******* / ******* ** *******. Indeed, *** **** *********** **** * **** *******, ** ** ********* (*** ******* **** ******) *** *** ************* ** ********* updated *** *** **** * ***** as **** ******* *** ****, ********* below:

* ****** ** ********* *** ******* for ***** *** **************, ****** ***** credit ** *******, ** *** ******* below ************* *** *************:

*** *******,******* ******************* ** **** **** *** ****** to ******* ** ** ******* * different ** ******* / *******:

***** *** ******* **** ** ** longer ****** *** ********* ******* ** their **** ************, ** ********* *** OpenSSL ******. ** *** ** *** process ** ****** ******* *.*, ****** 6 & *, *** ****** **.** as ****** ************** ** *** **** certificate (** ****** *** *** ********* systems ** *** ******** ******* ************ so **** ** *** ** *********). If * *** ****** ***** ** use *** ******* **** ****** ** their ******** **** ******* ****** *** Android (*** *******), **** ** *** quickly ******* * **** *********** ** that *******'* **** **** ***** ********* systems ****** ** ****** **************.

***** ********* ***** ** ****** ** OpenSSL ** *** ********* *** **********, the *** (*****) ********* *** ********** ****** ** *********'* **** ***-* certification **** *********** *** *** ** *******:

*** ********* **** *********** *** ************* is **** *** *** ***** ** enhancements **** ** ** *********** **** the **********, ******** ***********.

Not ** ******** ******** / ******* ******** ********

**** ****** ** *** ********* ** Hikvision ******** ********, ********* ** ********* technical *******. ** *** **** ** need **** **** ********, ** ********* you ******* *********.

Rarely ******** ** ***** ************

*******, ***** *** ********** ************* ** ****** supported ** ***** ************ *************, *** certification ****** ** ***. *******, ** perhaps ******* ** *** ***, **** 140-2 ************* *** **** ****** ******* by ********** ****** ** ***** ************ products.

*******, * ******* **** *** **** to ** ********* ******, ** *** own ****, ** **** ** **** use * ********* ******. ****** ********:

** ** ********* ** **** **** validation ************ *** ****** *** ************* *******. * ****** *** ****** ** ** ******** ********* ** * ******* ** ***********, ** a ******** ******* ** *** ** ******. 

Bosch ******* **** ***-* ***** *

***** ***** **** **** **** **** market ** * '******* ******** ******' ** * *****-***** **** ***-* Level * ********* **** ******** ** their ** *******. ***** ************, ******, that ** ** **** *** ********** buyers ** ******* **** *************. *******, Bosch **** ***** *** ***** ******** of ****** *** ****, ****** **** a ******** ******, *** ********* ******* OS / *********** ********.

$50,000+ **** *** *********

** ******** * **** ** $**,***+ for *********, **** $**,*** **** ** the ** ********** / ****, $**,*** minimum ******* ** **** *** ***** Lab **** ********** **** ** ***** and *** *********'* *** **** / ****** to *** *** **********.

Marketing **** *****

**** ** ********* *** *** ****** for ** ********** ***, ***** ** is ******, ** ****, ******** **********, ** would ******** **** **** ** * practical ****** ** **** ***********.

*** * ****** ******* *******, ** would *** ** ***** $**,***+ *** a ***** *******, *** ** ******** **********-*** ************, ** ** ***** **. **** 140-2 ** **** ** ******* **** that *** **** **** *** ******* to **. ****, ** **** ******* impressive-sounding ********* ***** *** * '**********' by *** ** **********.

**** ********* ***** ** ****** ********** (here *** *********), **** *** ************** trying ** ** ******** **** *** to ******* ***** *****.

Not ********* ** *** **, ********* ** ***** *** ******

*** *********** ********** ** **** ** that, ** ****, ********* *** ********* this ** ***** *** ** ****** but *** *** ** (*** ** *** ** ***** ******* page, *** ** ********* *** ******** page [**** ** ****** *********],*** ** ********* *** *******). **** ** ******** **************** ***** this ** * ** *************.

Comments (13)
John Honovich
Aug 27, 2018
IPVM

*** ***** ***** **** *** *** make *** **** *** *** ***** emphasizing:

Undisclosed #1
Aug 27, 2018

**** ** **** ******* ******** ** Hikvision's ******* ********** ******* ******** ** try *** ******* **** ***** ******** cyber ******** *************** *** ********** ******** code ****.

*** *** ********* ***** ** ******** this ** ** ********** ** ****** deception, ***, *** * ***** ********* that ***** ***** ******** *************** *** hurting ***** ********** *** *****. **** they ****** ** ****** ********* ********* like **** *******, ***** "***** ******** myths" *****, *** ****, ****** **** fix ***** ********** ********, ***** *** where ***** ********** ****** *** ******.

*********, *********'* *** ******** **** ******** to ******** ***** *** **** **** are ***** ****** ** *** ******* and *** **** ** ******* ********** while **** ***** ***** ********* ******** that ***** ***** ******** *** ************** under ******** ******.

* **** **** ********* ****** ******, they ****** ********** *** ****** ***** key ******** ********** ***** ********, *** are ******** ** ******* **** ** appear *********** ***** ***** ****** ** real **** ** ******** ***** ****. 

**** ***** * ** * ***** security ************* ******. *** *** *** that ** *** ***** **** ***** other ******* ******** ****** *** ***** partners ** ******.

Ethan Ace
Aug 27, 2018
IPVM

******: **** ****** ** *** ********* in ********* ******** ******** ********* ** Hikvision ********* *******. ** *** **** or **** **** **** ********, ** recommend *** ******* *********.

**'** ***** **** **** ** *** report.

Undisclosed #1
Aug 27, 2018

****, ** **** ****** ** **** a "******", *** *** **** ** production ********.

Undisclosed Manufacturer #2
Aug 27, 2018

**** **** * ******. *'* ***** they ***** ******* * ***** ** firmware ** **** ********* ** ****.

Undisclosed Integrator #3
Aug 27, 2018

** * ********* ********, **** *** brilliant.  * ******** ***** **** * few ***-***** *** ** **** ******* business **** ********* ** *** ****.  They **** ******* ** *** ********* has ******* *** **** *** *** about ***** ******** ***.  *** ***** of ** *** **** ****** ** government *********, ** **** *** **** the *****-* ************* ** *** *** truly ************ ** **.

**** *** *** ********** (*** ********* city(s)) ****, *** **** ******** **** than * ********* *****?

Matt Buyukozer
Aug 27, 2018

*****'* * **** ***** *** "$**,***+ Cost *** *********" *******. ** ***** $**,****** ** *** ** **********.

Jon Dillabaugh
Aug 27, 2018
Pro Focus LLC

* **** ** ***** **** *** a *********** *** * ***** ******* that **** ****** ** ****. * see **** **** ** * ********* driven **** **** * *********** ****** due ** ** *** ***** ************. After *** ****, *** ********* **** then ** ***** ** ** ** their **** ** ****** ******** *********** they **** *********.

John Honovich
Aug 27, 2018
IPVM

* **** ** ***** **** *** a *********** *** * ***** ******* that **** ****** ** ****.

* ***** ****'* **********. ********* *** not **** **** ******** *** ** is * ********* **********.

**** ***** ** * *** ********* is *** **** **** ******* *** trouble ** ***** ***** *** *** hiding ******* **** **** ***** ****, for **** ***** *** ******, ********* / **** ** ******** ******. **** is *** **** **** ******* ** being **** ********* **** ******* / deal ******.

Jon Dillabaugh
Aug 27, 2018
Pro Focus LLC

* ***** *** ********** ** ** effort ** ************* **** * **********, maybe *****?

Undisclosed Manufacturer #4
Aug 28, 2018

* ***** *** ****** *** **** rebranded *** ******* ********* ******* ** to **** *****.

***** **** ****: ****//*******.**/****/**/***********-*-****-***-*-***********/

*****: "There *** *** *********** ********* *** *****.  Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. ****: * **** *** ** ********** *** *********** ********* ** and **."

* ***** **** *** **** ******* than ******** *** ******* **** *******. The ******* ********* ** ******* ***** you * *** ** *******, ** it's ** ******* ** ****** *** software.


John Honovich
Sep 11, 2018
IPVM

******: ********* *** *** ***** *** issued * ***** ******* *** **** but ******* **** * **** **** ** September ********** *** ** / ****** ***** release.

Ryan Anderson
Sep 26, 2019

**** *** *** *** ********* *** come ******* ** **** *** ***** at ** ******* ** ***'* *** their ********. **** ** ***** ***** FIPS ************* *** **** * *** "bloggers" **** ***** ********* * *** name. *** ** ***** ** ******** and ******* *** *** *** **** :)
