Hikvision FIPS 140-2 Cybersecurity Certification Examined

By: IPVM Team, Published on Aug 27, 2018

A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certification from the US government with Hikvision touting it as "another important milestone in Hikvision's cybersecurity program."

Many rightfully wondered: Had the US government changed its mind? Is the US government contradicting itself? Is Hikvision now backdoor free?

Here are key findings from our research:

  • The certification does not cover nor address backdoors nor cybersecurity vulnerabilities.
  • Hikvision has, undisclosed, rebranded the widely used open source OpenSSL as 'HikSSL' for the certification.
  • The 15+ year-old specification is rarely, if ever, required by US government agencies for video surveillance.
  • While the move is a marketing one, for Hikvision it is money well spent to help booster its brand, especially with its supporters and employees.

Inside, we examine each of these points in-depth.

Cryptography, *** ***************

**** ***-* ******* ** the "******** ************ *** ************* Modules", ***** **-**** *************, **** updated ** ****, ********.

** **** *** ***** general *********** ******* *** *************** in ** *********** *********. Rather *** ***** ** on *** ********* ** data **********, ****** *******, and ****** *** ************.

*** ** ********** *** a "************* ****** ********** *******", ***** ********* *************** conformant ** **** ***-*. There *** *,***+ ****** certifications (*** *** ******** ** *******-* ********* Modules).

* ************* ****** *****, starting **** ***** * (Software ****) ** ***** 4, **** *** ***** 3 ****** ******** ********** hardware **********.

Hikvision *************

********* ******** * ***** 1 ******** ************* ** July **** (***: ********* **** ***-* ***********), ******* *****:

*********'* ******** ***** ******* said **** ***** '********' were ********* *** ********* subsequently ******* ** ** clarify **** **** *** software ****** ***, *** their ******** (****: ******** can ** ********* *** Hikvision *** *** ****). The ****** ****** *** be ****, *** *** tested, **** ***** ** cameras *** ****.

HikSSL = **** ****** *******

***** ********* ***** '******', it ** * ******* / ******* ** *******. Indeed, *** **** *********** **** * **** version, ** ** ********* (see ******* **** ******) *** *** ************* is ********* ******* *** the **** * ***** as **** ******* *** made, ********* *****:

* ****** ** ********* use ******* *** ***** own **************, ****** ***** credit ** *******, ** the ******* ***** ************* *** *************:

*** *******,******* ******************* ** **** **** one ****** ** ******* is ** ******* * different ** ******* / version:

***** *** ******* **** is ** ****** ****** new ********* ******* ** their **** ************, ** rebranded *** ******* ******. We *** ** *** process ** ****** ******* 8.1, ****** * & 7, *** ****** **.** as ****** ************** ** our **** *********** (** cannot *** *** ********* systems ** *** ******** OpenSSL ************ ** **** is *** ** *********). If * *** ****** needs ** *** *** OpenSSL **** ****** ** their ******** **** ******* CentOS *** ******* (*** example), **** ** *** quickly ******* * **** certificate ** **** *******'* name **** ***** ********* systems ****** ** ****** Configurations.

***** ********* ***** ** credit ** ******* ** its ********* *** **********, the *** (*****) ********* the ********** ****** ** *********'* FIPS ***-* ************* **** *********** *** *** of *******:

*** ********* **** *********** the ************* ** **** any *** ***** ** enhancements **** ** ** recertified **** *** **********, limiting ***********.

Not ** ******** ******** / ******* ******** ********

**** ****** ** *** available ** ********* ******** firmware, ********* ** ********* technical *******. ** *** want ** **** **** FIPS ********, ** ********* you ******* *********.

Rarely ******** ** ***** ************

*******, ***** *** ********** crypotography is ****** ********* ** video ************ *************, *** certification ****** ** ***. Despite, ** ******* ******* of *** ***, **** 140-2 ************* *** **** widely ******* ** ********** buyers ** ***** ************ products.

*******, * ******* **** not **** ** ** certified ******, ** *** own ****, ** **** as **** *** * validated ******. ****** ********:

** ** ********* ** note **** ********** ************ are ****** *** ************* *******. * ****** *** ****** ** ** ******** ********* ** * ******* ** application, ** * ******** ******* ** *** ** ******. 

Bosch ******* **** ***-* ***** *

***** ***** **** **** what **** ****** ** a '******* ******** ******' ** * *****-***** FIPS ***-* ***** * certified **** ******** ** their ** *******. ***** acknowledged, ******, **** ** is **** *** ********** buyers ** ******* **** certification. *******, ***** **** there *** ***** ******** of ****** *** ****, rather **** * ******** module, *** ********* ******* OS / *********** ********.

$50,000+ **** *** *********

** ******** * **** of $**,***+ *** *********, with $**,*** **** ** the ** ********** / NIST, $**,*** ******* ******* to **** *** ***** Lab **** ********** **** to ***** *** *** Hikvision's *** **** / ****** to *** *** **********.

Marketing **** *****

**** ** ********* *** not ****** *** ** government ***, ***** ** is ******, ** ****, required **********, ** ***** ******** have **** ** * practical ****** ** **** deployments.

*** * ****** ******* company, ** ***** *** be ***** $**,***+ *** a ***** *******, *** as ******** **********-*** ************, ** ** ***** it. **** ***-* ** such ** ******* **** that *** **** **** the ******* ** **. Plus, ** **** ******* impressive-sounding ********* ***** *** a '**********' ** *** US **********.

**** ********* ***** ** widely ********** (**** *** elsewhere), **** *** ************** trying ** ** ******** they *** ** ******* their *****.

Not ********* ** *** **, ********* ** ***** *** ******

*** *********** ********** ** this ** ****, ** date, ********* *** ********* this ** ***** *** in ****** *** *** the ** (*** ** *** ** press ******* ****, *** ** ********* USA ******** **** [**** no ****** *********],*** ** ********* *** Twitter). **** ** ******** counterintuitive ***** **** ** a ** *************.

Comments (13)

John Honovich

IPVM | 08/27/18 04:39pm

Two other notes that did not make the post but are worth emphasizing:

  • Hikvision should be commended for updating its press release correcting a technical error after IPVM reported it (i.e., saying the 'products' were certified when the module was what was certified, not the 'products'). Despite their displeasure with us, they did reasonably list and incorporate feedback, showing openness for accuracy.
  • KeyPair Consulting, a specialist in FIPS 140-2 was a helpful source for those interested in pursuing such certification (e.g., see their FIPS 140-2 certification statistics and the FIPS 140-2 Inside paper).

Undisclosed #1

08/27/18 05:08pm

This is just further evidence of Hikvision's ongoing propaganda warfare campaign to try and detract from their multiple cyber security vulnerabilities and inherently insecure code base.

The way Hikvision tried to position this is an indication of active deception, IMO, and a clear indicator that their cyber security vulnerabilities are hurting their reputation and sales. That they choose to pursue marketing campaigns like this release, their "cyber security myths" farce, and such, rather than fix their vulnerable products, tells you where their intentions really are rooted.

Meanwhile, Hikvision's top partners will continue to actively block the fact they are being misled by the company and use this to placate themselves while they offer their customers products that place their networks and infrastructure under constant threat.

I will give Hikvision credit though, they really understand how poorly their key partners understand cyber security, and are creative in finding ways to appear responsible while doing almost no real work in securing their code. 

FIPS Level 1 is a cyber security participation trophy. Hik can put that on the shelf with their other useless industry awards for their partners to admire.

Avatar

Ethan Ace

IPVM | 08/27/18 05:17pm

Update: This module is not available in Hikvision standard firmware according to Hikvision technical support. If you want or need this FIPS firmware, we recommend you contact Hikvision.

We've added this note to the report.

Undisclosed #1

In reply to Ethan Ace | 08/27/18 05:22pm

Nice, so this really is just a "trophy", its not even in production firmware.

Undisclosed Manufacturer #2

08/27/18 06:02pm

Give them a chance. I'd think they would release a suite of firmware to take advantage of this.

Undisclosed Integrator #3

08/27/18 06:51pm

As a marketing campaign, this was brilliant.  I received calls from a few end-users who we have refused business with Hikvision in the past.  They were telling me how Hikvision has changed and they are all about cyber security now.  For those of us who have worked on government contracts, we know how easy the Level-1 certification is and how truly unremarkable it is.

With the new government (and potential city(s)) bans, was this anything more than a marketing stunt?

Matt Buyukozer

08/27/18 07:49pm

There's a typo under the "$50,000+ Cost For Hikvision" section. It shows $11,00 paid to the US government.

Avatar

Jon Dillabaugh

Pro Focus LLC
08/27/18 09:49pm

I have to think this was a requirement for a large project that they wanted to land. I see this less as a marketing driven deal than a reactionary action due to an end users requirements. After the fact, the marketing dept then is using it to do their best to repair whatever credibility they have remaining.

John Honovich

IPVM | In reply to Jon Dillabaugh | 08/27/18 10:17pm

I have to think this was a requirement for a large project that they wanted to land.

I think that's reasonable. Hikvision has not said that publicly but it is a plausible assumption.

What still is a bit confusing is why they went through the trouble of doing their own and hiding OpenSSL when they could have, for less money and hassle, partnered / used an existing option. That is the part that signals it being more marketing than project / deal driven.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to John Honovich | 08/27/18 10:18pm

I think the rebranding is an effort to differentiate from a competitor, maybe Dahua?

Undisclosed Manufacturer #4

08/28/18 07:10am

I think the reason why they rebranded the already certified OpenSSL is to save money.

Check this link: http//keypair.us/2017/09/maintaining-a-fips-140-2-certificate/

Quote: "There are two alternative scenarios for 1SUBs.  Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. Note: A NIST fee is applicable for Alternative Scenarios 1A and 1B."

I guess this was much cheaper than starting the process from scratch. The license agreement of OpenSSL gives you a lot of freedom, so it's no problem to rename the software.

 

John Honovich

IPVM | 09/11/18 12:54pm

Update: Hikvision USA has still not issued a press release for this but they did post a blog post on September 5th copying the HQ / Europe press release.

Avatar

Ryan Anderson

09/26/19 07:54pm

Just had the new Hikvision rep come through my door and smirk at me because we don't use their products. Told me about their FIPS certification and that a few "bloggers" have given Hikvision a bad name. Had to agree to disagree and thanked him for his time :)

Read this IPVM report for free.

This article is part of IPVM's 6,536 reports, 881 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

School District Admits Not Following FDA Guidelines With 144, No Blackbody, Hikvision Fever Cameras on Aug 21, 2020
The Baldwin County School District has admitted it is not following FDA...
Hikvision Admits Minority Recognition, Now Claims Canceled on Jul 23, 2020
For the first time, Hikvision has directly addressed its minority recognition...
Huawei Releases a 'Fever' Smartphone on Jun 16, 2020
Fever cameras, fever tablets, fever helmets, fever sunglasses, fever guns,...
Alabama Schools Million Dollar Hikvision Fever Camera Deal on Aug 11, 2020
The Baldwin County, Alabama public schools purchased a $1 million, 144-camera...
Clinton Public View Monitor (PVM) Mask Detection Tested on Jul 09, 2020
Face mask detection, or more specifically not wearing one, is expanding...
Hikvision Illicitly Uses Back To The Future In Marketing on Jul 03, 2020
NBCUniversal told IPVM that Hikvision UK's ongoing coronavirus marketing...
UK Firm Markets False Fever Screening, Hikvision Disavows on Jun 30, 2020
A UK security firm falsely claimed its Hikvision-based thermal solution could...
Favorite Network Switches 2020 on Aug 31, 2020
Cisco has long been the gorilla of network switches but would an upstart...
Ink Labs Relabels China YCX Fever Camera And Steals Dahua's Marketing on Jul 30, 2020
A US company marketed a 'thermal temperature scanner' as its own, selling...
Avigilon Face Mask Detection Tested on Jun 24, 2020
Face mask detection or, more specifically not wearing a face mask, is an...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
White House Expands Dahua Hikvision Blacklist To Federal Funding [Final Rule Reverses] on Aug 13, 2020
The White House is expanding the NDAA to blacklist anyone who "uses" banned...
The Insecure Verkada Access Control System on Jun 25, 2020
While Verkada touts the security of its system and that how their new door...
Hikvision Salespeople: We Don't Need A Blackbody on May 13, 2020
Dahua jumped out on its cross-town rival selling fever cameras but Hikvision...
Openpath Raises $36 Million on Jul 16, 2020
Openpath has raised $36 million as 2020 has become a boom year for access...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...