Two other notes that did not make the post but are worth emphasizing:
Hikvision should be commended for updating its press release correcting a technical error after IPVM reported it (i.e., saying the 'products' were certified when the module was what was certified, not the 'products'). Despite their displeasure with us, they did reasonably list and incorporate feedback, showing openness for accuracy.
This is just further evidence of Hikvision's ongoing propaganda warfare campaign to try and detract from their multiple cyber security vulnerabilities and inherently insecure code base.
The way Hikvision tried to position this is an indication of active deception, IMO, and a clear indicator that their cyber security vulnerabilities are hurting their reputation and sales. That they choose to pursue marketing campaigns like this release, their "cyber security myths" farce, and such, rather than fix their vulnerable products, tells you where their intentions really are rooted.
Meanwhile, Hikvision's top partners will continue to actively block the fact they are being misled by the company and use this to placate themselves while they offer their customers products that place their networks and infrastructure under constant threat.
I will give Hikvision credit though, they really understand how poorly their key partners understand cyber security, and are creative in finding ways to appear responsible while doing almost no real work in securing their code.
FIPS Level 1 is a cyber security participation trophy. Hik can put that on the shelf with their other useless industry awards for their partners to admire.
Update: This module is not available in Hikvision standard firmware according to Hikvision technical support. If you want or need this FIPS firmware, we recommend you contact Hikvision.
As a marketing campaign, this was brilliant. I received calls from a few end-users who we have refused business with Hikvision in the past. They were telling me how Hikvision has changed and they are all about cyber security now. For those of us who have worked on government contracts, we know how easy the Level-1 certification is and how truly unremarkable it is.
With the new government (and potential city(s)) bans, was this anything more than a marketing stunt?
I have to think this was a requirement for a large project that they wanted to land. I see this less as a marketing driven deal than a reactionary action due to an end users requirements. After the fact, the marketing dept then is using it to do their best to repair whatever credibility they have remaining.
I have to think this was a requirement for a large project that they wanted to land.
I think that's reasonable. Hikvision has not said that publicly but it is a plausible assumption.
What still is a bit confusing is why they went through the trouble of doing their own and hiding OpenSSL when they could have, for less money and hassle, partnered / used an existing option. That is the part that signals it being more marketing than project / deal driven.
I think the reason why they rebranded the already certified OpenSSL is to save money.
Check this link: http//keypair.us/2017/09/maintaining-a-fips-140-2-certificate/
Quote: "There are two alternative scenarios for 1SUBs. Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. Note: A NIST fee is applicable for Alternative Scenarios 1A and 1B."
I guess this was much cheaper than starting the process from scratch. The license agreement of OpenSSL gives you a lot of freedom, so it's no problem to rename the software.
Update: Hikvision USA has still not issued a press release for this but they did post a blog post on September 5th copying the HQ / Europe press release.
Just had the new Hikvision rep come through my door and smirk at me because we don't use their products. Told me about their FIPS certification and that a few "bloggers" have given Hikvision a bad name. Had to agree to disagree and thanked him for his time :)
