Hikvision FIPS 140-2 Cybersecurity Certification Examined
A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certification from the US government, touting it as "another important milestone in Hikvision's cybersecurity program."
Many rightfully wondered: Had the US government changed its mind? Is the US government contradicting itself? Is Hikvision now backdoor free?
Here are key findings from our research:
- The certification neither covers nor addresses backdoors or cybersecurity vulnerabilities.
- Hikvision has, without disclosing it, rebranded the widely used open source OpenSSL as 'HikSSL' for the certification.
- The 15+ year-old specification is rarely, if ever, required by US government agencies for video surveillance.
- While the move is a marketing one, for Hikvision it is money well spent to help boost its brand, especially with its supporters and employees.
Inside, we examine each of these points in-depth.
[Reader comment, mostly masked by the paywall; only the quoted passage is legible] "Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module."