Cryptography, *** ***************
**** ***-* ******* ** the "******** ************ *** ************* Modules", ***** **-**** *************, **** updated ** ****, ********.
** **** *** ***** general *********** ******* *** *************** in ** *********** *********. Rather *** ***** ** on *** ********* ** data **********, ****** *******, and ****** *** ************.
*** ** ********** *** a "************* ****** ********** *******", ***** ********* *************** conformant ** **** ***-*. There *** *,***+ ****** certifications (*** *** ******** ** *******-* ********* Modules).
* ************* ****** *****, starting **** ***** * (Software ****) ** ***** 4, **** *** ***** 3 ****** ******** ********** hardware **********.
Hikvision *************
********* ******** * ***** 1 ******** ************* ** July **** (***: ********* **** ***-* ***********), ******* *****:
*********'* ******** ***** ******* said **** ***** '********' were ********* *** ********* subsequently ******* ** ** clarify **** **** *** software ****** ***, *** their ******** (****: ******** can ** ********* *** Hikvision *** *** ****). The ****** ****** *** be ****, *** *** tested, **** ***** ** cameras *** ****.
HikSSL = **** ****** *******
***** ********* ***** '******', it ** * ******* / ******* ** *******. Indeed, *** **** *********** **** * **** version, ** ** ********* (see ******* **** ******) *** *** ************* is ********* ******* *** the **** * ***** as **** ******* *** made, ********* *****:
* ****** ** ********* use ******* *** ***** own **************, ****** ***** credit ** *******, ** the ******* ***** ************* *** *************:
*** *******,******* ******************* ** **** **** one ****** ** ******* is ** ******* * different ** ******* / version:
***** *** ******* **** is ** ****** ****** new ********* ******* ** their **** ************, ** rebranded *** ******* ******. We *** ** *** process ** ****** ******* 8.1, ****** * & 7, *** ****** **.** as ****** ************** ** our **** *********** (** cannot *** *** ********* systems ** *** ******** OpenSSL ************ ** **** is *** ** *********). If * *** ****** needs ** *** *** OpenSSL **** ****** ** their ******** **** ******* CentOS *** ******* (*** example), **** ** *** quickly ******* * **** certificate ** **** *******'* name **** ***** ********* systems ****** ** ****** Configurations.
***** ********* ***** ** credit ** ******* ** its ********* *** **********, the *** (*****) ********* the ********** ****** ** *********'* FIPS ***-* ************* **** *********** *** *** of *******:
*** ********* **** *********** the ************* ** **** any *** ***** ** enhancements **** ** ** recertified **** *** **********, limiting ***********.
Not ** ******** ******** / ******* ******** ********
**** ****** ** *** available ** ********* ******** firmware, ********* ** ********* technical *******. ** *** want ** **** **** FIPS ********, ** ********* you ******* *********.
Rarely ******** ** ***** ************
*******, ***** *** ********** crypotography is ****** ********* ** video ************ *************, *** certification ****** ** ***. Despite, ** ******* ******* of *** ***, **** 140-2 ************* *** **** widely ******* ** ********** buyers ** ***** ************ products.
*******, * ******* **** not **** ** ** certified ******, ** *** own ****, ** **** as **** *** * validated ******. ****** ********:
** ** ********* ** note **** ********** ************ are ****** *** ************* *******. * ****** *** ****** ** ** ******** ********* ** * ******* ** application, ** * ******** ******* ** *** ** ******.
Bosch ******* **** ***-* ***** *
***** ***** **** **** what **** ****** ** a '******* ******** ******' ** * *****-***** FIPS ***-* ***** * certified **** ******** ** their ** *******. ***** acknowledged, ******, **** ** is **** *** ********** buyers ** ******* **** certification. *******, ***** **** there *** ***** ******** of ****** *** ****, rather **** * ******** module, *** ********* ******* OS / *********** ********.
$50,000+ **** *** *********
** ******** * **** of $**,***+ *** *********, with $**,*** **** ** the ** ********** / NIST, $**,*** ******* ******* to **** *** ***** Lab **** ********** **** to ***** *** *** Hikvision's *** **** / ****** to *** *** **********.
Marketing **** *****
**** ** ********* *** not ****** *** ** government ***, ***** ** is ******, ** ****, required **********, ** ***** ******** have **** ** * practical ****** ** **** deployments.
*** * ****** ******* company, ** ***** *** be ***** $**,***+ *** a ***** *******, *** as ******** **********-*** ************, ** ** ***** it. **** ***-* ** such ** ******* **** that *** **** **** the ******* ** **. Plus, ** **** ******* impressive-sounding ********* ***** *** a '**********' ** *** US **********.
**** ********* ***** ** widely ********** (**** *** elsewhere), **** *** ************** trying ** ** ******** they *** ** ******* their *****.
Not ********* ** *** **, ********* ** ***** *** ******
*** *********** ********** ** this ** ****, ** date, ********* *** ********* this ** ***** *** in ****** *** *** the ** (*** ** *** ** press ******* ****, *** ** ********* USA ******** **** [**** no ****** *********],*** ** ********* *** Twitter). **** ** ******** counterintuitive ***** **** ** a ** *************.
Comments (13)
John Honovich
Two other notes that did not make the post but are worth emphasizing:
Create New Topic
Undisclosed #1
This is just further evidence of Hikvision's ongoing propaganda warfare campaign to try and detract from their multiple cyber security vulnerabilities and inherently insecure code base.
The way Hikvision tried to position this is an indication of active deception, IMO, and a clear indicator that their cyber security vulnerabilities are hurting their reputation and sales. That they choose to pursue marketing campaigns like this release, their "cyber security myths" farce, and such, rather than fix their vulnerable products, tells you where their intentions really are rooted.
Meanwhile, Hikvision's top partners will continue to actively block the fact they are being misled by the company and use this to placate themselves while they offer their customers products that place their networks and infrastructure under constant threat.
I will give Hikvision credit though, they really understand how poorly their key partners understand cyber security, and are creative in finding ways to appear responsible while doing almost no real work in securing their code.
FIPS Level 1 is a cyber security participation trophy. Hik can put that on the shelf with their other useless industry awards for their partners to admire.
Create New Topic
Ethan Ace
Update: This module is not available in Hikvision standard firmware according to Hikvision technical support. If you want or need this FIPS firmware, we recommend you contact Hikvision.
We've added this note to the report.
Create New Topic
Undisclosed Manufacturer #2
Give them a chance. I'd think they would release a suite of firmware to take advantage of this.
Create New Topic
Undisclosed Integrator #3
As a marketing campaign, this was brilliant. I received calls from a few end-users who we have refused business with Hikvision in the past. They were telling me how Hikvision has changed and they are all about cyber security now. For those of us who have worked on government contracts, we know how easy the Level-1 certification is and how truly unremarkable it is.
With the new government (and potential city(s)) bans, was this anything more than a marketing stunt?
Create New Topic
Matt Buyukozer
There's a typo under the "$50,000+ Cost For Hikvision" section. It shows $11,00 paid to the US government.
Create New Topic
Jon Dillabaugh
08/27/18 09:49pm
I have to think this was a requirement for a large project that they wanted to land. I see this less as a marketing driven deal than a reactionary action due to an end users requirements. After the fact, the marketing dept then is using it to do their best to repair whatever credibility they have remaining.
Create New Topic
Undisclosed Manufacturer #4
I think the reason why they rebranded the already certified OpenSSL is to save money.
Check this link: http//keypair.us/2017/09/maintaining-a-fips-140-2-certificate/
Quote: "There are two alternative scenarios for 1SUBs. Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. Note: A NIST fee is applicable for Alternative Scenarios 1A and 1B."
I guess this was much cheaper than starting the process from scratch. The license agreement of OpenSSL gives you a lot of freedom, so it's no problem to rename the software.
Create New Topic
John Honovich
Update: Hikvision USA has still not issued a press release for this but they did post a blog post on September 5th copying the HQ / Europe press release.
Create New Topic
Ryan Anderson
Just had the new Hikvision rep come through my door and smirk at me because we don't use their products. Told me about their FIPS certification and that a few "bloggers" have given Hikvision a bad name. Had to agree to disagree and thanked him for his time :)
Create New Topic