Hikvision FIPS 140-2 Cybersecurity Certification Examined

By: IPVM Team, Published on Aug 27, 2018

A week after the US government passed a law banning Hikvision, Hikvision announced it had obtained a FIPS 140-2 certificate from the US government, touting it as "another important milestone in Hikvision's cybersecurity program." FIPS 140-2 is the NIST standard for cryptographic modules; a certificate is issued through the Cryptographic Module Validation Program (CMVP) and attests that one specific module implements approved algorithms correctly. It is not an assessment of the product built around that module.

Many rightfully wondered: Had the US government changed its mind? Was the US government contradicting itself? Was Hikvision now backdoor-free?

Here are key findings from our research:

  • The certification neither covers nor addresses backdoors or cybersecurity vulnerabilities; it validates only the cryptographic module's implementation of approved algorithms, not the firmware or web interface that calls it.
  • Hikvision has, without disclosing it, rebranded the widely used open source OpenSSL as 'HikSSL' for the certification.
  • The 15+ year-old specification is rarely, if ever, required by US government agencies for video surveillance.
  • While the move is a marketing one, for Hikvision it is money well spent to help bolster its brand, especially with its supporters and employees.

Inside, we examine each of these points in-depth.
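Because the certificate covers a cryptographic module rather than the camera, the practical check is to look at what a device's TLS stack actually offers on the wire. The following is an added example written for this review; it is not code from the IPVM article, from Hikvision, or from OpenSSL. It assumes OpenSSL- or IANA-style cipher-suite names and the FIPS 140-2 approved/allowed algorithm set as of 2018 (the article's date, when 3DES was still approved); the offered-suite list is a constructed sample, not a capture from any real device.

```python
"""
Map TLS cipher-suite names onto the FIPS 140-2 approved algorithm set.

A suite list made up only of approved algorithms is necessary, not
sufficient: it does not show that a validated module is present or running
in FIPS mode, and it says nothing about authentication bugs in the firmware.
"""
import socket
import ssl
from typing import Dict, List, Tuple

# Tokens that disqualify a suite outright: non-approved ciphers and hashes,
# algorithms absent from the FIPS 140-2 annexes, export grades, null
# encryption, and anonymous or non-FIPS key exchange.
REJECT_TOKENS = {
    "MD5", "RC4", "RC2", "IDEA", "SEED", "CAMELLIA", "ARIA",
    "CHACHA20", "POLY1305",
    "NULL", "EXP", "EXP1024",
    "ADH", "AECDH", "SRP",
}
# Approved bulk ciphers. 3DES (OpenSSL token "DES"+"CBC3", IANA "3DES") was
# still approved for encryption in 2018; NIST SP 800-131A withdrew it later.
APPROVED_CIPHER_TOKENS = {"AES", "AES128", "AES256"}


def classify(suite: str) -> Tuple[bool, str]:
    """Return (approved, reason) for one OpenSSL- or IANA-style suite name."""
    tokens = suite.upper().replace("_", "-").split("-")
    bad = sorted(REJECT_TOKENS.intersection(tokens))
    if bad:
        return False, "non-approved component(s): " + ", ".join(bad)
    is_3des = "CBC3" in tokens or "3DES" in tokens
    if "DES" in tokens and not is_3des:
        return False, "single DES is not FIPS approved"
    if APPROVED_CIPHER_TOKENS.intersection(tokens):
        return True, "AES"
    if is_3des:
        return True, "3DES (approved in 2018, since withdrawn)"
    return False, "no recognised approved bulk cipher"


def audit(suites: List[str]) -> Dict[str, list]:
    """Split an offered suite list into approved names and (name, reason) rejects."""
    report: Dict[str, list] = {"approved": [], "rejected": []}
    for suite in suites:
        ok, why = classify(suite)
        if ok:
            report["approved"].append(suite)
        else:
            report["rejected"].append((suite, why))
    return report


def negotiated_suite(host: str, port: int = 443) -> str:
    """Connect and return the suite the server actually picks (needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # camera certificates are usually self-signed
    ctx.verify_mode = ssl.CERT_NONE  # we only want the negotiated parameters
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]   # (name, protocol, secret_bits)


# Constructed sample: the kind of mixed list a firmware might offer when the
# bundled OpenSSL fork is not built with, or not switched into, a FIPS mode.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "RC4-MD5",
    "DES-CBC-SHA",
    "AECDH-AES128-SHA",
]

if __name__ == "__main__":
    result = audit(SAMPLE_OFFERED)
    for name in result["approved"]:
        print("approved :", name)
    for name, why in result["rejected"]:
        print("rejected :", name, "->", why)
```

Run the module directly to audit the constructed list, or feed `negotiated_suite(host)` into `classify()` against a device you are authorised to test. A clean result only tells you the crypto primitives are on the approved list; the module's validation status and the security of everything around it still have to be established separately.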


Cryptography, *** ***************

**** ***-* ******* ** the "******** ************ *** ************* Modules", ***** **-**** *************, **** updated ** ****, ********.

** **** *** ***** general *********** ******* *** *************** in ** *********** *********. Rather *** ***** ** on *** ********* ** data **********, ****** *******, and ****** *** ************.

*** ** ********** *** a "************* ****** ********** *******", ***** ********* *************** conformant ** **** ***-*. There *** *,***+ ****** certifications (*** *** ******** ** *******-* ********* Modules).

* ************* ****** *****, starting **** ***** * (Software ****) ** ***** 4, **** *** ***** 3 ****** ******** ********** hardware **********.

Hikvision *************

********* ******** * ***** 1 ******** ************* ** July **** (***: ********* **** ***-* ***********), ******* *****:

*********'* ******** ***** ******* said **** ***** '********' were ********* *** ********* subsequently ******* ** ** clarify **** **** *** software ****** ***, *** their ******** (****: ******** can ** ********* *** Hikvision *** *** ****). The ****** ****** *** be ****, *** *** tested, **** ***** ** cameras *** ****.

HikSSL = **** ****** *******

***** ********* ***** '******', it ** * ******* / ******* ** *******. Indeed, *** **** *********** **** * **** version, ** ** ********* (see ******* **** ******) *** *** ************* is ********* ******* *** the **** * ***** as **** ******* *** made, ********* *****:

* ****** ** ********* use ******* *** ***** own **************, ****** ***** credit ** *******, ** the ******* ***** ************* *** *************:

*** *******,******* ******************* ** **** **** one ****** ** ******* is ** ******* * different ** ******* / version:

***** *** ******* **** is ** ****** ****** new ********* ******* ** their **** ************, ** rebranded *** ******* ******. We *** ** *** process ** ****** ******* 8.1, ****** * & 7, *** ****** **.** as ****** ************** ** our **** *********** (** cannot *** *** ********* systems ** *** ******** OpenSSL ************ ** **** is *** ** *********). If * *** ****** needs ** *** *** OpenSSL **** ****** ** their ******** **** ******* CentOS *** ******* (*** example), **** ** *** quickly ******* * **** certificate ** **** *******'* name **** ***** ********* systems ****** ** ****** Configurations.

***** ********* ***** ** credit ** ******* ** its ********* *** **********, the *** (*****) ********* the ********** ****** ** *********'* FIPS ***-* ************* **** *********** *** *** of *******:

*** ********* **** *********** the ************* ** **** any *** ***** ** enhancements **** ** ** recertified **** *** **********, limiting ***********.

Not ** ******** ******** / ******* ******** ********

**** ****** ** *** available ** ********* ******** firmware, ********* ** ********* technical *******. ** *** want ** **** **** FIPS ********, ** ********* you ******* *********.

Rarely ******** ** ***** ************

*******, ***** *** ********** crypotography is ****** ********* ** video ************ *************, *** certification ****** ** ***. Despite, ** ******* ******* of *** ***, **** 140-2 ************* *** **** widely ******* ** ********** buyers ** ***** ************ products.

*******, * ******* **** not **** ** ** certified ******, ** *** own ****, ** **** as **** *** * validated ******. ****** ********:

** ** ********* ** note **** ********** ************ are ****** *** ************* *******. * ****** *** ****** ** ** ******** ********* ** * ******* ** application, ** * ******** ******* ** *** ** ******. 

Bosch ******* **** ***-* ***** *

***** ***** **** **** what **** ****** ** a '******* ******** ******' ** * *****-***** FIPS ***-* ***** * certified **** ******** ** their ** *******. ***** acknowledged, ******, **** ** is **** *** ********** buyers ** ******* **** certification. *******, ***** **** there *** ***** ******** of ****** *** ****, rather **** * ******** module, *** ********* ******* OS / *********** ********.

$50,000+ **** *** *********

** ******** * **** of $**,***+ *** *********, with $**,*** **** ** the ** ********** / NIST, $**,*** ******* ******* to **** *** ***** Lab **** ********** **** to ***** *** *** Hikvision's *** **** / ****** to *** *** **********.

Marketing **** *****

**** ** ********* *** not ****** *** ** government ***, ***** ** is ******, ** ****, required **********, ** ***** ******** have **** ** * practical ****** ** **** deployments.

*** * ****** ******* company, ** ***** *** be ***** $**,***+ *** a ***** *******, *** as ******** **********-*** ************, ** ** ***** it. **** ***-* ** such ** ******* **** that *** **** **** the ******* ** **. Plus, ** **** ******* impressive-sounding ********* ***** *** a '**********' ** *** US **********.

**** ********* ***** ** widely ********** (**** *** elsewhere), **** *** ************** trying ** ** ******** they *** ** ******* their *****.

Not ********* ** *** **, ********* ** ***** *** ******

*** *********** ********** ** this ** ****, ** date, ********* *** ********* this ** ***** *** in ****** *** *** the ** (*** ** *** ** press ******* ****, *** *********** *** ******** ****,*** ** ********* *** Twitter). **** ** ******** counterintuitive ***** **** ** a ** *************.

Comments (13)

*** ***** ***** **** did *** **** *** post *** *** ***** emphasizing:

**** ** **** ******* evidence ** *********'* ******* propaganda ******* ******** ** try *** ******* **** their ******** ***** ******** vulnerabilities *** ********** ******** code ****.

*** *** ********* ***** to ******** **** ** an ********** ** ****** deception, ***, *** * clear ********* **** ***** cyber ******** *************** *** hurting ***** ********** *** sales. **** **** ****** to ****** ********* ********* like **** *******, ***** "cyber ******** *****" *****, and ****, ****** **** fix ***** ********** ********, tells *** ***** ***** intentions ****** *** ******.

*********, *********'* *** ******** will ******** ** ******** block *** **** **** are ***** ****** ** the ******* *** *** this ** ******* ********** while **** ***** ***** customers ******** **** ***** their ******** *** ************** under ******** ******.

* **** **** ********* credit ******, **** ****** understand *** ****** ***** key ******** ********** ***** security, *** *** ******** in ******* **** ** appear *********** ***** ***** almost ** **** **** in ******** ***** ****. 

**** ***** * ** a ***** ******** ************* trophy. *** *** *** that ** *** ***** with ***** ***** ******* industry ****** *** ***** partners ** ******.

******: **** ****** ** not ********* ** ********* standard ******** ********* ** Hikvision ********* *******. ** you **** ** **** this **** ********, ** recommend *** ******* *********.

**'** ***** **** **** to *** ******.

****, ** **** ****** is **** * "******", its *** **** ** production ********.

**** **** * ******. I'd ***** **** ***** release * ***** ** firmware ** **** ********* of ****.

** * ********* ********, this *** *********.  * received ***** **** * few ***-***** *** ** have ******* ******** **** Hikvision ** *** ****.  They **** ******* ** how ********* *** ******* and **** *** *** about ***** ******** ***.  For ***** ** ** who **** ****** ** government *********, ** **** how **** *** *****-* certification ** *** *** truly ************ ** **.

**** *** *** ********** (and ********* ****(*)) ****, was **** ******** **** than * ********* *****?

*****'* * **** ***** the "$**,***+ **** *** Hikvision" *******. ** ***** $**,****** ** *** ** government.

* **** ** ***** this *** * *********** for * ***** ******* that **** ****** ** land. * *** **** less ** * ********* driven **** **** * reactionary ****** *** ** an *** ***** ************. After *** ****, *** marketing **** **** ** using ** ** ** their **** ** ****** whatever *********** **** **** remaining.

* **** ** ***** this *** * *********** for * ***** ******* that **** ****** ** land.

* ***** ****'* **********. Hikvision *** *** **** that ******** *** ** is * ********* **********.

**** ***** ** * bit ********* ** *** they **** ******* *** trouble ** ***** ***** own *** ****** ******* when **** ***** ****, for **** ***** *** hassle, ********* / **** an ******** ******. **** is *** **** **** signals ** ***** **** marketing **** ******* / deal ******.

* ***** *** ********** is ** ****** ** differentiate **** * **********, maybe *****?

* ***** *** ****** why **** ********* *** already ********* ******* ** to **** *****.

***** **** ****: ****//*******.**/****/**/***********-*-****-***-*-***********/

*****: "There *** *** *********** ********* *** *****.  Alternative Scenario 1A allows for rebranding of an already validated OEM module. Alternative Scenario 1B allows a different Lab than the original testing Lab to review the non-security relevant changes to the module. ****: * **** *** ** ********** *** *********** Scenarios ** *** **."

* ***** **** *** much ******* **** ******** the ******* **** *******. The ******* ********* ** OpenSSL ***** *** * lot ** *******, ** it's ** ******* ** rename *** ********.

******: ********* *** *** still *** ****** * press ******* *** **** but ******* **** * **** post ** ********* ********** *** ** / Europe ***** *******.

**** *** *** *** Hikvision *** **** ******* my **** *** ***** at ** ******* ** don't *** ***** ********. Told ** ***** ***** FIPS ************* *** **** a *** "********" **** given ********* * *** name. *** ** ***** to ******** *** ******* him *** *** **** :)
