Hikvision Software Bill of Material (SBOM) Advocacy Analyzed
While Hikvision advocates for SBOMs (Software Bill of Materials) as "mission-critical component of today's cybersecurity", an IPVM review indicates Hikvision does not offer its own SBOMs publicly and refused to answer what, if any, SBOMs they would provide.
Hikvision has come under significant international scrutiny both for human rights abuses and for its cybersecurity track record (e.g., last year's report, Hikvision Has "Highest Level of Critical Vulnerability," Impacting 100+ Million Devices).
Inside this note, we examine Hikvision's promotion of SBOMs, why they matter, and Hikvision's lack of SBOMs.
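The practical reason SBOMs matter is that they let the operator of a product, not only its vendor, check the product's components against advisories and end-of-life notices. The following Python script is an added example, not part of IPVM's note and not code from Hikvision or any SBOM tool: it parses a constructed CycloneDX-style SBOM for a hypothetical firmware image and flags components that fall below an advisory's fixed version, sit on an end-of-life branch, or lack a version or supplier entry (which is exactly the gap an operator is left with when no SBOM is published). The SBOM document, the advisory identifiers (EXAMPLE-ADV-…), the component versions and the end-of-life branch are all constructed for illustration.

```python
"""Assess a CycloneDX-style SBOM against advisories and end-of-life notices.

Added example: every input below is constructed. The advisory ids are
placeholders, not real CVEs, and the firmware image does not exist.
"""
import json
import re

# Constructed CycloneDX 1.4-style SBOM for a hypothetical camera firmware image.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-camera-firmware", "version": "5.7.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u",
     "supplier": {"name": "OpenSSL Project"}},
    {"type": "library", "name": "busybox", "version": "1.31.1",
     "supplier": {"name": "BusyBox"}},
    {"type": "library", "name": "libwebserver", "version": "2.4.0"},
    {"type": "library", "name": "zlib"}
  ]
}
"""

# Constructed advisories: a component is affected when its version is below fixed_in.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "openssl", "fixed_in": "1.1.1"},
    {"id": "EXAMPLE-ADV-0002", "component": "busybox", "fixed_in": "1.30.0"},
]

# Constructed end-of-life branches, keyed by component name (prefix match on version).
SAMPLE_EOL_BRANCHES = {"openssl": "1.0.2"}


def parse_version(text):
    """Turn '1.0.2u' into (1, 0, 2); letter suffixes are ignored for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_lt(a, b):
    """True if version string a orders before b; shorter tuples are zero-padded."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def load_components(sbom_text):
    """Parse the SBOM JSON and return its component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def assess_component(component, advisories, eol_branches):
    """Return a finding dict: status is ok, affected, end-of-life or unknown."""
    name = component.get("name", "<unnamed>")
    version = component.get("version")
    notes = []
    if "supplier" not in component:
        notes.append("no supplier recorded")
    if not version:
        # Without a version nothing can be matched; this is the state of a missing SBOM.
        notes.append("no version recorded; cannot assess")
        return {"name": name, "version": None, "status": "unknown", "notes": notes}
    status = "ok"
    for adv in advisories:
        if adv["component"] == name and version_lt(version, adv["fixed_in"]):
            status = "affected"
            notes.append(f"{adv['id']}: fixed in {adv['fixed_in']}")
    branch = eol_branches.get(name)
    if branch is not None:
        prefix = parse_version(branch)
        if parse_version(version)[: len(prefix)] == prefix:
            notes.append(f"branch {branch} is end-of-life")
            if status == "ok":
                status = "end-of-life"
    return {"name": name, "version": version, "status": status, "notes": notes}


def assess_sbom(sbom_text, advisories, eol_branches):
    """Assess every component; results are keyed by component name."""
    return {
        finding["name"]: finding
        for finding in (
            assess_component(c, advisories, eol_branches)
            for c in load_components(sbom_text)
        )
    }


if __name__ == "__main__":
    for finding in assess_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES, SAMPLE_EOL_BRANCHES).values():
        print(f"{finding['name']:<14} {str(finding['version']):<8} {finding['status']:<12} "
              + "; ".join(finding["notes"]))
```

With the constructed input the script reports openssl as affected (and on an end-of-life branch), busybox as ok, libwebserver as ok but with no supplier recorded, and zlib as unknown because the SBOM gives no version for it. The version comparison is deliberately simple (numeric fields only); a production check would use the package ecosystem's own ordering rules and purl-based matching.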
[The remainder of the note, including its two further sections on Hikvision, is paywalled and appears in the source only as masked text.]