Honeywell, Dahua, Deception And Endangering US Security
Honeywell has flagrantly endangered US security for years with its hidden relabelling of PRC-made, NDAA-banned, and sanctioned Dahua products, and only now says it will stop, after the near-unanimous passage of the Secure Equipment Act directed the FCC to stop granting new authorizations for Dahua products.
Of course, in true Honeywell fashion, Honeywell says it will continue to sell these devices to Americans for another 3 months, allowing it to clear out inventory.
But none of this is new.
For example, more than 3 years ago, IPVM first published this video calling attention to this problem:
And that video came months after the US government signed into law the NDAA ban broadly prohibiting federal use of such products over cybersecurity risks.
Worse, the year before (2017), a backdoor was found in Dahua products, resulting in mass hacks of deployed Dahua devices, including Honeywell-branded ones. None of this mattered enough to Honeywell to cause it to stop.
In 2019, Honeywell defended its use of Dahua, giving a laundry list of acronyms and claimed steps it takes to ensure its Dahua products are not hacked:
Security Requirements and security controls based on industry standards and guidelines such as BSIMM, ISA/IEC 99/62443, ISO 27001, PCI DSS, GDPR, OWASP...
Binary scanning to identify open source usage and potential vulnerabilities
Our products go through a robust and comprehensive penetration testing regimen...
equIP series has a UL 2900-1 certification
And yet Honeywell's Dahua products continued to have issue after issue. Ironically, just weeks after Honeywell made this defense, Honeywell's Dahua products were impacted by a wiretapping vulnerability, which the company took weeks to confirm publicly:
Dahua continues to have all sorts of major vulnerabilities, e.g., Dahua New Critical Vulnerabilities 2021 and, just last month, Dahua Broken Access Control Vulnerability.
Honeywell can say what it wants, but the reality is that when a company resells another company's firmware, it is overwhelmingly dependent on that provider (in this case Dahua) for the cybersecurity of the device: scanning and penetration testing may find flaws, but the fixes still have to come from the original developer.
Honeywell Problem Of Trust
Putting one's label on another company's Internet-connected product is bad in general, but it is even worse when the label belongs to a company as well known to the public as Honeywell. When XYZ Security, with 3 guys and a dog, relabels Dahua, it is easier to be skeptical of who XYZ is. But when Honeywell does this, the public (outside this industry, where the practice is widely known) is more easily deceived. Indeed, in our discussions with US government officials, the fact that Honeywell does this regularly produces shock. But Honeywell is happy to make easy money.
Still, this is good news. Many said nothing would ever change and that this was all a futile effort.
This week, we learned that even Honeywell, a company committed to making easy money at the expense of US security, has its limits. Getting there took (1) various critical vulnerabilities, (2) the NDAA ban, (3) sanctions for human rights abuses, (4) Dahua being added to a list of national security threats, and (5) the passage of the Secure Equipment Act.
But Honeywell is taking action, albeit only after a few more months in which it can sell off its remaining inventory to American buyers, one last time.