Honeywell, Dahua, Deception And Endangering US Security

JH
John Honovich
Published Feb 04, 2022 15:18 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

Honywell has flagrantly endangered US security for years, with its hidden relabelling of PRC-made, NDAA-banned, and sanctioned Dahua products, only now saying it will stop after the near-unanimous passage of the Secure Equipment Act ordered the FCC to ban new authorizations of Dahua products.

Of course, in truly Honeywell fashion, Honeywell says they will continue to sell these devices to Americans for another 3 months, allowing them to clear out inventory.

But none of this is new.

For example, more than 3 years ago, IPVM first published this video calling attention to this problem:

And that video came months after the US government signed a law widely banning such products use for cybersecurity risks.

Worse, the year before (2017), a backdoor was found in Dahua products resulting in mass hacks of deployed Dahua devices, including Honeywell. None of this mattered enough to Honeywell to cause them to stop.

Defense Invalidated

In 2019, Honeywell defended their use of Dahua, giving a laundry list of various acronyms and claimed steps that they make to ensure their Dahua products are not hacked:

Security Requirements and security controls based on industry standards and guidelines such as BSIMM, ISA/IEC 99/62443, ISO 27001, PCI DSS, GDPR, OWASP...

Industry insights delivered to your inbox weekly.

Sign up to get notified of new reports, investigations, research and more.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Binary scanning to identify open source usage and potential vulnerabilities

Our products go through a robust and comprehensive penetration testing regimen...

equIP series has a UL 2900-1 certification

And yet Honeywell's Dahua products continued with issue after issue. Ironically, just weeks after Honeywell made this defense, Honeywell's Dahua products were impacted by a wiretapping vulnerability which the company delayed for weeks in confirming publicly:

IPVM Image

Dahua continues to have all sorts of major vulnerabilities, e.g., Dahua New Critical Vulnerabilities 2021 and just last month Dahua Broken Access Control Vulnerability.

Honeywell can say what it wants but the reality is when a company takes software from someone else, they are overwhelmingly dependent on the provider (in this case Dahua) for the cybersecurity of the device.

Honeywell Problem Of Trust

Putting one's label on another company's Internet product is bad generally but even worse when it is from a company such as Honeywell that is well known by the public. When XYZ security, with 3 guys and a dog, relabels Dahua, it is easier to be skeptical of who XYZ is. But when Honeywell does this, the public (outside this industry where it is widely known) is more easily deceived. Indeed, in our discussions with US government officials, that Honeywell does this regularly results in shock. But Honeywell is happy to make easy money.

Good News

However, this is good news. Many said nothing would ever change, this was all a futile effort.

This week, we learned, that even Honeywell, a company committed to making easy money at the expense of US security has its limits. It took (1) various critical vulnerabilities, (2) the NDAA ban, (3) sanctions for human rights abuses, (4) Dahua being added to a list of national security threats, and (5) the Secure Equipment Act passage.

But Honeywell is taking action, albeit after a few more months where they can sell off their inventory to American buyers for one last threat.

Comments are shown for subscribers only. Login or Join