Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity

By John Honovich, Published Aug 06, 2019, 12:04pm EDT

For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and manufacturing of 'Honeywell' branded IP cameras.

free image3

Now, after years of silence, Honeywell has spoken to IPVM, explaining what they are doing to address the NDAA ban, the release of their 30 series IP cameras, their cybersecurity process and whether any Dahua-OEMed Honeywell cameras have the Dahua wiretapping vulnerability.

Executive *******

********* **** ******** ** OEM *** '***********' *** '*****' ****** **** ***** while ****** ***'**' *********** **** ****** ************ Vivotek. ********, ********* **** the ***** ***** ***** series ******** * ****** chip **** ****** ***** cameras ** *** **** they **** ******** ** 2900-1 ************* *********** *** the ***** ****.

**** ********* ** ********** this ******** ** ********* a ***** **** ******* in ************ *** *******. On *** ***** ****, this ****** ** ******** from *** ********* *** the ********* ****** ** Dahua ******** ***** ****** buyers ** **** ** inadvertently ********** **** ****** products. ********, ***** ****** a ***-***** *** ********* the ****, ** ***** leaves ********* ********* ** other ************* ****** *** IP ****** *********, * notable ******** *** * company **** *** ***** heavily ** *** **** few ***** ** ***** security ***** (*.*.,********* *******************).

Wiretapping *************

********* **** ** ***** August *, ****:

** *** ******* ** determine *****, ** ***, cameras *** ******** ** this ************* *** *** working ******* **** ***** on ************ *** ********* firmware *****.

**** ** * *******. Dahua **** ***** ****, at ***** *** ****** and ********* ** ******** on ****** *** ***** IPVM ******** *** ********* still *** *** ********** if **** *** ********. While ***** *** **** made **** ***** ** delaying, ** ********** ** still *********'* ************** *** picking *****.

Background ***** ******

*** ***** ***** **** our********* ***** ******* ** Gov ****** ******* ***** Surveillance***** *** ******* *****:

Honeywell ************* ***********

********* **** * ***** case ** **** *** what **** *** ***** for *************.

*** ***** ****** ******* have * ****** ******* in ****** *** ** their ******* ****** **** Honeywell **********:

*** ********* ***** ****** cameras **** *****-** ****** chipsets ** ******* ******** tampering **********. ************, *** crypto ******** *** ********* store ********** ************, ****** key *** ******* **** in * ****** ****** environment. **** ******* ********-***** encryption *** ******* ****** is ********* *** *** entire ****** ** ******* against ***** ******* *** tampering. ********* ********* ******** leading ***** ********** *** protection ***** ** **; for *******, ********* **** and ***** ************* **** HTTPS, ****** ******** *** firmware ********** *** ********** against ******* ********* ** tampering ****** ******** *******, signed ***** ********* *** application ******** ******* ********* while ********* ** ************* VA ********* ******* *******.

** ********, ********* **** that *** ***** *** cameras ** *******:

******** **** ********** ***** on *** ****** *********** faced ** * ********** product ** ******** ** well ** *** ********* features *** ******** *****

******** ************ *** ******** controls ***** ** ******** standards *** ********** **** as *****, ***/*** **/*****, ISO *****, *** ***, GDPR, *****, ********** ***** laws *** ***********, *** others ********* ** *** product ** ******** *** the ******** **** **********

******* ****** ***********

****** ********

****** ******, ******* ** Design, *** ****** ****** standards *** *********

****** **** ******** (****** code ********) ** ******* secure ****** *** ****** practices

****** ******** ** ******** open ****** ***** *** potential ***************

*** ******** ** ******* a ****** *** ************* penetration ******* *******. ** some *****, ********** *********** security ******* ** ********* for ******** ********. *** criteria *** **** ********** testing – ** **** as ***** ******** ** offerings *** ******** *** this – ** *******-**** proprietary ***********.

* ****** **** ********** Policy **** ******** ******** mitigation ********* ***** ** severity

****** *** ******** ** cybersecurity ** ****** ********** prior ** ******* ********

********* ******* *** ******** notification *** ******** *******

** *** ***** ****, as *** *********** ************* delay *****, **** *** still ******* ********* ** Dahua ** ****** **** issues.

********, ********* ********** **** the ***** ****** *** a ** ****-* *************.

*******, **** ** **** for *** **** ********* equIP ******. ***** *****-**** Essentials ****** *** ** chip, ** ** *************, etc.

NDAA **** *** *********

********* ********* ****:

**** **** ** *********** a ******* ** ***** additional ****** ** *** market ***** **** ****** federal ******** *** *** other ********** ** ******** Honeywell *******, **** *** 30 ****** ****, **** are ******** *** *** as **** ** ***** systems ***** ****** **** NDAA ****, ******* ***. The ** ****** ** the ***** ******* ** this *******. ** **** expand ***** ****** **** the **** ** ****** to **** **** ***** customers *** ****** *** video ******** **** **** from *********. ** **** continue ** ******** * range ** ******* *** those ********* *** ***’* require ***** ***** ******* to ****** **** **** 2019, ******* ***. ** are ********** ********* *** products ** ****** **** they **** *** ******** needs ** *** ********* for ***** *** ********.

********* *********** ****** ***** excited, ** ***** ***** on *** ****** ** LinkedIn ***** ** *** past ***** **** **:

***:

OEMing **** *******

*** ** ****** ** OEMed **** ******* ** the **** ****** *** both ********* *****:

********* ******** ** ******* on **** *** ** is ****-*******.

**** *** *** **** they *** "*********** *** 30 ****** ** *** mid-scale *****: ***** *********** and ***** ***** *** able ** **** ** the **** ****** ** us."

***** ** *** ****-***** analysis ** *** *** 3 ********* ***** *******:

*******

*** ******* ** *********'* IP ****** ******* ** much ********. *******, ** is ******* **** ** incredibly *** **** ** hiding ******* ****** *** Honeywell ****** ** ********** to ******** ** ** more *********** *** ********* about *** ******** *** cybersecurity.

** * **** ***, from * ****** ******** perspective, ** *** ************** that ********* ***** **** easy ******* ** *********** other ************'* *******. **** time ** *** ****.

**** ********* ********* ***** still ** ******** **** buying **** ****** ******** is * ******* *** Honeywell *** *********** ******* this ** ******* *** Dahua **** ****, **** using ***** *** ***-** sold ********, ********* ** Vivotek ********* ** ****** a ****** ************, ***.

Comments (10)

Undisclosed

08/07/19 03:57pm

Prowatch, the Battlestar Gallactica of the access control marketplace (complete with rust, blaster burns, and knob-and-tube wiegand wiring), shows up with respectable cyber defenses.  Who woulda thunk it.

Noticably missing from your description is the bona fides of this crypto chip.  You never mention  that the crypto hardware is certified.  You did not say they use an EAL certified Secure Element or words to that effect (or that it's FIPS-140 or anything else.)  We're supposed to believe a company that is otherwise being distrusted was ok to add crypto hardware into the device at the factory in the foreign country in question and that's ok?  If you want me to trust that you need to show me your crypto hardware paperwork.  (And anyone giving that awesome cyber speech you obviously received should know this and know the question would come up.)

 

Agree
Disagree
Informative
Unhelpful
Funny: 2

John Honovich

IPVM | In reply to Undisclosed | 08/07/19 04:06pm

Actually, the opposite. It is still a Dahua camera and it is still US government banned, with or without the chip, sold by Honeywell so there is little justification to use those cameras. I think it is good Honeywell shared a statement but don’t see the value of buying their OEM cameras when the same ones can be bought direct for a lower price and better direct support.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed

In reply to John Honovich | 08/07/19 05:02pm

my point was they screwed up by not talking about that, I don't care who does or does not buy the camera. 

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Jonathan Lawry

Trecerdo, LLC
In reply to Undisclosed | 08/09/19 01:56pm

Being an original founder/developer of Prowatch, I appreciate your backhanded compliment there 😜.  I'm going to use the Battlestar Gallactica riff at parties (you know....like at GSX or events like that).

Agree
Disagree
Informative
Unhelpful
Funny: 1

Undisclosed Integrator #1

08/07/19 05:01pm

“crypto chipsets to provide firmware tampering protection.”

Not sure how this impacts upon the quality of the firmware?

The secure-enclave type chip will likely only protect against non-Honeywell issued firmware... unless they follow Phillips Hue’s example of accidentally bundling the private signing key with the firmware...

Whilst signed firmware makes it a lot harder to sideload malicious or modified code, I cannot see how it could possibly secure a firmware file that has vulnerabilities?

anyone on here more knowledgeable than me care to add to this?

 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed

In reply to Undisclosed Integrator #1 | 08/08/19 02:44pm

I believe the usual digital signing capability applies to everything run in the device so it should stop side-loading.  I agree that if you introduce an exploit inside the vendor supply chain you can end up with a digitally signed exploitable binary being delivered in the product.  That would be why it's apropos to be discussing vendor reputation questions in crazy places like ipvm.com, right?

Agree: 1
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #2

08/08/19 02:11pm

Vivotek cameras dont use HiSilicon?

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Dennis Raefield

Security Integration, inc.
08/08/19 04:10pm

To my best understanding, they do use HiSilicon chips, which are manufactured in China.  Seems we (consumers and buyers of video products) let HiSilicon drive out nearly all other manufacturers of low cost chip sets years ago, leaving only them or a high cost alternative like Sony.

I do believe this sudden "Anything but China source of supply" syndrome can only help restart innovation in other countries.  I hope we have the perseverance and patience to demand diversity of sources.  US buyers are quick to forget and go back to the "allure of low price" that China is so skilled at offering.

Read their newest attack fronts: 

New 919 Jet aircraft from China Boeing knockoffs

Chinese Tesla knockoffs.

Chinese electric trucks and self driving Uber vehicles

They already won the:

Stainless steel BBQ from Costco wars, and drove out our US businesses.

Furniture wars, driving out High Point, North Carolina.

Low cost clothing wars, killing Mexico and Central America

5G infrastructure wars

 

China is not bad, they just want total world dominance.  If you can live with that, keep buying "low price".

 

Agree
Disagree: 1
Informative: 1
Unhelpful
Funny

Undisclosed Manufacturer #3

In reply to Dennis Raefield | 08/13/19 05:06am

It should be said that the manufacture of the Honeywell (NDAA complaint) Series 30 cameras was not half baked. The purpose is to manufacture a completely compliant camera. Thus no HiSilicon chips. 

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Dennis Raefield

Security Integration, inc.
In reply to Undisclosed Manufacturer #3 | 08/18/19 04:54pm

Great news. I applaud Honeywell for finding alternative sources.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,201 reports and 959 tests and is only available to subscribers. To get a one-time preview of our work, enter your work email to access the full article.

Already a subscriber? Login here | Join now
Loading Related Reports