NVR Cybersecurity Rankings 2024 - Axis, Dahua, Digital Watchdog, Geovision, Hanwha, Hikvision, Speco, Uniview, Vivotek

bashis mcw
Published Feb 08, 2024 15:00 PM

IPVM has released a cybersecurity ranking of 9 manufacturers' NVRs across 9 categories and 50 criteria. Watch the video below for an overview.

IPVM bought and tested NVRs from nine manufacturers for this ranking, evaluating Axis, Dahua, Digital Watchdog, Geovision, Hanwha, Hikvision, Speco, Uniview, and Vivotek against the criteria explained in our report Cybersecurity Rankings Criteria for IP Cameras, and NVRs Explained.

This report describes the strongest and weakest in nine main categories using 50 criteria.

  • Fundamental Built-In Security Features
  • Advanced Built-In Security Features
  • Attack Surface - WebUI
  • Attack Surface - HTTPS / TLS / SSL
  • Attack Surface - Disabled Services
  • Digital Fingerprinting
  • Cloud / P2P Connection
  • Firmware Updates
  • Manufacturer Cybersecurity Support

This is a cybersecurity companion to our report NVR Rankings 2023 - Axis, Dahua, DW, Geovision, Hanwha, Hikvision, Speco (TVT), Uniview, Vivotek.

Our results are presented in five groups: strong, above average, average, below average, and weak.

The research section details each category and an overall ranking based on test results, with a redacted version below:

Executive *******

**** ***** *********** ***********, ******** ***** below.

Differentiators ********

***** *** **********, *** ******* ************** between *** ********* *** ******* ********** was *****/*** **********.

***** *** ************* ***** *****/*** ********, Dahua, ******, *****, *** ******* **** enabled ** *******, ***** ****** **** disabled ** *******. *** *********** ********** was *** *****/*** ******** ******, ***** varied **** **** ******** ** ***********, with *** ******* **********.

**** ****** *** *************' *****/*** ********, and ** **** ** ****** * separate ****** ********* *** ******** *** each *****/*** *******.

**** *** ******* ******** ***** *** strongest ******* *****/***/*** ************, **** ***** and *** **.* ******* ** ******* and ** ******** *******. *****, *****, and ******* *** *** ***** ** default, **** *****, *********, *********, *** Uniview ***** *** *.*. ************* ***** TLS **.* *** **.* **** ****** equally ** *** ******* ******* **** are **** ******* ******** ** ***. However, ** ****** ** ***** ***** versions *** ** *** ** **.* was ******** *** ***** ***** **.* and *** ******** *** *********** ************.

*** **** ****** ******** *** ******** ciphers, *** **** ******* ****** ** resources ******* **************.

****** *******, ******* **** ******** ********** TLS **.*/**.*, ** **** ** ******** ciphers.

*********** *****-** ******** **** ****** ****** variable *******, **** *** ****** ********** not ******** ***, ****** ****, *** Signed ********. *******, *** ********-********** **** did *** *** *****-***** ***** *******.

************ ************* *** ********* **** *******, with **** **** ******* ******** ** all ***** **********. ******** **** ** Materials (****) *** **** **** ******* (LTS) ******** *** *********** ******* ******** for **** *************.

Test ***********

*** ******* ******* ********* *** **** was ******** *** ******** ** *** current *******, ********* *** *** ** factory ********, *** ******* ** **** services *** ******** *** ******* ** default *** **** ** ********* ** be ******* ****** ****** **********.

********, **** ** ***** *** *****/***, were ***** ******** ******* ****** *** test ** ****** ********** ******* ******* manufacturers.

**** ***** *** ** *** ****** NVRs ** ** ***:

  • ******* ********: ***** *&* **., ***
  • ***** ************: ******** *** ******* ********** Co., ***.

***** ** *** **** *******, **** asked *** ******** **** *** *************, with *** *** ***** **********, **** with ******* *********. ** ***** ********, we **** ****** *** ****** **** their ******** *** *** * *******.

******* **** **** **** **** ** release ******* ******** ** **/****, *** both ******* *** ****** **** ****** updated ******** ** *******.

Strongest *******

**** ******* *** **** ******* ***** on *************, **** ****** ******* ** 3 *** ** * **********. **** was *** **** ************ **** *** strongest ******* ** *** * ************ Cybersecurity ******* ********. *******, **** **** many ****** ********* ********* *** ***-************* HTTP ******** **** ****** ******* ****** information ** * ********* ********.

Above ******* **********

****** *** **** ******* ** ****** Surface - *****/***/*** *** ******* **************, average ******* ** * *** ** 9 **********, ******* *** ******* *** secure ****.

********* *** ****** ******* ** *****/*** Connection, ******* ******* ** * *** of * **********, ******* *** *** TLS **.* *******, ******** ** *** brute ***** ***** ******* *** ***** enabled ** *******.

****, ***:

Average **********

***** *** **** ******* ** *********** Built-In ******** ********, ******* ******* ** 4 *** ** * **********, ******* TPM *** *** **.* *******, ******** it *** ***** ***** ***** *******.

******* ** *** ********* ** *** manufacturers ** ******** *****-** ******** ********, with ***** *****'* *** ******** ******** directly ********** **** *** ***. *******, Vivotek ** ******* *** *******, ****** boot, *** ****** ********. *** *** not ********* ***** ****-****** ******** ** the ***.

*** **** **** ************* ***** ***** ***** ******** ****** App ******.

Below ******* **********

******* ******** *** **** ******* ** Attack ******* - *****/***/*** *** ******* Fingerprinting, ******* ******* ** * *** of * **********, **** *********** *** advanced ******** ********, ******* *** *******, secure **** *** ****** ********, *** not ********** ***** ****-****** ******** ** the ***.

***** *** **** ******* ** ****** Surface - ******** ********, ******* ******* in * *** ** * **********, missing *** *******, ****** ****, *** signed ********, *** *** *** ******** their ****-****** ******** ** *** ***.

******* *** ****** ******* ** ******** Update, ******* ******* ** * *** of * **********, ******* *** ******* and ****** ****, *** **** ******* in ******** *****-** ******** ******** *** Cloud/P2P **********.

Weak *********

********* *** ******* ******* ** * out ** * ********** *** ** one ** *** *** ************* **** distributed *********** ********, ******* *** *******, secure ****, *** ****** ******** **** weak ******* ** ***** *** ******** security ********.

********* **** ******** ** ***** ***** Authentication *** *** ** *** ****.

Summary *****

***** ** *** ********** ***** ******* tested *******, *** *****, ** **** provide ******** *********** ** **** **** (click ** *******).

Fundamental *****-** ******** ********

*********** *****-** ******** ******* *********** *** based ** ********* *** ******** **** ensure ****** ****** ****** *** *** prevent ********** ******* **** ******** ******.

***** ****** **** *** **** ********* by ****, *****, *** *********, ****** firmware *** **** ******, *** **** was *** **** ************ ** ******* a ******* ******** ******.

** ******* ********* *** * ****** feature ***** **** *** *** ******* from ******* ******** *** *********. ** address ******* *** ***** ************** *** are ****** *** ********* ***** ***** of *******.

***** ******* ** * ****** *** effective ****** ** **** **** ** prevent * *****-***** ****** ** ******* out *** * ****** **** ***** a *** ********* ***** ********.

Advanced *****-** ******** ********

******** *****-** ******** ******** *********** ** based ** ************* ********** ** ******* devices **** *******.

****, *****, ******, *** ********* ******* the **** ****** **** ***.** ***-***, and ***** ******** **** ***-***, ***** is ***** ** ******** ******* *** is **** ****** **** ***.

******* ** *** ********* ** *** manufacturers ** ******** *****-** ******** ******** with ***** *****'* *** ******** ******** directly **** ***** ****:

Attack ******* - *** **

***** ************* ******* *********** *** ***** on *** **** ***** ********* *** information ********* ****** *** ************** *** authorization.

*** ************* ******* *********/******** **********, ****** Geovision, ***** **** ******** ***** **************, which ** ****** ******** *** **** easy ** ******.

***** **** ************* ****** *** *** UI ****** **************, ** ***** ** testing **** *********** *** ** ************** solutions *** **** ********** *** ******** functionality, ***** ** * ********* **** of ******.

** ******* ** * ********** *********** WebUI ************** ******** ** ******** ************** ****** **** **** ******** on ** ****.

***-************* ******** ******

********* ********* *** *** *** ********* is ***** ******** ** *** ***** path *** ******** **** *** *****.

****** *** *** **** ************ **** strictly ******** ********** ***** ****** ** could ****** ******** **** *** *** interface.

** ********, ********* ****** ****** *** pre-authenticated ***** ****** *********.

******* **** ********

****** *******, ** ********** **** ********* has * ******* **** ******* **** a ******* ********, ***** ****** ** used ** *** **** *** *** interface.

******* *******

*****, ******* ********, *** ********* **** the **** ************* ** *********** ******* timeouts ****** *******.

Attack ******* - *****/***/***

*** *********** ** *****/***/*** ******** *** based ** ******* ***** ** ******* and ******** ** *******, ***** *** protocols *** ***** ****, ***** ******* are ***** ****, *** **** ************* issues *** *****.

****, ******* ********, *********, ******, *********, and ******* **** ***** ******* ** default *** ** *** ******* ******** protocols **** ** *** **.* *** v1.1.

**** ** ******* ***** ** *****, Speco, *** *******, ** ***** **** Uniview ******** ******** *** **.*/**.* *** ciphers. ******** ******* **** **** ****** among *** **** ******.

*******, ***** ****** ** ***** ********** even ****** *** ********** *** **** HTTP, ***** ***** *************' **** ****'*.

Attack ******* - ******** ********

*** ******** ******** ******* ** ***** on *** **** ********, ***** *** be ******, *** ******* ** *******, increasing *** ****** *******.

**** ** ******* ** ******* ** all *** ************* ******* **** ** the ******** **** ** ****** ***** in **** *******.

***** *** ******* **** **** ***** to **** ***** ******* ** *******, and ***** ** ** ****** ** have **** *** ***** ******* ** default. ***** ***** ******** *** ** disabled, ** ** **** ****** **** they **** *** **.

**** ******* *** ******* ***, ** found ******* **** ***** **** ************** services ** *** ***** **, ****, 6060, *** ****.

****** *** ************* *** ****** ************** with ****, ****** ******* ******** *** Geovision, ***** *** ***** **************.

******** *** ******* *** ********* *** keeping *** ******* **** ** ** cameras, ** ** ** *********** ******* to **** **** ** ********. ** should ** ******* ** ***** *** use *** *******.

Digital **************

******* *********** *********** *** ***** ** the ********** **** ***** *********** ********** about *** ******, **** ** ** address, *****, ******** *******, ***.

** ***** **** ******* *** **** Discovery ******** ** *** ********* ** disabled ** **** *************, ****** ****, which *** ** ******* ** *******.

******** **-*********, ****/****, *** *********** ********* protocols **** ****** ***** ****** ****. However, ****/**** ** **** *** ********* purposes *** *** *** *** *********.

************, *** ***** *** *********, ** recommend ******* *** ******* ** ****** ***** *** ********* Devices ****** ************ **** ******** ** ** ******** 2022.

*** ********* ******** ** ******** *** local ***. **** **, ** *********** sends * ******* ** * ********* address (*.*., ***.***.***.***) ** ********* ******* (e.g., ***.***.***.***), ***** *** ********* **** be ******** ** *** ******. *******, this **** ** ******* *** **** be ******** ** ******** ** ********* by ****** ********* *** *********/********* ******* with *** ******** ** *******. **** means *** *** ****** *** ****** outside *** ***** *******, *** *********** can ** ********* ********.

***** *** ***** ******** ** *** information ********* ******* ***** ************** **** provide **** *********** ***** *** *******.

****

** ********** *** ************, *****, *** Firmware ******* *** **** ********:

Digital ********

***** ** **** ****, ** ********** that *** ******* ******** *** ** a ***** *** *******.

*****

** ********** *** *****, ******** ** address, *** ******** ******* *** *********** discovery ******** *** ********:

******

************, ** ********** *** *** ***** using ****** *******.

Cloud/P2P **********

***** *** *** ********** *********** *** based ** *********** ** ******** **********, encrypted ** ***-********* *************, ***** ***** leave ******* ********** ** *******.

*** ************* ***** *****/*** ********, ***** Dahua, ******, *****, *** ******* **** enabled ** *******, ***** ****** **** disabled ** *******.

******** ***** ******** ******* ****, ****, Hikvision, ******, *** ******* **** **** found ** ******* ***** *****/*** *******.

*****, ******* ********, *********, *****, *** Uniview *** *** ******* ***** *****/*** traffic, ***** ** **** ***** * mix ** ******** *** *********** *********.

**** ****** *** *************' *****/*** ********, and ** **** ** ****** * separate ****** ********* *** ******** *** each *****/*** *******.

Firmware ******

******** ****** ******* *********** *** ***** on *** ************ ** ***-********* ******** for ************ *** **** ** ******** updates.

*** ************* ***** ***** ******** ********, with ******* **** ** ******* *** right ***** *** *******. **** *** the ******* ** **** *** ***** model *** ********* ******** ** ***** website.

****, *********, *** ******* ******** **** not ********* *** ***********, ***** *** other *************' ******** *** *********.

***** **** ******* ** *** **** and ***** *****-** ********, ** ****'* consider ********* ******** ******* ** ******** for ******** *******.

** ******** *** ******* ******** ** the ************'* ******* *** **** *****-** functionality, ***** ** **** ***** **** Cloud/P2P **** ** ******* ** *** cloud ******** *******.

************, *** ******** *** ******* ******* Cloud/P2P **** ** ******* *** *** built-in ******* ** ****, ****** ** some *********** *****.

**** ** ***** ** ******* ***** Cloud/P2P, *** *** ****** **** *** online ******* ***** *** **** ** disabled.

**** *** ******* *****/*** ** ********, the *** ******* **** * *** version *** *** **** ***** ** an ***** *** ********.

********* *****/*** ** ******** ** *******, and *** *** ******* *** ******* version ** *** ******, ******* ** error ******* *** ******* ********* *** a ***** *******.

Manufacturer ************* *******

************ ************* ******* *********** *** ***** on *** ************'* ******* ************* ******* and *****, ********* ******** *** ******** transparency *** ****-**** ******** *******.

***** *** ************* ******* ***** ******** guides *** ******** ******** ***** ****-****** licenses, ******* ********, *****, *** ******* stood *** ** *** ********** ***** open-source ********.

*******, ******* ******** **** **** **** the****-****** ******* ********** ***** ** ***** on ***** *******.

**** *** ****** ******* ** *** seven **********, *** **** ************ **** provides * ******** **** ** ********* and * *** ****** *******. ****, Digital ********, ******, *** ******* ***** LTS ********.

***** *** ************* ******* ************* ********, Speco ***** *** ** *** ********* one, *** * ****** ** ******'* website ******* **** **** ****, *** of ***** **** ******* ** *** Hardening ***** *** *** ************* ******** Policy.

*************** *******

******* *** * ****** ******** ******* service, ********** ** ******* ***** ********** ******* ****** ****** **** * customer ***** **********. *** ******* ** disabled ** ******* **** *********** ******* and ****** *********** *************.

*** ********

****, *****, *********, *** ******* ***** administrators ** ****** *** ******* ***** WebGUI, **** **** *** ********* * shell **** ***** ********** ******* ** root **********. ***** *****, *********, *** Uniview **** ***** ********** ********* ******.

******** *** ******* ** ********** ** devices, **** **** ***** ** ** enabled ** *******, ***** ** **** cyber *******.

**** *** ***** **** **** ****** default **** ****** **** *** ** enabled *** ******* ******** * ****** SSH **** ** ** ******* **** lower **********, ** **** *****.

******** **** ****** ** **** ******* is ***** ******** *** ******** ********** configuration.

** ********, * ********* ***** *** a ********** *** ******* ******* ***, as **** ***** ** *****'* ********* shell.

****** *** ************* ** *** ******* NVR, **** ********** ******* ******* ******** that ******* **** ******** ** *** shell, ***** ** *** ********* ** the ******. ** ********, ** **** found **** ** *** ******** ** activate * ****** ******.

*******, ******* **** **** **** *** SSH ***** ******** * **** *******, and *** ************* ******** **** ** generated ******* * ******* ******** ****.

** ********, ******* **** **** **** that *** ****** ****** **** ** removed ** *** **** ******** ******** version.

*** ********* *************' **** *** ******** versions **** ******.
