Stanley Makes "Multi-Million Dollar Investment" Into Banned Hikvision Products

By John Honovich and Charles Rollet, Published Aug 09, 2019, 08:10am EDT

Just days from the US government ban going into effect, US mega-corporation Stanley has dramatically increased its imports of banned Hikvision products.

IPVM Image

They are touting online:

IPVM Image

Indeed, Stanley is encouraging US government buyers to continue to deploy their Hikvision OEMed products until the very last day:

IPVM Image

However, the NDAA itself says it is a prohibition on both purchasing and use:

IPVM Image

*** **** ** *** wants ** ********* ** as ******** ******** ***, Stanley *********** *** ********** of ******** **** *** US ********** *** ********** called * ******** **** is ***** * *********.

******* ** *** ******** about *** '*****-******* ****** investment', ** ****** ******* show * ***** ** imports ** **** ****:

IPVM Image

*** ************** ******* ******* ******* imports **** ********* **** 8/2018 ** */****.

******, ** *** **** week ** ****, **** imported **** **,*** ******, more **** **** *** in *** ** **** prior ** **** ****:

IPVM Image

**** ** ****** ******** of *******, **** ******** a ************ * ****** per ~$*** ****** (*.*., $20 *** ***** ***** 100,000+ ******).

Stanley **********

************&****** ** * ***-****-*** American ******* **** ***** *******; ** ************ ************* ********** ***** during *** *** **** helping ******* *********"******* ****-********"****** ** ***** ***** tools.

IPVM Image

******* ** * ******* 500 ******* **** ~$** billion ** **** *******, according ** ********* ******.

************* ******** ******** ******* in ******* ** *********** ***. IPVM****************'* **** ******* ** the $** ** $*** million *****.

*******'********* ********, ***** **** **** beyond ** ******* **** integration *** ***** *******, has **** ****** ********* for * ****** ** years. ** **** $*.** billion ** ***** ** 2018 **** ***** **% profit ******, * ******* from **** $*.* ******* in ***** **** ****** margins **** ***** *****, per *** ****** ******:

IPVM Image

**** ******* ********* **** 2019, **** ******** ***** falling*% ** ******% ** ********** ** *** **** before.

China ****** ******

******* ********* ****** *** tariffs ***** ** *** last ************, ****** **** ***** tariffs "***** ****** ** an ******** ** ****** chain ***** **** *** Company *** *** ** able ** ******":

IPVM Image

Inventory ********* ****** ***** ** *******

**** ***** ***** ********* on ***** ***** ******* have ******* ** ** inventory ****** ******** ******* of *******, ******* ********** in ********** ** ** full,********* ******** ********.

*******, **** ***** ***** have *********** ****** ************* *** of *****. ********, ******* **** is *** ****** ******* with ******* *** **** the **** **** *********** US ********** ***.

3xLogic, ***** ********* *****, ********** **** ***

******** ****************** ********* *** ******* Security ******* *********** ****, ** ********** the *** *** *** firm's *** ** ********* cameras:

** ******; ** *** cameras **** *** *** one ***** ********. ******* are **** **** **% of *** ******* *******.

*******, *******, ******* **** some ********** ** "*******, Sonitrol *** ******* **** made * *****-******* ****** investment" **** ****** * massive **** ** ********* cameras.

Stanley ****** "***** *******" *** "********* ******** *********"

********** ***** **** ********** into ******* **** **** imminently ** ******, ******* touts ****** ** ** "ideal *******" ************* ********:

[******* ******** **] *** ideal ******* *** ******* and *********** **** ********* of ******** *** *****, state *** ******* ********** agencies

IPVM Image

**** ****** *** **** only **** ******* ********* of ******* *********, *** ban *** ******* ** spread, ******* ***** ** ********** ******* ** *******, ********** * ****** ******** of ****.

NDAA ********* ****** ***********

** *** **** ******, 3xLogic **** *** ******* the ****** ***** ** the ****, ************ ******, ***** ***** *** US ********** *** ********* anyone ******* ****** ********* (like ********* *** *******). Instead, ******* ******:

*** ****** ***** **** not ** **** ****** untilAugust ****. **** **** *** these ******** **** ***** used ** ******** ****** by *** ******* **********.

**** ** **********. ** 3xLogic ******* **** ** know **** ******* ***** cameras ***** **** ** them ***** *********** **** participating ** ******* *********, many *** ********** ****** these ********.

Contrast ** *********'* **** ********

*********, ************ ***** *****, *** ***** * contrasting ******** ******** * *** **** compliant ****** ********** ** ********* ************ Vivotek.

Broader ******

******* ******* *** ********* haul **** ****** *** product ** ****** ** clearly ***** ** * desire ** **** ********** from ***-**** ******* *******, rather **** *********** *** "high *********" *** "********* security *********."

*** ***** ******** ***** the ********* ****** ****** to ** **** **** worrying **** ** ******* for *******' **********. *** Stanley ** *** *** only ***. ***-**** ******* are **** * **** for **** **** **** the ***** ******* ********** ******* the ******* *** ***** **** (like *******), ***** ** always ***, * ***** after *** *** ******.

Comments (42)

I mean why? They couldn't have invested that much in R&D with their access integration to justify that massive import. There's dozens of other options they could have used.

Agree: 13
Disagree
Informative: 1
Unhelpful
Funny

I mean why? They couldn’t have invested that much in R&D

Good question. Generally speaking, we have seen some denial (think SIA) and procrastination. Hikvision is likely making incredible deals right now for whoever wants to continue (see Hikvision USA's decline). That combination may prove attractive.

It is an imprudent long term strategy but...

Agree: 2
Disagree
Informative: 2
Unhelpful
Funny

Being familiar with some of Stanley's other brands, Proto, Vidmar, and now Lista, this kind of baffles me. I'm not going to even DDG it, but I can take a guess that they must have a few US Government contracts. Seems kind of backwards.

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

This is really disappointing to read. I have met Kushner on several occasions, and would not have pegged him as the kind of person to trade dollars for integrity like this.

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny: 7

Agree
Disagree
Informative: 2
Unhelpful: 3
Funny: 19

I think Stanley have made a huge error and it will be very costly, shocking approach.

Agree: 7
Disagree: 1
Informative: 1
Unhelpful
Funny: 2

I hope Stanley and those involved do something before phase 2 hits next year. Could easily become a real mess real quick if action isn't taken. This nonchalant blanket statement on their part makes me think they'll just crack open a cold one and wait for all this to simply blow over...

Agree
Disagree
Informative
Unhelpful
Funny: 1

Perhaps they got an amazing deal from a beaten-down Hik? Perhaps their $2B in revenue affords them enough channels and projects to feel comfortable moving that inventory? Perhaps it's a bit of risk management while evaluating additional vendors? Perhaps they had to keep inventory low during the first half of the year to make a quarterly earnings call or two? Perhaps they bought more dense products, not just cameras? Perhaps, perhaps, perhaps! I'd think Stanley's size, processes and channels afford them the ability to simply take larger calculated risks with suppliers and inventory management.

As for the marketing, if their lawyers have given the all-clear, isn't it Stanley's fiduciary duty to sell all they can into all their verticals?

Agree: 2
Disagree
Informative
Unhelpful
Funny

As for the marketing, if their lawyers have given the all-clear

I certainly don't know what, if any, lawyer reviewed this. However, I am a bit skeptical that it was reviewed by legal, e.g.:

stanley hikvision quote 2

In my experience, lawyers would be more detailed and qualified in answering such a question.

For example, contrast how JCI / Tyco is describing its Dahua OEMed Essentials line:

JCI / Tyco is not telling buyers what to do at all here, unlike Stanley. JCI / Tyco is putting up a disclaimer, leaving it up to the buyer to evaluate whether such 'restrictions' apply to them. That is what strikes me as a vetted legal stance.

Agree: 3
Disagree
Informative: 4
Unhelpful
Funny

Definitely a vetted legal stance, but I'd still be shocked if these were not lawyer-approved responses, especially considering they deal with government directives. The NDAA FAQ, short and concise as it is, seems crafted to answer most commonly asked questions and give the green light to continue Fed sales until August 2019.

Now that it's August 2019, doesn't the big July 2019 purchase suggest the inventory will be used mostly for commercial projects anyway?  Plus they get the added benefit of telling Fed customers, as well as others, hey 'we're stocking up in case of drought; we're a reliable partner.'

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

Plus they get the added benefit of telling Fed customers, as well as others, hey 'we're stocking up in case of drought; we're a reliable partner.'

Starting this Tuesday, it's illegal for Stanley to sell these products to Fed customers, so how is this a benefit to either Stanley or the Fed here?

I don't doubt some benefit for commercial customers, who don't care about the ban, but from what we have seen, a lot of US commercial customers (above the SMB) care significantly about this.

Agree
Disagree: 1
Informative: 1
Unhelpful
Funny

JCI/TYCO isn't any better than Stanley.  JCI laid the entire operations department off and moved production out of the US.

Agree
Disagree
Informative
Unhelpful
Funny

A few general notes --

1. The security specific impacts of the tariffs on Stanley's bottom line (i.e. the reason for that disclosure in their 10-K) are completely negligible, to the point of not being relevant in any way.

2. It's Matt Kushner, not Mark.

3. Matt is not the CEO of anything, he's the President of the Products division -- its own entity within the Stanley umbrella, and he has no relationship with the integration side whatsoever.

4. Stanley/3Xlogic's defense of this will be that they write their own firmware for the cameras. While that may or may not be true in the first place, I also don't think it's a defense of any kind.

5. I'm completely disgusted at this. Pathetic on Stanley's part, but I have absolutely no question in my mind that it was driven by a financial incentive -- I guarantee they got an absolutely bonkers deal on that hardware, and some bean-counter somewhere made the decision to do this. Par for the Stanley course.

Agree: 4
Disagree: 1
Informative: 5
Unhelpful
Funny: 3

Stanley/3Xlogic's defense of this will be that they write their own firmware for the cameras.

I have not heard that defense. That said, it's easily checked and refuted. For example, parts of the user manual are copied and pasted.

Hikvision manual selection:

Same Stanley 3xLogic manual section:

And 3xLogic uses Hikvision's firmware numbering / naming system, e.g., 5.3.5 for the VX-6S-OD3-RIAWD currently (which is actually really old Hikvision firmware but that's another issue...)

Agree
Disagree
Informative: 4
Unhelpful
Funny

Matt Kushner is the CEO/President of products and solutions. Matt does have a lot to do with the integration side. 3xLogic does indeed write their own firmware. The 3xLogic product plays in the retail space more than the government market.

 

Agree
Disagree
Informative
Unhelpful
Funny: 1

1. Maybe someone should tell Matt he's the CEO of something, since even his LinkedIn says "President". Actually, no...let me just repeat myself, he's not the CEO of anything, like I said before.

2. Matt doesn't have a lot to do with the integration side.

3. 3xLogic does not write their own firmware, they make basic changes to the Hik firmware as has been pointed out in this thread.

4. You finally got something right -- yes, 3xLogic is focused more on retail than government. That still doesn't change the fact that this move by Stanley is utterly shameful, and I'm disappointed in their leadership -- many of whom I know personally -- for allowing this to happen.

Agree
Disagree
Informative
Unhelpful
Funny

Your second point is incorrect.  Matt now runs both the product/manufacturing side of Stanley as well as their global integration business.  All security businesses in Stanley report to Matt.  This change occurred in June.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Your third point is incorrect.  Matt now runs both the product/manufacturing side of Stanley as well as their global integration business.  All security businesses in Stanley report to Matt.  This change occurred in June.

Agree
Disagree
Informative
Unhelpful
Funny

Stanley operates worldwide, there are more markets to feed products to.
There might be more for them to make outside the US than inside.

They are also very active in Latin America, Europe, Asia.
The Huawei/Hik/Dahua ban is only a problem in the US Market.

 

Agree: 5
Disagree: 2
Informative
Unhelpful
Funny

[IPVM Note: Poster works for Stanley]

Jonathan de Chateau is spot on. I am no more informed after reading this sensationalized article other than the writer doesn't like Stanley, 3X Logic, doesn't understand the leadership of the organization he is writing about, or appreciate the effort this company makes to sell products that benefit their customers (writing their own firmware / product availability) or their shareholders (typically larger purchases receive a deeper discount). 

A large company made a sizable purchase - big deal. I wonder where the computer or phone the writer is using was made?

Agree: 4
Disagree: 4
Informative
Unhelpful: 4
Funny: 2

I wonder where the computer or phone the writer is using was made?

Hopefully not in China, some of their big brands, like Lenovo, have had multiple incidents of hosting spyware and other software that can steal personal data:

https://www.inverse.com/article/36136-lenovo-settles-spyware-laptop-case-ftc-32-states

https://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/

https://malwaretips.com/threads/lenovo-caught-pre-installing-spyware-on-its-laptops.86894/

 

Agree
Disagree
Informative: 1
Unhelpful
Funny: 3

No, your analysis is wrong, Jonathan.

Stanley operates worldwide, there are more markets to feed products to

These tariffs only apply to goods shipped from China to the US, so Stanley's own statements about stocking up inventory to avoid 'increased tariff fees' are a US-specific claim. If Stanley wanted to ship products from China to the Netherlands or New Zealand, there is no need to address any tariff concern.

The Huawei/Hik/Dahua ban is only a problem in the US Market.

Not according to Hikvision itself. Their just-released H1 2019 financial transcript admits they have faced problems both in the US and other countries:

There is a significant decline. Due to the impact of the US National Defense Authorization Act and the US Department of Commerce’s “physical list” sanctions, concerned that the US revenue has shown a negative growth since the second half of last year, and the company is expanding its mid- to high-end market because of some interference from non-market factors has not made much progress in many countries in a short period of time.

I understand that as a Hikvision commercial endorser, you want to defend them:

But try to do some research first before posting such obviously flawed remarks.

Agree: 4
Disagree
Informative: 7
Unhelpful: 2
Funny: 4

Why is there no "burn" button?

Agree
Disagree
Informative
Unhelpful: 1
Funny: 3

It keeps amazing me how aggressive you are to your customers, John.

I wonder how many times you will try to slap me in the face with a video or something of that nature. I never hid myself, I never pretended not to endorse Hik.

You, however, make sure you are nowhere to be seen or found. It stands to wonder why that is.

 

Agree: 1
Disagree
Informative: 1
Unhelpful: 1
Funny: 1

nowhere to be seen or found

I comment regularly on IPVM, on LinkedIn and in many global newspapers such as the Financial Times, Bloomberg, etc. What would you like me to do to be 'seen' or 'found' more?

Agree
Disagree
Informative
Unhelpful
Funny

Yet you call me out for being visible, not in writing but with videos or photos.

Other than your name there is nothing to be found. 

Agree: 1
Disagree
Informative
Unhelpful: 1
Funny

Other than your name there is nothing to be found.

In the past decade, I have written far more about this industry than literally anyone else.

not in writing but with videos or photos

How is that germane? Would you believe me more if I was saying these things on a video at Hikvision's office?

Agree
Disagree
Informative
Unhelpful
Funny: 1

You should be up for a medal any day. I’ll leave you to lecture other customers. 

I quit reading and replying a few weeks ago and I regret restarting with replying already.

Agree
Disagree
Informative
Unhelpful: 1
Funny: 1

I regret restarting with replying already.

Jonathan, you need to think through things before you reply. Specifically, you have a tendency to make specific factual claims that can be refuted. Either avoid those (just make emotive statements like "I love Hikvision" or "The US government is bad") or make sure your factual claims are backed by evidence. Happy to engage with you.

Agree: 2
Disagree
Informative
Unhelpful: 2
Funny: 3

What would you like me to do to be 'seen' or 'found' more?

You could try standing in front of any of the thousands of hacked Hikvision IP cameras, maybe then you would be more easily found online. I'd wager the bulk of those are still vulnerable.

Agree
Disagree
Informative
Unhelpful
Funny: 4

Stanley Security....Stanley CSS.

Get out of the security business.

Bye Felicia!

Agree
Disagree
Informative
Unhelpful: 2
Funny

Well Stanley did operate worldwide, they just announced layoffs and the shutdown of their Australian security branches.  

Agree
Disagree
Informative: 3
Unhelpful
Funny

I can't imagine that it would matter if Stanley wrote their own firmware. Couldn't there still be back doors, or other vulnerabilities, hard coded into the chip? And aren't the main chips in these cameras also banned anyway?

Agree
Disagree
Informative
Unhelpful
Funny

What will be interesting to see is how soon the major media "pick up" on this story, if at all. 

IPVM - where news originates.

Well done.

Agree
Disagree
Informative
Unhelpful
Funny: 1

I find the ban on Hikvision valid, but if the custom firmware on a rebranded camera stops the security risks then all it's doing is hurting the industry for the benefit of isolationist politics.

Agree
Disagree
Informative
Unhelpful
Funny: 1

The problem is that most "custom firmware" is little more than some superficial UI changes, and maybe the addition of a few custom API calls to facilitate an alternative to ONVIF for device discovery or configuration.

The majority of manufacturers that are OEMing Chinese product to create a value-priced line are not doing extensive firmware customization and review, they are doing just enough to make it non-obvious that it is a Hikvision (or whatever) camera, and just enough to support some of their legacy 1-off APIs.

On top of that, even if you wrote 100% of the firmware from the ground up, there is the issue of the embedded code in the SoC, which is basically a "virtual computer" unto itself. And a computer that the OEM has practically zero insight to.

You can think of firmware as being a hostage to the SoC, and any microcode on the SoC. Any communication the firmware has with the outside world (network), must pass through the SoC, and therefore the SoC can mount an almost impossible to detect man-in-the-middle attack on any firmware, custom or not.

Much of cyber security ultimately relies on trust and integrity. It is impossible (or, highly impractical at least) to test every single SoC you receive to ensure it is not compromised in any way. 

Anyone telling you they have "solved" the inherent untrustability of HiSilicon SoCs through custom firmware is lying, incompetent, or both. This issue is not solved with custom firmware, it is not solved with open-source firmware or source code review, it is not solved with HTTPS, private certificates, VLANs, air-gapped networks, encrypted firmware, closed systems, or any combination of the above.

Agree
Disagree
Informative: 2
Unhelpful
Funny

if the custom firmware on a rebranded camera stops the security risks

#13, thanks for your first comment. The 'custom firmware' or 'we write our own firmware' is almost always bogus.

#1 has already made the technical case, so I won't repeat it. I will add that a lot of OEM employees will claim that but when asked for details or to explain why most of the product is exactly the same, they have no response.

For example, Stanley 3xLogic OEMing is so fundamental, they literally copied significant chunks of Hikvision's user manual. That's not what true custom firmware development consists of.

Hikvision manual selection:

Same Stanley 3xLogic manual section:

Agree
Disagree
Informative
Unhelpful
Funny

From what I have seen of Stanley in the security space it's mostly all commercial projects in my area. There will be plenty of these companies that still want cheap.

Also I haven't done a ton of federal work, but what I have done they require extensive security audits on the products post configuration that are placed into service, but haven't seen or heard of any audit by the feds of other offerings by the vendor in this space for contracts. I am wondering how they will go about phase 2 with blacklisting a company for having such an offer.

Verizon, AT&T and the big telecoms will be a good lead to follow as they have the brute force to test blacklisting as they have a ton of soon-to-be blacklisted phones that they must/should continue to support. After all, they got the govt to reverse net neutrality which has been hugely affecting us. Then again it could be why these telecoms are having major service issues everywhere right now.

Agree
Disagree
Informative
Unhelpful
Funny

The 3xLogic firmware sits on top of the Hikvision firmware to add DVR capabilities among other things, it doesn't replace it, the HIK firmware is still all there.

Agree
Disagree
Informative
Unhelpful
Funny: 1

3xLogic firmware sits on top of the Hikvision firmware

Generally speaking, I don't think it makes sense to describe firmware sitting 'on top' of firmware. There's a single firmware and it can be modified by the original manufacturer to include or remove features the buyer wants. Think of buying a home and painting the walls and/or adding a bathroom. It's still the same home just with modifications.

Agree
Disagree
Informative
Unhelpful
Funny

While I like the house analogy, I think of situations like this as 'sitting on top' because the original manufacturer (OEM) generally does not allow any modification to the core firmware; they provide API endpoints and the partner then writes what is effectively completely separate software that uses those endpoints. It's two software programs running on one operating system/CPU that talk to each other. In theory, you could delete that partner's portion of the software and be back at the original OEM state. In this case, on the camera you can go to Open Platform -> Application and delete the 3xLogic camera server application.

This is not much different than cameras that offer app stores to add analytics capabilities, etc., and from a vulnerability perspective, the OEM is still responsible for any vulnerabilities in the core firmware and the partner owns responsibility for their application.

So with the house analogy, HIK has provided the house and 3xLogic has provided the Furniture? :-)

Agree
Disagree
Informative
Unhelpful
Funny

it's two software programs running on one operating system/CPU that talk to each other.

"Firmware" is really a term for a collection of code that enables a device to boot up and function. It's a mini operating system, and associated utilities/programs.

A typical firmware build for an IP camera will start with a minimal Linux build (e.g., BusyBox), and then have various other programs added into it to facilitate functionality for the camera (e.g., a webserver for the config UI, ffmpeg offshoots to encode video streams, ONVIF handling, some kind of watchdog program to handle resetting services that might get hung, etc.).

When an OEM customizes firmware, they may add some utilities/helper programs of their own to handle stuff like custom functionality, but these additions would be running "alongside" rather than "on top of" anything provided by the original manufacturer as part of the firmware development kit.

In some cases the OEM can customize the firmware to the extent they might replace certain core functionality that the manufacturer provides in the firmware. For example, Dahua firmware has the "sonia" binary, which handles a big chunk of the functionality around the web UI, video encoding, streaming, etc. You could write your own sonia-like code if for example you wanted to try and reduce latency of video by optimizing the encoding and streaming. In this case, you wouldn't be able to just delete the customized portion of the firmware and be back to a clean OEM build, as you would be deleting something that was fundamental to the camera being a camera.

I have not looked at 3xLogic's camera firmware, so I don't know how extensive their customization is, or is not.

 

Agree
Disagree
Informative
Unhelpful
Funny
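
The two pictures of "custom firmware" in the comments above (a partner application added alongside an untouched OEM image, versus core functionality such as the encoder or web daemon replaced) can be told apart by diffing the extracted filesystem trees of the base image and the rebrand. The following is an added example, not code from the article, IPVM, Stanley/3xLogic or Hikvision; it assumes both images have already been unpacked to directories, and the sample trees, file names and `CORE_PREFIXES` list are constructed placeholders, not real firmware contents.

```python
"""Measure how much of a rebranded IP-camera firmware is byte-identical to the OEM base."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: directories where an OEM's core services (shell, daemons, libs) live.
CORE_PREFIXES = ("bin/", "sbin/", "lib/", "usr/")


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                digests[p.relative_to(root).as_posix()] = _sha256(p)
    return digests


def compare_firmware_trees(base_root, rebrand_root) -> dict:
    """Classify every file of the rebrand against the OEM base image."""
    base = hash_tree(Path(base_root))
    rebrand = hash_tree(Path(rebrand_root))
    identical = sorted(p for p in rebrand if base.get(p) == rebrand[p])
    modified = sorted(p for p in rebrand if p in base and base[p] != rebrand[p])
    added = sorted(p for p in rebrand if p not in base)
    removed = sorted(p for p in base if p not in rebrand)
    return {
        "identical": identical, "modified": modified, "added": added, "removed": removed,
        "oem_fraction": len(identical) / len(rebrand) if rebrand else 0.0,
    }


def core_changes(report: dict, core_prefixes=CORE_PREFIXES) -> list:
    """Core files the rebrand modified or removed. An empty list means the partner only
    added software alongside the OEM image (deletable back to OEM state); a non-empty
    list means OEM functionality itself was replaced."""
    touched = report["modified"] + report["removed"]
    return sorted(p for p in touched if p.startswith(core_prefixes))


def build_sample_trees():
    """Constructed toy images: short byte strings stand in for real binaries."""
    tmp = Path(tempfile.mkdtemp())
    oem = {
        "bin/busybox": b"busybox",
        "usr/bin/core-daemon": b"oem web/video daemon",
        "usr/lib/libencode.so": b"oem encoder",
        "etc/init.d/S90watchdog": b"restart hung services",
        "etc/onvif.conf": b"onvif settings",
        "www/index.html": b"<title>OEM Camera</title>",
        "www/logo.png": b"oem logo",
    }
    rebrand = dict(oem)
    rebrand["www/index.html"] = b"<title>Rebrand Camera</title>"  # UI re-skin only
    rebrand["www/logo.png"] = b"rebrand logo"
    rebrand["opt/app/partner-server"] = b"partner application"  # added alongside
    for name, files in (("oem", oem), ("rebrand", rebrand)):
        for rel, data in files.items():
            path = tmp / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return tmp / "oem", tmp / "rebrand"


def sample_report() -> dict:
    oem_root, rebrand_root = build_sample_trees()
    return compare_firmware_trees(oem_root, rebrand_root)


if __name__ == "__main__":
    r = sample_report()
    print(f"{r['oem_fraction']:.0%} of rebrand files are byte-identical to the OEM base")
    print("modified:", r["modified"], "added:", r["added"])
    print("core changes:", core_changes(r) or "none (additions only)")
```

Point `compare_firmware_trees` at two real unpacked images to replace the constructed sample; a high `oem_fraction` with no `core_changes` is the "superficial re-skin plus one app" pattern the thread describes.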