Verkada Global Admin Vs Hikvision Backdoor

By John Honovich, Published Mar 29, 2021, 10:52am EDT

Which one was worse? And what does this say about video surveillance cybersecurity?

IPVM Image

In 2017, Hikvision's backdoor shook the industry. Now, in 2021, Verkada's "global admin access" lead to a breach that made global news.

Untrustworthy

Both companies proved to be untrustworthy as these were the consequences of dangerous and unethical design decisions. Many 'hacks' are the result of exploiting obscure or unseen coding patterns that the provider did not foresee. These were not.

With Hikvision and Verkada, both of these companies put these in on purpose, hiding them from the public until outsiders publicized, forcing the companies to make changes after years of secretly including them.

Hikvision ********

********* ****-***** * ***** string ******** ****** ******** of ** ****** ****** that **** ******** ** requests ** *** ****** allowed ***** ****** ******* logging ** ** **** knowing **** *** ******** was.

**** ************ **** ** the ***** ***** ******** below:

******* ****** *****

******* *** * **** more ********* '********', ** what ******* *** ********* as "****** ***** ******', which *** **** ******* access ** *******, ** allowed ****** ** **********, analytics, **** **** ** the ********** ** ** the *******.

** *** ***** *****, Verkada ****** *** ********* removing '****** ***** ******', at ***** ******:

Cloud ******* ** ***

*** *********** ********** ******* these *** *************** ** that ********* *** ******** in ******** **** *** not *****-*******, ********* **** end **** ** ****** the ******** ** ****** the ************* ***** *******, being ***** *******, *** able ** ****** *** device's ******** *** ** once.

Dangers ** ***** / ******* ***** *****

**** *****-******* *******, *** provider *** *** ** their ********* ******** **** want. *** **** **** is *** **** *** chance **** *** ******** can ********** ***** **** the ******** ** ****** on ****. **** ** not ******* ******* **** granularly *** **** ** one ****, * ******** would ***** **** ** prove *** ******* *** nefarious *** *** ****** a ****** **** ** managing *** ****** (***** an ************* ******** ***** certainly *****).

*** ****** ** * cloud ****** ** **** once ********, *** ******** can *********** ** ******* to ***** *** ******** / ***** ******, ********* the ******** ** *** lying ** ********* ***** that (***** ***** ***** be **** ** ******).

Dangers ** *** ***** / ********* ********

**** ******* **** *** not ***** *******, * general ***** ***** **** the ******** ** ******* in ***'* ************ **** a ******** *****-**. ***** and ****** *** ******** is ******* ** ****** the ********, *** ******** will ******, *** ****** or *****. ********, ******** one ******** *** ********, the **** ****** ** a *** ******** ***** implanted **** ******** *** remain ******* *** ***** if ** ***** *** backdoor ** ***** *** a ******** ****** ******** it ** *******.

Verkada ********

*** **** ****** ******* of ******* ***** ******* is ****, *** *****, they **** ******** ***** marketing ** *** ******* that **** *** *********** and ***** ******* *********** are ***** *** *********,*** *******:

IPVM Image

***:

IPVM Image

*** ******* ******** '*********' and '*****? *****. *** American ******* ****** ******** 'DANGEROUS' *** '*****'? ** 'Tricky-Verk' *****, ***, **** are.

Which ** *****?

*** **** ****** *** with **** *********.

** *** *** ****, at ***** **** *********, you *** *** ** barricade / ***** /********** ****** **** *** Internet ***, ** *** do ** ********* *** never ************* ***** ****** connectivity *** *** ** sure *** **** *** be ******** ** ******** adversaries, *** ***** ** ok. ** ******, **** is ** *** ******* of ****** ** ********* or ********** *** ****** and *****-***** ****** (*.*., police ** ** *********).

***********, ********* *** **** offers *****-******* ***** ************ (e.g., ***-*******) *** ** you *** ***** **** the **** **** ** Verkada - *** *** trust **** ********* **** not ****** ** ***** others ** ****** **** video?

Trust *********

***** ** *********, ** one *** **** ** certain **** * ******** is *** ******* * Hikvision ** * *******. Often ******, ******* ***, "Show ** *** ***** that ******* * *** a ********?" ** ******, when ***** ** ***** made ******, *** ******* fixes ** (** ****** because **** **** ** unsolved ******** ** * threat ** ********). *** proving **** *************** ** hard *** ********* *** hide **** *** ***** (as ********* *** ******* both *** ****). *** can ***** ** ******* that ********* ** ******* or **** ** ******** or ***** ** ******, etc. **** *** ***** new *********. *** **** to ** **** ** trust **** **** **** job, **** ************'* ******, and, ** **** *********, even ******'* *****.

Vote / ****

Comments (28)

Undisclosed Manufacturer #1

03/29/21 03:05pm

* **** *** * VSaaS *******.

* ***** **** *** Verkada ****** *** ***** than ********* ******* ********* could ** ********** ********* with ******* *** ***** be *******. **** ********* customers********* ********** ******, **** if **** ****'* ********* do **.

*** ** ******* **** Hikvision ********* ****'* **** their ***** ******** ***** Verkada ***. ** ** me, **** ***** ** worse *** ******* ** well.

Agree: 24
Disagree: 1
Informative
Unhelpful
Funny

Undisclosed Integrator #5

In reply to Undisclosed Manufacturer #1 | 03/29/21 05:52pm

**** ** **** **** bad, *** ***** ********* hard-coded *** ******** * would ******** ** ***** a ****** *****? * personally *** *** ******* that ********* *** ****, but ****'* ****** ****** Verkada ** **** **** huge ** * ****. Verkada ***** ** ** more ** ******** ** negligence ** ******** ****** controls. * ***'* ***** either *** :)

Agree: 1
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed Integrator #5 | 03/29/21 11:27pm

** ***'* * ****...

Agree: 3
Disagree: 1
Informative
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | 03/29/21 03:13pm

Agree: 7
Disagree
Informative
Unhelpful
Funny: 9

Undisclosed Integrator #3

03/29/21 04:44pm

** ***** *** ************* exist ** **** ******** standalones ***/***'*, *** *** servers **** ***** **** feature *** ** ********, although *** ***** ** the ******* ** ******. These ******* *** ***** providers *** *** **** access ** *** ******* is ****** **, ***** the ** **** ** serial ****** **** ******* with *** *****, ** even * '*******' ** at * **** ***** in *** ********. *********'* QR ************* **** ***** the ********** ******** ******** by ********* ** ***** OEM's. ** *** **** verified ** ***** *******, even **** *** ******* only **** ******* *** access.

******** ******* *** ***** based ******* ********* ****** access ** *** ******* can *** ******* ****. The ******* *** ***** OEM ******** ** **** from ********* ** *****.

***** ***** ******* *** provide '*** **** **' access. ** * ****** obtained, ** ****** ******** server ** ** **** (as ******** **** *******), access ** **** ** possibly *** ****** *******/*******/******** is ******.

***** ********* *** ***** targets *** ******* *******, as * ****** ** address ******** ****** ** many *******. **** **, cloud ******* *** **** likely ** ******* **** level ****** ** *** network ** ***** *** system *******.

**** *** *** ******** risks. ***** ******* *** IOT ******* ******* **** risks ** ******** ***** wide. *** ******** ***** to ******* **** *****, and ********* **** ********* and **********.

** *** **** ****, Dual ****** ****** *** a **** *****, *** as **** ** *** backdoor ****** ** ****** firmware ** **, ***** is ****** * ****.

* ***-************ ** ******** reliant ******* ***** ** to ********* *** ****** access *****. ** *** be * **** ** manage, *** ***** ** worth ***********.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed Integrator #3 | 03/29/21 11:25pm

***** ** ****** ********* engineered **** *** *******-*****... MFG - " **'** incorporated * ***** *********** related ********** ** **** spec. ** ***** ** fact, ***** ** ** need ** ******** **." OEM -" **, **, our **** **** ***** be **** ******** ** it ****** *****? ** problem"

Agree
Disagree
Informative
Unhelpful
Funny: 1

Undisclosed Integrator #4

03/29/21 05:09pm

***** *** *** "**** were *** ****** ******** of *****" ******?

Agree: 8
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed Integrator #4 | 03/29/21 11:19pm

******* "********" ****. * would **** * "***** in ******* ******" **** we ****** *** "******/**" box ***** ******/** *****'* fit, ** ******, * properly *********** ****.... *'** re-read *** ******** *** response-options ***** **** ** be **** **** * could **** **** ******* didn't ***** ** ****.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #3

03/29/21 06:06pm

****** ******** ** ***** -

***** ** *** ************* an ***** **** ** not ******* ** ***** products. *** **** ********** is ******** ****** ******* providing ******* ****** *******, Security, *** ************* ******* provided ** **********, *************, industrial, **********, *** ******* consumers.

******, ******, ****, *** many ****** ******* ‘*****’ products **** *** ** Code ***/** ************* ********** that *** ****** ********* and ***** *** ***** network *******, ** ***** to ******* ‘**** ******’ to ***** *******. ** is *********** ****** ** use, *** ** **** requires ********** ***** **** each ************ **** ***** that ****** ** **** providing *** ******* ********.

** *** **** **** nothing ** ***** ****. Collection ** **** ** big ********. ***** *** the ******** ***** ** the ***** ********, ** provided **** *** ******* explaining *** ********* ***** to *******.

*** ******** ******** *** millions ** ********* ***** wide **** ****** **** ‘easy ******’ ** ***** to ** **** ** monitor *** ******* ******* that *** ** **** networks **** ********** *** private ***********. *** ***** suspect **** *** ********* providing ***** ******** **** have *** **** **** vetting, *** ********** ******* risks ********** **** *** these *******.

** ***** ** **** for **** ** ** an ******* **** ******** how **** ********** *****, the *****, *** ********. Also ** **** ******* provide *********** ** *** integrators, *** *** ***** might ******** *** **** when ***** ******** **** apply ***** ************.

Agree: 2
Disagree
Informative: 3
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed Integrator #3 | 03/29/21 11:14pm

***, ** * ****'* already **** **** * didn't ***** ** #*, I ***** **** ******* your ******** *** ****. Good ********.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #6

03/29/21 06:22pm

*** *** **** **** since *** ******-**** **** on ******* ***** ****** control *** **** ***********?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #11

In reply to Undisclosed Manufacturer #6 | 03/30/21 07:34pm

******* **** *** **** watched ******* ** ***** St. ****’* ********, ** Arizona, *** **** **** able ** *** * detailed ****** ** *** used ******* ****** ******* cards ** **** ******* doors, *** **** **** did **.

**** *** ******** *******.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed End User #11 | 03/30/21 09:35pm

"******* **** *** **** watched ******* ** ***** St. ****’* ********, ** Arizona, *** **** **** able ** *** * detailed ****** ** *** used ******* ****** ******* cards ** **** ******* doors, *** **** **** did **."

**** *******. ****'* *** it ** *** *******-**** or * ********* *********....**** not ** *** ***** agency... * **** ********.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #7

03/29/21 11:10pm

** *****'* ****** ***** one ** *****; **** of ** ** ****. Many **** (*** **** video ********/********* ***'*) *** doing **, **** **** happened ** **** ****** caught. ****.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #8

03/30/21 01:32am

******* ** ********** ***** because ***** ** ** way ** ****** ******* it ***** *** ******* cannot ** ******* **** the ***** ******. *** TruHikVision ******* **** ******* from *** ***** **** day ***, ***** ** ACLs *** ***** ** putting **** ** ******* vlans **** ** ***** to/from *** *****. *** dual *** **** ******** as ******* ***** ** view **** ***** ** the ******* ******* *** the ****** *********** *** is ****** ****** *********** ACLs ** **** ******* VPN ****** *** **** limited ****** ** ********* on *** ******** *** can ***** *** **** or *** *** *******. So **** ** *** NVRs ********** **** * backdoor *** **** ** bad ****** ***** **** to **** **** ******* employees **** ******, ****** and ******* ** ********* or ** ******** *** manages ** ********** ********** a ********** ** *** private ***. *********, ******* we ***** *** ****** (Hik ** **** **...) is ** ****** ******* since ** *** ********* from * **** **** trust ***** ******.

* ****** ** ****** this ***** **** ************ our *********** *** ***** both ********* *** ******* as **** ** ****** support.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Undisclosed End User #10

In reply to Undisclosed End User #8 | 03/30/21 03:43pm

* ********** *** ***** video ***** ** ***********, but * ****** ** local ***** ***** **** have *** ******** ** security, ******* ****** ********* it. ** ***** ** a **** ******* ** firewall ** ***** ******* at ***** * ** prevent ***-*** ******** ******** traffic. * ***'* **** the ***** ** ****, and ** **** ********* if **** ** **** an ******** ** ********?

Agree: 1
Disagree
Informative
Unhelpful
Funny

Andrew Myers

In reply to Undisclosed End User #10 | 03/30/21 04:26pm

******** *** ** ** illusion ** ******** ** it ***'* ********** ********. With ******* *** **********, it's ** ** *** to ********* ********. **** devices ******* **** ***********, it's ** ** **** to ********* ** ********. Outsourcing ** * ***** strategy ** *** **** of ******* ********* ** too ****. *** ** sure ***'** *********** ** the ***** ************.

** *** **** *** resources (*********, *****, *********), local ********** ****** *** to ******* **** *** beyond ******** ***** *** possibly *****. *** *** setup *********, *****, ****, manage *******, ******* *** traffic ****, *** ** reasonably **** **** ** one *** *********** **** video ******. **** ***** video, *** *** *** do ** ***** *** provider. *** *** ***** know *** ******* **** your ******** *****'* **** an ******** ***** ******** your *****.

Agree: 3
Disagree
Informative: 2
Unhelpful
Funny

Undisclosed Integrator #9

03/30/21 12:46pm

* ***** ******** ** worse ** ** *** 100% ***********.

******* *** **** ****** poor ********** *** *********. Bad ******** *** *** intentional.

Agree: 1
Disagree: 4
Informative
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed Integrator #9 | 03/30/21 09:05pm

"******* *** **** ****** poor ********** *** *********. Bad ******** *** *** intentional. "

*** *** **** ***** that? ** ********** (** years ** ** ** many **********, **** ****** and ******* *******), ***, and ******* ********, *** otherwise ** **.....

Agree
Disagree: 1
Informative
Unhelpful
Funny

Undisclosed End User #8

03/30/21 12:51pm

*** ** *******'* ****** admin, *************?

Agree: 3
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #5

In reply to Undisclosed End User #8 | 03/30/21 01:02pm

******** *** ***** ***** account *** * ******* server *** ****** *** intentional. ********* ** ********. They **** **** * blog **** **************** ** ***** ** bashing *** ********* *** there, *** **** **** that *** **** ******.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #8

In reply to Undisclosed Integrator #5 | 03/30/21 01:10pm

** * ***. *** vulnerability *** ****** ** trust *** ***********, ** was *** ******** ** the ***** ***** ******** that *** *************. ******'* that ** **** ** the ********* ********? ********* didn't *** **********, *** they?

Agree
Disagree: 1
Informative
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed End User #8 | 03/30/21 09:12pm

****** ** ***** *** unintended. **** ****** ****** your *****. ********* ** Vulnerability *** ********** *** unanticipated. ******* ** ******** spy ** ****** *** "tools" ***** *** ***** of "*******" *** ***********.

Agree
Disagree
Informative
Unhelpful
Funny

Michael Miller

In reply to Undisclosed Integrator #5 | 03/30/21 01:52pm

* ****** ***** *** Avigilon ******* ********** **** really ******* **. * have * *** ** Avigilon ******* *** * must ** ***** ********* wrong ******* * ***'* have *** ****** ** $67,500 * ***** *** maintenance *** ******* **** $90,000 * **** ** licenses.

IPVM Image

Agree
Disagree
Informative: 1
Unhelpful
Funny: 4

Undisclosed Integrator #12

03/30/21 07:46pm

*** * ***** ****

******** ******

** *** ***** **** Verkada

Agree: 1
Disagree: 1
Informative
Unhelpful
Funny

Undisclosed Integrator #7

In reply to Undisclosed Integrator #12 | 03/30/21 09:28pm

*** ******** ******* *** not **** **** *********** (the ****, *** *** cover-up). *** ***** ** was, ** ** *******, intentional. ******* *** ************* using ******* *** *********** specifically ******** ** ***** full ****** *** *********** nefarious *******. ********, **** many ***** ************* *********** a ****** ** *****( if *** ******** *** indirectly *** *** ***** partner). *** ********-*** *** the *****-**.

Agree
Disagree
Informative
Unhelpful
Funny

Andrew Myers

In reply to Undisclosed Integrator #12 | 03/30/21 09:30pm

* *********** *****. ******* over ******* ******* ***** cyber ******* ****** ****. In ******, *** ******* thing *** **** **** access ** *******, *** pwning * ****** ***** pwning * ****** (********** if *** ****** *** on * **** **** it ****** **** ****🤞).

*******, *** ******* **** gave ****** ** **** high ******* *******, **** Tesla *** **********. ********* on *** ****** *********, that ***** ********* ********* espionage. *'* *** **** if ******** *** *** customers **** *** **** prominent. *** *** ******** breach ***** ** *** it ** *** ***** number ** ***** ** medium **********.

Agree: 1
Disagree
Informative
Unhelpful
Funny
Avatar

Hauke Kerl

04/07/21 03:27pm

Both *** ************.

*** ** *** ***** (easily) ******** ** ******* oneself **** ******* *** Hik ********. ** *** way, ** ********* *** IP ******* (***** **** at ********) **** *** something **** **** ** the ****. **** **** out *** *** ***** embarrassing *** ********. (****** *******)

**** *******, * ***'* really **** **** ** say. ***** ***** ** be * *** ***** wrong ** *** *******. ISO ***** ****** ** a ******* *** ********* like **** *** *** there **** ** **** internal ******** ********. *** a ****** ***! ** other *****, ***** ** a *** ***** **** the ************.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 6,891 reports, 921 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports