Verkada Global Admin Vs Hikvision Backdoor

By John Honovich, Published Mar 29, 2021, 10:52am EDT

Which one was worse? And what does this say about video surveillance cybersecurity?


In 2017, Hikvision's backdoor shook the industry. Now, in 2021, Verkada's "global admin access" led to a breach that made global news.

Untrustworthy

Both companies proved to be untrustworthy as these were the consequences of dangerous and unethical design decisions. Many 'hacks' are the result of exploiting obscure or unseen coding patterns that the provider did not foresee. These were not.

With Hikvision and Verkada, both companies put these in on purpose and hid them from the public until outsiders publicized them, forcing the companies to make changes after years of secretly including them.

Hikvision ********

********* ****-***** * ***** string ******** ****** ******** of ** ****** ****** that **** ******** ** requests ** *** ****** allowed ***** ****** ******* logging ** ** **** knowing **** *** ******** was.

**** ************ **** ** the ***** ***** ******** below:

******* ****** *****

******* *** * **** more ********* '********', ** what ******* *** ********* as "****** ***** ******', which *** **** ******* access ** *******, ** allowed ****** ** **********, analytics, **** **** ** the ********** ** ** the *******.

** *** ***** *****, Verkada ****** *** ********* removing '****** ***** ******', at ***** ******:

Cloud ******* ** ***

*** *********** ********** ******* these *** *************** ** that ********* *** ******** in ******** **** *** not *****-*******, ********* **** end **** ** ****** the ******** ** ****** the ************* ***** *******, being ***** *******, *** able ** ****** *** device's ******** *** ** once.

Dangers ** ***** / ******* ***** *****

**** *****-******* *******, *** provider *** *** ** their ********* ******** **** want. *** **** **** is *** **** *** chance **** *** ******** can ********** ***** **** the ******** ** ****** on ****. **** ** not ******* ******* **** granularly *** **** ** one ****, * ******** would ***** **** ** prove *** ******* *** nefarious *** *** ****** a ****** **** ** managing *** ****** (***** an ************* ******** ***** certainly *****).

*** ****** ** * cloud ****** ** **** once ********, *** ******** can *********** ** ******* to ***** *** ******** / ***** ******, ********* the ******** ** *** lying ** ********* ***** that (***** ***** ***** be **** ** ******).

Dangers ** *** ***** / ********* ********

**** ******* **** *** not ***** *******, * general ***** ***** **** the ******** ** ******* in ***'* ************ **** a ******** *****-**. ***** and ****** *** ******** is ******* ** ****** the ********, *** ******** will ******, *** ****** or *****. ********, ******** one ******** *** ********, the **** ****** ** a *** ******** ***** implanted **** ******** *** remain ******* *** ***** if ** ***** *** backdoor ** ***** *** a ******** ****** ******** it ** *******.

Verkada ********

*** **** ****** ******* of ******* ***** ******* is ****, *** *****, they **** ******** ***** marketing ** *** ******* that **** *** *********** and ***** ******* *********** are ***** *** *********,*** *******:


***:


*** ******* ******** '*********' and '*****? *****. *** American ******* ****** ******** 'DANGEROUS' *** '*****'? ** 'Tricky-Verk' *****, ***, **** are.

Which ** *****?

*** **** ****** *** with **** *********.

** *** *** ****, at ***** **** *********, you *** *** ** barricade / ***** /********** ****** **** *** Internet ***, ** *** do ** ********* *** never ************* ***** ****** connectivity *** *** ** sure *** **** *** be ******** ** ******** adversaries, *** ***** ** ok. ** ******, **** is ** *** ******* of ****** ** ********* or ********** *** ****** and *****-***** ****** (*.*., police ** ** *********).

***********, ********* *** **** offers *****-******* ***** ************ (e.g., ***-*******) *** ** you *** ***** **** the **** **** ** Verkada - *** *** trust **** ********* **** not ****** ** ***** others ** ****** **** video?

Trust *********

***** ** *********, ** one *** **** ** certain **** * ******** is *** ******* * Hikvision ** * *******. Often ******, ******* ***, "Show ** *** ***** that ******* * *** a ********?" ** ******, when ***** ** ***** made ******, *** ******* fixes ** (** ****** because **** **** ** unsolved ******** ** * threat ** ********). *** proving **** *************** ** hard *** ********* *** hide **** *** ***** (as ********* *** ******* both *** ****). *** can ***** ** ******* that ********* ** ******* or **** ** ******** or ***** ** ******, etc. **** *** ***** new *********. *** **** to ** **** ** trust **** **** **** job, **** ************'* ******, and, ** **** *********, even ******'* *****.

Vote / ****

Comments (28)

* **** *** * VSaaS *******.

* ***** **** *** Verkada ****** *** ***** than ********* ******* ********* could ** ********** ********* with ******* *** ***** be *******. **** ********* customers********* ********** ******, **** if **** ****'* ********* do **.

*** ** ******* **** Hikvision ********* ****'* **** their ***** ******** ***** Verkada ***. ** ** me, **** ***** ** worse *** ******* ** well.

Agree: 24
Disagree: 1
Informative
Unhelpful
Funny

**** ** **** **** bad, *** ***** ********* hard-coded *** ******** * would ******** ** ***** a ****** *****? * personally *** *** ******* that ********* *** ****, but ****'* ****** ****** Verkada ** **** **** huge ** * ****. Verkada ***** ** ** more ** ******** ** negligence ** ******** ****** controls. * ***'* ***** either *** :)

Agree: 1
Disagree
Informative
Unhelpful
Funny

** ***'* * ****...

Agree: 3
Disagree: 1
Informative
Unhelpful
Funny

Agree: 7
Disagree
Informative
Unhelpful
Funny: 9

** ***** *** ************* exist ** **** ******** standalones ***/***'*, *** *** servers **** ***** **** feature *** ** ********, although *** ***** ** the ******* ** ******. These ******* *** ***** providers *** *** **** access ** *** ******* is ****** **, ***** the ** **** ** serial ****** **** ******* with *** *****, ** even * '*******' ** at * **** ***** in *** ********. *********'* QR ************* **** ***** the ********** ******** ******** by ********* ** ***** OEM's. ** *** **** verified ** ***** *******, even **** *** ******* only **** ******* *** access.

******** ******* *** ***** based ******* ********* ****** access ** *** ******* can *** ******* ****. The ******* *** ***** OEM ******** ** **** from ********* ** *****.

***** ***** ******* *** provide '*** **** **' access. ** * ****** obtained, ** ****** ******** server ** ** **** (as ******** **** *******), access ** **** ** possibly *** ****** *******/*******/******** is ******.

***** ********* *** ***** targets *** ******* *******, as * ****** ** address ******** ****** ** many *******. **** **, cloud ******* *** **** likely ** ******* **** level ****** ** *** network ** ***** *** system *******.

**** *** *** ******** risks. ***** ******* *** IOT ******* ******* **** risks ** ******** ***** wide. *** ******** ***** to ******* **** *****, and ********* **** ********* and **********.

** *** **** ****, Dual ****** ****** *** a **** *****, *** as **** ** *** backdoor ****** ** ****** firmware ** **, ***** is ****** * ****.

* ***-************ ** ******** reliant ******* ***** ** to ********* *** ****** access *****. ** *** be * **** ** manage, *** ***** ** worth ***********.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

***** ** ****** ********* engineered **** *** *******-*****... MFG - " **'** incorporated * ***** *********** related ********** ** **** spec. ** ***** ** fact, ***** ** ** need ** ******** **." OEM -" **, **, our **** **** ***** be **** ******** ** it ****** *****? ** problem"

Agree
Disagree
Informative
Unhelpful
Funny: 1

***** *** *** "**** were *** ****** ******** of *****" ******?

Agree: 8
Disagree
Informative: 1
Unhelpful
Funny

******* "********" ****. * would **** * "***** in ******* ******" **** we ****** *** "******/**" box ***** ******/** *****'* fit, ** ******, * properly *********** ****.... *'** re-read *** ******** *** response-options ***** **** ** be **** **** * could **** **** ******* didn't ***** ** ****.

Agree
Disagree
Informative
Unhelpful
Funny

****** ******** ** ***** -

***** ** *** ************* an ***** **** ** not ******* ** ***** products. *** **** ********** is ******** ****** ******* providing ******* ****** *******, Security, *** ************* ******* provided ** **********, *************, industrial, **********, *** ******* consumers.

******, ******, ****, *** many ****** ******* ‘*****’ products **** *** ** Code ***/** ************* ********** that *** ****** ********* and ***** *** ***** network *******, ** ***** to ******* ‘**** ******’ to ***** *******. ** is *********** ****** ** use, *** ** **** requires ********** ***** **** each ************ **** ***** that ****** ** **** providing *** ******* ********.

** *** **** **** nothing ** ***** ****. Collection ** **** ** big ********. ***** *** the ******** ***** ** the ***** ********, ** provided **** *** ******* explaining *** ********* ***** to *******.

*** ******** ******** *** millions ** ********* ***** wide **** ****** **** ‘easy ******’ ** ***** to ** **** ** monitor *** ******* ******* that *** ** **** networks **** ********** *** private ***********. *** ***** suspect **** *** ********* providing ***** ******** **** have *** **** **** vetting, *** ********** ******* risks ********** **** *** these *******.

** ***** ** **** for **** ** ** an ******* **** ******** how **** ********** *****, the *****, *** ********. Also ** **** ******* provide *********** ** *** integrators, *** *** ***** might ******** *** **** when ***** ******** **** apply ***** ************.

Agree: 2
Disagree
Informative: 3
Unhelpful
Funny

***, ** * ****'* already **** **** * didn't ***** ** #*, I ***** **** ******* your ******** *** ****. Good ********.

Agree
Disagree
Informative
Unhelpful
Funny

*** *** **** **** since *** ******-**** **** on ******* ***** ****** control *** **** ***********?

Agree
Disagree
Informative
Unhelpful
Funny

******* **** *** **** watched ******* ** ***** St. ****’* ********, ** Arizona, *** **** **** able ** *** * detailed ****** ** *** used ******* ****** ******* cards ** **** ******* doors, *** **** **** did **.

**** *** ******** *******.

Agree
Disagree
Informative
Unhelpful
Funny

"******* **** *** **** watched ******* ** ***** St. ****’* ********, ** Arizona, *** **** **** able ** *** * detailed ****** ** *** used ******* ****** ******* cards ** **** ******* doors, *** **** **** did **."

**** *******. ****'* *** it ** *** *******-**** or * ********* *********....**** not ** *** ***** agency... * **** ********.

Agree
Disagree
Informative
Unhelpful
Funny

** *****'* ****** ***** one ** *****; **** of ** ** ****. Many **** (*** **** video ********/********* ***'*) *** doing **, **** **** happened ** **** ****** caught. ****.

Agree: 2
Disagree
Informative
Unhelpful
Funny

******* ** ********** ***** because ***** ** ** way ** ****** ******* it ***** *** ******* cannot ** ******* **** the ***** ******. *** TruHikVision ******* **** ******* from *** ***** **** day ***, ***** ** ACLs *** ***** ** putting **** ** ******* vlans **** ** ***** to/from *** *****. *** dual *** **** ******** as ******* ***** ** view **** ***** ** the ******* ******* *** the ****** *********** *** is ****** ****** *********** ACLs ** **** ******* VPN ****** *** **** limited ****** ** ********* on *** ******** *** can ***** *** **** or *** *** *******. So **** ** *** NVRs ********** **** * backdoor *** **** ** bad ****** ***** **** to **** **** ******* employees **** ******, ****** and ******* ** ********* or ** ******** *** manages ** ********** ********** a ********** ** *** private ***. *********, ******* we ***** *** ****** (Hik ** **** **...) is ** ****** ******* since ** *** ********* from * **** **** trust ***** ******.

* ****** ** ****** this ***** **** ************ our *********** *** ***** both ********* *** ******* as **** ** ****** support.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

* ********** *** ***** video ***** ** ***********, but * ****** ** local ***** ***** **** have *** ******** ** security, ******* ****** ********* it. ** ***** ** a **** ******* ** firewall ** ***** ******* at ***** * ** prevent ***-*** ******** ******** traffic. * ***'* **** the ***** ** ****, and ** **** ********* if **** ** **** an ******** ** ********?

Agree: 1
Disagree
Informative
Unhelpful
Funny

******** *** ** ** illusion ** ******** ** it ***'* ********** ********. With ******* *** **********, it's ** ** *** to ********* ********. **** devices ******* **** ***********, it's ** ** **** to ********* ** ********. Outsourcing ** * ***** strategy ** *** **** of ******* ********* ** too ****. *** ** sure ***'** *********** ** the ***** ************.

** *** **** *** resources (*********, *****, *********), local ********** ****** *** to ******* **** *** beyond ******** ***** *** possibly *****. *** *** setup *********, *****, ****, manage *******, ******* *** traffic ****, *** ** reasonably **** **** ** one *** *********** **** video ******. **** ***** video, *** *** *** do ** ***** *** provider. *** *** ***** know *** ******* **** your ******** *****'* **** an ******** ***** ******** your *****.

Agree: 3
Disagree
Informative: 2
Unhelpful
Funny

* ***** ******** ** worse ** ** *** 100% ***********.

******* *** **** ****** poor ********** *** *********. Bad ******** *** *** intentional.

Agree: 1
Disagree: 4
Informative
Unhelpful
Funny

"******* *** **** ****** poor ********** *** *********. Bad ******** *** *** intentional. "

*** *** **** ***** that? ** ********** (** years ** ** ** many **********, **** ****** and ******* *******), ***, and ******* ********, *** otherwise ** **.....

Agree
Disagree: 1
Informative
Unhelpful
Funny

*** ** *******'* ****** admin, *************?

Agree: 3
Disagree
Informative
Unhelpful
Funny

******** *** ***** ***** account *** * ******* server *** ****** *** intentional. ********* ** ********. They **** **** * blog **** **************** ** ***** ** bashing *** ********* *** there, *** **** **** that *** **** ******.

Agree
Disagree
Informative
Unhelpful
Funny

** * ***. *** vulnerability *** ****** ** trust *** ***********, ** was *** ******** ** the ***** ***** ******** that *** *************. ******'* that ** **** ** the ********* ********? ********* didn't *** **********, *** they?

Agree
Disagree: 1
Informative
Unhelpful
Funny

****** ** ***** *** unintended. **** ****** ****** your *****. ********* ** Vulnerability *** ********** *** unanticipated. ******* ** ******** spy ** ****** *** "tools" ***** *** ***** of "*******" *** ***********.

Agree
Disagree
Informative
Unhelpful
Funny

* ****** ***** *** Avigilon ******* ********** **** really ******* **. * have * *** ** Avigilon ******* *** * must ** ***** ********* wrong ******* * ***'* have *** ****** ** $67,500 * ***** *** maintenance *** ******* **** $90,000 * **** ** licenses.


Agree
Disagree
Informative: 1
Unhelpful
Funny: 4

*** * ***** ****

******** ******

** *** ***** **** Verkada

Agree: 1
Disagree: 1
Informative
Unhelpful
Funny

*** ******** ******* *** not **** **** *********** (the ****, *** *** cover-up). *** ***** ** was, ** ** *******, intentional. ******* *** ************* using ******* *** *********** specifically ******** ** ***** full ****** *** *********** nefarious *******. ********, **** many ***** ************* *********** a ****** ** *****( if *** ******** *** indirectly *** *** ***** partner). *** ********-*** *** the *****-**.

Agree
Disagree
Informative
Unhelpful
Funny

* *********** *****. ******* over ******* ******* ***** cyber ******* ****** ****. In ******, *** ******* thing *** **** **** access ** *******, *** pwning * ****** ***** pwning * ****** (********** if *** ****** *** on * **** **** it ****** **** ****🤞).

*******, *** ******* **** gave ****** ** **** high ******* *******, **** Tesla *** **********. ********* on *** ****** *********, that ***** ********* ********* espionage. *'* *** **** if ******** *** *** customers **** *** **** prominent. *** *** ******** breach ***** ** *** it ** *** ***** number ** ***** ** medium **********.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Both *** ************.

*** ** *** ***** (easily) ******** ** ******* oneself **** ******* *** Hik ********. ** *** way, ** ********* *** IP ******* (***** **** at ********) **** *** something **** **** ** the ****. **** **** out *** *** ***** embarrassing *** ********. (****** *******)

**** *******, * ***'* really **** **** ** say. ***** ***** ** be * *** ***** wrong ** *** *******. ISO ***** ****** ** a ******* *** ********* like **** *** *** there **** ** **** internal ******** ********. *** a ****** ***! ** other *****, ***** ** a *** ***** **** the ************.

Agree
Disagree
Informative
Unhelpful
Funny