Warning: ADI and Tri-Ed Video Products Major Security Risk

Author: John Honovich, Published on Sep 22, 2015

Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference - IPVM test on ADI W Box, IPVM test of Tri-Ed Northern Video.

Both ADI and Tri-Ed are using old firmware (respectively 5.2 and 5.1) that were involved in major Hikvision hacks from March 2015. Since then, Hikvision has released a significant upgrade (see IPVM Hikvision 5.3 test results) to help mitigate the core problems.

Why ADI and Tri-Ed are still using risky, out of date firmware is unclear.

[UPDATE: Tri-Ed has fixed / upgraded to 5.3]

However, this is clearly shown when connecting ADI and Tri-Ed cameras to Hikvision's VMS:

This month, Hikvision has been hit with another hacking incident (this time for its mobile app). While ADI and Tri-Ed's app versions do not appear to be infected for this (because they are using older app versions that were not compromised), this does underscore Hikvision and their OEM partners continued risk for other attacks (such as out of date 'risky' camera firmware).

Upgrade Not Possible

IPVM has verified that upgrading ADI and Tri-Ed OEMed cameras with the 'strong' security version from Hikvision will not work. Unforunately, as of this publication, there are no released ADI and Tri-Ed versions available.

Risks

The reality is that the average ADI and Tri-Ed user is likely buying for low price and on the shelf convenience, not considering such issues. However, it does not mean these issues disappear.

Worse, once this is installed, the firmware may not be upgraded ever (or for years) leaving these vulnerabilities open indefinitely for attack.

If and when upgraded 'strong' security firmware versions are released, we will add to this post.

[Update March 2016: Tri-Ed has released the 5.3 firmware. ADI has not.]

4 reports cite this report:

ADI Finally Fixes Hikvision OEM'd Security Risk on Jun 09, 2016
After refusing for months to fix the obvious security risks, ADI has given in and fixed it. Two important lessons here: ADI knows little about...
ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved] on Mar 09, 2016
More than a year after massive hacks against Hikvision was disclosed; More than 9 months after Hikvision issued improved security firmware, mega...
IP Camera Trolling - Cybersecurity Showcase on Nov 09, 2015
If you want to convince your customers about the importance of cybersecurity and the risk of being the next Hikvision, Foscam or Trendnet, show...
The Hikvision Hacking Scandal Returns on Sep 22, 2015
With a vengeance. The last time, the industry mostly shook it off. This time, it is clearly much worse. In this note, we examine Hikvision's...
Comments (20): PRO Members only. Login. or Join.

Related Reports on Hacking

Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Hikvision 'Phone Home' Raises Security Fears on Nov 10, 2016
The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns has...
Genetec Expels Hikvision on Nov 08, 2016
Genetec has removed support for Hikvision devices, deeming them 'untrustworthy', citing customer concerns about Chinese government ownership /...
Now Knocking A Country Offline - The Video Surveillance Driven Botnet Wreaks Havok on Nov 03, 2016
The video surveillance driven botnet is now attacking an entire country. The Mirai malware that took advantage of poor security in Xiongmai, Dahua...
Dahua Says They Are Botnet Attack 'Victims' on Oct 26, 2016
'Victim' or 'accomplice'? Dahua has issued a new press release, referring to their products as 'victims' of the massive botnet attacks hitting the...
The Xiongmai Botnet 'Recall' Will Not Work on Oct 25, 2016
The Xiongmai 'recall' has been the topic of global news, following the unprecedented bot net attacks that use their equipment, among...
Video Surveillance Manufacturers Risk Lawsuits For Botnet Attacks on Oct 24, 2016
The unprecedented scale of internet outages on October 21st from botnet attacks risk triggering lawsuits against video surveillance manufacturers,...
Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month. Shamefully,...
Dahua ‘Duplicitous’ Says Botnet Victim on Oct 11, 2016
The victim of the record-breaking botnet, Brian Krebs, is calling Dahua duplicitous in its statements about the Mirai botnet. He says Dahua should...
Why Surveillance Pros Rationally Won't Care About The Massive Dahua Attack on Oct 05, 2016
The physical security industry has been fairly indifferent to cyber security (e.g., see the Cyber Security For Video Surveillance Study). Here, we...

Most Recent Industry Reports

Pelco Favorability Results on Dec 02, 2016
This is the first in a series of studies of manufacturer favorability. 100+ integrators rated and explained their views of each manufacturer. We...
Hikvision CEO Declares 'We Do Not Cut Rates" on Dec 02, 2016
Hikvision has led another press trip to China, and this time Hikvision's CEO is sharing insights into their competitive strategy, including...
Network Security Audit App (March Networks) Examined on Dec 01, 2016
Verifying one's video surveillance devices are locked down against common cybersecurity vulnerabilities is increasing important, as hacks using...
FLIR Acquires Drone Manufacturer For $134M on Dec 01, 2016
FLIR has acquired Prox Dynamics, a Norwegian maker of small military-grade drones, for $134M.  FLIR president Andy Teich provided additional...
Down to $50 IP Cameras From Honeywell on Dec 01, 2016
$100 IP cameras are literally old news. And you do not need to buy from spam email vendors anymore to get $50 ones. [premium_content] You can...
Distributor Offers Local Job Site Delivery on Nov 30, 2016
Local distribution branches are a big differentiator for many integrators, as they facilitate quickly picking up supplies locally without having to...
Dump Axis and Hikvision, Arecont Will Pay You on Nov 30, 2016
Do you want to get rid of your Avigilon, Axis, Bosch, Hanwha Samsung, Hikvision, Pelco or Sony cameras? Now, Arecont will pay you to dump them for...
CODEC Guide 2016 on Nov 30, 2016
CODECs are core to surveillance, with names like H.264, H.265, and MJPEG commonly cited. How do they work? Why should you use them? What issues may...
Free Online NFPA, IBC, and ADA Codes and Standards on Nov 29, 2016
Finding applicable codes for security work can be a costly task, with printed books and pdf downloads costing hundreds or thousands. However, a...
Selecting Wood Drill Bits For Installers on Nov 29, 2016
Running cables through studs is common for roughing in residential and some older commercial installs. To do this, you will need to drill holes in...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact