Warning: ADI and Tri-Ed Video Products Major Security Risk

Author: John Honovich, Published on Sep 22, 2015

Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference - IPVM test on ADI W Box, IPVM test of Tri-Ed Northern Video.

Both ADI and Tri-Ed are using old firmware (respectively 5.2 and 5.1) that were involved in major Hikvision hacks from March 2015. Since then, Hikvision has released a significant upgrade (see IPVM Hikvision 5.3 test results) to help mitigate the core problems.

Why ADI and Tri-Ed are still using risky, out of date firmware is unclear.

[UPDATE: Tri-Ed has fixed / upgraded to 5.3]

However, this is clearly shown when connecting ADI and Tri-Ed cameras to Hikvision's VMS:

This month, Hikvision has been hit with another hacking incident (this time for its mobile app). While ADI and Tri-Ed's app versions do not appear to be infected for this (because they are using older app versions that were not compromised), this does underscore Hikvision and their OEM partners continued risk for other attacks (such as out of date 'risky' camera firmware).

Upgrade Not Possible

IPVM has verified that upgrading ADI and Tri-Ed OEMed cameras with the 'strong' security version from Hikvision will not work. Unforunately, as of this publication, there are no released ADI and Tri-Ed versions available.

Risks

The reality is that the average ADI and Tri-Ed user is likely buying for low price and on the shelf convenience, not considering such issues. However, it does not mean these issues disappear.

Worse, once this is installed, the firmware may not be upgraded ever (or for years) leaving these vulnerabilities open indefinitely for attack.

If and when upgraded 'strong' security firmware versions are released, we will add to this post.

[Update March 2016: Tri-Ed has released the 5.3 firmware. ADI has not.]

6 reports cite this report:

Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month. Shamefully,...
ADI Finally Fixes Hikvision OEM'd Security Risk on Jun 09, 2016
After refusing for months to fix the obvious security risks, ADI has given in and fixed it. Two important lessons here: ADI knows little about...
ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved] on Mar 09, 2016
More than a year after massive hacks against Hikvision was disclosed; More than 9 months after Hikvision issued improved security firmware, mega...
Hikvision Ezviz Tested on Dec 28, 2015
Last month, Hikvision Launched Direct End User Sales with their Ezviz line, sold through online and big box channels direct to consumers. We...
IP Camera Trolling - Cybersecurity Showcase on Nov 09, 2015
If you want to convince your customers about the importance of cybersecurity and the risk of being the next Hikvision, Foscam or Trendnet, show...
The Hikvision Hacking Scandal Returns on Sep 22, 2015
With a vengeance. The last time, the industry mostly shook it off. This time, it is clearly much worse. In this note, we examine Hikvision's...
Comments (20): PRO Members only. Login. or Join.

Related Reports on Hacking

Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
PR Campaign Exploiting Manufacturer Cybersecurity on Jul 20, 2017
Manufacturers increasingly have a bulls-eye on their back. As cyber security solutions providers grow, they realize a great way to get publicity...
Hikvision USA Head of Cybersecurity Exits on Jul 18, 2017
Hikvision USA's Head of Cybersecurity has exited the company. In this note, we review the move, share Hikvision's feedback and examine the...
Wrongly Accused Critical Vulnerability for Vivotek on Jul 13, 2017
Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported...
ONVIF Chairman Criticizes Low Cost Cameras (Also, He Works At Axis) on Jul 12, 2017
ONVIF Chairman Per Björkdahl has taken a strong public stance against low cost cameras that are 'much more vulnerable to attack' as he explains in...
Smartcard Copier Tested (13.56MHz) on Jul 05, 2017
Copying 125kHz cards is certainly easy, as our test results showed, but how about 13.56MHz smart cards? Are they more secure? IPVM focused on the...
No Hack, Still Liable, Court Finds ADT on Jun 20, 2017
Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit. One of the most important...
How To Hack Your Company's Hikvision Recorder on May 29, 2017
Here's how easy it is to hack your company's Hikvision recorder: It does not matter how hard or secret the admin password is. Hikvision will...
Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big priority, especially since cheaper copiers can hack details easily. Multiple...
Axis Criticizes OEMs: "When You Buy An Axis Camera, An Axis Camera Is What You Get!" on May 19, 2017
When you buy a Honeywell camera, you likely get a Hikvision, Dahua or some other company's product. The same goes for easily 100 different...

Most Recent Industry Reports

Security Robots Are Just Entertainment on Jul 21, 2017
Great entertainment, no real security value.  That is the happy (or sad) state of security robots in 2017. Knightscope robot's drowning, the...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
Competing Against ADT on Jul 20, 2017
ADT is one of the biggest players in the security industry, with ~$4 billion revenue. In 2017, they were acquired / merged with Protection...
Hikvision Launching Deep Learning Recorders on Jul 20, 2017
Hikvision has become a common choice for super low cost NVRs. Now, Hikvision is aiming to move up market, with deep learning NVRs that claim far...
PR Campaign Exploiting Manufacturer Cybersecurity on Jul 20, 2017
Manufacturers increasingly have a bulls-eye on their back. As cyber security solutions providers grow, they realize a great way to get publicity...
Axis Door Station Tested (A8105-E) on Jul 19, 2017
Axis continues their push into niche markets, especially audio, with network speakers, an IP horn, and video door stations. We bought and tested...
Manufacturer Favorability Guide on Jul 19, 2017
This 120 page PDF guide may be downloaded inside by all IPVM members. It includes our 20 manufacturer favorability rankings and 20 manufacturer...
$8 Billion Utility Georgia Power Enters Surveillance Business Offering Avigilon And Genetec on Jul 19, 2017
Utilities are typically considered major customers of surveillance integrators but one utility, Georgia Power, with $8+ billion in annual revenue...
Knightscope Laughs off Robot Drowning on Jul 18, 2017
A day after a Knightscope robot drowned, Knightscope has issued an 'official statement' making fun of the issue: The implied message is that...
Microsoft Video AI Cloud Services Examined on Jul 18, 2017
Microsoft has released one of the most amazing video analytics marketing videos ever. In it, they detect oil spills, track individual people giving...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact