Warning: ADI and Tri-Ed Video Products Major Security Risk

By John Honovich, Published Sep 22, 2015, 12:00am EDT

Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference - IPVM test on ADI W Box, IPVM test of Tri-Ed Northern Video.

Both ADI and Tri-Ed are using old firmware (respectively 5.2 and 5.1) that were involved in major Hikvision hacks from March 2015. Since then, Hikvision has released a significant upgrade (see IPVM Hikvision 5.3 test results) to help mitigate the core problems.

Why ADI and Tri-Ed are still using risky, out of date firmware is unclear.

[UPDATE: Tri-Ed has fixed / upgraded to 5.3]

However, this is clearly shown when connecting ADI and Tri-Ed cameras to Hikvision's VMS:

This month, Hikvision has been hit with another hacking incident (this time for its mobile app). While ADI and Tri-Ed's app versions do not appear to be infected for this (because they are using older app versions that were not compromised), this does underscore Hikvision and their OEM partners continued risk for other attacks (such as out of date 'risky' camera firmware).

Upgrade Not Possible

IPVM has verified that upgrading ADI and Tri-Ed OEMed cameras with the 'strong' security version from Hikvision will not work. Unforunately, as of this publication, there are no released ADI and Tri-Ed versions available.

Risks

The reality is that the average ADI and Tri-Ed user is likely buying for low price and on the shelf convenience, not considering such issues. However, it does not mean these issues disappear.

Worse, once this is installed, the firmware may not be upgraded ever (or for years) leaving these vulnerabilities open indefinitely for attack.

If and when upgraded 'strong' security firmware versions are released, we will add to this post.

[Update March 2016: Tri-Ed has released the 5.3 firmware. ADI has not.]

6 reports cite this report:

Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is...
ADI Finally Fixes Hikvision OEM'd Security Risk on Jun 09, 2016
After refusing for months to fix the obvious security risks, ADI has given in...
ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved] on Mar 09, 2016
More than a year after massive hacks against Hikvision was disclosed; More...
Hikvision Ezviz Tested on Dec 28, 2015
Last month, Hikvision Launched Direct End User Sales with their Ezviz line,...
IP Camera Trolling - Cybersecurity Showcase on Nov 09, 2015
If you want to convince your customers about the importance of cybersecurity...
Hikvision Trojan Mobile App on Sep 22, 2015
With a vengeance. The last time, the industry mostly shook it off. This...
Comments (19) : Members only. Login. or Join.
Loading Related Reports