Possible causes and solution(s)
This article informs about improvements in firmware handling and new security mechanisms that help our customers to increase security related to firmware updates and IP camera protection.
BOSCH introduces authenticated firmware signature
- Firmware security with IP cameras and IP video encoders is enhanced by introducing signed firmware. The signature of the firmware file has been strengthened by using a two-factor authentication process for signing any firmware file within BOSCH that is published as "RELEASED FIRMWARE".
This new process has been prepared with firmware 6.50 already and comes into effect with firmware versions 6.51 and newer. Non-released firmware cannot be installed on products in the field. The new signature protects from non-released versions being installed in productive systems.
- As a result any integrator-specific firmware e.g. for Field Acceptance Test or project assistance from BOSCH R&D need to have a special license installed prior to the firmware update (loading a project-specific firmware) to allow a "Development Build" of a firmware. The BOSCH Integration Partner Program Program (IPP) Team and the BOSCH support teams are happy to assist our customers / integration partners where needed.
For all projects where such a "Allow Development Build" license is required, a technical support case must be created with BOSCH technical support and those cases will be tracked and documented.
Introducing a "minimum required version"
- For specific projects with implementation into 3rd party management software, a firmware downgrade to an older firmware version than 6.51 can be required.
- All customers and partners in the need to downgrade are requested to contact their local BOSCH Support. Partners with special Support regulation should contact their known IPP support contact in the region in order to get in touch with the Global IPP support.
- Right now a simple downgrade to a less secure firmware, which might also lack other improvements, is no longer possible in each case. The dependencies and the minimum required version is documented and listed in the Release Letter of any firmware version 6.51 or newer.
- NOTE: All Firmware requests to downgrade to less secure firmware (status 2018-10-16 e.g. 6.44.x). Any downgrade to a firmware version which is not ranked as secure enough must be requested via the BOSCH technical support in your region.
See details published in Security Advisories of BOSCH:
Such a waiver form must be handed out by BOSCH support and signed by Integrator, Installer and/or BOSCH Partner.
Please also be aware that depending on Hardware there is a minimum Firmware version mentioned at the section "Device Overview" at the WEB GUI of all BOSCH IP cameras.
Especially in case of the need to "downgrade" to previous/older Firmware, this Firmware version information must be checked before and taken into consideration.
In case a downgrade to a firmware version above the displayed "Minimum required Firmware is planned or needed, it is recommend to check the downgrade process with the local Technical Support of BOSCH. A downgrade is not recommended in general, as fixes and security improvements added to new firmware is missing in older firmware. (example screenshot here below)
For other firmware releases, newer than 6.51 (status 03/2019) additional dependencies might be introduced. Please make use of the search feature to find additional news on future firmware releases in our Knowledge Base and read through the Release Letter of such newer Firmware.
Firmware file encryption
Update to 6.51 Firmware:
In order to upload version 6.51 to a device running a firmware version below 6.50, you need to upgrade first to version 6.50, since older firmware versions do not support firmware file decryption.