Profile Q deprecation

Slated for March 31, 2022

ONVIF will deprecate Profile Q because its specification requires a Profile Q conformant device to allow anonymous access to all ONVIF commands during the setup process in the factory default state. This does not follow current cybersecurity best practices, which recommend, among other things, that a network device require users to set passwords and other access rights before the device can be used.

The mandatory requirement for full anonymous access in the factory default state is not something ONVIF promotes moving forward, and since the specifications of a profile cannot be changed as it would impact interoperability between conformant products of the same profile, ONVIF has taken the decision to deprecate Profile Q on March 31, 2022. This is when the validity of the test tool for Profile Q will end.

To ONVIF members
ONVIF members can continue to implement Profile Q and submit for Profile Q product conformance until Profile Q is deprecated on March 31, 2022. Existing Declaration of Conformance with Profile Q will remain valid indefinitely, but members may choose to withdraw it.

To end users
If you are an end user with a registered Profile Q conformant product, the product will remain conformant until the manufacturer decides to withdraw the Declaration of Conformance. Existing Profile Q conformant products, however, will remain interoperable with other Profile Q conformant products regardless of whether a declaration of conformance is withdrawn by the manufacturer. ONVIF recommends that users of a Profile Q device in factory default state quickly set an administrator password, which would require authentication for all ONVIF commands in the operational state.

ONVIF recommends following local regulations, industry best practices and staying on top of updates from the marketplace.

Cybersecurity measures
ONVIF has outlined a general, non-exhaustive set of recommendations for best practices within cybersecurity. The recommendations should not be considered as the only source or guideline to combat cybersecurity threats.

The ONVIF Network Interface Specifications include support for TLS (Transport Layer Security), a secure communication protocol that allows ONVIF devices with that feature to communicate with clients across a network in a way that protects against tampering and eavesdropping.

ONVIF has also specified the ONVIF Default Access Policy (Ref. ONVIF Core Specification – 5.9.2.4 Default Access Policy), which provides an acceptable level of security in many systems. This policy specifies that there should be different access classes to services based on different user roles (Administrator, Operator, User).

ONVIF member manufacturers can support TLS and ONVIF Default Access Policy even without ONVIF Profile Q.

Profile deprecation process
Details of the deprecation process are outlined in the ONVIF Profile Policy document.

See also the press release about the deprecation of Profile Q.