Deprecated as of April 1, 2022
Profile Q was for IP-based video systems and its aim was to provide quick discovery and basic configuration of Profile Q conformant products (e.g., network camera, network switch, network monitor) on a network. A Profile Q conformant device is one that can be discovered and configured by a Profile Q client. A Profile Q conformant client is one that can discover, configure and control a Profile Q device over an IP network. Profile Q also covered specifications for TLS (Transport Layer Security) configuration for conformant products that support this feature. TLS is a secure communication protocol that allows ONVIF devices themselves to communicate with clients across a network in a way that protects against tampering and eavesdropping. Special attention should be given to the Factory Default State when deploying an ONVIF Profile Q Device.
ONVIF deprecated Profile Q on April 1, 2022 because its specification requires a Profile Q conformant device to allow anonymous access to all ONVIF commands during the setup process in the factory default state. This does not follow current cybersecurity best practices, which recommend, among other things, that a network device require users to set passwords and other access rights before the device can be used.
ONVIF does not promote the mandatory requirement for full anonymous access in the factory default state moving forward. Because the specifications of a profile cannot be changed without impacting interoperability between conformant products of the same profile, ONVIF has taken the decision to deprecate Profile Q. The validity of the test tool for Profile Q ends as of April 1.
To ONVIF members
Existing Declarations of Conformance with Profile Q will remain valid indefinitely, but members may choose to withdraw them.
To end users
If you are an end user with a registered Profile Q conformant product, the product will remain conformant until the manufacturer decides to withdraw the Declaration of Conformance. Existing Profile Q conformant products, however, will remain interoperable with other Profile Q conformant products regardless of whether a declaration of conformance is withdrawn by the manufacturer. ONVIF recommends that users of a Profile Q device in factory default state quickly set an administrator password, which would require authentication for all ONVIF commands in the operational state.
ONVIF recommends following local regulations and industry best practices, and staying on top of updates from the marketplace.
ONVIF has outlined a general, non-exhaustive set of recommendations for best practices within cybersecurity. The recommendations should not be considered as the only source or guideline to combat cybersecurity threats.
The ONVIF Network Interface Specifications include support for TLS (Transport Layer Security), a secure communication protocol that allows ONVIF devices with that feature to communicate with clients across a network in a way that protects against tampering and eavesdropping.
ONVIF has also specified the ONVIF Default Access Policy (Ref. ONVIF Core Specification – 126.96.36.199 Default Access Policy), which provides an acceptable level of security in many systems. This policy specifies that there should be different access classes to services based on different user roles (Administrator, Operator, User).
ONVIF member manufacturers can support TLS and ONVIF Default Access Policy even without ONVIF Profile Q.
Profile deprecation process
Details of the deprecation process are outlined in the ONVIF Profile Policy document.
See also the press release about the deprecation of Profile Q.