The Importance of NDAA compliance in Video Surveillance Systems
When installing a modern video surveillance system, you need to be aware that each camera is an independent computer running custom software, connected to a network that likely hosts other critical business infrastructure such as PCs and servers. This network is also typically connected to the internet, which creates the potential for your video system to become a bridge between an outsider and your critical data. Most businesses rely on a router, PC operating systems and other trusted devices to keep their business safe from cyberattacks. The video system equipment you choose should also be evaluated as to whether it can be considered trusted and secure before allowing it inside your organization.
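As an added example (not part of this post, and not code from any camera vendor), the following Python script shows the kind of check a network team can run to confirm that cameras really are isolated: it reads constructed firewall flow records and flags any camera-sourced connection that is not to the recorder, whether out to the internet or sideways into the business LAN. The camera subnet, recorder address, allowed ports and log format are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample flow records (firewall/NetFlow style), not from any real site:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2022-11-25T10:00:01 192.168.50.11 192.168.10.5 554 tcp
2022-11-25T10:00:02 192.168.50.11 192.168.10.5 123 udp
2022-11-25T10:00:03 192.168.50.12 203.0.113.40 443 tcp
2022-11-25T10:00:04 192.168.50.12 192.168.20.7 445 tcp
2022-11-25T10:00:05 192.168.20.7 192.168.50.12 80 tcp
"""

# Assumptions for this example: cameras sit on their own VLAN and may talk only
# to the recorder/VMS (RTSP on 554, NTP on 123). Everything else is a finding.
CAMERA_VLAN = ipaddress.ip_network("192.168.50.0/24")
ALLOWED = {("192.168.10.5", 554, "tcp"), ("192.168.10.5", 123, "udp")}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line: str) -> Dict[str, object]:
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "proto": proto}


def audit_camera_flows(log_text: str) -> List[Dict[str, str]]:
    """Return camera-originated flows that fall outside the allowlist.

    'internet' = camera reaching a non-RFC1918 address (phone-home risk);
    'lateral'  = camera reaching another internal host (bridge into the LAN).
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f["src"] not in CAMERA_VLAN:
            continue  # only camera-sourced traffic is in scope here
        if (str(f["dst"]), f["port"], f["proto"]) in ALLOWED:
            continue  # expected traffic to the recorder
        kind = "lateral" if any(f["dst"] in n for n in INTERNAL) else "internet"
        findings.append({"src": str(f["src"]), "dst": str(f["dst"]),
                         "port": str(f["port"]), "kind": kind})
    return findings


if __name__ == "__main__":
    for hit in audit_camera_flows(SAMPLE_FLOWS):
        print(f"{hit['kind']:8} {hit['src']} -> {hit['dst']}:{hit['port']}")
```

Run against real flow exports, the same logic turns the "is my camera VLAN really fenced off?" question into a repeatable check rather than an assumption.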
When homeowners consider the security of a video surveillance system they are typically concerned with privacy: “Could someone hack into my cameras and watch me?” Businesses will also have privacy concerns relating to video surveillance equipment, but there is often a far more pressing question: “Could someone hack into my cameras and access my network and data?” When government agencies, critical infrastructure providers, and the military assess video surveillance systems they must consider an even greater risk: “Could a foreign entity hack our camera system to launch a cyber-warfare attack?”
It was primarily this last question that in 2019 caused the US government to include sections in the National Defense Authorization Act (NDAA) that banned all products from Chinese video surveillance manufacturers Hikvision and Dahua (and all other products using “HiSilicon” chipsets) from installation in all US government regulated facilities. This coincided with a move to ban Huawei (another Chinese state-controlled technology company) from supplying communications infrastructure in the US. Most NATO countries have followed suit including Canada which banned the use of Huawei communications equipment in May 2022. But are these concerns warranted, or is this just a case of Western countries engaging in a trade war and trying to maintain global market share for their own products? It’s a topic that certainly merits debate, but we believe there are legitimate causes for concern.
To understand what is at the heart of these concerns you need to understand that all modern security cameras require a highly advanced computer chipset. This chipset is responsible for all the camera’s functions including megapixel digital video capture, advanced data compression (H.264 and H.265), multi-channel real-time video streaming, analytics processing, network/web traffic handling, and data security. There are few companies capable of manufacturing the microprocessors required by video surveillance cameras, and even fewer who can do so on a large scale and at a price point consumers are willing to pay.
Between 2010 and 2019 HiSilicon became the world’s largest provider of video surveillance chipsets. So who is HiSilicon, and how was this achieved? What few people understood until recently is that HiSilicon is a wholly owned subsidiary of Huawei. HiSilicon, Huawei, Hikvision and Dahua are all connected. They share technology and are ultimately all controlled by the Chinese Government. These links had been deliberately concealed through the creation of multiple shell companies with complex share structures and only started to become public knowledge with the launch of the NDAA in 2019. The following articles offer detailed analysis of these links and some of the reasons for concern: Hikvision, Corporate Governance, and the Risks of Chinese Technology | Center for Strategic and International Studies (csis.org) and Who Owns Huawei? | ChinaFile.
With the backing of the Chinese Government, Huawei and HiSilicon have been able to produce advanced technology at extremely aggressive price points. This has allowed them to achieve their goal of embedding their chipsets into home, business, and critical infrastructure networks in every corner of the globe. Despite the creation of the NDAA in 2019, companies all over the globe (including here in Canada) continue to install video surveillance equipment with HiSilicon chipsets onto their networks at an alarming rate.
HiSilicon chips are not only used in all Hikvision and Dahua products, they are embedded in virtually every consumer grade camera on the market including most well-known brands offered by big retailers such as Costco, Best Buy, Telus, Shaw, etc. Versatech has never promoted products from Hikvision, Dahua, or any of the other cheap “consumer-grade” brands. This isn’t because we were aware of the issues around HiSilicon chipsets (few people were before 2019), it is simply that we find these products to be badly designed, cheaply made, and poorly supported by their manufacturers.
But aside from the cloak and dagger stuff, are there real-world cases of HiSilicon based products being problematic? Here are some examples of security concerns and potential human rights violations related to Hikvision and Dahua products, as listed on Wikipedia.
UPDATE: November 25/22 - The United States FCC has now banned Huawei and ZTE equipment (including Hikvision and Dahua) from the US. Along with Huawei and ZTE, the order affects products made by companies such as Hikvision and Dahua, makers of widely used video surveillance cameras. "Our unanimous decision represents the first time in FCC history that we have voted to prohibit the authorization of new equipment based on national security concerns. As a result of our order, no new Huawei or ZTE equipment can be approved. And no new Dahua, Hikvision, or Hytera gear can be approved unless they assure the FCC that their gear won't be used for public safety, security of government facilities, & other national security purposes." (Source CTV News, Nov. 25, 2022 2:30 p.m. PST).
From Dahua Technology - Wikipedia
Cybersecurity vulnerabilities:
In September 2016, the largest DDoS attack to date, on KrebsOnSecurity.com, was traced back to a botnet. According to internet provider Level 3 Communications, the most commonly infected devices in this botnet were Dahua and Dahua OEM cameras and DVRs. Nearly one million Dahua devices were infected with the BASHLITE malware. A vulnerability in most of Dahua's cameras allowed "anyone to take full control of the devices' underlying Linux operating system just by typing a random username with too many characters." This was exploited, and malware installed on devices that allowed them to be used in "both DDoS attacks as well as for extortion campaigns using ransomware."
In March 2017 a backdoor into many Dahua cameras and DVRs was discovered by security researchers working for a Fortune 500 company. The vulnerability had been activated on cameras within the Fortune 500 company's network, and the data trafficked to China through the company's firewall. Using a web browser, the vulnerability allowed unauthorised people to remotely download a device's database of usernames and passwords and subsequently gain access to it. Dahua issued a firmware update to fix the vulnerability in 11 of its products. Security researchers discovered that the updated firmware contained the same vulnerability but that the vulnerability had been relocated to a different part of the code. This was characterized by the security researchers as deliberate deception.
In March 2021, the Federal Communications Commission declared that Dahua services and equipment "pose an unacceptable risk to U.S. national security." In response, The Intercept said, "the U.S. government has not provided the public with any evidence that Dahua and Hikvision are spying on customers."
In September 2021, Dahua acknowledged an identity authentication bypass vulnerability affecting over 30 device models that, if exploited, can allow attackers to "bypass device identity authentication by constructing malicious data packets." In October 2021, TechCrunch reported that The Home Depot and Best Buy stopped selling Lorex-branded Dahua and Ezviz products.
Mass surveillance of ethnic minorities
See also: Uyghur genocide and Xinjiang conflict
Dahua has played a role in the mass surveillance of Uyghurs in Xinjiang. In October 2019, the U.S. government placed Dahua on the Bureau of Industry and Security's Entity List for its role in surveillance of Uyghurs in Xinjiang and of other ethnic and religious minorities in China. In November 2020, after security researchers identified facial identification software code with designations by ethnicity, Dahua removed the code in question from GitHub. In February 2021, the Los Angeles Times published an investigation of Dahua's technology for the purpose of Uyghur surveillance.
Security Industry Association expulsion
The Security Industry Association, a U.S.-based trade organization representing electronic and physical security solutions providers in the United States, terminated Dahua Technology's membership on June 1, 2021, citing unnamed violations of its code of ethics.
From Hikvision - Wikipedia
Cybersecurity vulnerabilities
In May 2017, seven series of Hikvision cameras were affected by an improper authentication vulnerability which, if exploited, could allow "a malicious attacker [to] escalat[e] his or her privileges or assum[e] the identity of an authenticated user and [obtain] sensitive data," according to the U.S. Cybersecurity and Infrastructure Security Agency.
In May 2021, Italian public broadcaster RAI reported that Hikvision cameras automatically "opened communication channels with addresses registered in China" once connected to the internet. Hikvision declined to comment on the RAI investigation.
In September 2021, Hikvision announced a command injection vulnerability with the CVE-ID CVE-2021-36260. Forbes reported that the vulnerability, which has a CVSS base score of 9.8 out of 10, left dozens of Hikvision camera models "susceptible to remote hijacking" without requiring a username or password.
In 2022, Axios reported that Hikvision had hired FTI Consulting to conduct cybersecurity audits of its products.
Involvement in Xinjiang internment camps
In January 2019, the U.S. government began considering whether it should sanction Hikvision, which American government officials described as having "provided thousands of cameras that monitor mosques, schools, and concentration camps in Xinjiang."
The U.S. government banned Hikvision from receiving federal government contracts in August 2019 due to security concerns. In October 2019, Hikvision was formally placed on the Entity List by the U.S. government for its role in surveillance of Uyghurs in Xinjiang and of other ethnic and religious minorities in China. Hikvision expressed its opposition to the U.S. decision and stated that they believe the decision had no factual basis. They urged the U.S. government to re-examine its decision.
In response to the bans and sanctions, Hikvision has hired former U.S. ambassador Pierre-Richard Prosper "to advise the company regarding human rights compliance" as well as numerous lobbyists, including former U.S. senators David Vitter and Barbara Boxer, former U.S. congressman Toby Moffett, and a former senior OFAC official.
In April 2021, the European Parliament confirmed that it had removed Hikvision thermal cameras from its premises following the approval of an amendment sponsored by Dutch MEP Lara Wolters calling for the removal of "all of Hikvision’s thermal cameras from Parliament’s premises" due to "an unacceptable risk that Hikvision, through its operations in Xinjiang, is contributing to serious human rights abuses."
In July 2021, the UK Foreign Affairs Select Committee published a report stating that Hikvision cameras "have been deployed throughout Xinjiang, and provide the primary camera technology used in the internment camps".
Bans
In January 2021, the United States of America banned government installations of information communication equipment from brands based in the People's Republic of China, including Hikvision, which was of particular concern due to its use by over 300 government agencies.
In June 2021, 224 Hikvision products were banned for one year by South Korea's Ministry of Science and ICT over forged test reports.
In September 2021, the Indian Navy's headquarters "asked its all formations to 'discontinue' procurement of CCTV cameras and surveillance systems from Hikvision," according to The Week. The Week also reported that the Indian Navy had ordered the replacement and destruction of its existing Hikvision cameras.
In April 2022, the UK Department of Health and Social Care banned the purchase of Hikvision cameras.