August 24, 2020

Video surveillance solutions as a tool for Russian and Chinese intelligence

The National Cyber Security Center (NCSC) found that as many as 57 government agencies use video surveillance cameras from Chinese manufacturers with known cyber security vulnerabilities identified in the publicly available vulnerability database CVE.

„Both Hikvision and Dahua cameras are very popular in Lithuania. They are used not only by the public sector but also by large businesses. The key question is whether video surveillance systems, which are common in public institutions, can be used as a tool for Russian and Chinese intelligence, as factory vulnerabilities, intentionally or unintentionally left by Chinese manufacturers, enable remote interception of video camera information.“, says Donatas Zaveckas, CEO of managed Cloud and IT services company BTT Cloud.

According to the NKSC research report, the Hikvision camera does not have automatic update functionality, and the entire update infrastructure is hosted on Chinese and Russian servers. Closed, non-standard protocols are used throughout the Hikvision camera infrastructure. Hikvision is found to use closed SADP (Search Active Device Protocol), which is not encrypted, to detect its products.

In 2017, cyber security researchers discovered a vulnerability in Dahua’s camera software that was activated on Fortune 500’s network cameras, and data was transferred to China during the incident. Using a web browser, the vulnerability allowed unauthorized persons to remotely download a database of device usernames and passwords and later access camera controls. Following these incidents, Dahua released a software update that removed 11 product security vulnerabilities. However, security researchers found that the same vulnerability remained in the updated software, but this vulnerability was moved to another part of the code.

According to Donatas Zaveckas, BTT Cloud among its customers has companies and organizations using Hikvision and Dahua cameras, but the threats identified in the NKSC study have been controlled.

„The security vulnerabilities identified in the NKSC study can be addressed through the correct design and implementation of the hardware and software part of the video surveillance infrastructure, including security software. We have done that for our customers. It must be acknowledged that it is practically impossible to manage software updates without first checking them. But encrypted data can be protected“, says D. Zaveckas.

Users who use cameras from these manufacturers should take into account the recommendations of the NKSC.

1. Isolate cameras and equipment related to their functionality in a separate physical or specifically parameterized logical network that does not interface with servers and / or workstations accessing the public Internet.

2. Organize the download of camera-related hardware and software updates from servers located in NATO or the EU.

3. Real-time audit of camera port activity and generated requests, block redundant requests or flows, use firewalls with verified access instructions for a specific camera model.

BTT Cloud is Lithuanian capital, constantly growing company of managed IT and Cloud services. We manage and maintain customer technology infrastructure: workstations, peripherals, networks.

We have implemented more than 2,000 complex IT solutions of various complexity, some of which include the integration of video surveillance systems into the technology infrastructure of business customers.