Chinese-made surveillance cameras find themselves in a spot of controversy, after a BBC investigation uncovered flaws in devices from several brands during testing.
Surveillance and webcam vulnerabilities are common, and we’ve covered them many times on our blog. What’s interesting about this story is that it’s being presented as some sort of potential threat to national security and infrastructure. From just one of the comments provided to the BBC:
"We've all seen the Italian Job in our youth, where you bring the whole of Turin to a halt through the traffic light system. Well, that might have been fiction then, it wouldn't be now."
All very dramatic, but we’ve yet to see The Italian Job play out in real life. Even so, devices manufactured by one firm, Hikvision, are used by many local councils across the UK. They’re also used to monitor Government buildings. If a device is vulnerable, it’s definitely worth trying to figure out the scale of the problem. With this in mind, what kind of numbers are we talking about?
According to the BBC, a large-scale freedom of information campaign set in motion by Big Brother Watch tried to find out. No fewer than 4,510 Freedom of Information requests were filed with various public bodies between August 2021 and January 2022. 1,289 responses came back, with 806 of those confirming the use of Hikvision or, another brand mentioned by the BBC, Dahua cameras. Of the 806, 227 local councils and 15 police forces use Hikvision, with 35 local councils making use of Dahua.
That’s certainly a lot of cameras. What risk was discovered?
The BBC asked experts to try to compromise a Hikvision camera under test conditions, though specifics are hard to come by. Is “a test network with no firewall and little protection” an accurate reflection of a local council or Government network? Is it fair to hold the manufacturer at fault for organisations not applying updates and patches dating back six years?
I ask this because testing the (six-year-old) camera turned up a vulnerability from 2017. The testers describe the flaw as “a back door that Hikvision built into its own products”, with somewhere in the region of 100,000 cameras online “still vulnerable” to this issue. That means a lot of organisations really are failing to update their devices. It also means a lot of cameras are reachable from the internet at all, which is a separate failing: a camera sitting behind a firewall on a segmented network is far harder to reach than one in the test setup, patched or not.
Having compromised the camera and gained access to its video feed, the testers then set out to establish whether they could access the Dahua cameras by forcing their way into the software controlling them. Once again they succeeded, and this time gained access to the camera’s microphone.
In both cases, the vendors say they patched these vulnerabilities soon after the issues came to light. In fact, Hikvision released an open letter to those responsible for the investigation. It reads:
To claim that this stunt has uncovered a security breach or an intentional backdoor in June 2023 is farcical. It sensationalises a problem that was already fixed to universally recognised CVE standards. Furthermore, this test has not been conducted on a typical network, but rather an unsecured one. This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC have run.
It goes on:
Hikvision’s conduct with regards to this vulnerability has followed all internationally accepted standards of best practice. When made aware of the vulnerability in March 2017, Hikvision patched it in less than one week. The vulnerability – and Hikvision’s patch – were subject to further scrutiny in the US with the then-Chairman of the US House of Representatives Small Business Committee noting in a public hearing that Hikvision’s work with the US Department of Homeland Security on this vulnerability meant that any continuing issues resulting from unpatched equipment would lie with ‘small businesses that do not engage with the government or the DHS regularly’.
Going further, the Deputy Assistant Secretary for the US Department of Homeland Security Office of Cybersecurity and Communications said they ‘worked with the company’ to resolve the problem and that ‘standard practice was followed’.
All in all, this one is a bit of a mess and likely won’t be untangled soon. Whether your own devices are brand new or a few years old, they’ll typically prompt you to perform an update. Whether you think years-old devices should be taken offline for safety reasons, or that organisations are solely responsible for their security, one thing is certain: you can feel much more reassured that your own devices are safe by hitting that update button as soon as you possibly can.