Federal agencies fear undetected Chinese security cameras

Many U.S. federal agencies do not know what or how many Chinese security cameras they’re using, leading to growing concerns that undetected cameras will still be operational in agencies after the August deadline.

Concerns on the security of Chinese manufactured technology and its capacity to be used by Beijing to spy on U.S. federal agencies has led to a series of bans on Chinese technology in the United States.

Last year Congress set out a ban on all Chinese-made surveillance cameras within federal agencies by 13 August. However, thousands of devices remain in place and there is a concern that it’s going to be close to impossible for agencies to identity all devices that violate the ban.

The problem on identifying the devices stems from complex supply chain logistics and licensing agreements, meaning a camera badged as ‘made in the U.S.’ can still contain banned Chinese hardware.

Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities,” said Representative Vicky Hartzler, a Republican from Missouri. Removing the cameras will “ensure that China cannot create a video surveillance network within federal agencies.”

This concern led to an amendment to the National Defense Authorization Act (NDAA), which outlines the Defense Department’s budget and spending each year. In it, federal agencies were directed not to purchase Chinese-made security cameras. In particular the amendment highlights Hangzou Hikvision Digital Technology Co. and Zhejiang Dahua Technology Co. as two manufacturers who raised security concerns with the U.S. government and surveillance industry.

In 2017 ReFirm Labs found Dahua cameras to have covert back doors enabling unauthorised people to access cameras and send information to China. Spokespeople for the Chinese firms have outlined that whilst the Chinese government is a significant shareholder, both businesses operate without government involvement.

Forescout Technologies, a firm hired by a number of federal agencies to determine what systems are running on their networks, state that at least 1,700 Hikvision and Dahua cameras are still operating in places where they have been banned. However, the real number is estimated to be much higher as many agencies aren’t able to detect banned devices.

A further complication is that many cameras branded as non-Chinese are actually Dahua or Hikvision cameras that have been imported and re-packaged. Sold from OEMs to intermediaries and then sold in to government agencies and enterprise. Effectively, two cameras running identical Dahua firmware could carry completely different labels and packaging.

 

Take control of technology with strong multi-factor authentication

The lack of control over technology installed across federal agencies is symptomatic of the explosion in IoT devices across federal government and enterprise. With thousands of connected devices added into secure infrastructure, organisations have lost control on the devices they have operating within secure environments.

At Intercede we have been pioneering work in securing IoT devices, particularly with surveillance camera technology, providing governments and enterprises with the technology they need to take control of their surveillance cameras.

Utilising public key cryptography, Intercede has worked with a German-based technology company to deploy and manage identity credentials on cameras.

“With Intercede’s MyID credential management software, identity and ownership credentials can be issued to each camera. The cryptographically protected credentials identify the camera as a trusted device and grant it network connection permissions” said Chris Edwards, Chief Technical Officer at Intercede.

“The central MyID management system oversees certificate renewals throughout their lifetime.  This supports the reliable transfer of location and ownership through enforced registration and revocation processes.”

“In addition, MyID locks the cameras down so that smart card credentials are needed to administer them, with different levels of operator access. This significantly reduces the threat of unauthorised individuals taking control of cameras to redirect, view and steal video footage.”

Intercede Lab, the Research and Development wing of Intercede, are actively engaged in exploring the potential of MyID credential management across security cameras and industrial internet of things (IIoT) technology.

If you are interested in finding out more about MyID for surveillance cameras, IIoT or Intercede Lab contact us now via the form below to discuss further.