Amazon Powers Dahua and Hikvision Sales and Cloud Services

Published Sep 26, 2022 10:35 AM

Amazon prolifically sells relabeled Dahua and Hikvision products in the US and provides the cloud services that run remote monitoring of surveillance systems. Amazon's business ties to the NDAA-banned manufacturers raise legal, national security, and ethical concerns, and elicited outrage from lawmakers responding to this investigation.


This report is the product of a joint investigation with Jimmy Quinn of the National Review, which has published its own report.

Amazon Tech Powers Dahua/Hikvision USA Cloud Remote Surveillance

Amazon Web Services (AWS) operates several Dahua and Hikvision cloud surveillance services in the US, including Hik-Connect, HikCentral, and COS, according to company documents and legal filings. This means Amazon's infrastructure powers a significant proportion of internet-connected Dahua and Hikvision systems, deemed a national security threat by several Federal agencies and twice by Congress (1, 2).

In a partially redacted cybersecurity audit submitted to the FCC, Hikvision's auditor identifies AWS as the cloud services provider for Hik-Connect. Notably, the audit also disclosed that Hikvision's iVMS-4200 connected automatically to servers in China, after an investigation by Italy's RAI first reported the phenomenon. Hikvision also confirms the AWS relationship in Hik-Connect's Terms of Service and Privacy Policy.


Dahua touts AWS as its "cloud computing vendor" for COS in marketing on its site under a banner of "Guaranteed Security and Reliability." Hikvision also touts AWS in marketing for HikCentral, claiming "Top-level guaranteed security." (Related: Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits)


Custom Amazon Storefronts for Relabeled Dahua, Hikvision

Those buying surveillance products on Amazon's online marketplace can easily land on pages for Dahua or Hikvision-made products. This includes custom storefronts for at least three separate relabeler brands, including two owned directly by the manufacturers:

Each storefront lists dozens of products, most with hundreds or thousands of reviews, many of which are verified. The pages are well-developed and highly customized, indicating a significant investment of time for the companies.


Dahua To Amazon, With Amcrest Labels

Dahua even sends products directly to Amazon distribution centers, though with the Amcrest label, as the import record extract below shows:

IPVM Image

Neither the storefronts nor individual product pages disclose the true manufacturers, nor are disclosures provided on the packaging or the products themselves. Relabeled cameras are identical to the originals in both hardware and software, except for cosmetic changes, which makes them difficult for most end-users to detect without specialized knowledge.

As a result, relabeled Dahua and Hikvision devices have posed a significant challenge for NDAA compliance, including multiple past instances of accidental purchases by US Federal and military agencies (e.g. 1, 2, 3).

Government Procurement Records Show Multiple Purchases

Amazon regularly sells EZVIZ, Lorex, and Amcrest to government agencies, mostly at the state/local level. Since the passage of the NDAA ban, government procurement records show 1,088 purchases of a total of 14,920 devices. This tally does not include the dozens of other relabeled Dahua and Hikvision brands.

Although purchases with state/local funds are legal, the NDAA ban prohibits any recipient of Federal funds from expending those funds on Dahua or Hikvision equipment (irrespective of the logo).

With no disclosures, Amazon is putting state/local buyers at risk of breaking Federal law. The use of Federal funds for security purchases by state/local agencies is commonplace, particularly since 2020 with the influx of Federal Covid relief money. IPVM has reported on several examples of such violations.

State/Local Agencies Regret Purchases

One of the buyers, Oak Creek-Franklin Joint School District (OCFSD), told IPVM "We would not have purchased the devices if we knew the true manufacturer," adding that "Our IT director is aware of the company Dahua and its reputation and would not have purchased any devices or products from them." OCFSD confirms Amazon provided no disclosure, though the district did not use Federal funds.

OCFSD was not aware of the true manufacturer of these devices. Nowhere on the order or product description does it say anything regarding anyone other than Amcrest being the manufacturer.

No federal funds were used. The money for these devices came from our IT budget.

We would not have purchased the devices if we knew the true manufacturer. Our technology team is diligent in staying on top of local and national cybersecurity threats. Our IT director is aware of the company Dahua and its reputation and would not have purchased any devices or products from them. [emphasis added]

IPVM also contacted the City of Seabrook, TX, which bought Amcrest from Amazon. The city's IT Director, who noted he was speaking on his own behalf, initially dismissed IPVM as "trying to save us from something we don’t need to be saved from," and asked for evidence of risks:

Please provide verifiable proof that specific Amcrest camera models are made by Dahua, and how exactly those specific models present a risk....

I would unplug them in a heartbeat if I felt they were a meaningful security risk. Having escaped communism over three decades ago, I am not a fan of any surveillance....

As for the specific risk... what is it? Is there evidence that a foreign government is using these cameras for remote surveillance? Or are they banned because of how they are used in China? If you have any proof that there can be unauthorized access to these cameras, I will be happy to unplug them.

IPVM replied by sharing our reporting on Dahua's two critical vulnerabilities in 2021. After reading the article, the IT Director changed position:

I am always skeptical of unfounded allegations about anything (especially from sales people), but you have raised enough awareness about potential problems with these cameras, that I will no longer buy these...As a freedom and privacy loving American, I appreciate your work....

I will just stick with Axis as they have outlasted anything else I have except the Pelco analog cameras that just refuse to die.

He added that City staff are not well-positioned to determine which brands are relabeled Dahua or Hikvision:

Our Mayor is an unpaid volunteer and Ms. [redacted] is our Community Relations person. Neither can tell the difference between Amcrest and an armrest.

Amazon's Dahua Fever Cameras

This is not Amazon's first controversy over its dealings with covered entities. In February 2021, after Amazon purchased $10 million in Dahua thermal cameras for its facilities, Senators Menendez and Rubio sent a public letter to then-CEO Jeff Bezos lambasting the company's decision, saying "Amazon willfully ignored guidance from the United States government and purchased equipment from an entity-listed company that is complicit in China's atrocities against the Uyghurs."

Amazon NDAA Compliance Examined

This all raises the question of whether Amazon/AWS is violating the NDAA ban. The short answer, with no publicly-known examples of Section 889 enforcement or case law, is: nobody knows. While its use of Dahua thermal cameras clearly violates Section 889, Amazon's roles as a seller and cloud services provider for Dahua and Hikvision are more challenging to assess. (Amazon told us it no longer uses the Dahua thermal cameras.)

Under the NDAA ban, the Federal government cannot do business with any entity "that uses any equipment, system, or service that uses covered telecommunications equipment or services." Since contractors that violate this restriction can be subject to a lifetime ban on Federal business, it is commonly known as the "Blacklist Clause."

Amazon is a Federal contractor, most notably as the National Security Agency's (NSA) cloud services provider under a contract that was recently renewed for $10 billion USD.

Amazon's NSA business is precisely the kind of contractor-facilitated critical infrastructure that the Blacklist Clause aimed to prevent from digitally intermingling with Dahua or Hikvision devices; here, there is no question that Amazon is violating the spirit of Section 889. Similarly, by facilitating sales of relabeled products across the US, Amazon is actively undermining Section 889's goal of reducing America's exposure to these devices.

Whether Amazon is violating the letter of the law depends on how the government interprets what it means to "use" any Dahua or Hikvision "equipment, system, or service," and may come down to the minutiae of Amazon's interactions with the manufacturers' hardware and software.

By facilitating nationwide cloud services for remote surveillance software designed by Dahua or Hikvision, is Amazon 'using' their technology as part of its systems? If AWS, in the process of troubleshooting a system issue, uses Dahua or Hikvision devices for a test, is this an example of "use"? If a customer returns a DOA camera, and an Amazon employee plugs it in to verify its function, have they "used" it?

NDAA Ban Needs Clarification

These questions lack clear answers because the text of Section 889 is itself vague, failing to specify key aspects of how the ban would work in the real world.

To be sure, new statutes must often go through a process of interpretation by Federal agencies, law enforcement authorities, and courts, which clarifies questions left unanswered by Congress. But this requires real-world instances of enforcement, of which there are none, despite numerous past examples of NDAA ban violations.

The reason there are no examples of enforcement may be that nobody knows which Federal agency is responsible for enforcing the NDAA ban. Even Senator Rubio, in a statement (discussed further below) that called for an investigation of Amazon's activities, could only guess which agencies might investigate: DoD and GSA, which developed rules for Section 889 compliance with respect to themselves (along with NASA), but neither of which is statutorily charged with enforcing the law.

Amazon Tech Powers Both US Military and PRC Military Entities

Aside from the NDAA ban, it is highly irregular for a company to do business with military entities in both its home country and an adversarial foreign country, particularly given the real possibility of US military engagement with China over Taiwan.

The NSA is administered by the Department of Defense, while Hikvision is on the US government's Chinese Military Industrial Complex (CMIC) list, has significant ties to the People's Liberation Army, and was created and is owned by the China Electronics Technology Group Corporation (CETC). According to the New York Times, the "C.E.T.C. traces its roots to the military research labs that helped build China’s first nuclear bomb, satellite and guided missile."

This raises further questions for Amazon about whether its role in providing cloud infrastructure for the NSA and providing the same infrastructure to Hikvision is permissible.

Amazon Statement

Responding to this investigation, Amazon asserted it complies with the NDAA ban, but did not directly address questions on conflicts or legal issues raised by its concurrent NSA and Hikvision contracts, or whether Amazon would consider disclosing the true manufacturers of relabeled Dahua and Hikvision products to buyers:

Amazon complies with applicable laws in the jurisdictions where we do business, including Section 889 of the 2019 NDAA, and has policies and procedures designed to support such compliance. We expect all products sold in the Amazon Stores to be manufactured and produced in accordance with our Supply Chain Standards.

Senator Rubio: Amazon "no problem seemingly breaking U.S. law"

Senator Marco Rubio, a prominent voice on China in Congress, and ranking member of the Senate Select Intelligence Committee, said Amazon "prioritizes short-term profit above all else" and "Amazon loves to preach woke values, but it appears to have no problem seemingly breaking U.S. law - and putting federal, state, and local agencies in the position of doing the same."

No one should be surprised. This type of behavior is par for the course for a company that prioritizes short-term profit above all else, including the health and wellbeing of its employees. Amazon loves to preach woke values, but it appears to have no problem seemingly breaking U.S. law -- and putting federal, state, and local agencies in the position of doing the same – while doing business with a genocidal, oppressive regime. The General Services Administration and Department of Defense needs to investigate this immediately and put a stop to this massive national security threat.

Congressman McCaul Comment

Congressman Michael McCaul, the ranking member of the House Foreign Affairs Committee, expressed concern over the ethics of doing business with companies "fueling [the PRC's] Orwellian surveillance state":

It’s unacceptable that American businesses continue to turn a blind eye to CCP-controlled companies that are fueling its Orwellian surveillance state and its horrific human rights abuses.

NSA Statement

The NSA provided a statement, but did not address any questions about Amazon's business with Dahua or Hikvision:

NSA recently awarded a contract to Amazon Web Services that delivers cloud computing services to support the Agency’s mission. This contract is a continuation of NSA’s Hybrid Compute Initiative to modernize and address the robust processing and analytical requirements of the Agency. NSA’s business practices comport with the 2019 NDAA and its implementing requirements, including the relevant FAR clauses.

Dahua and Hikvision, No Response

Dahua and Hikvision did not respond to IPVM or the National Review.