BBC Investigates PRC China Surveillance, Hikvision Protests

Published Jun 27, 2023 13:54 PM

The BBC has released a half-hour documentary, visiting IPVM's USA testing facility, investigating PRC surveillance and Hikvision and Dahua's cybersecurity issues, with Hikvision strongly protesting.

IPVM Image

The documentary shows IPVM remotely controlling a Hikvision camera in a live demo of its 2017 backdoor vulnerability and demonstrates how a vulnerable Dahua DSS server enabled a camera to wiretap people.

This was filmed before IPVM revealed Hikvision's Hik-Connect vulnerability in May 2023, a more recent critical vulnerability that Hikvision refused to disclose. The documentary also did not discuss Hikvision's 2021 9.8 Critical Vulnerability, which is still being actively exploited.

11 Seconds To Hack Hikvision Camera In BBC Building

The documentary, produced by BBC's investigative Panorama division, is titled "Is China Watching You?" and focuses about half its runtime on Hikvision and Dahua.

In one demo, the BBC installed, in its own London headquarters, a Hikvision camera supplied by IPVM, which IPVM was then able to access and fully control in only 11 seconds:

IPVM accessed the camera using the 2017 Hikvision backdoor vulnerability. The BBC said it installed the camera "on a test network with no firewall and little protection," stating this was "for security reasons."

IPVM was able to zoom in to reveal a BBC staffer typing a password into a laptop and a PIN code into a cellphone:

IPVM Image

This is "akin to a locksmith giving you a key to your home," noted IPVM Research Engineer John Scanlan, as exploiting the vulnerability requires nothing more than adding a 'magic string' to a request sent to the camera, with no credentials at all:

IPVM Image

I own that device now. I can do whatever I want with it. I can disable it. Or I can use it to watch what's going on at the BBC. The second thing is that the BBC no longer has control of that device.

[...] this is akin to a locksmith giving you a key to your home and then secretly making a master key for all of the locks in that community. That's effectively what Hikvision engineers did [emphasis added]

There are "more than 100,000 [Hikvision] cameras online that are still vulnerable" to this hack, IPVM's Government Research Director Conor Healy noted.

Dahua Wiretap Hack Demo

IPVM also demoed a Dahua DSS software vulnerability that allowed listening to people via a connected camera, effectively wiretapping them. The camera was installed at IPVM's Pennsylvania warehouse, with IPVM quickly gaining unauthorized root access:

Most people do not realize that many cameras today have microphones, giving hackers unprecedented access, Healy said:

IPVM Image

What a lot of people don't realize about these cameras is that a large majority of them have microphones.

Now, often, they're turned off by the user. But when we hack into the system like this, we can turn that microphone back on and listen in. [emphasis added]

Dahua suffered a separate wiretapping vulnerability in 2019, in camera firmware, but the vulnerability demonstrated here was more recent, from late 2022, the BBC reported. Dahua told the BBC it "quickly fixed the problem".

Hikvision Found At Multiple Government Buildings "In A Single Afternoon"

The BBC said it found Hikvision cameras in multiple police and government buildings across London "in a single afternoon," including an Army Reserve Center, the Department of Health, the Department of International Trade, and more:

IPVM's Healy added that he once noticed a Dahua camera during a meeting at the Home Office headquarters, which oversees UK law enforcement and border control:

Despite the November 2022 ban across UK 'sensitive sites', PRC cameras continue to be found across UK government buildings, with the government committing to a 'timeline for removal' in June 2023.

"Serious And Inherent Risks": Security Camera Commissioner

The BBC also interviewed Security Camera Commissioner Fraser Sampson, who said Hikvision and Dahua have "serious and inherent risks" and replied "not one bit" when asked, "Do you trust Hikvision and Dahua?":

Commissioner Sampson, who also said the firms "simply cannot be trusted", has consistently called for a government use ban after Hikvision refused to answer his questions about its Xinjiang police deals publicly.

Other Topics Covered: Balloons, Overseas Police Stations

While Hikvision and Dahua's cybersecurity issues were a major focus of the documentary, it also explored other PRC surveillance methods.

One such method was PRC surveillance balloons, which the BBC confirmed were also spotted over Japan and Taiwan (not just the US) based on satellite imagery:

The BBC also covered the spread of PRC overseas 'police stations' and their involvement in forcing over 7,000 Chinese people back to the PRC:

Finally, the documentary interviewed Simon Cheng, a Hong Kong democracy activist who was detained by the PRC in 2019, who said he is constantly surveilled by PRC agents while living in the UK.

Hikvision Says "Farcical", "Stunt"

In response, Hikvision sent a letter to its UK partners stating that the BBC 'hack' was "farcical" and a "stunt", as the vulnerability "was already fixed" in 2017 according to "best practice", and that the hack was conducted on an unsecured network that is unrepresentative of real deployments:

IPVM Image

At the time, Hikvision's only public communication on the 2017 backdoor significantly misled dealers, calling it a "privilege-escalating vulnerability" even though the exploit gives instant, direct access to any affected camera without any prior authentication. A privilege escalation presupposes that the attacker already holds some valid account; this flaw required none.
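To make that distinction concrete, the following is an added toy model written for this page. It is not Hikvision's code, not the BBC's or IPVM's demo, and does not reproduce the real 2017 magic string; the route, parameter names, bypass token and credential store are all constructed for illustration. It contrasts a handler with a hard-coded "magic string" bypass (the class of flaw the documentary demonstrates: no credentials, full control), a handler with a role-override bug that only an already-authenticated low-privilege user can abuse (what "privilege escalation" actually means), and a fixed handler, with a probe that classifies each.

```python
"""Toy model: authentication bypass via a hard-coded magic string versus
a genuine privilege-escalation bug. Everything here is hypothetical and
constructed for illustration; none of it is vendor code."""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hmac

# Constructed credential store: username -> (password, role). Hypothetical.
USERS = {
    "admin": ("admin-secret", "admin"),
    "viewer": ("viewer-secret", "viewer"),
}

# Hypothetical bypass token; NOT the real 2017 string.
MAGIC = "HYPOTHETICAL-BYPASS-TOKEN"


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    user: Optional[str] = None
    password: Optional[str] = None


def check_credentials(user: Optional[str], password: Optional[str]) -> Optional[str]:
    """Return the account's role if user/password are valid, else None."""
    record = USERS.get(user or "")
    if record is None:
        return None
    # Constant-time comparison so the toy does not leak via timing.
    if not hmac.compare_digest(record[0], password or ""):
        return None
    return record[1]


def dispatch(path: str, role: Optional[str]) -> Tuple[int, str]:
    """Authorisation: /admin/* requires the admin role; anonymous gets 401."""
    if role is None:
        return 401, "unauthorized"
    if path.startswith("/admin/") and role != "admin":
        return 403, "forbidden"
    return 200, f"ok as {role}"


def handle_backdoored(req: Request) -> Tuple[int, str]:
    """AUTHENTICATION BYPASS: a request carrying the magic parameter is
    treated as admin without any credentials being checked. This is the
    class of flaw the documentary demonstrates, and it is not a
    privilege escalation because no prior account is needed."""
    if req.params.get("magic") == MAGIC:
        role = "admin"
    else:
        role = check_credentials(req.user, req.password)
    return dispatch(req.path, role)


def handle_privesc(req: Request) -> Tuple[int, str]:
    """PRIVILEGE ESCALATION: authentication is enforced, but the handler
    then trusts a client-supplied 'role' parameter, so a valid low-
    privilege user can promote themselves. Anonymous requests still fail."""
    role = check_credentials(req.user, req.password)
    if role is not None and "role" in req.params:
        role = req.params["role"]  # the bug: trusting client input
    return dispatch(req.path, role)


def handle_fixed(req: Request) -> Tuple[int, str]:
    """Hardened: role comes only from the credential check."""
    return dispatch(req.path, check_credentials(req.user, req.password))


def probe(handler) -> str:
    """Classify a handler with two constructed probes against /admin/reboot:
    first with no credentials plus the magic parameter, then as the valid
    low-privilege 'viewer' account asking for role=admin."""
    anon = Request("/admin/reboot", {"magic": MAGIC})
    if handler(anon)[0] == 200:
        return "authentication bypass"
    low = Request("/admin/reboot", {"role": "admin"},
                  user="viewer", password="viewer-secret")
    if handler(low)[0] == 200:
        return "privilege escalation"
    return "none"


if __name__ == "__main__":
    for h in (handle_backdoored, handle_privesc, handle_fixed):
        print(f"{h.__name__}: {probe(h)}")
```

The probe is the practical takeaway: when triaging a vendor's description of a flaw, ask whether the proof of concept carries any valid credential at all. If it does not and still reaches privileged functionality, the correct label is authentication bypass, whatever the advisory calls it.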

"Virtually Certain" Cameras Patched

Hikvision also says it is "virtually certain" that UK government bodies have patched their cameras since 2017:

IPVM Image

86,000 Hikvision cameras remain vulnerable to the 2017 backdoor and are publicly accessible, IPVM conservatively estimates based on a review of the Shodan database today, June 27th, 2023.

Blames IPVM "Vendetta", Followed "Best Practice"

Hikvision's letter blames IPVM, stating it is "an organisation with a vendetta against Hikvision":

IPVM Image

Hikvision has a long track record of criticizing IPVM, most notably:

  • Starting in 2017, after IPVM exposed the company's PRC government ownership, Hikvision called IPVM a "Roving Turret of Disparagement and Denigration" and the "Sole Source of Fake News and Distortion About Hikvision".
  • In 2021, when Hikvision quit the US Security Industry Association while being investigated for violating ethical rules over its human rights abuses, Hikvision called IPVM "bullies" and criticized what it called IPVM's "cynical, anti-competitive, unscrupulous, and disingenuous efforts".

IPVM's independent investigations have been criticized by various manufacturers, including, more recently, USA's Evolv and Verkada, with Evolv alleging our reporting on their problems harms the public.

IPVM Response: Biggest Risk Increasingly Direct Control

IPVM's founder John Honovich said the "biggest risk" is increasingly direct control over user video via the cloud, noting Hikvision recently refused to disclose a critical Hik-Connect vulnerability:

IPVM Image

While the BBC demonstrated something easy for the public to visualize, the biggest risk for Hikvision and other video surveillance vendors (including USA ones like Verkada) is that they increasingly have direct control over users' surveillance video. In 2017, a manufacturer might have needed a backdoor but, in 2023, with technologies such as Hikvision Hik-Connect, the manufacturer already has cloud access to on-site surveillance. Indeed, just this year, IPVM found a critical Hik-Connect vulnerability that Hikvision refused to disclose to the public.
