China Hacks Video Servers Causing Uproar

By: IPVM Team, Published on Oct 05, 2018

An incident causing an international uproar is hitting home in the video surveillance industry as a Bloomberg report, "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies", uncovers how hacks, attributed to the Chinese government's People’s Liberation Army, targeted numerous US companies. Bloomberg describes how the hacks were discovered from an impacted video streaming server:

Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.

investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. TThis ha

This reaction to this report, especially in the US, has been significant and severe with it further undermining trust with China and Chinese manufacturing.

Inside this note, we examine:

  • Video surveillance significance
  • Dahua and Hikvision impact
  • Chinese manufacturing impact - shift supply chain out of China
  • Huawei / Hisilicon impact
  • The risk for video surveillance users
  • US Government opposition to the PRC

Video Surveillance Significant

Within the industry, some dismiss hacking risks. The joke, often stated, "Hey, if the Chinese government wants to see me in my underwear, go for it!" This hack underscores that video is not that target but is a useful entry point. The video was irrelevant, they cared that the device would be put on-site and therefore be used as a means to access data from other devices (laptops, servers, etc.) inside those networks. And for those who respond with the airgap counter (which most customers do not want), even doing that, this emphasizes that any mistake or any future configuration change exposes them to such hacks.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Dahua and Hikvision Impact

On the positive side for Dahua and Hikvision, recently banned for US government usage, the hacks did not include their products. Indeed, it impacted an American / Taiwanese company, who was manufacturing their products inside of China. To that end, Dahua and Hikvision can argue that not only does the Chinese government not need to hack (or backdoor) their products, they can simply and better do that to US companies that manufacturer inside of China.

On the negative side for Dahua and Hikvision, there may very well be similar hardware or software hacks included inside their products that simply have not been either found or disclosed. For example, last year's backdoors found in both manufacturer's products were brushed aside by the companies as coding errors but, in the light of this new information, it is reasonable to imagine why they would be more than that. Indeed, even if Dahua and Hikvision somehow did not want to 'cooperate', they would have no feasible way to overrule the Chinese army inside an authoritarian government.

Chinese Manufacturing Impact - Shift Supply Chain Out of China

The impact of Western companies manufacturing in China will likely be severe, further incenting moving supply chains out of China. This hack hit various government and private companies, even when those organizations were not buying from Chinese manufacturers.

The combination of tariffs and now this issue makes manufacturing in China both more expensive and far more risky for US buyers. Given the attention this has drawn, we expect significantly greater attention paid to not only whether the manufacturer is from China but what, if anything, for those products have been made or assembled inside of China.

Huawei / Hisilcon Impact

Not implicated in this hack but likely to emerge as a major issue soon is that the core hardware / software in most of world's IP cameras are designed, controlled and supplied by a division of Huawei, Hisilicon. This chip is an ideal place to embed a backdoor as it is so widely used and so minimally examined. As users more carefully examine sourcing, this may become a key concern.

Risk For Video Surveillance Users

Specifically for this hack, it impacts products using SuperMicro motherboards. Unfortunately, for video surveillance, SuperMicro is widely used in video surveillance recorders, almost always undisclosed. While the company's overall brand recognition (until now) has been minimal, it has long specialized in being a key low-cost supplier for buyers wanting cheaper servers.

IPVM is looking to assemble a list of products that use SuperMicro and will update as we determine. Anyone with information, please share in the comments or email us at info@ipvm.com

US Government Opposition To The PRC

With this news comes increasing US government opposition to the PRC, with the US Vice President stating:

The American people deserve to know that, as we speak, Beijing is employing a whole-of-government approach, using political, economic, and military tools, as well as propaganda, to advance its influence and benefit its interests in the United States.

This is consistent with what the US FBI and Counterintelligence heads have said this year.

Similarly, the US head of the National Security Council stated:

The Chinese efforts to threaten us in cyberspace and across the information technology spectrum are a very high priority for us -- countering them, establishing structures of deterrence to prevent China from even thinking about doing it, touches on the offensive cyber operations that the president has authorized

Denials and Counters

A number of companies have denied or at least criticized Bloomberg's findings. The Chinese government did not deny this hack happened but emphasized that they too were victims, declaring:

Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.

Bloomber, however, explained its thorough sourcing:

The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

Update 1: US DHS Responds

The US Department of Homeland Security has posted a response:

at this time we have no reason to doubt the statements from the companies named in the story.

Though it qualifies with 'at this time', it is currently endorsing the denials from Amazon, Apple, and Supermicro. The DHS statement goes on to defend its own track record noting:

Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.

Update 2: Bloomberg Responds to US DHS

Now, Bloomberg has released an article about the US DHS statement, retorting:

DHS may not be involved in such inquiries, several people familiar with them said.

Bloomberg did not identify who those 'people familiar' with 'such inquiries' were.

1 report cite this report:

BCDVideo Expansion And Switch From HP To Dell Examined on Mar 11, 2019
BCDVideo says they have more than tripled revenue in the past 5 years and are continuing to grow, powered most recently by switching their lead...
Comments (134) : PRO Members only. Login. or Join.

Related Reports

US Considers Sanctions Against Hikvision and Dahua on May 22, 2019
The US government is considering blacklisting "up to 5" PRC surveillance firms, including Hikvision and Dahua, Bloomberg reported, with human...
Dahua USA Celebrates 5 Years of Errors on May 21, 2019
Dahua USA is, in their own words, 'celebrating' 5 years in North America or as trade magazine SSN declared: Dahua Technology finds success in...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Trump Signs 'Huawei Ban' - Executive Order Targeting Foreign Adversary Technology on May 16, 2019
US President Donald Trump has signed an executive order targeting technology provided by 'foreign adversaries', in what is widely being called a...
China PRC Government New National Video Surveillance Standards on May 14, 2019
The People's Republic of China (PRC) government has released a new set of overarching standards for authorities to follow when they install video...
Vivotek Talks About Taiwan, China, Bans, AI And Business Development on May 10, 2019
Vivotek, Taiwan's biggest manufacturer by revenue, did not have a booth at Taiwan's Secutech 2019 (which we are covering). However,...
10 Facial Recognition Providers Review (Secutech) on May 09, 2019
Adding to our 19 Facial Recognition Providers Profiled report from ISC West, IPVM focused on facial recognition technology for our Day 2 coverage...
Secutech Taipei 2019 Show Report, Impacted By Expected Hikua Ban on May 08, 2019
IPVM is in Taipei attending SecuTech 2019: The most significant new development at the show is Dahua and Hikvision pulling out after many years...
Dahua and Hikvision Products Illegally Sold To US Government GSA on May 06, 2019
Dahua and Hikvision products are being widely and illegally sold to the US government GSA. The sellers are falsely claiming these China products to...
Registration Closed - Spring 2019 IP Networking Course on May 02, 2019
Register now for the Spring 2019 IP Networking course here - Closed. Last chance now.   This is the only networking course designed specifically...

Most Recent Industry Reports

NJ Law Requires Apprenticeship For Public Works Integrators on May 24, 2019
Few integrators do a formal apprenticeship program. However, now a NJ law is requiring any integrator on public works projects (such as state...
Security / Privacy Journalist Sam Pfeifle Interview on May 24, 2019
Sam Pfeifle is best known as the outspoken former Editor of Security Systems News. After that, he was publications director at the International...
Verkada Video Quality Problems Tested on May 23, 2019
Verkada suffers from numerous video quality problems, not found in commercial IP cameras, new IPVM testing of Verkada vs Axis and Hikvision...
Average Frame Rate Video Surveillance 2019 on May 23, 2019
What is the average frame rated used in video surveillance systems? In IPVM's 2011 statistics, the average was 6-8fps increasing to ~10fps in...
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
ASCMA / Monitronics Declares Chapter 11 Bankruptcy Plan on May 22, 2019
Monitronics is entering into Chapter 11 bankruptcy. The company, also called Ascent Capital Group Inc., aka ASCMA, aka Brinks Home Security,...
US Considers Sanctions Against Hikvision and Dahua on May 22, 2019
The US government is considering blacklisting "up to 5" PRC surveillance firms, including Hikvision and Dahua, Bloomberg reported, with human...
Dahua USA Celebrates 5 Years of Errors on May 21, 2019
Dahua USA is, in their own words, 'celebrating' 5 years in North America or as trade magazine SSN declared: Dahua Technology finds success in...
Axis ~$150 Outdoor Camera Tested on May 21, 2019
Axis has released the latest in their Companion camera line, the outdoor Companion Dome Mini LE, a 1080p integrated IR model aiming to compete with...
Covert Facial Recognition Using Axis and Amazon By NYTimes on May 20, 2019
What if you took a 33MP Axis camera covering one of the busiest parks in the US and ran Amazon Facial Recognition against it? That is what the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact