Danish Capital Region Bans Hikvision Purchases, Calls "Critical Threat To Security"
The most populous region of Denmark, which includes the nation's capital of Copenhagen, has banned Hikvision camera purchases following an assessment that Hikvision constitutes a "critical threat to security".
Hikvision and Copenhagen-based Hikvision partner Milestone did not respond to IPVM's comment requests. In January, Denmark's intelligence agency warned against PRC-made cameras, calling out Hikvision's vulnerabilities and PRC data laws.
In this post, IPVM examines this news and its implications for Hikvision.
Hikvision Purchases "Must Be Discontinued"
On Monday, the Capital Region (Region Hovedstaden), one of Denmark's five regions (equivalent to US states) declassified a June 2022 briefing, obtained by IPVM, detailing that Hikvision camera purchases had been officially banned:
The briefing states that the Capital Region's Steering Group for IT and Information Security "has decided that the purchase of video cameras from the manufacturer Hikvision must be discontinued":
on 20 May 2022, a number of new measures were decided, which the Regional Council is hereby informed about. As before, the measures concern the video cameras that have been set up and operated within the framework of the region's central IT infrastructure. The Steering Group for IT and Information Security has decided that the purchase of video cameras from the manufacturer Hikvision must be discontinued. [emphasis added]
In Denmark, the main activity and expenditure of every Region is healthcare; other services, like education and policing, are typically done at the municipal level.
Reasoning Behind Ban: Hikvision "Critical Threat To Security"
The briefing details how the Capital Region came to this conclusion, with the main driver being in February, when Denmark's top intelligence agency and cyber authority issued a "security recommendation" stating that "video cameras from the manufacturer Hikvision constitutes a critical threat to security":
On 15 February 2022, the Danish Security and Intelligence Service [PET/ Politiets Efterretningstjeneste] and the Center for Cyber Security sent a "Security recommendation regarding the use of surveillance cameras". The security recommendation states that video cameras from the manufacturer Hikvision constitutes a critical threat to security. The threat consists of a backdoor that "makes it possible for an attacker to access the camera without the use of authentication". [emphasis added]
The recommendation, however, did not explicitly recommend bans but urged patches and that "the video cameras be connected to their own network". A month before this February assessment, Denmark's intelligence agency had already recommended "general reluctance to use Chinese surveillance equipment for Internet-connected systems", citing two 2017 Hikvision vulns (Hikvision Backdoor Exploit and Hikvision Backdoor Confirmed).
Status Of Existing Cameras
The memo notes that already installed Hikvision cameras "can remain in operation" if they are patched and "if they are not used in relation to clinical purposes", otherwise they must be "discontinued as soon as possible":
As far as video cameras of the Hikvision brand are concerned, it has thus been decided that they can remain in operation if they are not used in relation to clinical purposes and as long as they can be satisfactorily security patched. If they are used for clinical purposes or cannot be satisfactorily patched, the video cameras will be discontinued as soon as possible.
This means Hikvision cameras within hospitals that film clinical work have to be removed, but a street-facing camera can remain if it is patched and on its own network. 72 Hikvision cameras are in use by the Region, per Danish tabloid B.T. which first broke the ban news.
Politician: "I Think This Is Going To Spread"
IPVM interviewed Thomas Rohden, an elected politician in the Regional Council (roughly equivalent to a US state representative) who is the founder of the Danish China-Critical Society and has been pushing for the Hikvision ban since his January 2022 election. Rohden told IPVM that while the Hikvision purchasing ban now only applies to the Capital Region, he thinks it will spread:
I think this is going to spread out and be a part of policy in more municipalities and regions. And maybe also at one point, the government will say, 'this is how you do it', it won't be a local decision anymore [to ban Hikvision]. I'm running for parliament now myself and this should be a government decision: we should have no cameras or surveillance systems from Russia, China, or Iran. [emphasis added]
Rohden says he believes such bans should apply to Dahua and other PRC firms as well, "but right now it's just Hikvision".
Hikvision, Milestone No Response
Hikvision did not respond to IPVM's comment request. Neither did Milestone, which is headquartered in Copenhagen and remains a Hikvision partner, e.g.:
When IPVM covered the Danish intelligence agency's warning against online PRC surveillance systems, Milestone said it was "aware" and that it recommends customers "to test and install their camera devices in a secured and private network."
This is a significant blow to Hikvision in Europe, especially considering the ban is over security reasons rather than human rights, so Hikvision cannot blame this restriction on 'geopolitics' or the byproduct of a "financial war" between the US and China, as it did last month in an earnings call. The clear risk for Hikvision is such restrictions spreading beyond Denmark and across other major European capitals, leading to potential national-level bans in the long run.