Illegal Hidden Dahua and Hikvision Sales, Sellers and 'Manufacturers' Blame Each Other
Secretly-relabelled Hikvision and Dahua (Hikua) products are being sold to various Federal and military agencies, violating the NDAA ban. Sellers blame suppliers, including Anixter, and 'manufacturers' blame sellers, despite these relabelers hiding their activities.
This joint investigation with The Intercept - who published their own report [U.S. MILITARY BOUGHT CAMERAS IN VIOLATION OF AMERICA’S OWN CHINA SANCTIONS] - demonstrates the risks of allowing US companies to secretly relabel products that are outlawed for US federal use. The result is a breakdown of accountability in the supply chains that keep federal assets safe, while threatening the safety of US networks.
IPVM and The Intercept found illegal GSA listings and federal sales of Amcrest, Bosch, Honeywell, Interlogix, Lorex, LTS, and Speco.
"100% Innocent Victim" Says Seller
"These companies are defrauding everyone," said Global Data Center, a government contractor that sold Dahua-produced DVRs to the US Army and Department of Veterans Affairs; they were branded as Bosch and Amcrest devices, and the contractor blames manufacturers and distributors. "We are 100% innocent victims in this situation."
Anixter Blamed by Anixter Client
Anixter was blamed by Computech International (CTI), who listed relabeled Hikua products on GSA Advantage. CTI leans on companies like Anixter to certify origin information. "We do act in good faith, however, our actions can only be as good as the information we get."
Illegal Purchases of Relabelled Hikua
In 2018, Congress placed Hikvision and Dahua under a national security ban, making Federal purchases or use of their products illegal. This applies to anything they "produce", irrespective of how they are branded, as the NDAA's implementing rules clearly state.
But years of deception by well-known American companies selling relabelled Hikua under their own brands, like Honeywell, Carrier, and Speco, have made compliance difficult.
Even the General Services Administration (GSA), an agency specializing in procurement that had responsibility for implementing the NDAA ban, didn't stop relabelled Hikua gear from appearing in multiple listings on GSA Advantage.
The Amazon-like marketplace exclusively for Federal, State, and Local government buyers features products that are supposed to be vetted for compliance with government rules and trade regulations, such as the TAA and NDAA. In years past, straight-labeled Dahua or Hikvision were sold on GSA Advantage. IPVM exposed this - twice - though none are currently listed.
Public records show numerous Federal agencies bought NDAA-banned surveillance through the GSA while the ban was active, including the Army, Navy, and Air Force.
Amcrest - "Drop-Shipped" to Army
Amcrest's AMDV10814-1TB-C is equivalent to the Dahua XVR4104, a DVR purchased by the US Army through the GSA. An Army spokesperson told us "The team that purchased it observed that neither AMCREST nor GDC Inc. were listed as prohibited companies, and saw no indication that they may have been associated with any prohibited companies."
Amcrest would not confirm whether their products are manufactured by Dahua. Asked if their products comply with the NDAA ban, an Amcrest representative simply responded, "No."
The contractor behind this sale along with two Dahua products labeled as Bosch, Global Data Center, Inc., said "These items were sourced and purchased through authorized distributors and all the product information came from them. We had no way of knowing anything like this was going on."
"As with nearly 100% of all technology products in this day and age," Global Data Center said, "these were drop-shipped and/or direct ship products, meaning the distributors ship the products directly on our behalf...The onus for this issue and of information rests on the distributors."
They added, as an analogy, "we bought a pair of Nike shoes for our customer and some knockoff brand was shipped without our knowledge or consent. In simple terms - we were ripped off and deceived."
Global Data Center said the GSA had contacted them about the banned gear. They are "fully cooperating" and "will fully prove our complete innocence in this matter."
Amcrest did not respond to a follow-up inquiry regarding Global Data Center's claim of "fraud."
Bosch - Sold to VA, Listed on GSA
Bosch is dropping Dahua, but the company sold Dahua OEMs for years including DVRs from their DIVAR line. We tested the DIVAR 2000, a Dahua OEM, which notably was discoverable by Dahua's ConfigTool. It was listed on GSA Advantage.
The DIVAR 3000 is comparable to the DIVAR 2000; they are physically similar, and Bosch uses the same manual for both. It too was listed on GSA Advantage, and the Department of Veterans Affairs purchased DIVAR 3000s - twice. The VA did not respond to a request for comment.
Bosch commented on Global Data Center's claim of "fraud" by manufacturers, saying:
In response to your inquiry, Global Data Center purchased the video recording products through distributors, as Bosch does not have a direct purchase relationship with the company. We have been transparent with any customer inquiries related to NDAA compliance and have provided information to IPVM for publication on the IPVM website.
Honeywell - Listed on GSA
Honeywell is a longtime seller of relabelled Dahua equipment. Despite this, the company has made a market in recent years for NDAA compliant products, which they declare openly if and when it applies:
But when it comes to Honeywell's product page for relabelled Dahua cameras, there is no mention of the NDAA, or any disclosure of the original manufacturer at all:
Their Dahua products include the entire "Performance Series" line of cameras. Several of these models were found on GSA Advantage, such as the HD274HD4, which is equivalent to the Dahua A42AM2Z. A typical example of an OEM, both the hardware and software only differ cosmetically.
The products are a physical match other than having different casings:
The cameras' UIs match as well:
The Honeywell HD274HD4 was listed by Computech International (CTI), a contractor with "tens of thousands of products on GSA."
Anixter provided inaccurate country of origin (COO) data, says CTI, who sent us a spreadsheet of Anixter's COO information that marked numerous relabelled Hikua products as made in the USA. CTI did not receive NDAA compliance information from Anixter, but they assumed that a product originating in the USA - or another TAA-compliant country - would also be NDAA compliant.
Manufacturers were also to blame, with CTI saying "Your issue then should be with the manufacturer who is not upfront about its components," adding, "We have no way of knowing what components are used in each camera."
Anixter did not respond to a request for comment.
Many of CTI's hundreds of surveillance listings on GSA may be taken down in response to our inquiry. "We will remove all 2nd and 3rd tier cameras from our schedule as I can't be confident of the components they use."
"We moved to a new building 4 months ago," CTI added, "during the move we replaced 26 Hikvision cameras to Speco to make sure we are NDAA compliant. We take it seriously!"
Speco - Sold to DoD, Navy, Air Force, Listed on GSA
Speco relabels both Hikvision and Dahua. There were several GSA Advantage listings of NDAA non-compliant Speco equipment, including the ZIPL4D1, ZIPT4D1, and TVIKIT2.
The Office of the Secretary of Defense purchased the ZIPL4D1, a bundle of cameras that is physically identical to the Dahua HDBW42A1EN-AS. The delivery location is noted as AE, standing for Armed Forces Europe.
The US Navy bought the ZIPT4D1, a camera/DVR bundle. The Navy did not respond to a request for comment.
Also a bundle, the TVIKIT2 was purchased by the US Space Command, and twice by the US Air Force.
We were unable to match the ZIPT4D1 or TVIKIT2 cameras/DVRs to specific corresponding Hikvision models. However, TVI is a video transmission standard typically used by Hikvision. Speco maintains a list of NDAA compliant products, which does not include the ZIPT4D1, TVIKIT2, or ZIPL4D1.
The contractor behind the USAF purchases was SPS Industrial. They said the equipment would be destroyed, and the government refunded:
Thank you for your inquiry. SPS Industrial Inc goes above and beyond the minimum FAR guidelines, TAA requirements, and follows all requirements of 48 CFR s.52.204-24. The equipment you have referred to is being destroyed and a full refund has been offered to the Government. [emphasis added]
A US Air Force spokesperson said they vet purchases for compliance with the NDAA, but that, "At the time of purchase(s), the procedures requiring sanctions against Dahua Technology Company and Hikvision Digital Technology Company, as prescribed in the [Federal Acquisition Regulations], were not yet published."
In fact, the purchases occurred after the publication and effective date of the NDAA ban's implementation. We pointed this out to the Air Force, but they have not responded.
Lorex - Sold to Air Force, Listed on GSA
Even Lorex, a brand 100% owned by Dahua, can be found on GSA Advantage. 14 Lorex cameras were listed on the site and marked as being Made in the USA, such as the two below.
The US Air Force bought Lorex/Dahua products via the GSA 3 times. This includes the LNE8950ABW, which matches the Dahua IPC-HDW4831EM-ASE:
Although the USAF was listed as the buyer a USAF spokesperson told us, "We determined the three purchases from Ekoam Systems Inc. were made by the Air National Guard (ANG). The US Army would have purview over these purchases so please reach out to them for details." The Army did not comment on the purchases.
Lorex provided a statement to the Intercept, excerpted below:
Lorex does not sell directly to any federal government entities. It is theoretically possible that a federal government entity could purchase our products online or at a retailer, but if that has happened it has not been as the result of any proactive effort on our part.
To be clear, Lorex and its parent company Dahua are committed to full compliance with all applicable U.S. laws and regulations, including those associated with the Entity List and adjacent policies such as the NDAA.
Dahua also reached out to the Intercept, noting they bought Lorex "a full year before Dahua was put on the U.S. government’s Entity List." They said purchasing Lorex was a business decision, "not based on any consideration of U.S. foreign or trade policy."
Interlogix - Sold to State Department, Listed on GSA
Interlogix, a brand owned by American company Carrier, has used Hikvision OEMs for years. This includes their entire TruVision line of cameras. A TruVision camera, the TVCBIR6SR_39M949, was found on GSA Advantage with the origin falsely listed as Taiwan.
In May, the US Department of State bought $30,000+ of Interlogix TruVision cameras for an embassy project, as we recently reported.
LTS - Listed on GSA
LTS is known to be a Hikvision OEM. Two of their cameras were found on GSA Advantage, the LTCIP31020M, equivalent to Hikvision's DS-2CD21, and the LTCIP30020M, equivalent to Hikvision's DS-2CD2T55FWD-I5.
"Federal Government Bears Culpability" Says Retired Brig. General
Retired USAF Brigadier General Robert Spalding spoke to us about these findings saying, "The Chinese Communist Party's ultimate goal is to monitor, surveil, and collect data...This is the main reason why you would not want these cameras." Gen. Spalding was the Sr. Director for Strategic Planning at the White House National Security Council, and the Defense Attaché in China.
He was alarmed that the Federal government is still buying Hikvision and Dahua:
The federal government bears some culpability here because it's allowed this process to happen. There is this belief, at least when I was in government, that the government doesn't have responsibility or role when it comes to where things are sourced.
Gen. Spalding said Hikua OEMs "should be labeled as such," and called for stricter penalties when sellers deceive the government:
It is very easy to relabel and otherwise trick the GSA and others. And for that, we need to have much more strict, stringent penalties.
(Read Gen. Spalding's Full Interview Here)
A GSA spokesperson told us they have "multiple means" to ensure NDAA compliance, but noted they are "in the process of making further improvements":
GSA has multiple means to vet vendors and products sold on GSAAdvantage! in accordance with the Federal Acquisition Regulation (FAR). Moreover, contractors must comply with the clauses and provisions found in the FAR requiring them to state whether they sell covered technology. Products found not in compliance are removed from GSAAdvantage!.
GSA is in the process of making further improvements. In May 2021, GSA launched the Verified Products Portal (VPP). The VPP is a new manufacturer and wholesaler-facing portal for authoritative product content. One of the VPP’s primary goals is to mitigate supply chain risk by ensuring commercial-off-the-shelf products are compliant with Section 889.
Customers that have problems with a GSA order, including receipt of non-compliant products, should immediately contact the GSA National Customer Service Center (NCSC). The NCSC will bring the alleged violation to the attention of the GSA Contracting Officer (CO) assigned to the contract at issue. The CO can then investigate and take appropriate action.
NDAA Fails Without Supply Chain Transparency
With no markings or transparent disclosures, and little way for buyers to tell the true manufacturer, it is not surprising that secretly relabelled Hikua products continue to be sold to unaware government buyers and installed on Federal networks.
The problem is likely much greater than we have reported here. Government surveillance purchasing records usually redact information necessary to identifying relabelled Hikua. When available, it is only for smaller purchases (such as those made through the GSA). The largest in this report, by the US State Department for $30,000, would have gone unnoticed had the vendor not emailed IPVM asking if we had Interlogix stock to sell to the US Embassy (IPVM does not sell any surveillance products).
Still, that the government is buying Hikvision and Dahua through its own website illustrates just how easily relabelled products will go unnoticed in Federal supply chains.
The response of contractors, manufacturers and Federal agencies has been to shift blame onto each other. The GSA told us they rely on contractors to certify the NDAA compliance of their products. Contractors told us they rely on manufacturers or distributors for this information. And manufacturers said NDAA compliance issues are up to the GSA and contractors; after all, they do not directly sell this equipment to the government.
It is difficult to point to a single responsible party, but none are incentivized to fix things except for the government since the NDAA ban is undermined by this problem. Federal officials can help solve the problem by demanding transparent information on original manufacturers, and as the buyers, they are well-positioned to do so.