Seeing Red: What, exactly, is the problem with Chinese CCTV cameras?

The realities of a changing geopolitical landscape have recently hit New Zealand’s security industry with all the force of a ram-raiding Mazda Demio. As great power rivalry between US superpower incumbency and an ascendant China becomes a growing source of international insecurity, Five-Eyes governments are curbing their use of Chinese-branded CCTV cameras citing national security concerns.

Australia’s Department of Defence and Department of Foreign Affairs and Trade are ripping out Hikvision and Dahua CCTV cameras over spyware fears after an audit found more than 900 of them at government sites. This follows earlier bans on Chinese-branded cameras by Australia’s AUKUS partners the US and UK.

Last year, the US government banned the import of Hikvision and Dahua cameras through its borders, having already for several years prohibited their purchase by government agencies. Several months ago, the UK government also banned its departments from purchasing new Chinese-made cameras but left open the question of what to do with existing installs.

As for the remainder of the Five Eyes grouping, Canada has not yet banned cameras of Chinese manufacture despite heavy lobbying from pro-ban interests, including the US-based IPVM, an influential security tech news portal and selfstyled “world’s leading authority on physical security technology”.

Radio NZ reported last month that our own government’s main procurement unit said it had “not taken any decisions regarding specific companies”, leaving individual agencies responsible for vetting products and suppliers on security grounds.

In other parts of the Western world, Chinese branded cameras have been the subject of intense debate. In 2021 the EU Parliament voted to remove its Hikvision thermal cameras due to concerns over human rights abuses in China against the Uyghur ethnic minority, and in 2022 the Danish Capital Region banned Hikvision purchases over security concerns.

Outside of the Five Eyes and the EU, apart from an Indian government ban of Hikvision cameras from military and highsecurity areas, most of the rest of the world have not joined the prohibition push.

This has all been occuring within the context of the broader deterioration in relations between Xi Jinping’s China and the US. China is now viewed as a strategic competitor of the US and its allies, a rising and increasingly aggressive power, a threat to the rules-based international order, a potential adversary.

As a consequence, US supply chains in ‘strategic’ goods and services are decoupling from China. “Ecosystems involving semiconductors, AI, supercomputing, biotech, and quantum science, among others, will continue to decouple as Washington and Beijing engage in technonationalist competition and hybrid warfare,” wrote academic Alex Capri in a recent Forbes article.

The result, writes Capri, is a “bifurcation of the global tech sector” as both camps look to channel their strategic supply chains towards domestic production and ‘friendshoring’.

As trade in strategic goods becomes balkanised and we edge seemingly closer to a new Cold War, we are confronted with the inevitable shrill of hawkish political and media commentary on both sides. Tabloids talk of “Chinese spy cameras”, “Beijing’s bird’s eye”; the aforementioned IPVM posts that it is proud to impose upon itself a “not made in PRC China” policy.

The poor quality of media commentary has created no shortage of questions and confusion within the New Zealand CCTV market –for manufacturers to distributors, integrators, and end users alike. Can Chinese cameras be controlled by the Chinese government? Are they really able to “phone home”? Are they more cyber vulnerable than other camera brands? Are they complicit in human rights abuses in China?

Before offering perspectives on these questions, it would be prudent to clarify NZSM’s – and my own –position in terms of our objectivity. NZSM’s revenue is generated through advertising, and it is usually the case that Chinese brands advertise in the magazine. We are grateful for their business, but we are not financially dependent on it, and nor are we editorially beholden to it.

As for my position, I trained as a sinologist at university, and lived in the cities of Shanghai and Beijing for a total of five years, most of which as an Australian diplomat. As an academic, my research on the Chinese state’s systems of internal propaganda and social control has been published in several international peer-reviewed journals, which in more sober times might be considered a fair indicator of objectivity.

Our claims to objectivity, however, are unlikely to fly with the likes of IPVM’s founder and publisher John Honovich, who, according to a fawning September 2022 feature in The Atlantic, holds trade publications in low regard. We have been “bought”, he believes, “by advertisers who hold sway over reviews and content.”

Hikvision has been infamously linked in recent years to several cyber vulnerabilities. Perhaps the most infamous of all, found by security researcher ‘Monte Crypto’ in 2017, is the ‘backdoor’ exploit that made it possible for a remote attacker to gain full admin access to an affected device.

Almost as infamous is the vulnerability found by ‘Watchfull_ IP’ in 2021 and listed as CVE2021-36260 in the Common Vulnerabilities and Exposures (CVE) database. It could allow an unauthenticated attacker to gain full access to a device and potentially perform lateral movement into internal networks.

It’s vulnerabilities such as these – combined with Hikvision’s part ownership by the Chinese government – that have fuelled claims that its cameras can be remotely controlled by authorities in Beijing or, in tabloid parlance, “phone home”.

In the meantime, firmware updates have been released, vulnerabilities resolved, and to date, writes SEN’s John Adams, “no Chinese-made video surveillance camera in Australia (or anywhere else in the world) has been found transmitting video streams to the Chinese Government.”

“It goes without saying that no pro-grade network intrusion detection system could fail to alert network engineers to the transmission of big band video signals from secure network ports to an external network location,” Adams states, rubbishing the pseudoscience behind the ‘phone home’ claim. “It would generate an immediate alert, remedial action and public condemnation.”

Vlado Damjanovski, one of the world’s foremost experts and authorities on CCTV, and author of the Australian Security Industry Association (ASIAL) published From Light to Intelligent Pixels, puts it plainly. Just because a camera happens to be of Chinese manufacture, he says, “it doesn’t automatically mean the Chinese can get into it.”

“The same could be feared for any other network product connected to the internet,” he continues. “MS Windows for example. Despite being US made, it can be interrogated by any spy agency if you don’t have policies in place. Would you ban Windows then?”

Despite tabloid news reports crying “Chinese backdoor”, and well-meaning (albeit hawkish) think tank publications doing the same with bigger words, there remains no evidence that Chinese-made CCTV cameras are technically any more vulnerable to intrusion by the Chinese state than any other camera.

The irony around some governments banning Hikvision from their premises is that government agencies are most unlikely to be hosting their CCTV cameras on networks that are open to the internet. They just don’t do that. Cameras not connected to the internet are immune – by virtue of their separation from the internet –to internet-borne exploits.

But perhaps the greatest irony of all is that Hikvision’s critical vulnerability track record is actually pretty good. In the aforementioned CVE database, which catalogues publicly disclosed cybersecurity vulnerabilities, many big-name non-Chinese security system manufacturers possess comparatively longer lists of vulnerabilities. Despite this, their cameras, video management systems and access control systems are keeping government sites secure from Wellington to Washington.

Perhaps that would be the greatest irony if it was’t for the fact that the maintenance of the CVE database is funded by the National Cyber Security Division of the US Department of Homeland Security, and that Hikvision is a CVE Numbering Authority (CNA) – which means that it is one of a limited number of CERTS, bug bounty providers, researchers and vendors authorised by the CVE Program to publish CVE Records.

So, on the one hand, the US Federal Communications Commission (FCC) has banned the sale of Hikvision equipment due to it posing “unacceptable risks to national security”, yet on the other hand, the US Department of Homeland Security considers Hikvision a trusted cyber security partner.

It’s no wonder that the likes of Adams, Damjanovski, and other internationally respected security systems specialists have publicly rubbished the latest Australian government removal of Chinesemade cameras on “spyware fears”. In the rush to decouple from Chinese security tech, it’s become an area of policy in which politics, they fear, has overtaken logic.

Apart from cybersecurity concerns, the most used justification for Western governments ghosting Chinese camera brands is human rights.

According to the MIT Technology Review, Hikvision was found to have received at least $275 million in Chinese government contracts to build surveillance in the Xinjiang Uyghur autonomous region in China’s west, and that it had developed AI cameras capable of detecting Uyghur physical features.

In 2022, the US Treasury reportedly considered adding Hikvision to the Specially Designated Nationals (SDN) List due to its alleged role in enabling human rights violations against the Uyghurs. This unprecedented move would have outlawed the use of Hikvision by anyone anywhere, effectively confining the company to China’s domestic market.

The Carnegie Endowment for International Peace describes placement on the SDN list as “the harshest financial penalty in Washington’s tool kit, often used against terrorists, drug lords, and the worst human rights abusers.” It would, states the Washington-based think tank, “grievously (perhaps fatally) wound the company, depending on how sanctions are implemented,” and represent a major escalation in economic tensions between the US and China.

The US government is yet to push the SDN button on Hikvision – or any other Chinese tech company – although Hikvision and many of its compatriots remain on lesser sanctions lists.

In March last year, New Zealand foreign minister Nanaia Mahuta released a statement voicing “grave concerns about the growing number of credible reports of severe human rights abuses against ethnic Uyghurs and other Muslim minorities in Xinjiang”. But in May, the New Zealand Parliament retreated from debating a motion that would have labelled human rights violations against the Uyghurs as acts of genocide.

This put Wellington out of step with the US government and UK parliament, which have both branded Beijing’s actions in Xinjiang as genocide, and the EU parliament, which has referred to Beijing’s actions as a “serious risk of genocide”.

However, in August, the Ministry of Business, Innovation and Employment (MBIE) announced that it would no longer accept Hikvision equipment. “MBIE takes matters of human rights very seriously,” stated its workplace general manger Adrian Regnault, “and under Rule 44 of the Government Procurement Rules, will exclude any suppliers that may be in violation of these rights.”

By citing the Government Procurement Rules, MBIE has effectively placed procurement teams across government agencies on notice.

It’s a prickly issue. There appears to be consensus among Western governments that Beijing has perpetrated significant human rights violations against its ethnically Uyghur citizens. On the flipside, Beijing points to its long-running struggle against what it calls the ‘three evils’ (terrorism, separatism, and religious extremism) to justify the range of actions it has taken to thwart the influence of Islamist and East Turkestan independence groups.

Interestingly, allegations over human rights abuses in Xinjiang have been levelled at Beijing by human rights and Uyghur lobby groups for several decades, but it’s only in the last few years that Western governments have started listening… and acting on it.

Rewind 20 years to the aftermath of 9/11 and the early days of the Global War on Terrorism (GWOT) and Beijing had by 2002 successfully lobbied Washington – and then the UN – to have the secessionist Uyghur East Turkestan Islamic Movement (ETIM) listed as terrorist group. This was supported by claims by the US Embassy in Beijing that there was evidence the barely known ETIM was working with al Qaeda and planning a terrorist strike against the US Embassy in Kyrgyzstan.

Washington’s and Beijing’s security interests at that historical moment aligned. Henceforth, the crushing of restive elements within its own Uyghur population effectively became China’s keystone contribution to the US-led GWOT.

Fast-forward to November 2020, and the world had changed. Against the backdrop of a deteriorating US-China relationship, the Trump administration removed ETIM from its terrorist organisations list. Within the space of two decades, Washington’s rampant post-9/11 Islamophobia had been replaced by an emergent Sinophobia.

From GWOT partner to strategic competitor, one can’t help but ponder the possibility that the US’ view of China’s treatment of the Uyghurs may be tied – at least in some measure – to Washington’s prevailing strategic view of China.

Along with the shifting geopolitical sands, political and media focus has clearly shifted to Hikvision’s role as a provider of surveillance technology complicit in the mistreatment of China’s Uyghurs. Unsurprisingly, it’s an accusation that Hikvision denies.

Commissioned by Hikvision in 2019 to investigate its Xinjiang human rights compliance, former US Ambassador-at-Large for War Crimes Issues Pierre-Richard Prosper found that Hikvision had not entered into projects in Xinjiang with the intent to knowingly engage in human rights abuses, or that it had knowingly or intentionally committed human rights abuses or acted in wilful disregard. So far, Western governments aren’t placing much weight on the former ambassador’s report.

With the spotlight pointed at Hikvision with such precision, it would appear prudent to ask: are Hikvision and its compatriot CCTV brands being disproportionately targeted?

Video surveillance – by its very nature – constitutes a range of technologies that are potentially vulnerable to being deployed in ways that may breach individuals’ rights. Are Chinese brands uniquely vulnerable in this regard? What are the potential associations of video surveillance vendors internationally with public surveillance programs known to have enabled human rights abuses?

A quick, non-exhaustive, google search provides some indication that Chinese brands are by no means the only brands alleged to have enabled human rights abuses:

• In 2014, the Business & Human Rights Resource Centre reported that Sony had provided the Israeli government with cameras that were mounted on missiles that were being fired into the Gaza Strip. At that time, at least 1,942 Palestinians, including 470 children, had been killed and nearly 10,000 injured in the offensive.

• In 2016, a report by Londonbased NGO Bahrain Watch found that Pelco was part of a consortium providing the Bahrain Interior Ministry with enhanced surveillance equipment that could be used to target prodemocracy campaigners.

• In 2019, it was reported by The Intercept that an IBM video surveillance project Davao City in the Philippines enabled police to carry out a campaign involving hundreds of extrajudicial killings a decade previously.

• In 2020, Axis Communications has come under criticism from human rights group Amnesty International for the alleged use of its CCTV technologies in large scale police-led surveillance projects in Chinese cities.

• In 2022, following reports of CCTV cameras being used by Iranian authorities to help identify women not adhering to the country’s mandatory hijab rule, Iran Wire reported that Axis CCTV cameras were being supplied to the Iranian government by a local distributor and “official representative”.

• In January, Reuters reported rights experts as saying that that a Honeywell smart city surveillance system in Egypt’s New Administrative Capital posed a potential threat to basic rights amid a broader crackdown on dissent and free speech.

But reports of the type listed above don’t appear to find audiences too far beyond the memberships of rights groups. Unlike reports targeting the Chinese brands, they’re not tabloid fare, and they certainly don’t make for non-paywalled IPVM exposés.

With this article, I have not attempted to provide a comprehensive analysis of the issue of Chinese security tech and its discontents. Neither have I attempted to provide a view that is necessarily balanced. What I have attempted to do is play devil’s advocate, to call into question the narratives that have so far dominated discourse on this issue.

To this end, it appears to me that politics has indeed overtaken public discourse on Chinese branded video surveillance systems, and I fear that this does a potential disservice to us all.

In pursuing a decoupling from China and promoting the balkanisation of international CCTV supply chains, our governments not only cause the markets we are left with to become less efficient, more vulnerable to disruption, and more expensive, but ultimately, they hitch us to a bandwagon that edges us closer and lemming-like to a new and dangerous Cold War.