The National Defense Authorization Act for Fiscal Year 2019 recently went into effect, after being passed by the US Senate on August 1st, 2019. What’s unique about this year’s NDAA is that it includes a usage & purchase ban for Dahua and Hikvision IP surveillance cameras by the United States government and Federally-funded projects, with a focus on ‘critical infrastructure’ and ‘national security purposes’.
Citing this very severe security risk, the 2019 NDAA goes so far as to disallow any company that provides these cameras, even to private enterprise, from doing any business with the federal government. Penalties for violation of this Act include contract and/or procurement cancellation, disqualifying the contractor from future federal business, and serious violations can be referred to “appropriate criminal investigative agencies”.
The concern with these cameras is that both Dahua and Hikvision are majority-owned by the government of the People’s Republic of China, and these devices have long been suspected of containing hidden ‘backdoors’ that allow unauthorized access to any network they reside on, from anywhere on the Internet. Hikvision alone is 42% owned by the Chinese government. The US Department of Homeland Security previously issued a security advisory on Dahua cameras back in 2017, when a credential exploit had been found in the source code for Dahua digital video recorders and IP cameras. Separately, it was reported that another exploit in Dahua cameras allowed unauthenticated access to their audio stream, effectively providing a ‘wiretap’-type capability.
Many authorities are now under pressure to switch to alternative systems. One unnamed security company said that more than a dozen federal agencies had approached it for advice, about half a dozen of which were already working to replace the cameras. Hospitals, local governments and sensitive businesses, such as banks and critical infrastructure companies, had sought similar help, the company said. In 2018, Hikvision’s U.S. sales fell for the first time. Its share price has slumped 20 percent since the NDAA was announced.
Removing these cameras from US Government infrastructure may not be as easy as it seems. Between them, Hikvision and Dahua cameras hold roughly 33% of the global video surveillance market, and they are often sold at low price points, allowing for easy adoption in places like military bases and government offices that require a large camera footprint. What’s worse, many federal agencies likely do not know which manufacturers’ cameras they’ve even purchased, in part due to ‘whitelabelling’, a practice where an installer or reseller puts their own brand on Chinese-made equipment. Effectively, two cameras running identical Hikvision firmware could carry totally different labels and packaging, making it nearly impossible to identify all these cameras from their branding alone, let alone remove them.
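Because a whitelabelled camera usually keeps the original manufacturer's network hardware, the vendor prefix (OUI) of its MAC address is one inventory signal that survives rebranding. The script below is an added example, not code from the original post: it parses neighbour-table lines in the `ip neigh` style and flags any device whose OUI appears in a watch list. The OUI-to-vendor map and the neighbour lines are constructed placeholders; a real check would load the current assignments from the IEEE registry and follow up each hit with a look at the device's web interface or firmware, since OUI matching alone is only a first filter.

```python
"""Flag networked devices whose MAC vendor prefix (OUI) is on a watch list.

Added example, not from the original post. The OUI table and the neighbour
lines are constructed placeholders, not real vendor assignments.
"""
import re

# Constructed placeholder OUI -> vendor map (NOT real IEEE assignments).
# In practice, populate this from the IEEE OUI registry for the vendors of interest.
WATCHED_OUIS = {
    "00:11:22": "VendorA (placeholder)",
    "AA:BB:CC": "VendorB (placeholder)",
}

# Constructed sample neighbour-table lines in the Linux `ip neigh` style.
# Note the mixed ':' and '-' separators and one entry with no MAC at all.
SAMPLE_NEIGH = """\
10.0.5.21 dev eth0 lladdr 00:11:22:9a:bc:de REACHABLE
10.0.5.22 dev eth0 lladdr aa-bb-cc-01-02-03 STALE
10.0.5.30 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
10.0.5.40 dev eth0 FAILED
"""

# Six hex pairs separated by ':' or '-'.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Upper-case, colon-separated form so '-' and ':' styles compare equal."""
    return ":".join(part.upper() for part in re.split(r"[:-]", mac))


def oui_of(mac):
    """First three octets (the vendor-assigned prefix) in normalized form."""
    return normalize_mac(mac)[:8]


def flag_devices(neigh_text, watched=WATCHED_OUIS):
    """Return (ip, mac, vendor) for each neighbour whose OUI is on the watch list.

    Lines without a parseable IP and MAC (e.g. FAILED entries) are skipped.
    """
    hits = []
    for line in neigh_text.splitlines():
        mac_match = MAC_RE.search(line)
        ip_match = IP_RE.search(line)
        if not mac_match or not ip_match:
            continue
        mac = normalize_mac(mac_match.group(0))
        vendor = watched.get(oui_of(mac))
        if vendor:
            hits.append((ip_match.group(1), mac, vendor))
    return hits


if __name__ == "__main__":
    for ip, mac, vendor in flag_devices(SAMPLE_NEIGH):
        print(f"{ip}\t{mac}\t{vendor}")
```

Run it against the output of `ip neigh` (or an exported switch MAC table) to get a first list of candidates to inspect physically; devices behind a NAT gateway or a separate camera VLAN will need the neighbour table from a host on that segment.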
While the NDAA only applies to Government purchases of these cameras, private enterprise should be just as vigilant, as these devices on a network greatly increase the attack surface for all types of malware, ransomware, and viruses. It is important to replace these cameras immediately once they are identified. SOS can help; contact us today.