Chinese surveillance cameras are still watching over U.S. military bases, just weeks before a federal ban on such equipment comes into force, according to a review of defense contracts. Cameras made by Hikvision, which is 42 percent owned by the Chinese government, remain in place at the Peterson Air Force Base in Colorado, the home of North American Aerospace Defense Command (NORAD) and the headquarters of Air Force Space Command.
The Peterson base spent $112,000 on Hikvision cameras in 2016 but is now planning to “evaluate these systems and replace them,” according to a base spokesperson.
Meanwhile, a U.S. Navy research base in Orlando, Florida, spent $4,000 on Hikvision cameras even after the passage last year of the National Defense Authorization Act (NDAA), which bans federal agencies from buying cameras and telecoms equipment from Hikvision and two other Chinese suppliers, Dahua Technology and Hytera.
Any device creates an attack surface — a way into anything it’s connected to.
Steven Humphreys, chief executive, Identiv
Officials say the contract is unrelated to base security and that the cameras, which were being used as part of a training system, are not connected to the internet. Police departments in states including Massachusetts, Colorado and Tennessee are also still relying on Hikvision cameras. The Memphis Police Department alone has at least 1,500. Meanwhile, the U.S. State Department has bought more than $20,000 worth of replacement Hytera radio parts for the U.S. embassy in Guatemala, again after the NDAA was passed — as part of its work with the Policía Nacional Civil. Future restrictions would be reviewed as they come into effect, says a State Department official.
In 2017, an Army memo said Hytera radios were being used for special-forces training since the brand was “extensively used by the Islamic State.” Concerns about the safety of China-made technology have escalated during the past 18 months, as relations between the U.S. and China have worsened. The NDAA also bars federal agencies from buying from China’s Huawei, which supplies microchips to U.S. surveillance camera makers, and will extend to include how federal loans and grants are spent from July 2020. Hikvision says it is “disappointed” with the legislation, which was “quickly drafted without sufficient evidence, review or investigation.”
In the years leading up to the ban, Hikvision cameras were purchased by several arms of the military, although officials were reluctant to disclose whether they remain in use. The Fort Drum Army base, which acquired $30,000 worth of Hikvision cameras in June 2018, declined to comment. A tender for security cameras by Marine Corps Base Camp Lejeune last January noted that only Hikvision equipment would “work in network with other cameras.” The base declined to say whether the network still relied on the China-made cameras. Since 2015, the Defense Logistics Agency has spent almost $180,000 on Hikvision cameras for U.S. forces in Korea and a naval base in Florida.
The DLA says it “plans to inform the military customers who ordered the material that they should review the applicable section of the NDAA and determine whether or not it is appropriate for them to continue to use the equipment.” Authorities in Korea and Florida were unable to confirm whether the cameras remained in use.
Hikvision’s rapid expansion into the U.S. surveillance market began in the 2010s, when it started selling cheap alternatives to devices made by brands such as Axis and Bosch. By 2016 it had become the second-largest supplier of video surveillance products in the Americas, with 8.5 percent of the surveillance camera market, up from nothing at the turn of the century, and second only to Axis’ 11 percent, according to IHS Markit. Low prices attracted small businesses and local law enforcement in particular. Former Memphis PD surveillance manager Joseph Patty, who now runs a security consulting business, says the brand became so popular because price was often the “bottom-line factor.”
But cybersecurity experts say all internet-connected devices, including cameras, can pose a threat to the networks they are connected to if they have security vulnerabilities. They could be used by rogue actors as backdoors to sensitive networks: Once in, such actors could steal information or shut down entire systems.
“Any device creates an attack surface — a way into anything it’s connected to,” says Steven Humphreys, chief executive of security company Identiv. For example, a local police department’s network might be connected to larger organizations: “All you need is one [way in.] … That is why the American government is worrying.”
This year, U.S. lawmakers have been increasingly vocal in warning that Beijing could use certain China-made technologies for hacking. Hikvision has also been strongly rebuked for selling surveillance tools to authorities in Xinjiang, where Beijing is accused of human-rights abuses.
Many authorities are now under pressure to switch to alternative systems. One security company said that more than a dozen federal agencies had approached it for advice, about half a dozen of which were working to replace the cameras. Hospitals, local governments and sensitive businesses, such as banks and critical infrastructure companies, had sought similar help, the company said. In 2018, Hikvision’s U.S. sales fell for the first time. Its share price has slumped 20 percent since the NDAA was announced.
Some are unconvinced that the Chinese government would want to access their camera footage. But what matters for hackers isn’t “what it’s pointed at, but that there’s a central processing unit attached to your network,” says a spokesperson for security company Genetec.
Muddying the water, and making it difficult to track the spread of Hikvision cameras, many U.S. brands have “white-label” agreements with the company, under which they buy Hikvision’s hardware, repackage it and sell it under their own names. This is a “real concern” for government security managers, says John Honovich, founder of video surveillance research site IPVM.
The NDAA does not explicitly ban the purchase of these products. But the software on devices made by Hikvision can be altered by the Chinese company, which sends updates to resellers, such as United Technologies-owned Interlogix. Large-scale Hikvision resellers, including United Technologies and TRENDnet, declined to comment. Panasonic-owned Advidia, which also sells Hikvision-made hardware, said it was monitoring the situation but did “not anticipate any changes at this point in time.”
Similarly, many U.S. camera manufacturers use chips made by Huawei’s HiSilicon. They are “fairly pervasive” in “nominally American” brands, says Identiv’s Humphreys. Smaller agencies are not always aware of the risks and do not always have the cash to replace systems, although comparably cheap alternatives to Hikvision have begun to emerge.
“This is a broad problem … about how we as consumers and organizations use and trust technology,” says Cesar Cerrudo, a fellow at the Institute for Critical Infrastructure Technology. If you don’t test it, “the reality is you don’t really know if it has backdoors.”