Since their establishment in 2001, Hikvision and Dahua have grown to become two of the world’s leading manufacturers of surveillance cameras. As part of a series of experiments to test the security of some Chinese-made surveillance cameras, Panorama collaborated with IPVM, a notable global authority on surveillance technology, to assess how vulnerable Hikvision cameras are to hacking.
According to a Freedom of Information request, around 35 UK local authorities use Dahua cameras, while 227 councils and 15 police forces use Hikvision. The UK’s surveillance camera commissioner, Prof Fraser Sampson, warned that the country’s critical infrastructure – its power supplies, transport networks, and access to fresh food and water – could be vulnerable. He added that “all those things rely very heavily on remote surveillance,” and that mayhem could occur cheaply and remotely if one could interfere with it.
However, Hikvision told Panorama that it was an independent company and was not a threat to UK national security. They added that Hikvision had never conducted, nor will it conduct, any espionage-related activities for any government in the world, as their products were subject to strict security requirements and compliant with the applicable laws and regulations in the UK, as well as any other country and region they operated in.
IPVM’s director Conor Healy described the vulnerability at issue in Panorama’s test, found in 2017, as “a back door that Hikvision built into its products.” In response, Hikvision said its devices were not intentionally programmed with this flaw and stated that it released a firmware update to address the issue immediately after its discovery.
They added that Panorama’s test was not representative of devices that are operating today. However, Conor Healy said more than 100,000 cameras online worldwide were still prone to this issue.
Nevertheless, 11 seconds after Healy and Scanlan started attacking the security of the camera inside Broadcasting House, they gained access to the studio.
Next, the hackers accessed Dahua’s cameras by infiltrating the software that controlled them.
Soon they found the software vulnerability. They gained access to the system and could use it to eavesdrop.