Hikvision and Dahua lead the world in the production of surveillance cameras, but deficiencies have recently been discovered in their security systems.

With the help of a hacker, BBC Panorama conducted an investigation to test the security of these Chinese-made surveillance cameras, with the results being even more grim than we thought.

These two Chinese brands compose the majority of security cameras used in the UK - from houses and privately-owned properties to local councils and government-related establishments. 

(Photo : PIERRE-PHILIPPE MARCOU/AFP via Getty Images)
An employee of the European multinational information technology service and consulting company, Atos, is pictured at the company's cybersecurity centre for the 2024 Olympic Games in Madrid, on April 24, 2023.

Demonstrating the Infiltration

BBC Panorama recently ran an investigation regarding the reliability of these Chinese-made surveillance cameras. Through a joint effort with a hacker, BBC set up a darkened studio inside its Broadcasting House in London and acted swiftly. 

Starting with a demonstration of how these hackers can hack them, an oblivious BBC employee was the unlucky target. Even in the darkened studio, the hacker can see everything he does through the lens of a hijacked security camera. 

Personal things, such as entering his phone's passcode, the interior of his surroundings, and everything he's typing on the laptop. Every single action the employee takes is seen and monitored by the hacker. 

Read Also: What Is Ethical Hacking? Here's How It Helps Make Blockchain More Secured

Risks and Caution

UK's Biometrics and Surveillance Camera Commissioner, Professor Fraser Sampson, warned that the crucial infrastructure in the country, including access to clean food and water, transport networks, and power supplies, is vulnerable.

"All those things rely very heavily on remote surveillance - so if you have an ability to interfere with that, you can create mayhem, cheaply and remotely," Sampson said.

Charles Parton, a fellow at Royal United Services Institute (RUSI) and a former diplomat who worked in Beijing, seemed to agree and said: "We've all seen the Italian Job in our youth, where you bring the whole of Turin to a halt through the traffic light system. Well, that might have been fiction then, it wouldn't be now."

Having all this heat on their backs, Hikvision refuted the claims and told BBC Panorama that their products and services contain no malware that makes it possible to infiltrate the privacy of any customer, regardless if they may be the public or the government. 

"Hikvision has never conducted, nor will it conduct, any espionage-related activities for any government in the world," the company said, adding that its "products are subject to strict security requirements and are compliant with the applicable laws and regulations in the UK, as well as any other country and region we operate in."  

Following the statement, BBC Panorama formed and operated a collaboration with US-based IPVM, one of the world's leading surveillance technology authorities, to know whether or not Hikvision's camera security system can be remotely exploited and invaded from a studio. 

For safety reasons, Panorama managed the experiment in a separate place, working with a computer with little to no software protection. Shockingly, the team found a weakness and is deemed a "backdoor" vulnerability that hackers can exploit.

Director Conor Healy of IPVM portrayed this as something Hikvision deliberately ingrained in their products for espionage reasons. However, Hikvision said its products do not have a "backdoor" and did not program this flaw deliberately, and believed that almost all local authorities using their gadgets would have updated their cameras long before now.

Panorama then ended their experiment on Hikvision here. For Dahua, the cooperating hackers got into the system fairly quickly, lasting about 11 seconds before the cameras were invaded. 

Upon being notified of the vulnerability, Dahua asserted that it took immediate action by conducting a thorough investigation and promptly resolving the issue through firmware updates.

According to the company, it was not affiliated with any state entity and emphasized that its equipment was incapable of interfering with the critical infrastructure of the UK. 

Dahua strongly refuted the allegations, deeming them false and asserting that they present a distorted and misleading portrayal of Dahua Technology and its product line.

Despite these claims, experts argue that the UK must take further measures to safeguard itself against the use of Chinese technology, which Sampson described as "digital asbestos."

With the installation of previous-generation equipment primarily driven by affordability and functionality, realizing its inherent risks has raised concerns. In light of this, the question arises: what steps should be taken to address this situation?

When asked about his trust in Hikvision and Dahua, Sampson expressed his lack of confidence, stating that he trusts them "not one bit." That highlights the need for increased scrutiny and precautions in dealing with these Chinese companies and their products.

Related Article: Suspecting Over Your Webcam Security? Here's How to Tell If It Has Been Hacked