
About a million Chinese video surveillance cameras in Ukraine transmit information to servers of Chinese companies. In the USA, they are prohibited due to a threat to national security - Schemes


In Ukraine, about a million Chinese cameras record everything that happens on Ukrainian streets and yards, in businesses and factories. However, the information from them goes to Chinese servers, and Chinese companies are obliged to provide the state with all the information it deems necessary for "counterintelligence activities". In addition, these cameras themselves have a lot of vulnerabilities - in other words, they are very easy to hack.

From Russian cameras to Chinese ones. Recently, Schemes (a project of Radio Liberty) reported that thousands of video surveillance systems with Russian Trassir software across Ukraine, installed on city streets, at public and private facilities, could have been transmitting data to servers in Moscow for years, Censor.NET reports.

However, in addition to the dangerous Russian technology, Chinese-made cameras are used even more widely in Ukraine. The first place in terms of prevalence is occupied by the products of the Chinese company Hikvision. Dahua, also from China, is in second place. Imports of both companies' products to the US are banned because they "threaten national security".

In Ukraine, they are listed as "international sponsors of war". However, Chinese video surveillance systems are not banned from sale and continue to operate throughout Ukraine. Because they are comparatively cheap, Ukrainians widely prefer them for domestic use. They are also widespread in state security systems, in particular in the Safe City system.

Why could this be dangerous, especially in the context of a major war with Russia? Together with IT specialists, Schemes ran an experiment, which showed that cameras connected to the Internet transmit information to servers controlled by the Chinese manufacturer.

Can official Beijing really have access to a video stream from Ukrainian cities, strategic enterprises, and frontline settlements? Can it transmit it to Moscow? The Schemes experiment also demonstrated how vulnerable these cameras are to external hacker attacks aimed at accessing personal data and classified information.

The Chinese tech giant Hikvision produces approximately 20% of all video surveillance cameras in the world, while Dahua produces 10%. Devices from these manufacturers are used all over the world - in China, Russia, the US, the EU, and other countries - primarily because of their relatively low cost. There are hundreds of thousands of them in Ukraine.

Mentions of purchases of Chinese cameras and software on the Ukrainian market can be found at least since 2006. They are installed by both state-owned enterprises and private companies, as well as by ordinary Ukrainians who install video surveillance at home to remotely monitor the security of their homes.

Schemes decided to conduct an experiment together with experts from specialized organizations - the Computer Forensics Laboratory and the Digital Security Laboratory. For this purpose, they took Chinese Hikvision and Dahua cameras of different types and production periods - 2015, 2019, and 2023. This is because manufacturers are constantly changing their technical equipment. Models produced a few years earlier, as the experiment showed, are more vulnerable. That is, those that send information to the Chinese manufacturer's servers can be more easily subjected to hacker attacks.

Hikvision, 2015

Hikvision surveillance camera

When this camera was connected to the internet, it immediately began to connect to its servers. A service that de-anonymizes IP addresses - that is, links them to a physical address - revealed that the servers are located in Ireland and owned by Amazon, a US company. The Chinese company Hikvision leases these servers to allow users to stream and store video. Hikvision has full control over these servers as a camera and software manufacturer.

IP addresses of Hikvision servers

"In principle, it is standard practice for cameras to connect to their servers to register and transmit data. However, the user must understand that the security of such a connection rests with the manufacturer and how secure this connection is, as well as who can use this information and how. And here it is a question of whether you trust the Chinese developer or not," explains Ivan Antoniuk, an expert at the Digital Security Lab.

Dahua

Dahua surveillance camera

"When this camera is connected to the phone via the Internet, we see that it automatically starts sending encrypted information, namely its registration data, as well as the user's login and password, to the servers controlled by Dahua in encrypted form," comments Serhii Denysenko, Executive Director of the Computer Forensics Laboratory. "The video stream also goes through the servers."

As the experiment revealed, these are Easy4ipcloud servers owned by the American Zenlayer and the Chinese uCloud and located in Germany. Accordingly, these servers are leased by the Chinese manufacturer Dahua.

Servers used by Dahua cameras

It is noteworthy that when the device was disconnected from the network, it still continued to try to transfer data.

Where Dahua cameras send data

"We see that even when the user wants to disconnect the connection to the Dahua cloud service (where the video can be stored - ed.), the connection still continues and the information continues to be transmitted via the Internet to the servers leased by Dahua. And although the information is encrypted, I believe that for the manufacturer and developer of these cameras, decrypting such information will not be a problem. And this is precisely the security risk for the user, which the manufacturer did not inform them about," emphasizes Serhii Denysenko.

Hikvision, 2023

Hikvision surveillance camera, 2023

The camera, manufactured in September 2023, is more secure than older devices, according to experts who have tested it. For example, it does not allow you to set a simple password, so the password is more difficult to crack.

"The software of an older Hikvision camera does not require the user to create a complex and more secure password - the conditional "1234567890" will do and will be accepted by the system. Instead, the 2023 software already requires you to come up with something more complex using different characters," emphasizes Ivan Antoniuk, an expert at Digital Security Lab.

During the experiment, the 2023 camera did not immediately transmit device or user information or other registration data when connected to the network, as was the case with older models. But when the user connects to the cloud storage via the Internet, the video stream still goes to the manufacturer's servers.

"This new device is already much more secure. But we can see that when it connects to the network and connects to the cloud service, it also sends information to servers leased by Hikvision, in particular, to Amazon servers. They are signed as Hik-Connect," says Serhii Denysenko, Executive Director of the Computer Forensics Laboratory.

Servers used by Hikvision surveillance cameras, 2023

Amazon's servers are owned by the eponymous large company headquartered in the United States. The US firm provides services to Chinese companies, citing the fact that it "complies with the laws in the countries where it does business".

As the experiment with the camera continues, Denysenko continues to analyze what he sees on the computer screen: "In addition, part of the encrypted information from the camera goes to the Chinanet server in China using the IP address we see on the screen."

Encrypted information from a Hikvision camera going to a Chinanet server in China

Chinanet is the server of the state-owned Chinese company China Telecom, which is one of the leaders in the Chinese Internet services market.

"Our experts are convinced that using such a service, access to cameras can be easily gained by the manufacturer's representatives if necessary. Also, given the current relations between China and Russia, this may pose certain security risks," says Serhii Denysenko, Executive Director of the Computer Forensics Laboratory.

"Safe City"

The fact that the software manufacturer still retains the ability to access any device connected to the Internet is the main risk, according to the Computer Forensics Laboratory.

The key safeguard is to use devices without the Internet, in an isolated local area network, but this is mostly available to private businesses or government agencies, not to household users. According to the Ministry of Internal Affairs, the Safe City system is such a network. Safe City is based on Hikvision and Dahua cameras and software, but the closed network prevents information from being sent from the devices to the manufacturer's servers.

"There are about 24,000 Dahua and Hikvision cameras in video surveillance systems like the Safe City system, which are managed and owned by local authorities. This is the number of cameras that the central executive authorities of the Ministry of Internal Affairs have access to. This is 74% of all cameras in this category. The existing products of Dahua and Hikvision were purchased by the units of the Ministry of Internal Affairs before the full-scale invasion," the Ministry of Internal Affairs said in response to a request from Radio Liberty.

Street surveillance cameras

The agency added that "to eliminate the risk of information leakage to China, video surveillance systems are located in a closed local area network without the ability to access the public Internet, and in some cases, access is configured only to specific addresses (ACL) with encryption."
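The closed-network setup described above can be checked from flow logs. The following audit is an added example, not part of the original article or of any agency's tooling: it flags camera traffic that falls outside the permitted addresses, separating attempts the firewall blocked from traffic that actually left the network. The camera subnet, the ACL entries, the log format and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed camera VLAN
# Assumed ACL: the only (destination, protocol, port) tuples cameras may reach.
ACL = [
    (ipaddress.ip_network("10.20.0.10/32"), "tcp", 554),  # local recorder, RTSP
    (ipaddress.ip_network("10.20.0.1/32"), "udp", 123),   # local NTP
]

# Constructed flow log: time, source, destination, protocol, dest port, bytes, action.
# External addresses come from the documentation ranges, not from real servers.
SAMPLE_FLOWS = """\
2024-01-10T08:00:01Z 10.20.0.21 10.20.0.10 tcp 554 1830211 ALLOW
2024-01-10T08:00:02Z 10.20.0.21 10.20.0.1 udp 123 96 ALLOW
2024-01-10T08:00:05Z 10.20.0.21 203.0.113.40 tcp 443 5120 DENY
2024-01-10T08:00:35Z 10.20.0.21 203.0.113.40 tcp 443 5120 DENY
2024-01-10T08:01:10Z 10.20.0.22 198.51.100.7 tcp 8800 904113 ALLOW
2024-01-10T08:01:12Z 10.20.0.22 10.20.0.10 tcp 554 2210944 ALLOW
2024-01-10T08:02:00Z 10.30.0.5 198.51.100.7 tcp 443 1200 ALLOW
malformed line
"""


def parse_flows(text):
    """Yield flow dicts; skip lines that do not have the seven expected fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, dst, proto, dport, nbytes, action = parts
        try:
            yield {
                "ts": ts,
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "proto": proto.lower(),
                "dport": int(dport),
                "bytes": int(nbytes),
                "action": action.upper(),
            }
        except ValueError:
            continue  # unparsable address or number


def permitted(flow):
    """True if the flow matches an ACL entry on destination, protocol and port."""
    return any(flow["dst"] in net and flow["proto"] == proto and flow["dport"] == port
               for net, proto, port in ACL)


def audit(text):
    """Return {camera_ip: {"leaked": [...], "blocked": [...]}} for off-ACL traffic."""
    report = defaultdict(lambda: {"leaked": [], "blocked": []})
    for flow in parse_flows(text):
        # Only cameras are in scope; traffic matching the ACL is expected.
        if flow["src"] not in CAMERA_NET or permitted(flow):
            continue
        # ALLOW on an off-ACL flow means the filter has a gap and data left.
        bucket = "leaked" if flow["action"] == "ALLOW" else "blocked"
        report[str(flow["src"])][bucket].append(
            (str(flow["dst"]), flow["proto"], flow["dport"], flow["bytes"]))
    return dict(report)


if __name__ == "__main__":
    for cam, result in sorted(audit(SAMPLE_FLOWS).items()):
        for dst, proto, port, nbytes in result["leaked"]:
            print(f"{cam}: ACL GAP {proto}/{port} -> {dst} ({nbytes} bytes left the network)")
        for dst, proto, port, _ in result["blocked"]:
            print(f"{cam}: blocked attempt {proto}/{port} -> {dst}")
```

Repeated blocked attempts show a camera still trying to reach an outside server, while any "leaked" entry means the filtering itself needs fixing.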

Hacker attacks

At the request of Skhemy, cybersecurity experts also tested the devices for vulnerability to hacker attacks. A specialist from the Computer Forensics Laboratory simulated the process of "hacking" one of the Hikvision cameras. It took him about 15 minutes.

"With the help of special software, we can see that a hacker can quickly access CCTV cameras. If the camera has inadequate security settings (for example, no complex passwords, open Internet connection, unsecured routers), the attacker can both monitor what the camera is recording and store this information for further action," explains IT specialist Serhii Denysenko.

The simulated process

This, experts say, happened on 2 January 2024, the day of the massive Russian attack on Ukrainian cities.

A damaged building in Kyiv after the massive attack of 2 January 2024

At the time, the SBU reported that it had found cameras in the capital installed on private houses that broadcast the work of Ukrainian air defense and the location of critical infrastructure. These are surveillance cameras that, according to the security services, were hacked by Russian special services.

As Schemes has learned from sources in law enforcement, one of the cameras was a 2016 Hikvision, which ran entirely on native Chinese software. The special service seized the devices.

A Hikvision camera compromised by hackers

"Such cameras are usually simply connected to the Internet and are already relatively outdated, i.e. with software that has not been updated for a long time and has many known vulnerabilities. This includes the use of basic access software provided by the manufacturers of the cameras themselves. And hackers or, in this case, Russian special services, scanning the Internet, find this camera and gain access to it," explains Denysenko.

During the full-scale invasion, according to the SBU, they managed to block more than 10,000 CCTV cameras that could have been used by Russian special services for espionage.

However, there are still hundreds of thousands of such cameras in Ukraine. The world, meanwhile, is aware of all these risks and is already banning the use of these Chinese products.

How the West is gradually banning Chinese cameras

In 2021, the Federal Communications Commission (FCC), the US telecoms regulator, designated five Chinese companies as threats to US national security. Hikvision (full name Hangzhou Hikvision Digital Technology) and Dahua (full name Zhejiang Dahua Technology) are on the list.

Two years earlier, in 2019, the administration of then-US President Donald Trump put Hikvision on the sanctions list and subsequently banned the installation of the company's products at government facilities. Similar restrictions were later imposed in other countries.

"The first rejection of Chinese video surveillance systems in the US began in 2018 when Dahua and Hikvision cameras were banned from federal procurement and use by federal contractors," says Conor Healy, director of the US-based Internet Protocol Video Market (IPVM), which researches security issues and examines video surveillance technologies, including those made in China. "The only other country I know of that has completely banned their use for government purposes is Taiwan. There are various examples in the UK and Australia where Dahua or Hikvision cameras have been withdrawn from circulation for security reasons. Some regional authorities in the UK have banned them, and the country itself has banned them from 'sensitive sites' run by the government, but they have not yet implemented a full national ban."

In 2022, the FCC banned all imports or sales of Dahua and Hikvision products - even to private users - but this only applies to new products, not those already on sale in the US. The US National Institute of Standards and Technology regularly reports on new vulnerabilities it has found that allow access to devices, including Hikvision and Dahua products, from cameras and DVRs to intercoms. The latest report is from December 2023.

One of the main reasons is that the Chinese authorities, by their legislation, have obliged companies to provide the state with all information that it considers necessary for counterintelligence activities.

"China's current legislation, especially the one that was updated in 2023, obliges absolutely all citizens of the country to collect intelligence and pass it on to the state. We have seen that the so-called counter-espionage law has been strengthened, according to which the entire Chinese nation must be mobilized to serve China's national security interests. And as for tech companies, they are the central organizations that transmit information," says Artur Kharytonov, head of the Liberal Democratic League of Ukraine, an NGO that monitors Chinese policy. He is also the main coordinator of the Free Hong Kong Centre project, which monitors China's influence.

However, an analysis of the structure of these companies shows that the state is a co-owner in both.

The largest share in Hikvision - almost 37% - according to Bloomberg as of 2023, belongs to CET Hik Group, which in turn is 100% owned by the state-owned China Electronic Technology Corporation Group (CETC). CETC is also known for its involvement in China's defense industry, including the development of radars, electronic warfare systems, and UAVs.

The head of Hikvision, Zong Nian Chen, has also worked for the state-owned CETC since 1986 and was a member of the Communist Party of China and served as party secretary until at least 2022. Previously, the company's chairman's affiliation with the Communist Party of China was also mentioned in Hikvision's reports, but, for example, journalists did not find any mention of it in the documents for 2022.

The situation is similar with Dahua, where the state-owned China Mobile has a significant share of almost 9%, although the largest co-owner and director of the company is Chinese billionaire Fu Likuan.

"You need to understand that companies in the People's Republic of China are companies that are closely linked to the Communist Party of China. That is, there is no large, completely independent business in China - and this is not my subjective assessment - but the requirements of their legislation. In other words, their legislation directly provides for the active involvement of the Communist Party, ranging from the so-called "golden shares" to other forms of government influence directly on private business. That is, this is not even a policy of private business, it is, in fact, the policy of the state," explains Agiya Zagrebelska, head of the NACP's Corruption Risk Mitigation Department.

Moreover, in 2022, the United States recognized both Dahua and Hikvision, as well as their state-owned co-owners China Mobile and CETC, as Chinese military companies.

Another important factor behind Western countries' bans on Chinese manufacturers of video surveillance systems was that Hikvision was described as tangentially involved in the genocide of the Uyghurs in China (a Turkic-speaking people who mostly live in western China - ed.). The BBC investigation stated that it was the devices and software of these manufacturers that helped the Chinese communist authorities identify and track people on religious grounds, which subsequently led to imprisonment in concentration camps.

China-Russia

Due to the long-standing and close cooperation between China and Russia, there is a risk that information from Chinese devices, which are widely used both in Ukraine and other countries, could be transferred to Russia. This has also been repeatedly reported by foreign media.

"Of course, they exchange information, we understand that. Because there is a huge system of Russian-Chinese security agreements. They are signed several times a year at least. The latest, most ambitious agreements were signed during Xi Jinping's visit to Moscow, and in October 2023, Putin visited Beijing, where agreements were also signed on certain obligations on both sides. But now China understands the risks of open cooperation with Russia and, as we can see, partially conceals its actions so that it does not interfere with their "expansion campaign" to promote their products on the global market," Artur Kharytonov emphasizes.

Xi Jinping and Vladimir Putin

Although China publicly declares its neutrality in relation to the Russian-Ukrainian war, the two countries' military cooperation is evidenced by joint military exercises and statements about "deepening cooperation", as well as regular visits by the Secretary of the National Security Council Nikolai Patrushev to China, where he met with the then Chinese Minister of Security.

In addition, China remains the largest supplier of sanctioned products to Russia, including electronics, which are subsequently used in Russian military equipment, radios, and missiles. According to Reuters' Beijing bureau, in 2023, the total value of imports and exports between Russia and China reached a record $240 billion, up almost a quarter from the previous year.

"China supports Russia and does not want Russia to lose in any meaningful way. I certainly don't see them as being neutral. They are trying to take advantage of the war in Ukraine," says Reinhard Bütikofer, a leading MEP who heads the delegation on China.

A 2023 US intelligence report states that "Beijing has employed a variety of economic support mechanisms for Russia that mitigate both the impact of Western sanctions and export controls by increasing imports of Russian energy exports, including oil and gas supplies diverted from Europe. China has also significantly increased the use of its currency, the renminbi, and its financial infrastructure in commercial relations with Russia, allowing Russian companies to conduct financial transactions unrestricted by Western bans. China is also becoming an increasingly important pillar for Russia in its military efforts, likely supplying Moscow with key dual-use technologies and equipment used in Ukraine."

Given this alliance, could China share information from Ukrainian cameras with Russia?

"I think China is capable of using its technology to transfer information to Russia. The technical side of the issue is the expertise of specialists. But, according to the concerns of specialized organizations in Italy, Britain, the United States, etc., the Chinese have this capability. There is also a contractual basis for this - the establishment of a "military fraternity" between China and Russia and the relevant infrastructure - the presence of the Chinese Ministry of State Security in Moscow," says Kharytonov of the Liberal Democratic League of Ukraine.

International sponsors of the war

Hikvision and Dahua, according to the Schemes' analysis, are actively filling the Russian state budget with taxes, some of which go from the aggressor country's budget to finance the war against Ukraine. In particular, according to Russian registers, in 2022, the net profit of the official representative office of Hikvision in Russia increased more than 15 times compared to the previous year. Of this money, almost 400 million rubles were paid in taxes.

The official representative office of Dahua in Russia paid more than 70 million rubles in taxes in 2022.

It is because of this trade and the supply of dual-use products that the Ukrainian National Agency for the Prevention of Corruption added Hikvision and Dahua to the list of "international sponsors of war" in 2023.

"The most understandable criterion for including companies in this list is the payment of significant taxes to the Russian state budget, everything is obvious and clear here, every penny paid to the Russian budget is a penny that goes to war. Also, these are companies that supply some important components or products to Russia," explains Agiya Zagrebelska.

In the same year, 2023, the Antimonopoly Committee clarified that Ukrainian state customers of video surveillance systems can refuse suppliers offering products from manufacturers on the list of "International Sponsors of War", but this is at their own discretion.

"At the moment, this is only possible if the customer has specified in the tender documentation that he does not want to buy products from companies on the list of International Sponsors of War. If a company that offers it comes to the tender, it will be able to reject it, but if these rules were not written down, there will be no right to reject it," Zagrebelska explains the mechanism of influence of the list of "International Sponsors of War" on public procurement.

Distributors

Three companies are considered the largest distributors of Hikvision products in Ukraine. These are Viatek, NPO Infotech - they are listed on the Chinese manufacturer's official website - and Svit Kamer (World of Cameras). All three companies are connected through their owners.

According to Importgenius, these firms work directly with the Chinese manufacturer Hikvision. Between 2014 and 2022, they imported about a million cameras from this manufacturer into the country.

Back in 2018, Nashi Hroshi published an investigation into how Ukrainian suppliers are helping to "build an artificial monopoly" on street video surveillance in Kyiv for a specific manufacturer, Hikvision, through public procurement. Among them are Viatek and NPO Infotech.

In 2023, Svit Kamer was already included in the list of companies that the Bureau of Economic Security considers to be involved in the embezzlement of budget funds during the construction of a video surveillance system in Kyiv. The investigation into this case is ongoing. The company did not comment on these allegations.

Another firm, Engineering-Analytics, mainly promotes Chinese products in Ukraine for large state customers. For example, this company has installed and maintained large state-owned video surveillance systems in Kyiv, Odesa, Lviv, Cherkasy, Rivne, Lutsk, Kropyvnytskyi, Dnipro, and other cities of Ukraine, and cooperates with various units under the Ministry of Internal Affairs, from police to border services.

The largest distributor of Dahua cameras in Ukraine is the company "Trading House of Video Surveillance Systems", which, according to Importgenius, supplied more than 1 million video surveillance devices from 2016 to 2023. This company is also linked to the aforementioned Viatek and Svit Kamer firms through its management and owners, but in April 2023, the company ceased operations.

Schemes asked the companies in question for comment to clarify whether they were aware of the ban on these devices in other countries and the risks of transferring user data to China and, possibly, to Russia.

There are already several Ukrainian customers who are canceling contracts and refusing to buy Dahua and Hikvision products because of their status as "international sponsors of war". One of the first was the Zolochiv village council in the Kyiv region, which, in particular, cited the recommendations of the Ministry of Digital Transformation of Ukraine regarding Hikvision devices:

"The use of Hikvision equipment in integrated video surveillance systems poses threats of critical vulnerabilities and shortcomings in the organization of system use, as such equipment has several technical shortcomings (problems with the IP camera firmware, vulnerabilities of DVRs for unauthorized access, critical vulnerabilities of global cloud services, etc.)."

The Ministry of Internal Affairs also assures that "after these companies are included in the list of 'International Sponsors of War', the Ministry of Internal Affairs does not recommend or approve the relevant procurement". And they say they are already working to replace the devices.

"To centralize all existing video surveillance systems, the Ministry of Internal Affairs has developed a relevant draft law of Ukraine "On a Unified System of Video Monitoring of Public Security", which is currently before the Verkhovna Rada of Ukraine. The system is expected to be built on software purchased for the MIA in 2021 as part of the Safe Country project. The manufacturer of the software solution is Ukraine and Israel," the Ministry said in a response to Radio Liberty's request.

In Ukraine, the State Special Communications Service has a structure called the Computer Emergency Response Team of Ukraine, or CERT-UA. On its official website, it publicly writes about technical vulnerabilities found in various devices from foreign companies, such as Cisco, Microsoft, Apple, and others. But there is no mention of Hikvision or Dahua. Schemes sent a request to the agency asking whether such checks had been conducted on devices from these two Chinese manufacturers.

The journalists also sent inquiries to Hikvision and Dahua with questions about security for users who have such devices, as well as about cooperation with Russia. The editors are waiting for a response.

Given the steps taken by some government agencies in Ukraine to either replace Chinese devices or make them more secure, for example, by creating a local closed network, cybersecurity experts advise ordinary consumers who have such a camera at home to at least change the factory security settings and use complex and additional passwords. They also point out that the Chinese manufacturer reserves direct access to information from the devices as soon as the camera is connected to the Internet. This was shown by an experiment conducted by Schemes together with IT specialists.

Separately, journalists sent inquiries to the Office of the President, the Cabinet of Ministers, the Security Service of Ukraine, and the National Security and Defence Council to find out what the state's vision is regarding the circulation of hundreds of thousands of Chinese cameras in the country, information from which could be transmitted to the Chinese authorities, and from there, possibly, to Russia. Is there a plan to gradually phase out and remove Chinese technology from Ukraine? The editors are waiting for an answer.