21-03-2023 | By Paul Whytock
Chinese surveillance companies Hikvision and Dahua have the lion’s share of the UK CCTV market, with over 66% of public buildings using their cameras, and that includes security-sensitive government offices. In addition to that, a majority of higher education bodies in the UK also use Chinese-made CCTV.
So are millions of Chinese CCTV cameras viewing our daily lives? And bear in mind that many are manufactured by Chinese state-owned companies and therefore come under the control of the Chinese government.
But is it fair to say it’s only Chinese-made CCTV equipment that is a security risk to all of us? I don’t think so. CCTV cameras are not difficult to hack into, and I’ll explain that later on.
However, The US and UK governments are concerned about possible security leaks, and our government has decided that Chinese cameras should not be used in Government run establishments.
In response to this thinking, the UK government has, in a somewhat wishy-washy way, only advised departments not to use Chinese CCTV equipment and to consider removing them from sites dealing with information of national security importance.
Surely a better advisory would be to make the removal of CCTV cameras deemed a national security risk a mandatory requirement?
Back to my point that it is not only Chinese-manufactured CCTV equipment that could be a security risk; although, let’s face it, Chinese-made equipment could possibly supply that country’s security service with a direct listening post into the sensitive information of any country using such cameras.
How hackable are they? The answer, simply put, is that anything connected to the Internet can be vulnerable to hacking, but there are fundamental ways this can easily be avoided.
One of the most common lines of attack is via an IP address. Anyone wanting to break into CCTV cameras can start by simply looking for its IP address online and start logging in. But they’ll need a password. Easy. There is plenty of search engine software out there that can be used to obtain data that will allow the experimentation of possible passwords to gain system entry to the CCTV equipment itself or via the router system.
Ok, you’ll be thinking that experimenting with hundreds of different passwords is not the most efficient way of hacking into a camera. Still, the sad fact is that many CCTV systems are installed with the original default password settings, such as Admin123 are not amended to a more secure password known only to the organisation using the camera system. This half-hearted approach by operators makes life easy for hackers.
So that’s a simple method of system entry. Others are more challenging but exist. There is a coded system that allows admin-level access. What happens here is a system code weakness is identified and exploited by hackers, but fortunately, it is very often the case that manufacturers of CCTV equipment will become aware of this and issue a software update to solve this code weakness.
However, just like the lackadaisical approach of some organisations in not changing the manufacturers’ default password code, there are plenty of camera operators that either cannot be bothered to make sure system software updates are implemented or do not have a member of staff designated to do so.
It is fair to say this command code hacking approach was exploited in certain Chinese-manufactured CCTV equipment, but it’s also fair to say the companies involved quickly issued a software patch to resolve that system vulnerability.
Another method hackers used is the “who is the operator of this equipment”. Malicious actors will search and find user IDs. They can then re-configure the user ID to suit themselves and have full control of the system. Hackers often find user ID information by searching the emails and phone numbers used by the system operator when registering new equipment installations.
Those are just three fairly simple ways of hacking into any internet-enabled CCTV equipment. As already mentioned, there is no doubt that operators of cameras that have either an apathetic or ignorant approach to protecting the security of their organisation’s cameras are meat and drink to hackers.
So if a country wants to gain access to another country’s secret security information, any CCTV can be compromised, although it’s fair to say that Chinese intelligence services will have a fuller understanding of how and what is protecting its state-manufactured systems.