Hikvision and Dahua have been blacklisted in the U.S. and UK, not only due to fears their products may contain spyware, but also concerns over their involvement with ongoing human rights abuses in Xinjiang. (Photo: VCG/VCG via Getty Images)
More than 900 units of surveillance equipment, built by companies linked to the Chinese Communist Party (CCP) and implicated in the mass surveillance of Uyghur minorities in Xinjiang, have been uncovered at government locations across Australia. An audit of surveillance equipment, conducted by Australian Shadow Minister for Cyber Security James Paterson discovered Chinese government-linked cameras and security gear installed at more than 250 Commonwealth buildings in Australia, including Defence and Foreign Affairs offices. Federal government officials acknowledged on Thursday that the cameras posed a potential security problem, and have committed to having them ripped out.Paterson said the Commonwealth was “riddled” with the units, many of them manufactured by controversial Chinese companies Hikvision and Dahua, two of the world’s largest manufacturers of video surveillance products. Both companies are part-owned by the CCP, who can compel them under Chinese state security laws passed in 2017 to hand over any data they store. The same laws have raised concerns around data security at TikTok, owned by Chinese parent company ByteDance.Hikvision and Dahua have also been blacklisted in the U.S. and UK, not only due to fears their products may contain spyware, but also concerns over their involvement with ongoing human rights abuses in Xinjiang.
The discovery of the cameras further adds to the wave of scrutiny currently placed on Chinese surveillance equipment in recent days, after an alleged spy balloon was found floating above the U.S. state of Montana, which is home to a number of sensitive military sites. A U.S. F-22 fighter jet shot the balloon down on Saturday afternoon.
U.S. government officials have previously described Hikvision as having “provided thousands of cameras that monitor mosques, schools, and concentration camps in Xinjiang,” and noted both Hikvision and Dahua are involved in “the implementation of China’s campaign of repression, mass arbitrary detention and high-technology surveillance.”Hikvision’s largest shareholder, the China Electronics Technology Group Corporation, has also supplied Xinjiang state authorities with military-style surveillance systems, facial-recognition ethnic profiling systems, and a program that flags people deemed potentially threatening to police.UK lawmakers have similarly called for a ban on the sale and use of security cameras made by Hikvision and Dahua. The British government instructed its departments in November to stop installing the companies’ surveillance equipment at sensitive buildings, citing security risks. A Hikvision spokesperson stated that it’s “categorically false” to represent them as a threat to national security.
“No respected technical institution or assessment has come to this conclusion,” a spokeswoman said, adding that the company can’t access end users' video data and therefore cannot transmit it to third parties.Beyond concerns around their links to the Chinese government, products made by both firms have also been flagged for their apparent security vulnerabilities. In 2020, the Lithuanian National Cyber Security Centre identified 61 points of vulnerability in Hikvision and Dahua cameras, and revealed that units in Lithuania had been sending data to Russian servers and were remotely accessible to their manufacturers. In 2021, researchers at Watchful_IP, a network of experts offering cyber equipment security assessments, further discovered that Hikvision cameras had a critical vulnerability that allowed attackers to gain full control of the device remotely.Hikvision has since released a patch to fix the vulnerability—but as of August 2022, tens of thousands of systems across 100 countries had still not applied the update.Matthew Warren, director of the Centre for Cyber Security Research and Innovation at Melbourne’s RMIT University, told VICE World News that the surveillance equipment poses a serious concern.
“It’s a major issue that these cameras have limited security and can be accessed remotely,” he said. “These low-cost cameras would have been chosen with cost being a major factor in [the] decision-making process. This just highlights that security considerations were not a key factor.”The cameras were found in almost every Australian government department. At least one surveillance system is in operation at a Department of Defence site, and is in the process of being removed, while the Department of Foreign Affairs and Trade identified at least 28 potentially affected sites. Paterson further raised concerns that Hikvision and Dahua units may be inside Parliament House. The Australian War Memorial in Canberra announced on Wednesday that it too would remove almost a dozen Hikvision surveillance cameras over concerns they could be used for spying. Australia’s National Disability Insurance Agency has similarly pledged to replace more than 130 cameras in the first quarter of this year, since discovering Chinese government-linked equipment operating at their offices in Melbourne.
“Given the deployment of these cameras at sensitive sites,” researchers at Watchful_IP said in 2021, “potentially even critical infrastructure is at risk.” Follow Gavin Butler on Twitter.
Advertisement
The discovery of the cameras further adds to the wave of scrutiny currently placed on Chinese surveillance equipment in recent days, after an alleged spy balloon was found floating above the U.S. state of Montana, which is home to a number of sensitive military sites. A U.S. F-22 fighter jet shot the balloon down on Saturday afternoon.
U.S. government officials have previously described Hikvision as having “provided thousands of cameras that monitor mosques, schools, and concentration camps in Xinjiang,” and noted both Hikvision and Dahua are involved in “the implementation of China’s campaign of repression, mass arbitrary detention and high-technology surveillance.”
Advertisement
“No respected technical institution or assessment has come to this conclusion,” a spokeswoman said, adding that the company can’t access end users' video data and therefore cannot transmit it to third parties.Beyond concerns around their links to the Chinese government, products made by both firms have also been flagged for their apparent security vulnerabilities. In 2020, the Lithuanian National Cyber Security Centre identified 61 points of vulnerability in Hikvision and Dahua cameras, and revealed that units in Lithuania had been sending data to Russian servers and were remotely accessible to their manufacturers. In 2021, researchers at Watchful_IP, a network of experts offering cyber equipment security assessments, further discovered that Hikvision cameras had a critical vulnerability that allowed attackers to gain full control of the device remotely.
Advertisement
“It’s a major issue that these cameras have limited security and can be accessed remotely,” he said. “These low-cost cameras would have been chosen with cost being a major factor in [the] decision-making process. This just highlights that security considerations were not a key factor.”The cameras were found in almost every Australian government department. At least one surveillance system is in operation at a Department of Defence site, and is in the process of being removed, while the Department of Foreign Affairs and Trade identified at least 28 potentially affected sites. Paterson further raised concerns that Hikvision and Dahua units may be inside Parliament House. The Australian War Memorial in Canberra announced on Wednesday that it too would remove almost a dozen Hikvision surveillance cameras over concerns they could be used for spying. Australia’s National Disability Insurance Agency has similarly pledged to replace more than 130 cameras in the first quarter of this year, since discovering Chinese government-linked equipment operating at their offices in Melbourne.
“Given the deployment of these cameras at sensitive sites,” researchers at Watchful_IP said in 2021, “potentially even critical infrastructure is at risk.” Follow Gavin Butler on Twitter.