BBC Panorama Report finds 6 year old security flaw in Hikvision Cameras

A recent BBC Panorama investigation (video available here, with the segment on this story running from 11:57 to 20:48) has uncovered security vulnerabilities in cameras from two of the world’s leading manufacturers of surveillance equipment, Hikvision and Dahua, both of which are headquartered in China. The report reveals that these flaws could allow attackers to seize control of the devices, with grave security implications.

In an experiment set up by Panorama, a Hikvision camera in a darkened BBC studio in London was deliberately targeted, demonstrating how easily malicious threat actors could gain access to these cameras. The camera’s vulnerability allowed a hacker thousands of miles away to watch every keystroke made by an unsuspecting BBC employee, including his iPhone passcode. The hacker, who in this case worked in collaboration with the BBC for the study, remarked: “I own that device now – I can do whatever I want with that.”

This hacking experiment was conducted on a camera running firmware with a vulnerability dating from 2017. The flaw was characterised by Conor Healy, director of US-based IPVM (one of the world’s leading authorities on surveillance technology), as “a back door that Hikvision built into its own products”, something Hikvision denies. It is important to note that Hikvision has addressed this vulnerability and fixed the security flaw. The company has emphasised that the flaw was not intentionally programmed and that a firmware update was released promptly after it was made aware of the issue. Hikvision stated that the Panorama test is not representative of the security of devices currently in operation.

Despite this, Conor Healy suggests that potentially over 100,000 cameras worldwide which have not been properly managed and maintained could still be susceptible to this issue, raising concerns about their potential misuse. Cameras from Hikvision (among others) are widely used across the UK’s infrastructure, including power supplies, transport networks, private businesses and much more, and many now fear they are potential “Trojan horses” capable of causing significant disruption if they were targeted in a similar manner.

Hikvision and Dahua surveillance cameras are not just confined to the UK’s streets, but are also prevalent in government buildings. A quick survey by Panorama revealed Hikvision cameras outside the Department for International Trade, the Department of Health, the Health Security Agency, Defra, and an Army reserve centre, among many more throughout the UK. Concerns have been raised about these cameras’ potential threat to UK national security, but Hikvision has firmly rejected these allegations, stating that it has never conducted any espionage-related activities for any government worldwide.

Hikvision has issued a statement to partners saying that the camera used in the BBC Panorama investigation “was in fact supplied by, and compromised with the collaboration of IPVM, an organisation with a vendetta against Hikvision”. Further to this, the BBC Panorama report confirmed that the test camera was installed on a “test network, with no firewall & little protection”. It is important to state that at One2Call we always recommend network security and will work with businesses to help secure all of the devices on their network, not limited to CCTV solutions.

As part of Hikvision’s official statement to partners (which has since been released publicly), the company went on to state:

Hikvision’s conduct with regards to this vulnerability has followed all internationally accepted standards of best practice. When made aware of the vulnerability in March 2017, Hikvision patched it in less than one week. The vulnerability – and Hikvision’s patch – were subject to further scrutiny in the US with the then-Chairman of the US House of Representatives Small Business Committee noting in a public hearing that Hikvision’s work with the US Department of Homeland Security on this vulnerability meant that any continuing issues resulting from unpatched equipment would lie with ‘small businesses that do not engage with the government or the DHS regularly’.

Going further, the Deputy Assistant Secretary for the US Department of Homeland Security Office of Cybersecurity and Communications said they ‘worked with the company’ to resolve the problem and that ‘standard practice was followed’.

There is no reason to believe that circumstances would be any different in the UK. After all, the vast majority of public sector organisations have processes in place to respond to vulnerabilities and regularly update their firmware. It is virtually certain that every public sector organisation in the UK has patched its cameras since 2017 and therefore no reason to assume there is any risk today.

Dahua cameras were not exempt from similar security concerns. In a second test, hackers successfully infiltrated Dahua’s cameras by exploiting the software controlling them. Upon discovering this vulnerability last year, Dahua claimed to have carried out a comprehensive investigation and issued a firmware update to rectify the problem promptly, and dismissed allegations that its equipment could disrupt the UK’s critical infrastructure.

While both Hikvision and Dahua have addressed the issues raised in the BBC Panorama investigation, the UK’s surveillance camera commissioner, Prof Fraser Sampson, has warned against the potential risks of what he terms “digital asbestos”. The pervasiveness of surveillance cameras across the UK, coupled with their demonstrated vulnerabilities, underscores the need for more robust security measures to protect the nation from potential cyber threats. When asked if he trusts Hikvision and Dahua, he responded: “Not one bit.” At One2Call we believe it is important that cameras used throughout the UK are regularly maintained, updated and protected by the necessary network security measures against attacks.

At One2Call, we believe it is important to stress that the investigation conducted by BBC Panorama was carried out on a “test network, with no firewall & little protection” and was based on Hikvision camera firmware from 2017, which was patched as soon as Hikvision was made aware of the issue.

At One2Call we specify, install, manage and maintain Hikvision security cameras for customers across the UK, including their network security. Before every camera leaves our offices we ensure it is updated with the latest firmware, so any camera installed since this security flaw was discovered is protected from this type of attack, and we will work with businesses to ensure that their network security is also set up to protect these devices from targeted attacks. Many of our customers also have CCTV maintenance agreements in place for their systems and ongoing IT Support Contracts with us; as such, all cameras and systems are updated regularly with the latest available firmware, and we work with those customers to ensure that their network security is designed to protect all devices on their network from targeted attacks. We will also work with businesses that do not have active maintenance contracts, even if you are not an existing customer, to make sure they are aware of the security flaw and put measures in place to protect against this type of attack, including ensuring that your cameras and network security are designed to protect your business. We can also work with your business to conduct a complete Cyber Security Assessment to help you understand whether you could be vulnerable to other forms of cyber attack.
