Chinese Camera Ban Not About Cyber Security

The Australian government’s recent Chinese camera ban not about cyber security.

Chinese Camera Ban Not About Cyber Security – A recent ban on Chinese cameras and video intercoms by some Australian government departments, which began with the announcement 11 last-gen Hikvision cameras would be removed from Australia’s War Memorial in Canberra, and has extended to the offices of some Australian MPs, poses more questions for security installers and end users than it answers.

Is the decision based on geopolitical considerations? Have new threats been discovered in these last-gen cameras and intercoms from Hikvision and Dahua, most of which were due for replacement anyway? Are some government networks not considered secure enough to allow IT experts to monitor network and sub-net activity in a way that satisfies assessment of risk? Are the moves simply a reaction to criticism from the federal opposition? Are IP cameras even capable of carrying ‘spyware’, as Liberal Senator James Paterson recently asserted?

The signalling from government around the move has been confused. Senator Paterson stated government offices were “riddled” with spyware-infected Chinese CCTV cameras. Australian War Memorial Chief Kim Beazley said no new risks had been found and the move was predicated on an “abundance of caution”. Foreign Minister Penny Wong said the cameras were not connected to the internet, or any government data network, and were not considered a cyber security threat.

Professional CCTV Network Topology

Since what some experts considered a password-free engineering hack was found between firmware layers in Hikvision cameras around 5 years ago, CCTV cameras manufactured in China have been squeezed from Australian federal government contracts, despite the fact no Chinese-made video surveillance camera in Australia (or anywhere else in the world) has been found transmitting video streams to the Chinese Government.

Isolation

At this point, it’s worth noting that almost all professional CCTV cameras are installed on secure subnets supported by dedicated switches, servers, and video management systems, or they are installed standalone on DVR and NVRs. These systems log network actions from authorised users, including camera views, saves, searches and applications of analytics functionality, where this applies.

It goes without saying that no pro-grade network intrusion detection system could fail to alert network engineers to the transmission of big band video signals from secure network ports to an external network location. It would generate an immediate alert, remedial action and public condemnation.

Firmware

While IP cameras can upgrade firmware automatically over public networks and will undertake handshakes with a manufacturer’s servers, these actions are ubiquitous across network devices of all types and, in the case of CCTV cameras, can be deactivated, with devices either left using original firmware, or upgraded manually.

Typically, network-based electronic security systems are updated manually by security teams managing system maintenance. These Australian security techs are highly integrated with an end user’s security operations team and will respond at a moment’s notice to issues of camera performance, network failure, or network breach.

Further, in compact applications, such as in the suburban high street offices of MPs, 3-4 CCTV cameras are installed in a basic star configuration that revolves around a PoE NVR/DVR supported by a dedicated keyboard, mouse and monitor. They are not connected to local data networks, let alone hooked to out of country servers – unlike a significant number of other manufacturers, neither Hikvision nor Dahua offers VSaaS in Australia.

Typically, the basic turret cameras used in such applications are mid-wide angle, have modest resolutions, fixed lenses, and are installed with an outward-facing angle of view covering front and rear entrances, car spaces and foyers to allow recording of events for police investigation after an incident.

Recordings are undertaken on local hard drives and written over after 30 days. Viewing of footage and event searches can only be undertaken by a person with access control rights to the location, and who is authenticated with a password issued by a nominated system administrator – typically an admin assistant or office manager who works on-site.

These cameras are installed for safety and security, not to ‘spy’ on MPs. Nor are these cameras being ‘found’ by shocked staffers in third-tier government applications, as if the cameras crept in at night and hung themselves onto walls, as some news websites have implied.

Local Installers

These CCTV systems were installed in plain sight by professional Australian security technicians using products supplied and supported by professional Australian security distributors with technical support from suppliers’ local operations, after an official government tender process.

These cameras and related systems were chosen by government decision makers because they offered the best performance for the least cost. This is not an imperative that will change when government agencies next take locations with modest security requirements to tender.

Similar strictures around installation and governance apply to the 11 Hikvision cameras at the Australian War Memorial, which are likely external bullet cameras installed to view choke points and entries, and are entirely governed by local subnet rules and managed and viewed using an over-arching video management system provided by a third party.

This server-based VMS brings together all the cameras across the site onto a video wall for monitoring by a dedicated security team. It’s normal for a major site like the Australian War Memorial to have multiple camera brands and camera types installed for different reasons at different times with different priorities of budget. Expensive upgrades are undertaken in stages.

Chinese Camera Ban Not About Cyber Security

In SEN’s opinion, the most cybersecure IP surveillance camera is Mobotix, however, the Australian government rarely uses this brand, despite its enormous operational flexibility and impeccable cybersecurity credentials. Bosch, Axis and iPro are also highly regarded, and tier 1 offerings from everyone else – including Hikvision and Dahua, which put considerable effort into cybersecurity and transparency to correct early issues that impacted all CCTV camera makers – are close behind.

Unsurprisingly in the current geopolitical climate, Chinese CCTV cameras are by far the most examined network devices when it comes to cyber security, and their camera firmware and supporting management solutions are constantly trawled through by experts looking for issues in devices that, despite their ‘surveillance’ function, are static edge sensors, governed by the settings of the network switches and servers that manage them.

It’s impossible to believe the Australian government’s highly qualified cybersecurity experts are not perfectly aware that edge devices, like CCTV cameras, when properly commissioned and installed on well-designed and secure data networks, are impossible to access remotely, and can’t be infected by ‘spyware’ in the way a mis-managed workstation or laptop might be.

Instead, they must be acutely aware the greatest security threats to security systems are posed by errors in network application, a failure to activate camera cybersecurity settings during installation and pre-commissioning, and weaknesses in the physical security around network components. And cybersecurity experts must know such risks apply to every networked device across a department’s topology – phones, switches, wired and wireless routers, laptops, servers, apps – not just to devices offering click-worthy headlines.

In our opinion, given the highly evolved state of cybersecurity in professional CCTV cameras (and intercoms), the possibility edge devices in secure subnets from any camera manufacturer, could suddenly breach network security settings and start operating unilaterally is so vanishingly small that cybersecurity can’t be the problem.

Instead the government’s core issue seems to be one of uncertainty and misunderstanding around a technology that, when properly installed and managed, leaves virtually no room for uncertainty at all.

More news from SEN.

‘The Australian government’s recent Chinese camera ban not about cyber security.’