Banned Chinese Security Cameras Are Almost Impossible To Remove (bloomberg.com)
An anonymous reader quotes a report from Bloomberg: U.S. federal agencies have five weeks to rip out Chinese-made surveillance cameras in order to comply with a ban imposed by Congress last year in an effort to thwart the threat of spying from Beijing. But thousands of the devices are still in place and chances are most won't be removed before the Aug. 13 deadline. A complex web of supply chain logistics and licensing agreements make it almost impossible to know whether a security camera is actually made in China or contains components that would violate U.S. rules. The National Defense Authorization Act, or NDAA, which outlines the budget and spending for the Defense Department each year, included an amendment for fiscal 2019 that would ensure federal agencies do not purchase Chinese-made surveillance cameras. The amendment singles out Zhejiang Dahua Technology Co. and Hangzhou Hikvision Digital Technology Co., both of which have raised security concerns with the U.S. government and surveillance industry.
Despite the looming deadline to satisfy the NDAA, at least 1,700 Hikvision and Dahua cameras are still operating in places where they've been banned, according to San Jose, California-based Forescout Technologies, which has been hired by some federal agencies to determine what systems are running on their networks. The actual number is likely much higher, said Katherine Gronberg, vice president of government affairs at Forescout, because only a small percentage of government offices actually know what cameras they're operating. The agencies that use software to track devices connected to their networks should be able to comply with the law and remove the cameras in time, Gronberg said. "The real issue is for organizations that don't have the tools in place to detect the banned devices," she added. Also, since many of Dahua and Hikvision's cameras are sent to equipment manufacturers and sold under those brands, those cameras have completely different labels and packaging. This means it would be nearly impossible to tell if the thousands of video cameras installed across the country are actually re-labelled Chinese devices.
Lolz I truly don't know (Score:4, Insightful)
There are surveillance cameras with components NOT made in China? Who makes those?
Re: (Score:3)
Re: (Score:2)
Well it is. And it has become easier than ever to get the FUD flowing because for the media it's just another bandwagon to jump on to.
Does that mean the Chinese aren't spying? Not at all. China is about as fanatic about spying as the US is about conquering and dominating and getting the population to support it. The styles are quite different.
Re: (Score:2)
Russia
Re: (Score:2)
In Soviet Russia, camera remove you!
Solve the problem - not country of origin (Score:1)
Solve the problem.
FCC should have not lost its ability for meaningful certification. They also need a national software firmware source code repository for cheap stuff - unless open sourced and say on GIT
Import tax on insecure cameras
Less tax for supported upgradable cameras
and Return supertanker to origin for POS devices with known defects.
It should be illegal to discriminate by country. But quality is a usable non tariff trade barrier.
Re: (Score:2)
I don't usually deal with ACs but you are right. This is something the FCC is equipped for and empowered to handle. They need to get with the times, all government branches do really.
Re: (Score:2)
wrong, the FCC has neither the means nor knowledge to determine what is "insecure" or not. They should not interfere in the market
Come on (Score:2)
Go ahead and find me one *not* made in China. Even if you do find one the chipsets will be of Chinese origin.
Re: (Score:2)
Designed in Germany. Made in China.
and...
China has developed into an important market and manufacturing base for Bosch. In 2012, Bosch had 34,000 employees and a revenue of 41.7 billion Yuan (about 5 billion Euro) in China.
Re: (Score:3)
Most stuff that says Bosch on it isn't made by Bosch even under contract, they're just licensing out their name. For some reason their name is still good to most people, even though those in the know understand that the last time they made anything worth a fuck was in the eighties.
For example, Bosch sold their 12V starter and alternator division to the Chinese a few years back, in order to better concentrate on 48V. They still say Bosch on them, but Bosch has absolutely fuck-all to do with making them.
Bosc
Re: (Score:2)
Depends which chipset you care about. If they care about the encoder or decoder chipsets for MPEG2/H.264 or H.265, etc, they're chasing their tails. The networking hardware and software/firmware are what we need to worry about. So, yeah, checking each one will still be a hassle, but if you're talking about a bunch of CCTV cameras made who-knows-where, at least you really only have to worry about the central "concentrator" (not sure what the analog ones were called) DVR itself. And fortunately, that's just
Easy fix: no cameras! Save privacy and create jobs (Score:3, Insightful)
Re: (Score:3)
Even if it's made in the US, you can be assured that *all* cameras will have at least a few parts made in China.
Just like everything else. If a China ban ever turned into something complete, it'd set technology back 40 years. Well for the US it would. The rest of the world would keep on keeping on. Well at least until the current White House went away and someone sane took charge of foreign policy
don't use cloud dvr systems use zoneminder (Score:3)
don't use cloud dvr systems use zone minder in an isolated network
Re: (Score:2)
It doesn't sound like that satisfies the legal requirements.
Re: (Score:2)
That's probably true, but at least it survives the intent/spirit of the regulations. I know, I know, try explaining to some investigative body that doesn't know the difference, doesn't care to learn it, or god forbid, just wants to meet quota or have an axe to grind with your face.
Re: (Score:2)
Are there any models of camera which either come with entirely open source firmware, or can have the firmware replaced?
Most of the Chinese cameras seem to be Linux based, but then the actual camera functionality is implemented as a monolithic binary blob running on top of a (usually quite old) Linux kernel. If someone creates an openwrt-style firmware for these cameras I'd go out and buy whatever models they supported.
I've found a lot of the cheaper cameras don't quite work with zoneminder, as they deliver
Use some of them to spoof the spies (Score:5, Funny)
If the US has anything, it's the world's greatest effects experts. Wait until the Chinese are trawling through their spycam footage and come to the Pentagon testing a mind control ray, a gooey blob alien intern in the White House, a time portal in the Nevada Test Site control center opened to the Song dynasty in an attempt to manipulate Chinese history...
Re: (Score:2)
As they say, power corrupts...
But also the political process is such that it tends to attract those who are already greedy and power hungry.
You will never get a benevolent leader under such a system, your best chance is actually a hereditary monarchy as the monarch is given power whether they want it or not so it's a roll of the dice as to what kind of leader they would make.
Re: (Score:2)
Re: (Score:2)
That's a lot of components to track down. In some stuff, the chips have their part numbers and manufacturers bleached/rubbed off. What do they do then? Trash an $80,000 camera system that isn't even connected to a network?
Ironically, the NDAA is slowed down by NDAs between companies sourcing parts between each other.
Re: (Score:2)
If the components have their part numbers intentionally removed then that alone is grounds to suspect the equipment. Why go to the trouble of hiding something like that?
What is the NSA for? (Score:2)
Seems like the NSA should be able to scan all Internet exit points from the US (or have the UK do it if they are squeamish about posse comitatus) and provide the GAO and DOD a list of all nodes communicating with the camera makers' collection points.
Re: (Score:2)
Re: (Score:2)
For understanding the data, yes. For knowing the routing instructions...that should be doable without too much problem.
(Yes, there are fancy ways around that, but these are cameras, not heavy duty processors.)
Re: (Score:2)
ie they are busy globally collecting and supporting other agency work.
Looking around Russia/China for all and any CCTV networks.
Re: (Score:2)
They Are Lying (Score:2)
Just separate the network (Score:2)
Not a federal agency, but a company who happened to have just installed 9 cheap ~$50 Hikvision wired IP cameras. There are 2 concerns.
1. The default password is weak/predictable - it's up to you to set it up well.
2. The cameras may send the videos to an unwanted entity - set up the cameras in a separate, unreachable network.
Don't mix cameras into the normal office network. Give them a separate network in which the camera can only see itself and the recorder. Then make sure only the recorder itself is connected to the outside network. Ah
Re: (Score:2)
You also have to consider camera placement...
If the cameras are outside, they could potentially be stolen or an attacker could disconnect their network cable and connect a malicious device in its place. This attack actually becomes slightly harder with wifi, as you'd need to physically steal the device and take it away for analysis in order to extract the wireless key from it (often held in a plaintext configuration file).
Of course wireless has other weaknesses, denial of service is trivially performed remot
Resale bargain? (Score:1)
What are they going to do with all of those? Maybe us residential folks can pick some up for a bargain home security system.
President Xi isn't interested in watching cats poo on my shrubs.
Port blocking and the uselessness of law in Europe (Score:2, Insightful)
Combine this with a growing, disturbing trend in Europe of blocking all access to the router and many ports, forcing owners of security cameras to use foreign proxy servers to be able to remotely view their cameras and trashing innovative development. Despite the introduction of the toothless net neutrality law, Scarlet ISP in Belgium, as just one example, blocks all access to port forwarding facilities on their routers. The only way to remotely view many of the Chinese security cameras is by making use of the
Re: (Score:1)
That's one approach I guess.
In addition to ISPs like Scarlet blocking these facilities it's also near impossible to find any documentation indicating what is allowed and what is not, also in violation of the net neutrality laws. But try and get a politician to do something about it... if a former president of the European commission can't even get a working law enacted I doubt anyone else can get this sort of thing enforced, the largest corporations have bigger lawyers than you or I.
Re: (Score:2)
That sounds plausible. This should still be clearly ascertainable before you buy the service though. The chap for whom this applied couldn't get a straight answer out of any ISP he tried in Belgium.
Re:Port blocking and the uselessness of law in Eur (Score:4, Insightful)
The reason these cameras use external proxies like this is because of the shortage of IPv4 and slow deployment of IPv6... Most users simply don't have enough addresses to make cameras directly reachable (many users now are behind NAT themselves provided by the ISP and don't even have a single directly reachable IPv4 address), and don't have the technical skills to set up a VPN in order to access them (and can't set up such a VPN in the ISP-operated NAT situation).
Once You Install Cameras (Score:1)
Once you install cameras, you introduce a problem in controlling where the images from them are delivered to. That is the problem, and possibly too many cameras have been installed.
The solution is egress control. These cameras should not be on the global Internet. They should be strictly cordoned off to the places they are being used. Local security cameras should only be connected to local networks and only accessible at local endpoints.
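Added example, not part of the thread: one way to check that the camera segmentation described in the comments above actually holds, by auditing flow records for traffic that breaks a "cameras talk only to the recorder" policy. The subnet, recorder address and flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing for this example (not from the thread).
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
RECORDER = ipaddress.ip_address("10.20.30.2")

# Constructed flow records: (source, destination, dest port, protocol).
SAMPLE_FLOWS = [
    ("10.20.30.11", "10.20.30.2", 554, "tcp"),     # camera -> recorder (allowed)
    ("10.20.30.2", "10.20.30.11", 80, "tcp"),      # recorder -> camera (allowed)
    ("10.20.30.12", "203.0.113.50", 443, "tcp"),   # camera -> outside host
    ("10.20.30.12", "192.0.2.53", 53, "udp"),      # camera -> outside DNS
    ("192.168.1.77", "10.20.30.11", 80, "tcp"),    # office host -> camera
    ("10.20.30.11", "10.20.30.12", 8000, "tcp"),   # camera -> camera
    ("192.168.1.77", "198.51.100.9", 443, "tcp"),  # unrelated office traffic
]

def is_camera(ip):
    """Every address in the camera subnet except the recorder is a camera."""
    return ip in CAMERA_NET and ip != RECORDER

def classify(src, dst):
    """Return (camera, kind, peer) for a policy violation, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_camera(s):
        if d == RECORDER:
            return None                      # the only permitted peer
        kind = "lateral" if is_camera(d) else "egress"
        return (src, kind, dst)
    if is_camera(d) and s != RECORDER:
        return (dst, "inbound", src)         # camera reachable from elsewhere
    return None

def audit(flows):
    """Group violations by camera address, in order of appearance."""
    findings = defaultdict(list)
    for src, dst, port, proto in flows:
        hit = classify(src, dst)
        if hit:
            camera, kind, peer = hit
            findings[camera].append((kind, peer, port, proto))
    return dict(findings)

if __name__ == "__main__":
    for camera, hits in audit(SAMPLE_FLOWS).items():
        for kind, peer, port, proto in hits:
            print(f"{camera}: {kind} {peer} {proto}/{port}")
```

Any "egress" or "inbound" finding means the firewall or VLAN rules are not enforcing the isolation; the recorder's own outbound traffic is deliberately not flagged.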
Block China at the firewall / Pi-Hole (Score:3)
Two things that immediately make these cameras more secure:
Oh yeah, and change the default cam logins to something other than admin / admin. That's the #1 way people get "hacked." Duh.