To understand why so many are highlighting the Chinese cameras in Leinster House, one must first recognise that China does not do business or espionage like the West. There's no separation between industry sectors the CCP deems strategically important.
The #IOT, #5G, #AI and #SmartCities sectors are integral to China. These sectors have billions of dollars pumped into them from Chinese government central and regional funds and are controlled centrally by the CCP, with the CCP placing key personnel into these companies.
One other area of interest to the Chinese government is #BigData - and boy do they have the opportunity to gather as much of this as possible thanks to the West. This data is used to forecast and predict actions, reactions of markets, industry and people - most importantly people
Anyway, to Leinster House and the cameras:
Firstly, these cameras are not just in use in Leinster House, they are also in use in Garda stations and other government buildings across the country. Various gov dept. were warned last year not to use them, but they ignored it.
And this can also be a failing of the public procurement system which can often lead the procurement officer to select the vendor or company with the cheapest tender for a project - and as many in telecoms know a lot of Chinese kit is CCP subsidised.
The subsidies take many forms, including: research grants, export credits, vendor financing, local market prioritisation in deployment contracts to increase manufacturing economies of scale etc. None of which Western manufacturers can take advantage of.
So failure 1 - the procurement system which is often biased towards the cheapest option coupled with past performance with other government depts leads to these companies being awarded contracts over many western manufacturers. This is the first security failure.
Hikvision cameras have been hacked in Ireland before: in Limerick. The ability to hack a camera is excellent news for criminal gangs who can track Garda movement, security guards and targets of interest.
Failure 2 - past performance in Ireland
Hikvision has faced long-standing accusations of spying on behalf of the Chinese Government. As of last year, the Chinese government retained a 42% share of ownership of Hikvision. So it's not a particularly massive private enterprise, a good chunk is Chinese gov owned.
The company grew from its contracts related to China's military surveillance networks - the networks that are used to identify ethnic minorities and political dissidents in China. Here's a link to them doing this - ipvm.com/reports/hikvis…
Hikvision received a $1.2 billion Chongqing 'Safe City' project in 2011 where they installed over 200,000 cameras to monitor the population. A foundation for the social credit system we hear of.
They are also involved in the surveillance systems in China's Xinjiang province - an oppressive place where you can be locked up without trial, subject to medical testing without consent and are required to have malware on your phones to share data with Police and Chinese Intel.
For a number of years, like Huawei, Hikvision has engaged in what many believe to be shoddy and sub-standard engineering methodologies and are alleged to have deliberately created security flaws in their systems to allow access to those who know how to take advantage of it.
Such flaws in the past relate to insecure password protections, the discovery of poorly or intentionally written coding that would allow a hostile actor to gain access to the images, audio and metadata on the devices or storage systems.
The US is not the only country with concerns about Hikvision - Australia removed all Hikvision cameras from sensitive locations (including military bases) once it had been discovered their equipment was being used. This raises so many flags about procurement and supply chain.
Hikvision has form for having severe or critical vulnerabilities in their equipment - and these are not related to Chinese espionage - just shoddy testing and quality assurance in a rush to market - but nonetheless these vulnerabilities can be used against us.
Last year Hikvision IP cameras had an Exec Code Overflow vulnerability which was rated 7.5/10 by security experts for its critical nature. It would have allowed an attacker to corrupt memory or crash a system
Now to be fair, on a list of vendors with Common Vulnerabilities and Exposures, Hikvision has not been the worst, by any measure. However, given the sensitive locations these devices are operating in, vigilance is key.
At the end of last year, another critical vulnerability was found in Hikvision security cameras where an attacker who successfully obtains the IP address of the camera can remotely execute code with root privileges on the camera (via LAN or internet)
To Hikvision's credit, they did fix the issue as soon as it was brought to their attention. But the discovery also exposed some serious issues with their engineering processes, that are often common in Chinese manufacturers. The UK HCSEC report highlighted this for Huawei.
One such issue is the use of very old firmware that's no longer serviced, odd use of unsafe functions. It is imperative that Ireland introduce a full audit of these camera systems, their locations and assess how the firmware is being updated.
We should also do random inspections of both the code and hardware as a matter of course, to ensure no unexpected coding or hardware has been introduced during the manufacturing process.
Deputy @lawlessj is right to flag this as a security concern; also such technology is but as we move into #5G edge devices such as these are more vulnerable and more dangerous. Ireland needs a centralised national cybersecurity agency and a robust national security strategy.
There may be nothing to Hikvision technology in Leinster House, or Garda stations, however Hikvision cameras can be used in tandem with facial recognition software and AI linked to a centralised database.
That database, with these types of vulnerabilities, could be one put together by a hostile actor who uses these cameras to track persons of interest. As previously stated Hikvision patched the last ones, and quickly. But other Chinese vendors are not so quick to do so
It's hard to give any more analysis without knowing exactly which models are in use and the type of system they operate on. I would wonder if Leinster House is using any facial recognition software too? (doubtful). We need to start highlighting these things though.
5G will be an epoch for espionage and counterintelligence placing it into the world of the every day.
Subscribe to Steve Conlon