A critical vulnerability found in surveillance cameras from Chinese firm Hikvision—which are used extensively in Europe—added to previous concerns about the company’s data practices, according to an Oct. 6 report from Politico. Hikvision is controlled by a Chinese military-industrial group and has been accused of collaborating with the Chinese Communist Party (CCP) in violating the human rights of Uyghurs.
Watchful IP, an anonymous security researcher, discovered that the software of a high number of Hikvision cameras has a security vulnerability that “permits an attacker to gain full control of [a] device,” according to a report published on Sept. 18.
“This is the highest level of critical vulnerability,” reads the report. “Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk.”
IPVM, a research group, says the vulnerability could affect 100 million cameras globally, reported Politico. Most affected models are recent ones, though this vulnerability can be traced back to at least some 2016 models, according to Watchful IP.
Hikvision has been the main provider of surveillance systems and cameras in Europe, according to Politico. For instance, Spanish airport operator AENA recently hired Hikvision as a supplier of 175 cameras distributed over dozens of airports, including Madrid-Barajas and El Prat in Barcelona.
Though Hikvision admitted to the vulnerability and made new software available to repair it, concerns about data privacy were not alleviated.
According to Hikvision’s 2020 Annual Report (pdf), the company’s “actual controller” is a Chinese military-industrial group called China Electronics Technology Group Ltd. (CETC). CETC is also “China’s largest electronics defense contractor.”
Chinese military-industrial groups are forced to comply with the CCP, even if it asks companies to hand over data. Hikvision is monitored by a party committee and has many CCP representatives within the company. In addition, the company’s official website described the CCP’s activities in the firm, which have the purpose of “upholding and improving the CCP’s leadership.”
The CCP can then use data to monitor the population, according to Lord Alan West, former British security minister. At a debate in the House of Commons, he stated that China uses “facial recognition and they use this information on a grand scale to control their population.”
“The systems gather a lot of personal data,” Audrey Fritz, a researcher at the Australian Strategic Policy Institute, told Politico. “The primary concern is that it doesn’t stay within the country, that it’s not bound to the laws and regulations of your country … Because of [China’s] laws and regulation that Chinese companies are required to hand over to government authorities, that becomes the concern.”
Because of these concerns, European contracts with Hikvision prompted opposition from some authorities.
“Europe should be cautious to allow foreign powers too much control over systems, warning of ‘possibilities to attack us on where it might be very sensitive,’” Alex Voss, member of the European Parliament, told Politico.
Hikvision has also been accused of collaborating with the CCP’s persecution of religious minorities in Xinjiang.
In 2019, the Trump administration blacklisted Hikvision among 27 other entities. These Chinese companies had been “implicated in human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uyghurs, Kazakhs, and other members of Muslim minority groups,” according to the Department of Commerce.
China’s treatment of Uyghurs has been designated as a “genocide” by both the previous and current U.S. administrations, the parliaments of Canada, the Netherlands, Lithuania, Belgium, the Czech Republic, and the United Kingdom, along with international legal experts and scholars.
According to the Norwegian Council of Ethics (pdf), Hikvision’s surveillance cameras are spread across Xinjiang, particularly near mosques and labor camps, reported Politico.