Press play to listen to this article
Surveillance technology firm Hikvision is facing criticism over a new vulnerability found in its products, adding to mounting concerns the company’s high-tech cameras, which are used all over Europe, pose security risks.
An anonymous security researcher found a glitch in Hikvision’s products that “permits an attacker to gain full control of the device,” they said in September. The researcher said the cameras had “the highest level of critical vulnerability.”
Hikvision acknowledged the vulnerability and instructed the cameras’ users to install new software on affected devices.
The incident puts additional pressure on Hikvision, which — like other Chinese tech firms, including Huawei — was already being quizzed by authorities over how it protects data gathered in Europe, and was suspected of collaborating with Chinese authorities to enable mass surveillance and human rights violations in China.
With the vulnerability, the company faces charges of lax security in addition to its data practices and ties to the Chinese state.
According to security research group IPVM, the Hikvision vulnerability could impact over 100 million cameras globally. Gaining access to the cameras’ data would be an “easy hack to perform,” said director Conor Healy, adding, “something to understand about these surveillance cameras is that they’re computers, not just cameras. They’re sophisticated devices.”
Hikvision is a leading provider of closed-circuit television and surveillance systems. Its surveillance cameras are popular in Europe, and it also began selling thermal camera systems after the coronavirus pandemic that could identify if people had fevers.
One recent example includes Spain, where the company landed a contract in July to supply airport operator AENA with 175 cameras used across dozens of airports, including Madrid-Barajas and Barcelona’s El Prat.
That Hikvision’s dominant shareholder is a state-owned defense association has not yet dissuaded public authorities in Europe from striking deals with the company, even as the company remains on the United States’ blacklist due to alleged ties to the Chinese military.
But some officials in Europe have been calling for a stop to deals with the company.
Axel Voss, a member of the center-right European People’s Party in the European Parliament, said Europe should be cautious to allow foreign powers too much control over systems, warning of “possibilities to attack us on where it might be very sensitive.”
A report published by the defense ministry of Lithuania, a country hawkish about China, concluded Hikvision’s equipment posed “a chance that cyberattacks … or malicious code insertion, will be carried out.”
Others point to its opaque data practices, which they say do not indicate where Europeans’ personal data is transferred, and warn that it could be moved to China.
“The systems gather a lot of personal data,” said Audrey Fritz, a researcher at the Australian Strategic Policy Institute who monitors Hikvision’s activities. “The primary concern is that it doesn’t stay within the country, that it’s not bound to the laws and regulations of your country … Because of [China’s] laws and regulation that Chinese companies are required to hand over to government authorities, that becomes the concern.”
According to John Lee, senior analyst at the Mercator Institute for China Studies, a Germany-based think tank, there are provisions in various Chinese laws and regulations obliging Chinese companies to cooperate with the Chinese government for national security and public interest purposes — even if, Lee said, no single Chinese law gives the Chinese government direct, unfettered access to data collected by Chinese firms abroad.
A Hikvision spokesperson denied the charge. In a statement, the company said it follows the data protection regulations of the European Union, including the GDPR. Hikvision added that as a surveillance technology manufacturer, the company neither stores data nor has access to the data. The end user owns the data, the statement read.
Human rights issues
Hikvision first faced intense public scrutiny in the U.S., where the House of Representatives passed a bill including a ban on the U.S. government’s use of the company in 2018. A year later, U.S. lawmakers put Hikvision on a sanctions list, effectively blocking U.S. companies from selling to it due to human rights and security concerns.
In the U.K., lawmakers have debated restrictions on Hikvision’s technology — which is used widely by local authorities in the country — and the U.K. parliament’s Foreign Affairs Committee called for a ban on the equipment in July, which the parliament has not yet passed.
Some governments accuse the company of collaborating with Chinese authorities to use facial recognition technology to track and control the mostly Muslim Uyghur minority in China’s Xinjiang region, where authorities have detained hundreds of thousands of people in internment camps since 2017.
Hikvision has denied allegations that its technology has been used by the Chinese state to suppress Uyghurs.
A Hikvision spokesperson said “Hikvision takes all reports regarding human rights very seriously and recognizes our responsibility for protecting people and property. The company has been engaging with governments globally to clarify misunderstandings about the company, our business, and address their concerns.”
But the Norwegian Council of Ethics said the company has a substantial presence in Xinjiang. The company received public contracts from the region’s authorities, and its surveillance cameras are now used across the region — especially near mosques and the internment camps, which the state calls “re-education centers.”
Laurens Cerulus and Mari Eccles contributed reporting.
Want more analysis from MediaFrolic? MediaFrolic Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.