Cameras: The Backdoor of the Security Industry

Private-label security cameras can be a threat to corporate security. Here’s why.

The U.S. Government is finally cracking down on the dirty little secret the security industry has been hiding for years. Last month the FBI raided and arrested the entire executive team of Aventura Technologies, a video surveillance system supplier to the federal government. The initial charge to the company is defrauding the federal government with the supply of “professional-grade surveillance cameras made in the USA,” but were manufactured in China by a company named HikVision.

Aventura went to the extent of having the manufacturer ship fully assembled products with a “MADE IN THE USA” sticker, falsified certificate of origin documents and secured government contracts as a woman-owned business (WBE) with the owner’s wife as the CEO, who had nothing to do with the business.

HikVision is owned by the People’s Republic of China (PRC) and was banned by the U.S. government earlier this year for compounding cyber vulnerabilities and espionage accusations because of its surveillance systems. The final straw to the ultimate blacklisting by the U.S. was HikVision’s involvement in human rights violations, with the designing and supplying of surveillance systems for re-education concentration camps. In a province far west of China named Shenyang, the PRC held millions of people in these concentration camps. It’s estimated the PRC spent over a billion dollars on security systems provided by their own “commercialized” security camera business.

Many other major brands and manufacturers continue to private-label cyber vulnerable Chinese products under OEM agreements, which is not well-known to those outside the security industry—or even to many within the industry. The vulnerabilities discovered have also been found in private-label cameras as well.

Of course, private-label products are also banned under the new law, but enforcing that ban is much more difficult. For Hikvision products, merely looking at the label will tell government procurement agencies that they are off-limits. That isn’t so easy for OEM products and is a significant reason that the risks associated with these companies’ products and technology are not going away anytime soon.

This security industry scandal is the tip of the iceberg as most security insiders know all too well the common practice of private-labeling products from Asian manufacturers. The reality is it’s been going on for decades.

If the market value of professional surveillance systems were a stock, it would look like GE’s chart over the past few years. No coincidence that a division of General Electric named Interlogic, a brand of commercial security equipment, recently shut down operations. Speculation in the security industry is that part of the shut-down is because GE Interlogic (like Aventura) was one of Hikvision’s largest U.S. OEM customer private-labeling and reselling to U.S. businesses.

The demand for lower-cost commercial-grade security cameras has increased over the years, but with the national exposure of cyber vulnerabilities from Chinese cameras going mainstream, the tide might be turning back to quality and a new premium set on an original MADE IN THE USA security equipment that has built-in cybersecurity capabilities.

There are massive numbers of these cameras installed around the world, the No. 1 reason is that they are cheaply made and, by extension, inexpensive to purchase and deploy. However, the potential security costs far outweigh whatever savings end-users realize from buying from these manufacturers. The U.S. government is now tasked with ripping out all of the $88 million worth of security equipment that was supplied by Aventura since November 2010.

Remember that time in late 2016 when the internet practically came to a standstill because of a big botnet attack? It would be hard to forget because it wasn’t just big; The Mirai botnet attack was the largest DDoS attack in history, one that nearly broke the internet. It was triggered by remote commands to unsecured networked devices, which had been compromised and hijacked. Care to guess what the majority of those devices were? Spoiler alert: IP surveillance cameras.

But why choose to hack security cameras? Because they are the ideal entry point for network breaches. For starters, they are constantly connected to the internet. In fact, they need this connection to enable the real-time live-look-in capabilities we’ve come to expect. This convenience comes with severe consequences because that exposure to the internet also opens the door for hackers to not only find connected cameras but also to exploit them.

Cybersecurity (ethical) hacker Alissa Knight explains on the Security In-Focus Podcast how she uses IP surveillance cameras to infiltrate a business network:

“I just sat in my car. These cameras were connected to the wireless network for the organization that I was hacking. Unfortunately, there was weak encryption being used with the wireless network. I used some basic tools. One, in particular, was a Pwn Pad which is a tablet that was purpose-built from the ground up as a wireless hacking device, and I was able to crack the key for the wireless network, and I was then able to become a client on this wireless network that the cameras were connected to. This allowed me to then reach the IP addresses of the cameras that were sitting in the parking lot from my car and jump in…”

Wake-Up Call for the Security Industry

It’s unconscionable that these vulnerabilities have been allowed to persist. Manufacturers who either bury their heads in the sand and ignore the problem or don’t care about anything but profits are not just part of the problem—they are the problem.

As manufacturers continue to drag their feet or put up roadblocks every step of the way, they are doing a severe disservice to those who have invested in technologies to protect themselves. Worse yet, they are putting people and property in danger, all in the name of convenience or profit. Now that the government is finally taking notice, it doesn’t mean this problem is solved. It’s only just beginning. Hundreds of companies remain that have similar business models to Aventura technologies, and the demand for dirt cheap surveillance cameras isn’t going away.

Now that the backdoor is clearly exposed, it’s time for the security industry to police themselves—or, as we saw last month, the United States Federal government will do it for you.

Thomas Carnevale

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Thomas Carnevale

Thomas Carnevale is an internationally recognized security entrepreneur, author and active speaker. He currently serves as the Chief Operating Officer of Umbrella Technologies, a security consulting company dedicated to physical security technologies being enterprise video surveillance, access control, mass notifications and business intelligence. With a background in the telecommunications industry Thomas took his technical insights into the security industry and began his first entrepreneurial start-up JCS Digital Security which premiere focus was to integrate the best in breed surveillance technologies for all of their commercial and governmental clients. Next and for over 14 years he founded a technology company which invented the Industries 1st single-sensor open-platform immersive panoramic camera technology which was used to secure fortune 500 companies, major cities, and some of the largest mass transit agencies in the world. Honored by the Security Industry Association, ASIS & Multiple Security Publications over the years for his value in security innovation- Thomas has taken his experience in training system integration firms direct to the End-User with Umbrella Technologies.

thomas-carnevale has 2 posts and counting.See all posts by thomas-carnevale