KYIV – As Russia’s full-scale invasion of Ukraine nears the two-year mark, hundreds of thousands of Chinese-made Hikvision and Dahua video-surveillance cameras, used by government-run security systems, residences, and private companies throughout Ukraine, heighten the risks of attacks by the Russian military, Ukrainian digital-security experts and government officials fear.
When Russian missiles struck Kyiv in a January 2 attack that killed at least three people, two ordinary outdoor CCTV cameras – one for a condominium, the other for a parking lot — helped guide their way, the State Security Service of Ukraine (SBU) claims.
After hacking the cameras, Russian intelligence used them “to spy on the Defense Forces in the capital” and to record images of “critical infrastructure facilities,” according to the SBU.
One of those cameras was a 2016 Chinese-made Hikvision device, a law enforcement official who requested anonymity because of the sensitivity of the subject told Schemes, the investigative unit of RFE/RL’s Ukrainian Service.
“Such cameras are usually just connected to the Internet and are already relatively outdated — that is, with software that has not been updated for a long time and has many known vulnerabilities,” said Serhiy Denysenko, executive director of the Ukrainian information-security company CyberLab’s Digital Forensics Laboratory.
Manufacturers’ “basic” camera software means that “hackers — or, in this case, the Russian special services – who are scanning the Internet can find this camera and gain access to it,” Denysenko said.
To test the SBU’s claims, a Digital Forensics Laboratory specialist hacked into a 2015 Hikvision CCTV camera in about 15 minutes.
From 2014 to 2022, three Ukrainian companies imported over 875,000 CCTV cameras and other devices related to video surveillance made by Hikvision, and a single company imported nearly 1.1 million cameras and other devices related to video surveillance made by Dahua, according to data from the import-export database ImportGenius.
Other companies also imported smaller numbers of devices made by Hikvision and Dahua, which dominate the world video-surveillance market and rank as Ukraine’s most frequently imported CCTV cameras.
They also rank among the world’s most controversial cameras — in 2022, the U.S. Federal Communications Commission prohibited future authorizations for the import or sale of Hikvision and Dahua “communications equipment” as “an unacceptable risk to national security.” Australia, Taiwan, the United Kingdom, and other countries have also imposed bans or restrictions on the cameras’ use.
Such regulations do not exist in Ukraine, though in 2023 it named both Hikvision and Dahua Technology “international sponsors of war” for tax payments to Moscow and sales of equipment that have military applications.
A Chinese Foreign Ministry spokesperson told Reuters on February 1 that China “firmly opposes” the inclusion of 14 Chinese companies on that list, and “demands that Ukraine immediately correct its mistakes and eliminate negative impacts.”
It did not address the issue of potential consequences from the hacking of Chinese CCTV cameras.
Vulnerable To Hacking
Hikvision and Dahua cameras and software account for 74 percent of the CCTV systems used in Ukraine’s national video-surveillance system for roads, streets, parks, apartment buildings, and other public spaces, Bezpechne Misto (Safe City), according to the Interior Ministry.
Another 24,000 Hikvision and Dahua cameras are used in similar public surveillance systems, the Interior Ministry told Schemes in response to a query.
Russian-supplied TRASSIR video surveillance systems — which, as Schemes reported in December, have been used at the shuttered Chernobyl nuclear power plant as well as several Ukrainian cities and sensitive facilities such as the Administration of Sea Ports of Ukraine in Odesa — in many cases use Hikvision cameras, though the software is TRASSIR’s own.
Schemes asked President Volodymyr Zelenskiy’s office, the cabinet of ministers, the National Security and Defense Council, and the SBU whether they believe these cameras pose a security risk and whether Kyiv plans to remove the devices from Ukraine. None has responded.
Experiments run for Schemes by the Digital Forensics Laboratory and the Digital Security Laboratory, a Kyiv NGO, indicated that Hikvision and Dahua cameras are vulnerable to hacking and that they send encrypted data to servers controlled by state-run or partly state-run Chinese companies.
A 2015 Hikvision camera accepted the easily hackable password “1234567890” as a login. A 2023 Hikvision model required a more complex password with symbols, but sent some encrypted user and registration data to a server in China owned by ChinaNet, a state-owned Internet service provider.
A 2019 Dahua camera, even when its cloud-server connection was switched off, still sent encrypted information, including the user’s login and password, to cloud servers in Germany run by China’s uCloud Information Technology, a partly state-owned company, and the private U.S. firm Zenlayer.
The security of CCTV transfers depends on the manufacturer, the connection with the server, and “who can use this information and how,” said Digital Security Laboratory expert Ivan Antonyuk. “And here’s the question: Do you trust the Chinese developer or not?”
Though the information is encrypted, “decoding such information will not pose a problem for the manufacturer and developer of these cameras,” Denysenko emphasized.
“Our experts are convinced that when using such a service, access to the cameras can be easily obtained by the manufacturer’s representatives if necessary,” he said. “Also, taking into account the current relations between China and Russia, this may carry certain security risks.”
Schemes did not find direct evidence that China transferred images from Chinese CCTV cameras in Ukraine to the Russian military, but the legal framework exists for such transfers.
China, whose ties with Russia are described by both countries as a “no limits” strategic partnership, does not publicly support Russia’s war against Ukraine.
‘Powerless To Protect Users’
China’s national intelligence law stipulates that companies hand data over to the government if needed for security reasons. Beijing has “essentially unfettered” access to China’s Internet servers, CPO Magazine, a Singaporean website that tracks data privacy, commented.
“Chinese companies are powerless to protect users from digital rights violations by one of the most powerful — and unaccountable — governments in the world,” researchers for Ranking Digital Rights, an international project by the Washington-based think tank New America, wrote in 2020.
Hikvision’s largest shareholder, with 36.35 percent according to the company’s website, is the China Electronics Technology HIK Group, which is a full subsidiary of the state-run China Electronic Technology Corporation Group. That firm, known as CETC, lists on its website its contributions to China’s defense industry, including “electronic warfare” and UAVs, or drones.
Dahua Technology also has a significant government shareholder: The state-owned China Mobile, a telecommunications firm, owns roughly 9.5 percent of the company. Dahua has said that China Mobile does not have “operational control” or “undue influence over its decision making.”
In 2022, the U.S. Department of Defense designated both Dahua and Hikvision, as well as their state-owned co-owners China Mobile and CETC, as “Chinese military companies” — corporations whose technical skills the Chinese military uses.
A July 2023 report from the U.S. Office of the Director of National Intelligence found that, despite international sanctions and export restrictions, China “is providing some dual-use technology that Moscow’s military uses to continue the war in Ukraine.”
Intelligence sharing also makes up part of China and Russia’s 2021-2025 Road Map to Military Cooperation, the Congressional Research Service noted.
Schemes contacted Hikvision and Dahua about the security of their cameras in Ukraine and about whether the companies cooperate with Russia, but has not received a response.
The U.S. subsidiary of Dahua Technology, however, claimed in July 2023 that the tech giant only sends “peripheral products and accessories” to Russia and that “none of our products globally are currently designed for military use.”
The SBU said on January 2 that it has blocked more than 10,000 CCTV cameras in Ukraine since the start of Russia’s full-scale invasion on February 24, 2022.
Responding to a query from Schemes in January, Ukraine’s Interior Ministry said that it “does not recommend or approve” purchases of Hikvision and Dahua CCTV cameras and is seeking to ensure that those used in government-controlled video-surveillance systems are replaced.
According to Ukraine’s public-procurement database Prozorro, some government bodies, such as the Kyiv region’s Zolochiv village council, started breaking contracts for the cameras, citing security concerns after Hikvision and Dahua were named “international sponsors of war.”
Existing government-run surveillance systems that use Hikvision and Dahua cameras were deliberately placed “in a closed local network” without access to “the public Internet” in order “to prevent the risks of information leakage” to China, the Interior Ministry said.
The ministry has proposed a bill for a “unified” public CCTV system that would function with Ukrainian and Israeli-made software, but it has not yet come to a vote.
