Your surveillance camera sees everything. Have you secured these pervasive systems,
or are you still unaware of who sees what your camera sees?
“There was no way of knowing whether you were being watched at any moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time.”
George Orwell painted a grim picture in his dystopian fiction novel 1984, showing us the uncertainty and pervasive nature of video surveillance in the society of 1984. Though a work of fiction, the Orwellian literature mirrors reality as boundaries grow thicker, chips shrink, and codes get longer. While humans may put up security cameras to deter thefts or prevent crime, surveillance inevitably records everything in its vision. Everything! Now, picture all these live visuals accessible to anyone on the internet. Anyone!
Last year, San Francisco brought in a camera ordinance, granting the city police the authority to request access to live footage from privately owned internet cameras to respond to real-time crimes. While the San Francisco police needed permission to access surveillance footage, a quick online search can lead you to Insecam, which streams live footage from around the world, along with approximate coordinates and the camera’s internet protocol (IP) address.
But how can this website access this surveillance footage? We spoke with Divyanshu Verma, CEO, Redinent Innovations, who revealed a shocking incident of accessing footage from police cameras in a geopolitically sensitive region. “People may not even realise they are being watched!” he exclaimed. The concerned authorities were alerted to the system’s vulnerability. They took steps to address the issue and put up measures to deal with the glitch accordingly, but not every story ends happily.
While most people may not have experienced a direct hack, the vulnerability exists. The live camera feeds, with multiple streams, are accessible. Even if an organisation secures one or two streams, a determined hacker or crawler can access the others and collect the data, which is then shared on the internet.
“It is particularly concerning when this data includes sensitive locations, such as airports. These crawlers, powered by AI or machine learning, are adept at collecting data from various devices, including cameras. The scope of this problem transcends international boundaries, and a lack of security in these devices can make the data available to crawlers, regardless of the location, be it in India, Pakistan, China, or elsewhere,” Verma says.
The neighbouring threat
Cameras are complex systems with multiple optoelectronic components integrated with electronic circuits, processors, software, and interfaces for user computational devices with interaction and data storage. Despite the intricate circuitry, cameras are relatively compact devices with limited memory and computing power, primarily designed for imaging and video functions.
“Over time, cameras have been added to our systems without thorough checks, creating a situation where even subpar companies can produce inexpensive cameras, often with substandard components. When a camera is compromised, it becomes a potential entry point into our systems, and it’s alarming how frequently this occurs,” Verma explains.
It is no secret that governments and organisations worldwide have repeatedly sounded the alarm over the proliferation of substandard surveillance equipment, which can be easily compromised by malicious actors, posing a risk to security. Global geopolitics and the ongoing technological trade war between China and the West, led by the US, have added to the concerns about the vulnerability of Chinese surveillance systems. To provide additional context, China’s National Intelligence Law of 2017 requires organisations and citizens to “support, assist and cooperate with state intelligence work.”
In 2021, US President Joe Biden signed a Secure Equipment Act, imposing further restrictions on Chinese surveillance equipment manufacturers such as Huawei, ZTE, Hikvision, Dahua, and Hytera. A year later, in November 2022, Washington banned the import of surveillance equipment made by Hikvision and Dahua, citing “an unacceptable risk to national security.” In February 2023, Australia’s Defense Department removed Chinese-made surveillance cameras from its offices after an audit found 900 pieces of surveillance equipment were produced by companies partly owned by the Chinese government. Shortly after, in June, Britain followed suit, removing Chinese-made surveillance equipment from sensitive government sites for national security concerns.
At home, the government has taken steps to prevent the infiltration of such equipment, particularly for projects funded by the government, public sector undertakings (PSUs), defence, and other publicly funded initiatives. Despite these efforts, earlier this year in March, trade body the Confederation of All India Traders (CAIT) claimed that many CCTV cameras used in India are either controlled or partially owned by the Chinese government and demanded an immediate ban on their use in India, in a letter to the minister of electronics and IT, Ashwini Vaishnav.
Cybersecurity expert Dr Shubhamangala Sunila explains that the security challenge arises from the lack of transparency regarding the origin of components while sourcing them from different countries for use in India. “In India, the prevailing mindset seems to prioritise affordability over security when implementing projects. There is a tendency to opt for the least expensive options without considering the potential risks. This approach could be detrimental to overall security,” she elaborates.
CEO of Outdu Mediatech, Sridhar Subrahmanya, further elucidates the rules governing the procurement of components for manufacturing surveillance camera systems in India. “The Indian government has mandated that suppliers provide declarations stating the availability of the firmware’s source code if it originates from non-friendly nations. Additionally, the suppliers must guarantee that their products do not increase vulnerabilities or threaten national security. Despite these clear mandates, we have observed instances where even large system integration companies have found ways to circumvent these rigorous requirements, providing certifications with limited insight into the products they procure,” he points out.