back to article UK bans Chinese CCTV cameras on 'sensitive' government sites

The United Kingdom has decided Chinese video cameras have no place in government facilities. "A review of the current and future possible security risks associated with the installation of visual surveillance systems on the government estate has concluded that, in light of the threat to the UK and the increasing capability and …

  1. Kevin McMurtrie Silver badge

    Good idea anyways

    The software quality on those cameras is a disaster. They have trivial exploits, tons of bugs, and they phone home. I know they're cheap, but what's the use of a security camera with no security?

    They're also very hard to avoid. Even many reputable looking brands of cameras are a Hikvision with a customized housing and UX. Just log into the exposed telnet port and "strings" the executable.

    1. steviebuk Silver badge

      Re: Good idea anyways

      Yep. Problem is the footage quality is good and they are cheap. We are a charity so they, unfortunately, went with Hikvision cameras for a few of the sites. We have been looking and thinking about their server setup. But I've now been putting it off due to the CCP links.

    2. Anonymous Coward
      Anonymous Coward

      Re: Good idea anyways

      If you can telnet in it already a guaranteed disaster.

      What is really needed is a quality whitelist - but don't be too surprised to find CCTV Medpro on the list.

      1. tomuk

        Re: Good idea anyways

        No china manufacturers are no better

    3. EnviableOne

      Re: Good idea anyways

      the problem is for the price you can't get equivalent features, anything not from china, you are looking at 10 times the price, and when you have a paranoid employer with 50 cameras in each store....

    4. Anonymous Coward
      Anonymous Coward

      Re: Good idea anyways

      Some people seem to think that China only produces cheap low quality tat. Yes, they do make a lot of it, but many well-designed high quality goods are also made in China.

      Hikvision make a variety of cameras at various different price and quality levels. I haven't tried the cheapest ones, but the mid-range ones are truly excellent. By far the best on the market. I've had them for several years and the only problem has been a failed disk in the NVR. The disk was made in Thailand by Western Digital, an American company.

      People seem to worry about the Chinese government being able to access Hikvision cameras, although there is no evidence that they can actually do that. Yet there is actual documented evidence of US government agencies accessing Ring doorbell footage and nobody seems to care about that. Personally I don't think any government would care too much about what my cameras are monitoring.

      1. Blazde Silver badge
        Unhappy

        Re: Good idea anyways

        "Personally I don't think any government would care too much about what my cameras are monitoring"

        Presumably they aren't monitoring anything that would risk revealing the identity of the Anonymous Coward posting? :)

        Hikvision cameras are decent I agree. What I don't understand is why, several years into paranoia about Chinese cameras, there isn't a N.American or European company producing decent cameras (probably still manufactured cheaply in China, with plenty of Chinese parts, but overall designed and software-d some place more trustworthy). Are Hikvision getting huge state subsidies? Is there some insurmountable intellectual property issue (like H.265+ is pretty neat)?

        Or is it just the broken monopolistic nature of western tech companies where nothing is worth doing unless you can charge a monthly subscription, horde your customer's data on the cloud, and then bombard them with ads or whore their data to someone who will, and any entrepreneurial upstart who tries to break the mould gets bought out by one of the giants? While we laugh at the Chinese government for castrating their own tech giants.

        1. Casca Silver badge

          Re: Good idea anyways

          There are non china companies. Axis is one for example.

          1. Kevin McMurtrie Silver badge

            Re: Good idea anyways

            I have three Axis cameras. The lenses aren't the best but the durability and software support are amazing. The IP cameras are self-sufficient Linux servers so no central video processor is needed.

            They're worth the price if you don't want to be fussing around to keep the cameras running.

        2. Paul Crawford Silver badge

          Re: Good idea anyways

          We use Vivotek which is Taiwanese and have been very good. Yes, the hardware is made in China (at least models i have used) but firmware is not under the immediate influence of the CCP, which really is the obvious political risk.

          But no matter what, you should assume cameras and other IoT tat is insecure by design and have them isolated from both the internet at large and any critical systems.

      2. I could be a dog really Silver badge

        Re: Good idea anyways

        People seem to worry about the Chinese government being able to access Hikvision cameras, although there is no evidence that they can actually do that.

        Unless they are firewalled off from the outside world, then its trivial for them to "phone home". If that's permitted, then it's trivial for "home" to be able to give them instructions via the channel created. Think about what Ring advertise their doorbells to be capable of - someone presses the button, your mobile phone rings, you can see and hear the caller, AND you can speak back to the caller.

        But few people know how to firewall off devices to stop them phoning home - the default on the majority (of home, and at least small business) networks is to permit all outbound traffic from internal devices. Most ISP supplied routers probably don't have the facility anyway even if the user cared and knew to do it.

        1. Anonymous Coward
          Anonymous Coward

          Re: Good idea anyways

          So the worry is that the Chinese government will create and deploy a firmware update for every hardware revision of every camera model. Then without anybody noticing, literally millions of cameras will start streaming exabytes of hi definition video footage back to a server in China where an army of people will have to sort through it to find anything that might give them a military advantage?

          That's not a trivial undertaking. To be practical, they would need to know in advance the serial numbers of cameras in sensitive locations and target those cameras specifically.

          1. Lil Endian

            Re: Good idea anyways

            Reductio ad absurdam can work, but not here.

            A burglar may case many houses, yet can only burgle one at a time. Why allow the unauthorised ingress vector in the first place?

            Some hunt with a blunderbuss, some with a sniper's rifle.

          2. John Brown (no body) Silver badge

            Re: Good idea anyways

            Not so much sending all the feeds direct to Communist Part headquarters, more creating an entry into whatever networks they are connected to. Whether it could or will happen is a different question, but there have been reported instances of CCTV cameras and other IoT devices being co-opted into DDoS attacks, so if it's accessible, then anything is possible.

          3. Twanky
            Boffin

            Re: Good idea anyways

            No, I don't think the bad guys* are particularly interested in the video feed. What they may be interested in is having one or more devices under their control on the same network as some machines processing classified information. For example they could try to embed malware into the video stream to try to subvert the machines which are used to view the video stream locally. They could just cause disruption from time to time with network 'noise' or they could try to infiltrate other devices (eg printers) to intercept classified information.

            *The bad guys are not necessarily Chinese just because they're (ab)using kit made in China.

          4. nijam Silver badge

            Re: Good idea anyways

            > So the worry is that the Chinese government will create and deploy a firmware update

            Or more likely, use an undocumented features that they previously insisted the manufacturers implement.

    5. Lee D Silver badge

      Re: Good idea anyways

      Don't allow devices that are plugged into random publicly-accessible network ports to be on your network and connect to the Internet when it's not necessary for their primary function.

      Applies to any device, of any type, from any manufacturer.

      At minimum, stick them on a closed-off VLAN, it takes about 10 seconds extra per camera to do so, and a multi-home config on the NVR box.

      But they should be firewalled off, denied outgoing traffic, denied cross-VLAN access, and the ports they're on should be authenticated or forced to a VLAN.

      Home users might want to use a zero-config fancy cloud app without having to port-forward, etc., businesses should be far more careful.

      Also: Printers. Phones. If you're not already doing this for THEM as well, they are just as at-risk (especially as most IP phones just TFTP request firmware insecurely, and thus in theory their entire internal "OS" can just be flashed by any network user able to pretend to be the TFTP server to do whatever they want with it).

      1. Yes Me Silver badge
        Flame

        Re: Good idea anyways

        Can't say this too loudly:

        Applies to any device, of any type, from any manufacturer.

        This paranoia about Chinese equipment is just that: paranoia. Any device that is pointlessly connected to the open Internet is a vulnerability. Made in China, made in Milton Keynes, who cares? It's the software, stupid, and that comes mainly from GitHubLand.

        1. Trigun

          Re: Good idea anyways

          I agree in principle, although it does make sense to be aware of who your state actor adversaries are and at least put *some* effort into blocking obvious attack vectors from them.

      2. Richard 12 Silver badge

        Re: Good idea anyways

        It's nuts how insecure-by-design IP phones are.

        Especially as they do it every boot.

        I was utterly horrified when I discovered what I'd have to do to get the Cisco 'virtual' IP phone to work.

    6. Tridac

      Re: Good idea anyways

      If they phone home, they can also download code to probe the network they are connected to. Initial firmware may be innocent and verifyable by agencies, but dynamic update capability can never be completely covered. Same with router or any other network based kit. Only way to be sure is to ban all kit from suspect countries...

    7. ian 28

      Re: Good idea anyways

      I’d agree with most of that. The software is terrible and obviously ran through a translation service but Hikvision is certainly not cheap. It’s amongst the most expensive kit out there.

    8. Stuart Castle Silver badge

      Re: Good idea anyways

      Ideally any CCTV camera should be on a private network. If they need access to the internet, it should be through a server that is well protected against attacks.. That said, I do realise that if custom software is required on the server, it's also probably written the cheapest way possible, and therefore likely full of security holes.

  2. steamnut

    At what cost?

    I am sure that you will hard to find a video camera that does not contain Chinese logic in it.

    Even if you make a camera from scratch using, say, a Raspberry Pi, the processor and network chips are of Chinese origin.

    We sleep walked into this situation and it will be costly to get out of it.

    1. Yet Another Anonymous coward Silver badge

      Re: At what cost?

      >the processor and network chips are of Chinese origin.

      Probably also want to stay away from Sony imaging chips. Remember Pearl Harbour !

      1. Neil Barnes Silver badge
        Coat

        Re: At what cost?

        Oooh, now I'm starting to worry about those 74HC00s I just bought from LCSC!

      2. steviebuk Silver badge

        Re: At what cost?

        That's a Wumao thing to say.

    2. Lil Endian
      Unhappy

      Re: At what cost?

      The option is simple! Use equipment designed and manufactured in the UK. There are loads of bleeding edge tech firms: we're a market leader!

      Oh. Wait. I seem to have misplaced my flux capacitor.

    3. Vista

      Re: At what cost?

      It's not that hard to find network cameras that aren't Chinese, Axis (Swedish) and Hanwha Techwin (formally Samsung) come to mind and they make their cameras outside of China and in fact Axis (not sure about Hanwha) make their design their own SOCs for their cameras.

      1. ChrisC Silver badge

        Re: At what cost?

        Having just done a quick search for those two manufacturers, and compared the prices of their cameras to the equivalents from the likes of Hikvision, it's not hard to understand why the latter suppliers get all the business...

      2. Anonymous Coward
        Anonymous Coward

        Re: At what cost?

        Mobotix cams are made in Germany. Good cams those.

        To ChrisC - yes, the Chinese cameras are cheaper and image quality is good on them as well.

        I find Axis software to be quite polished (vs others) and the whole system well documented. Axis reacts to security alerts and pushes firmware updates for security (and bugfix) reasons for several years. Hik, Dahua and other Chinese companies less so.

        1. localzuk

          Re: At what cost?

          Mobotix cameras are nice indeed, but when you can get multiple Hikvision cameras for the same price as a single Mobotix camera, you know which one companies will choose generally.

    4. DrXym

      Re: At what cost?

      Yes hardware could be hacked too but I suspect for these cameras the real issues are a) insecure firmware, b) back doors, c) camera calling services / addresses in China.

      So if the camera calls home for any reason then it probably passes through Chinese government routers which could flag interesting IP addresses and from that, the manufacturer could be pressured to give up any backdoors or exploits that can take it over. From that they could steal wifi credentials, get into the network remotely or a drive by, watch the feed remotely and so on.

  3. Anonymous Coward
    Anonymous Coward

    Meanwhile…

    …everyone will be carrying an android or apple device into those same "sensitive" areas. :o)

    PS: coaxial cameras are still a thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Meanwhile…

      What like your Chinese made iPhone with Siri activated, perhaps tracking you with your Chinese made AirTag.

    2. cyberdemon Silver badge
      Thumb Up

      PS: coaxial cameras are still a thing.

      Yes actually! HD-SDI CCTV cameras are amazing, I don't know why so few companies sell them!

      You have zero latency, zero compression artefacts (until you compress the video yourself, on your own server that is), and the full resolution of an IP camera.. No crappy ONVIF "non-specification" mess to deal with. Standard RS-485 for PTZ, etc. And of course, no worry about security implications!

      What else could you want from a camera?

      1. I could be a dog really Silver badge

        Re: PS: coaxial cameras are still a thing.

        HD-SDI CCTV cameras are amazing, I don't know why so few companies sell them!

        Having just had a very quick look, I imagine because few companies perceive there to be a big enough market to make it worthwhile. Given the price tag, I suspect it is a fairly niche market compared to budget IP cameras from the likes of Hikvision.

      2. an.other_tech

        Re: PS: coaxial cameras are still a thing.

        Thermal and X-ray !

        Thermal really pricey and X-ray, well, you know ;)

    3. John Brown (no body) Silver badge

      Re: Meanwhile…

      "…everyone will be carrying an android or apple device into those same "sensitive" areas."

      If it's truly sensitive, no, they won't. Everything with a camera or storage is placed in a lockbox at the entry point. Anything inside the sensitive area with storage is not taken out again in form where the data could be read.

      1. xyz Silver badge

        Re: Meanwhile…

        True... Nothing passes by the entry point. The difficulty comes when x number of people all congregate at the same point every day with their phones blabbing before they are locked away. Doesn't take much work to track back to find out who they are, what sort of work they do, what their weak point are etc and so you get a very good idea of what said sensitive site does and how to get in there. As others have said... Air gap, faraday cages etc but that only goes so far. The best defence is to buy 20 times the cameras you need and point most of them at stupid things to create "noise". Or the old favourite, go into a random shop, buy random cameras and pay cash.

  4. Paul Crawford Silver badge

    Even before the question of ripping them out, WTF are cameras in 'sensitive' areas doing if they have any external access allowed to the Internet?

    1. Phil O'Sophical Silver badge
      Coat

      Recording cabinet ministers snogging their mistresses?

      1. wolfetone Silver badge

        All he did was fall in love!

        With his friend's PPE.

  5. Anonymous Coward Silver badge
    Holmes

    Doing it wrong

    If your CCTV can access the internet, the game is lost already.

    No, there are no excuses or mitigations.

    That just leaves proximity based attack vectors - if they're vulnerable to certain RF interference or similar, that can be mitigated with a metal box. If you're concerned that they might be able to scan a QR code and exfiltrate data by flashing the IR illuminator, just make sure that there's no sensitive data they can acquire in the first place (that isn't equally available if you're that close with line-of-sight to the camera anyway).

    1. Dave 126 Silver badge

      Re: Doing it wrong

      If your CCTV camera is attached to the internet it isn't a Closed Circuit Television Camera anymore, by definition.

      1. ThatOne Silver badge
        Unhappy

        Re: Doing it wrong

        But in a time even your fridge or washing machine needs to be connected to the manufacturer's servers, it's hard to find kit which accepts to work all on its solitary own on a air-gaped network.

      2. Anonymous Coward
        Anonymous Coward

        Re: Doing it wrong

        > If your CCTV camera is attached to the internet it isn't a Closed Circuit Television Camera anymore, by definition.

        Yes it is. Only people on the internet can access it. :o)

    2. James R Grinter

      Re: Doing it wrong

      If we want to spit-ball possible risks, perhaps you aren’t trying to exfiltrate data, but infiltrate the physical location? What if you could flash a QR code that made the camera keep transmitting an old image, or just go off line for a bit, or something else carefully planned.

      Don’t even need to have the camera on the Internet to ensure that regular software updates are applied, any of which could introduce new features, because your organisation security policy undoubtedly requires you to keep software up to date. Especially if they fix disclosed vulnerabilities.

  6. elregidente

    State surveillance via private video cameras

    Does this not then mean, as seems obviously to be the case, that any video camera installed in a country, privately or publicly, can be used by the Government of that country, with or without the knowledge of its owner?

    In fact, I would say every Government these days and many for a long time has tapped into the main network exchanges in its own country; the video streams from most cameras are unencrypted, and can be monitored on the fly just by watching the packets go by, and it has been so for at least a decade, probably two.

    1. Anonymous Coward
      Anonymous Coward

      Re: State surveillance via private video cameras

      Yes, this was all openly revealed and more-or-less admitted to publicly about 10-15 years ago.

      Then everyone forgot about it and continued freely sharing endless personal information.

  7. RussellX

    Wrap security around insecure components

    Whilst the inevitable march towards tight cloud-integration may present problems for some systems, there should never be a complete reliance on any individual vendor or component to maintain overall security... it is all about the architecture.

    For Hikvision NVR appliances, you do not need to use the Hik-Connect cloud service: you can just stick the NVR into an isolated subnet, with filtered / blocked access to the Internet or the rest of the internal network and use your own VPN to remotely connect to it.

    I do appreciate that for the average home or small business, they will just connect these devices to a single network and rely on whatever cloud service is included to bypass NAT, so there is an argument for protecting less sophisticated users who just want to Plug & Play...

    But is it unrealistic of me to expect that for any government facility, especially sensitive ones, *any* brand of CCTV equipment would be deployed and integrated in a more secure and thoughtful manner?

    (Perhaps I don't want to know the answer.....!)

    1. Strahd Ivarius Silver badge
      Devil

      Re: Wrap security around insecure components

      It will be installed and configured either by the lowest bidder or by Capita, your choice

    2. ifekas

      Re: Wrap security around insecure components

      Yes indeed; we had an audit form sent by the Home Office for one of our sites, and yes we have mostly Hikvision cameras as they are good and cheap, but the Hikvision cameras are on their own subnet on an isolated network and just connect to a separate ethernet port on the Milestone XProtect DVRs... so I can't see how these would be able to 'phone home' if they wanted to!

      1. Anonymous Coward
        Anonymous Coward

        Re: Wrap security around insecure components

        your probably correct, the cameras on your network are unable to phone home due to your setup

        but have you checked to see if they are trying to do so?

        i put a cheapo poe camera on a subnet, but also turned on firewall logging. it was trying to make a lot of conections to ip addresses which didn't seem to resolve to anything i could find. so when that ip was blocked it started trying udp unicast and a few diff address.

        everything, every service i could find was turned off via the web front end, but still the traffic continues to be sent out. not that it gets anywhere.

        clearly we are not the only people who think these cameras are trying to get back to the mothership and present a security risk.

    3. nijam Silver badge

      Re: Wrap security around insecure components

      > ...for any government facility ... CCTV equipment would be deployed and integrated in a more secure and thoughtful manner?

      For any government facility ... CCTV equipment would be deployed and integrated by the incumbent outsourcing contractor.

  8. jollyboyspecial

    "But worries persist around the world that the mere presence of Chinese products creates the chance to map networks, which is very useful intelligence, or that workers at Chinese vendors could be members of the Communist Party. The potential for Chinese equipment to be crippled by faulty software updates or even bricked at Beijing's command is also a concern."

    Except that if the network in which the camera is installed is secure then those pesky commies wouldn't be able to connect to the cameras and the cameras would not be able to call home.

    OK so it's not ideal putting suspect kit on any important network, but it's far from ideal having supposedly secure network where stuff like that can communicate with anything and anybody in the outside world.

    I recall an old employer buying some devices (not cameras and not IIRC Chinese) that wouldn't install and configure without a connection to the internet. There was absolutely no reason for them to need internet access, but you couldn't configure them without that access. The vendor tried to argue that the devices only needed to call home once to access the licence server, but I wasn't convinced so I tried one on a DIA test line and configured it. As soon as I moved it back to the sandbox network for testing it ceased to function. The vendor then told me that the device needed to call home to the licence server at every boot. Needless to say the devices went back to the vendor with only one box opened.

    I can sort of understand why a device may need to check in with a licence server if there were different levels of functionality in software that needed verification, but these didn't have any functionality like that. And firmware could (according to the documentation) be updraded from a local TFTP server so I don't see why any connectivity out to the internet was needed.

    1. ThatOne Silver badge

      > if the network in which the camera is installed is secure

      But how will the big boss be able to check on his flock from his golf club managerial retreat seminary, using his iPhone and the local WiFi?...

  9. Anonymous Coward
    Anonymous Coward

    Where did it all go wrong ?

    There must be a source of cheap cameras that can be source from somewhere within the Commonwealth of Nations ?

    Surely it is as simple as shoving a raspberry pi in a box, and bish bash bosh, job done.

    1. Anonymous Coward
      Anonymous Coward

      Re: Where did it all go wrong ?

      Why not start up a company?

  10. Eponymous Bastard

    From a few years ago . . .

    this post springs to mind

    http://www.theregister.co.uk/2006/09/01/video_hams/

  11. Number6

    Firewalls

    I have a bunch of stuff on my network that is blocked from talking to the outside world and is set up to talk to a local server. I know that can be circumvented by various means, but it adds an extra layer for someone to get through.

    When it comes to routers and other stuff, I tend to buy equipment that will work with OpenWRT and replace the on-board software with that. Perhaps a half-way house for those who are concerned but not ultra-secure, is for an open-source camera software effort along the same lines, where we could still buy the decent hardware and reprogram it. Always assuming the hole isn't in the bootloader, of course.

  12. ColonelClaw

    Devil's Advocate

    Putting aside politics, what do people here think are the chances that Chinese-made CCTV cameras have a built-in government-mandated backdoor? I'm asking from a purely technical point of view.

    Personally I think it's obviously possible, but I suspect keeping it from being discovered would be extremely hard. Given enough time, I feel it would be found, sooner or later. And then there's the human point of view i.e. you have to keep everyone involved sworn to silence for the rest of their lives. It's a tough ask.

    As for exploiting the security of the absolutly shite software they tend to ship with (I have plenty of painful experience as an end-user here), I would say that would be by far the easiest attack vector for any government to exploit. So why bother with a backdoor at all? If it was discovered the ramifications would be enourmous.

    1. Anonymous Coward
      Anonymous Coward

      Re: Devil's Advocate

      "Putting aside politics, what do people here think are the chances that Chinese-made CCTV cameras have a built-in government-mandated backdoor? I'm asking from a purely technical point of view."

      It's certainly possible, although Huawei and the UK Government ran (I don't know if it still exists) a site called "The Cell" which looked for any such backdoors (albeit not in cameras I don't think) and nothing was found.

      "Personally I think it's obviously possible, but I suspect keeping it from being discovered would be extremely hard. Given enough time, I feel it would be found, sooner or later. And then there's the human point of view i.e. you have to keep everyone involved sworn to silence for the rest of their lives. It's a tough ask."

      Not at all - the people that developed and know the backdoors just meet mysterious ends - Dr Kelly in the UK is an example re. the non existing WMD in Iraq ;)

      "As for exploiting the security of the absolutly shite software they tend to ship with (I have plenty of painful experience as an end-user here), I would say that would be by far the easiest attack vector for any government to exploit. So why bother with a backdoor at all? If it was discovered the ramifications would be enourmous."

      In my view it's all propaganda to ensure China doesn't surpass the US militarily or financially.

      1. Paul Crawford Silver badge

        Re: Devil's Advocate

        In the case of Huawei the UK gov / GCHQ did not find any back doors, but they did fine plenty of piss-poor software process control and general bugginess. Nothing terribly surprising there, and indeed the likes of Cisco, Fortinet, SonicWall, etc, have plenty of critical CVE related to their products to suggest they are not much better.

        Beyond the issue of deliberate back-doors to specific product, many devices now phone home and can do firmware updates "for security reasons" on their own. If you control the company that controls that process you can simply find products on a given IP range and push our special versions of the firmware to them. And that is the fancy way, simpler is world+dog using your cloud service that is available to your government of choice (not just China, but also USA Cloud Act).

        Trust nobody really, keep crap off the outside world with your chosen combination of VLAN and firewall rules, etc. Not only for government spying but for other industrial espionage and general criminal hacking for fun or profit.

    2. an.other_tech

      Re: Devil's Advocate

      Methinks that's perhaps why they've brought this in ?

      There is more than enough public reports of backdoors to prove it happened.

      For the secure sites, thats going to be a bit of a pain in the rectum for sure.

      The irony is that Closed Circuit Television isn't closed anymore, we want to watch our remote sites, or desks from elsewhere. And for added security, upload any data to 'the cloud' which for some of the lower budget stuff is definitely Chinese controlled.

      It used to be camera to monitor, then recorders came in, video tape, then optical disk, then magnetic disk, now solid state storage.

      And along the way, Cloud storage.

      When you see an extra IC on a board and it serves no logical purpose, it was that point you asked, why.

      1. Peter Gathercole Silver badge

        Re: Devil's Advocate

        Inserting an extra IC on a system is so old school.

        Nowadays, they'll just assign a region of silicon on their SoC for the extra hardware, or even worse, just do it in firmware. For these cameras, spotting more than one IC may well be problematic.

  13. Anonymous Coward
    Anonymous Coward

    I forrsee it'll only be a short time before ...

    all humans of Chinese genetic make up (but UK and US born) will be housed in camps for their own safety and security ... I mean - historically there's certainy precedence for this (the US did this to Japanese individuals during WW2 - so what's a little pre-emptive security?)

    I wonder how much longer the US and the UK can bang on about security before people see it for what it truly is - stopping China from surpassing the US in terms of economic "power" - although again - to be fair - they managed to invade and destroy an entire country (Iraq) on the grounds of non existent WMD, and faced absolutely no censure for this, so again - there's grounds for this too.

    I'm not standing up for China - I'm sure the Chinese are spying - but i KNOW the US and UK are spying too ;)

    1. Jason Bloomberg Silver badge

      Re: I forrsee it'll only be a short time before ...

      I wonder how much longer the US and the UK can bang on about security before people see it for what it truly is - stopping China from surpassing the US in terms of economic "power"

      Quite some time I imagine as most people will accept whatever propaganda gets fed to them by those running the witch-hunt, the media who support them, and the echo chamber they get their fake news from.

      There are plenty of people who aren't gullible sheeple but it never fails to amaze me how many are. I don't see that changing any time soon.

  14. Anonymous Coward
    Anonymous Coward

    Is China Snooping?

    Probably......yes.......I'm sure China is snooping. But the recent hack attempts here locally look like this:

    141.98.83.134 Unknown

    185.156.72.34 Ukraine

    185.196.220.28 Netherlands

    193.32.164.16 UK

    194.26.229.211 Russia

    194.26.29.113 Russia

    45.227.254.19 Belize

    45.227.254.54 Belize

    5.181.86.88 Seychelles

    77.83.36.32 Seychelles

    89.248.165.198 Seychelles

    89.248.165.50 Seychelles

    91.213.50.81 Russia

    Funny that......an unknown UK IP address attempting to hack a UK citizen!!!

    Maybe we've got more to worry about than China!!!

    1. Kevin McMurtrie Silver badge

      Re: Is China Snooping?

      RIPE says 193.32.164.0/24 is in Indonesia, with a London address, and specific a Yandex contact shared with some Russian networks. I'm gonna go with "fake RIPE record."

    2. Anonymous Coward
      Anonymous Coward

      Re: Is China Snooping?

      How do you get an IP address with an unknown physical location

      1. Peter Gathercole Silver badge

        Re: Is China Snooping?

        You've been watching too much NCIS and other US crime dramas that assert that IP addresses have corresponding physical addresses.

        Back in the day, you used to be able to work out at least what country just by the IP address, and probably which organisation ran it by chasing back through the IP block registrations with the Regional Internet Registrars (as the poster a few points above has done). But since IPv4 addresses have been scarce, and pooled address blocks are dynamically assigned by Internet Service Providers, this is no longer so easy, and relies on the text description registered for a block if addresses to be correct. Plus you have mobile devices muddying the water.

        If something like traceroute is enabled, you may be able to probe the routers to try to work out where traffic is going or coming from, but you really cannot work out exactly where the system owning a particular address actually physically sits.

        From where I am at the moment, I could (if I could be bothered) direct traffic through a network running on private international infrastructure, using a non-routable network space, and have it cross to the Internet proper at a number of places around the world.

        Nowadays, if you see an address as the source of a stream of network packets, you can probably tell where it touches a private network or TOR, but from that point it could go anywhere (note that security agencies infiltrating TOR either can monitor traffic from multiple TOR endpoints, or have managed to get a system they control into TOR.)

  15. Anonymous Coward
    Anonymous Coward

    I completely wrap our cameras in tin foil

    Cover the lens

    Disconnect the power

    Remove the battery

    Never had a Chinese web incursion yet!

  16. an.other_tech

    Having dived head long into CCTV for both work and fun (yes, it's true), the image quality to cost impact is unbeatable.

    However, as previously pointed out by many other commenters, the security (for us, not China), doesn't exist.

    All the software and apps have massive 'phone home and share the audio and video' holes, so much so that on some of the apps, you can see somewhere in China, likely Shenzhen, a nice bland factory, but you can move the camera view !

    So when my 360 camera cost, and please sit down for this gem, £3.66 Inc VAT and Amazon delivery, was powered by usb and had IR and a white light option. I bought 2, just to take one apart.

    It still works !

    And going up to the £75 per camera bracket, was full colour night vision, using a superb fixed lens, was 5mp res, and had line crossing and if used with the right NVR, number plate recognition ! That was Hikvision.

    We can't compete, on any level, so I have no idea, when pretty much all the boards and units are China made, that it makes any difference which name is on the outside.

    Maybe the UK government would like to start our own CCTV and electronics factory, just so they can guarantee what goes on their sites, and not rely on sub-contracts.

  17. Anonymous Coward
    Anonymous Coward

    In some ways this is just formalising actions that have already been driven by the NIC on more critical areas.

    I have commented before about the presence of videoconferencing equipment in our then-new cyber security control centres; that attempted to phone home to China. Obviously, pulled and disposed of.

    The trouble is where do you get a trusted device from. Ahh, yes, there isn't one. Laptop? Nope. Printer? Hell nope. Camera? A cursory look at Shodan reveals all...

  18. Anonymous Coward
    Anonymous Coward

    Be afraid, very afraid

    "Oliver Dowden ... the second-most senior minister in cabinet behind the PM."

    This is too scary for words.

    1. sgp

      Re: Be afraid, very afraid

      "Chancellor of the Duchy of Lancaster" is an official title, apparently.

  19. PhilipN Silver badge

    Sensitive sites

    Can't wait to find out which ones.

    Idle curiosity of course.

  20. Anonymous Coward
    Anonymous Coward

    Spying on monitoring PC's too

    Well, we have a Hikvision system and it insists you install an addon that needs admin permissions to install and run (not so secure!), without this you can't see the video footage, then it runs at logon every boot and demands admin creds to run. So basically they potentially have access to whatever your local admin account has access too, all the time, very scary.

  21. Col_Panek

    Internet connected picture frame

    ... that my wife got as a present, goes to a server somewhere to get photos people email to her. A search turned up a white hat on Reddit who was a little suspicious when one was gifted to a government official for his desk. I await his analysis.

    But i think the eyes in the picture follow you around the room.

  22. Libertarian Voice

    Boot on the other foot

    It is fine for the authorities to spy on us then, but not so nice when someone might be spying on them. Well guess what authoritarians of all shapes and sizes: "IF YOU HAVE NOTHING TO HIDE THEN YOU HAVE NOTHING TO FEAR".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like