Canada orders Chinese CCTV biz Hikvision to quit the country ASAP Canada’s government has ordered Chinese CCTV systems vendor Hikvision to cease its local operations. Minister of Industry Mélanie Joly announced the order on Friday, when she said a national security review concluded the company’s ongoing operations “would be injurious to Canada’s national security.” Canada’s government will …
Why did Canada's government purchase a Chinese CCTV product in the first place ? Aren't there any Canadian ones available ? Oh, I know : budget concerns.
Well that's a winner now, isn't it ?
On top of which, it's CCTV. It's not supposed to communicate with anything but the computer of the security guard that is supposed to check it between coffee and donuts.
How can that be a national security risk ?
> high end professional ones like ... work fully offline, and on the prosumer side...
If we're talking about people who have turned to Hikvision, is it really sensible to compare against high-end or even prosumer kit?
"If we're talking about people who have turned to Hikvision, is it really sensible to compare against high-end or even prosumer kit?"
The BBC did a documentary not that long ago (in the past 1 or 2 years?) about how many UK central government department buildings and MOD buildings and (I think) even GCHQ's London office use Hikvision CCTV cameras and raised the issue of whether there were national security implications regarding this.
It does WAY more than that......
there is hidden functionality in the cameras, you just need the correct http or https end point
and don't even get me started about the ability to proxy & tunnel thru most firewalls.
Plus they have a new firmware, which is so frighting.... I actually rolled back my cameras...
Companies, institutions and consumers that use Chinese CCTV cameras are just begging to get burned. And they will.
Governments especially a rife with clueless civil servants who blindly purchase this cruft when they should know better. They'll claim that they're obliged to purchase the cheapest gear because the law says so. But they should know well that there are always escape clauses concerning national security.
"On top of which, it's CCTV. It's not supposed to communicate with anything but the computer of the security guard that is supposed to check it between coffee and donuts."
True. Though, since the cameras use Ethernet (PoE probably as well) the contractors installing it probably just hook it up to the existing LAN infrastructure. Perhaps the recording server is also connected to the internet and the the cameras not fire-walled appropriately. Bit of an overreaction since you want the "closed-circuit" part for your CCTV. Or have we learned nothing from the Mirai botnet?
"How can that be a national security risk ?"
The Hikvision network video cameras are/were so full of vulnerabilities that they are/were security risk to their owners irrespective of the jurisdiction.
We operated them on a single isolated, untrusted wired network containing only the cameras and the server capturing their video; So effectively a Closed Circuit TV system.
Having them on a shared internal network or on a wifi network probably displays more courage than wisdom. Generally advisable to keep this class of technology well away from anything else, I would have thought.
It's not supposed to communicate with anything but the computer of the security guard that is supposed to check it between coffee and donuts.. How can that be a national security risk ?
Maybe because:
a) it may try to communicate to other things that this computer
b) it has backdoors enabling another actor to watch the video from elsewhere
Which is why it isn't wired to anything other than the security guard's computer(s).
That is the case for every security camera system, whoever manufactured it - if you haven't bothered to just buy another Ethernet switch to keep your kit isolated then you should first get a black sharpie and cross out the word "security" on everything around you.
Many CCTV products from US and western brands are relabeled Hikvision. I bought a cheap bundle of CCTV cameras and NVR for my business about 10 years ago, don't remember the brand name. I heard about some sort of security issue with Hikvision that was said to affect dozens of brands and one of the ones listed was mine. Since I kept them on an isolated network with no internet connectivity I wasn't too concerned, but not everyone will do things like that - heck many don't even do minimum level stuff like changing default passwords.
If all Canada is doing is banning products sold under the name "Hikvision" they are changing nothing.
How difficult is it for someone to just package a Raspberry Pi and a Pi Camera into one enclosure and call it a product? Not very I'd say.
But governments have these silly procurement clauses that state that they may only buy from multi-billion dollar enterprises and since Western billion dollar conglomerates aren't interested in making this stuff only the Chinese can apply.
I have tried and it isn't very easy at all. As much as I love the Pi for all sorts of uses, it isn't a match for dedicated hardware in specific roles.
The Raspberry Pi camera is good for general media use, but isn't optimised for low light levels and low data rates for continuous transmission to recorders without transcoding, and doesn't have sound without additional hardware. Packaging it in waterproof case isn't easy, I've tried various cases with clear lids which went cloudy due to UV, eventually I switched to a dummy CCTV camera which just has enough room for a Pi Zero inside and the camera replacing the dummy lens. But don't leave it in the summer sun running motion detection and transcoding software as it will fry.
After a couple of years of experimenting with this I gave in and bought a Tapo C325WB, much better picture day and night, fully weather proof, better motion detection, local recording, and cost less than all the bits I'd bought for the Pi.
Okay, maybe I'm a little optimistic and you need to do a little more homework to get it right. Add another sensor and lens mount and choose a suitable lens.
I mean there's pretty sizeable market for this. Western governments are cueing up to buy locally made and designed cameras. Or you could strike a deal with a Chinese manufacturer and let them develop the hardware while you develop the firmware and cloud recording functionality.
The problem with all of these is a monolithic binary app (Sofia) that's running on top of the embedded Linux distro (usually on Huawei silicon - hisilicon)
Sofia isn't encrypted but it is large and amongst other failings seems to incorporate a bunch of GPL stuff within itself whilst not making source code available
A concerted effort to pull Hikvision and others through the GPL court process may pay dividends (as it did against Taiwanese manufacturers) but additionally a concerted reverse engineering project and replacement with an opensauce CCTV suite would deal with most of the issues
Having dealt extensively with Chinese makers, the problem isn't usually spyware as much as poor programming(*) and making the same errors western developers made 20 years ago, because they're determined to be "independent", which includes not referring to past code
(*) Including programmers paid "by the yard" and a general 1990s Microsoft approach to coding - "slap on a bandaid and carry on"
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
