Kyiv’s $16 million video surveillance system uses Hikvision cameras banned in the US and Europe

There are thousands of CCTV cameras in Kyiv, used for various tasks – from vehicle number-plate recognition and face recognition to safety surveillance in schools and kindergartens. Often, both hardware and software are supplied by the same Chinese manufacturer, Hikvision. This brand has raised many questions abroad and is on the US sanctions list. AIN.UA’s editor explains what the problem is.

What is used in Kyiv

Video surveillance has been working in Kyiv for many years. The main project for the installation of cameras and other monitoring equipment in Kyiv is called “Bezpechne Misto” (“The Safe City”) and works as part of the Kyiv Smart City initiative. Back in 2017, the Kyiv authorities claimed that the CCTV system had proved effective; then, there were about 4,000 cameras working in the city. At that time, the mayor Vitali Klitschko, in a speech broadcast by the Newsone channel, mentioned an incident when a child was kidnapped from a kindergarten but later found with the help of CCTV records and brought back home.

In 2020, the number of cameras in the city’s surveillance system was about 2,000. According to official figures, this system has helped reduce the number of crimes in the city: the crime situation has improved by 37%.

What are the thousands of cameras for? They watch leisure areas, parks and streets, monitor road traffic, look after schools and kindergartens, recognize people’s faces. Last year, there was even a move in the Kyiv City State Administration (KCSA) to buy cameras that would measure people’s temperature in the crowd in order to fight the coronavirus (the tender for the purchase of the equipment was later canceled due to its technical flaws and the uproar about the unnecessary spending of public funds). According to Liga.Tech citing Kyiv Smart City as its source, by the end of 2019, the city had spent nearly ₴450M to develop such a surveillance system.

Often, both the cameras and their software are supplied by the same Chinese manufacturer, Hikvision. This can be seen from the tenders for the purchase of CCTV equipment that the KCSA conducts through its subsidiary, “Informatika,” such as:

  • The tender for intelligent traffic cameras held in April 2021, which resulted in an agreement worth about ₴2.6M; procurement items: Hikvision iDS-TCD203-A IP cameras.
  • The 2019 launch of a new analytical module for the “Bezpechne Misto” system, which searches for criminals in the crowd: the camera images are collated with a database of offenders and when there is a match, the operator receives an alert signal. This module is part of the Unified Data Center complex, with the software and hardware developed by Hikvision.
  • The agreement worth ₴6.9M which provides for the purchase of Hikvision DS-2CD3686G2T face recognition cameras to be used for video surveillance in the Kyiv metro, etc.

According to Liga.Tech, most of the city’s cameras are of this brand. According to Hikvision representative Anatoly Storozhko, quoted by the online magazine, the advantage of this equipment is that data analytics is carried out on the device, so it is possible to send only metadata (the processing results) to the server. That saves time and server computing resources.

However, Hikvision’s solutions have security issues, which have been discussed for a long time.

Why there are problems with the Hikvision cameras

Hikvision is one of the leading manufacturers of video surveillance systems in the world. But Hikvision equipment has several peculiarities. First, it was prohibited in Europe and the US for its involvement in human rights abuses. Second, cybersecurity and video surveillance experts have repeatedly reported backdoors found in these cameras. Let’s analyze each of these peculiarities.

Human rights violations and sanctions

Hikvision is a supplier of equipment to Chinese “re-education camps” where Uyghurs are held. The European Parliament installed Hikvision cameras to measure temperatures in 2020. However, because of the situation in the camps, in April 2021 89.4% of MEPs voted to remove the equipment. Even before this vote, the media reported that thousands of employees of EU organizations were rejecting this equipment.

In 2020, the Council on Ethics for the Government Pension Fund Global, which invests oil and gas profits in various companies, recommended excluding Hangzhou Hikvision Digital Technology Co Ltd from applicants for the investment. The reason was that “the company is involved in serious human rights violations.”

The company is also under US sanctions. Since 2019, US government agencies have not been allowed to purchase or install this equipment. That also means that US businesses, including those in the IT and telecom industries, cannot work with it. For example, ONVIF, a company that develops standardized communication protocols for IP cameras, refused to certify the brand and suspended it from its work.

Security issues

Hikvision cameras have come to the attention of security specialists many times. For example, back in 2016, there were discussions on forums that the cameras have a backdoor that makes it possible to remotely gain full access to the device (admin access), and that it is better to disconnect the cameras from the Internet.

In 2017, the US Cybersecurity and Infrastructure Security Agency ICS-CERT confirmed that the cameras are indeed affected by a backdoor. Experts from this agency reported that the DS-2CD2xx2F-I Series, DS-2CD2xx2FWD Series, DS-2CD4xx5 Series, and other camera models have a vulnerability that allows remote access to the device without requiring special “hacking” skills. Even before this announcement, Hikvision cameras had been repeatedly featured in reports about security risks. The company responded to the ICS-CERT report by releasing an update to the camera software.
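An inventory check against the series named above, as an added example that is not part of the original article or of any vendor tooling. It assumes each "x" in a series name stands for one digit and that a series matches as a model-name prefix; the hostnames and the first three model strings are constructed sample data.

```python
import re

# Series named in the article's account of the 2017 ICS-CERT report.
# The article adds "and other camera models", so this list is not exhaustive.
ADVISORY_SERIES = ["DS-2CD2xx2F-I", "DS-2CD2xx2FWD", "DS-2CD4xx5"]


def series_to_regex(series):
    # Assumption: a lowercase "x" is a single-digit wildcard; everything
    # else is literal. The pattern is anchored at the start only, so
    # suffixes after the series name are accepted.
    parts = [r"\d" if ch == "x" else re.escape(ch) for ch in series]
    return re.compile("".join(parts), re.IGNORECASE)


PATTERNS = {s: series_to_regex(s) for s in ADVISORY_SERIES}


def match_series(model):
    """Return the advisory series a model string falls in, or None."""
    cleaned = re.sub(r"\s+", "", model)  # inventory exports vary in spacing
    for series, rx in PATTERNS.items():
        if rx.match(cleaned):
            return series
    return None


def audit(inventory):
    """Map host -> series for devices that need a firmware check.

    A match means the model is in a listed series. It says nothing about
    whether the vendor's update has been installed on that device.
    """
    flagged = {}
    for host, model in inventory:
        series = match_series(model)
        if series:
            flagged[host] = series
    return flagged


# Constructed inventory. The last two model names are the ones the
# article quotes from the Kyiv tenders; the rest are made-up samples.
SAMPLE_INVENTORY = [
    ("cam-01", "DS-2CD2032F-I"),
    ("cam-02", "ds-2cd2132fwd-is"),
    ("cam-03", "DS-2CD4025FWD"),
    ("cam-04", "iDS-TCD203-A"),
    ("cam-05", "DS-2CD3686G2T"),
]

if __name__ == "__main__":
    for host, series in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: in series {series}, verify firmware version")
```
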

However, the vulnerability problem remained. For example, in 2019, Lithuanian researcher Tomas Savenas wrote about a vulnerability in Hikvision devices that allows obtaining admin rights and passwords of all system users in plain text.

“I had a couple of requests to test local network security and I have seen vulnerable Hikvision cameras. An exploit is a publicly available and simple HTTP request. Full disclosure of this backdoor you can find here,” he writes.

Secur, which provides security systems, says that backdoors in Hikvision cameras have generally been shut down since 2017, but the sanctions (including the suspension of ONVIF membership) are still relevant. “Backdoors are periodically detected, they are closed, new ones are discovered, it’s an endless cycle,” the company says. It should be noted that Hikvision’s products are a higher priority for security professionals than those of other surveillance equipment vendors.

The main reason is that the company is viewed as an instrument of China’s geopolitical influence. It is believed that the company was created and is controlled by the Chinese state.

According to Bloomberg and other media, the company is 42% state-owned. The state-owned China Electronics Technology Group (CETC) controls its shares through its subsidiaries, the China Electronics Technology HIK Group Co., LTD (CETHIK) and CETC No. 52 Research Institute. At the same time, Hikvision positions itself as an independent company.

You can check the exposure of such cameras using a search engine that looks for vulnerable devices online: enter the brand name Hikvision and see how many devices are publicly reachable, along with their IP addresses. And knowing the IP address, an attacker can google the hacking algorithm.

As IPVM, a specialized American service that tests security cameras, told AIN.UA, the more expensive Hikvision cameras (with Ultra or Pro in the name) have advantages over other brands as a solution for urban surveillance: quality and relative reliability. But in terms of software, Hikvision is weaker than its competitors. “Their recorders and video recording management system do not have as many features and are not as easy to use in the city as Milestone or Genetec, which are used more often,” says IPVM.

As for the face recognition module mentioned in the article, IPVM has never tested the Hikvision software separately. But tests of cameras with face recognition features used in Kyiv showed that they do not work particularly well. As for potential links with China, the company says the following:

“We can’t confidently answer it without knowing what firmware version is used and how it is configured. If their cloud connection is turned on (Hik-Connect), there will be outgoing requests, but they are not always to China. In our testing (a couple of years old now), the requests went to US-based Amazon Web Services servers. It is worth mentioning, though, that once data reaches the cloud (AWS), we cannot see how it’s accessed, so it could be accessed from anywhere. So it isn’t impossible that data goes back to China, but we have not verified this,” the company says.

Comment of KCSA about the cameras

In its response to AIN.UA, KCSA said the following:

  • Because Hikvision equipment has been used since the launch of the video surveillance system and the data center’s cloud platform in Kyiv, subsequent specifications have required technical compatibility with it.
  • The video surveillance system in Kyiv has a comprehensive information protection system. The certificate of conformity for it is registered in the State Service for Special Communications No. 20798 and is valid until 2024.
  • In the city data center on Dehtiarivska Street, there is a system of information protection that meets the requirements of normative documents for technical protection of information and is certified by the certificate of the State Service for Special Communications No. 20979, which is valid until 2024.
  • Now, there are 6,705 cameras, including 224 specialized cameras for face recognition, in the video surveillance system of Kyiv.