The Danish intelligence agency PET (Politiets Efterretningstjeneste) has sent official notices to the Danish government recommending that it stop installing and using China's Hikvision and Dahua video surveillance systems, citing their cyber vulnerabilities and Chinese laws obliging Chinese companies to assist China's intelligence services.
In this article we review the details of the Danish intelligence report.
Denmark joins the UK and becomes the second European country to officially impose restrictions on Hikvision and Dahua. Previously, the British military issued official guidance recommending not to install Hikvision hardware and software.
What PET is and why it is important
The Danish Security and Intelligence Service or PET (Politiets Efterretningstjeneste) is the main agency that ensures the national security of Denmark and describes itself as a service that counters threats to freedom, democracy and security in Danish society. In its role as the national intelligence and security authority, PET is responsible for detecting, preventing, investigating and countering threats to freedom, democracy and security in Danish society. This applies to threats in Denmark as well as threats against Danish citizens and Danish interests abroad.
Ban of Hikvision and Dahua
In December 2021, PET sent a letter to the Danish National Police (Rigspolitiet) outlining its concerns about equipment from Hikvision, Dahua and other Chinese manufacturers.
This comes after Danish media raised concerns in August 2021 that the authorities in Aarhus (Denmark's second largest city) were using around 300 Hikvision cameras. In 2020, Danish media also reported that Hikvision and Dahua products are listed in public procurement catalogs and that the Danish Navy also uses Hikvision.
The letter advised the police not to use Chinese equipment and software, especially in areas of interest to PRC intelligence, such as public transportation and critical infrastructure.
With regard to systems connected to the Internet (“open”), PET notes that the China Intelligence Law of 2017 provides that Chinese companies, organizations and individuals, no matter where they are in the world, are obliged to assist and report to the Chinese intelligence services at the request of the authorities. Against this backdrop, PET recommends against the use of Chinese Internet-connected security systems, especially in areas that may be of interest to Chinese intelligence agencies. Such areas may include industrial espionage against private businesses, the security of senior government agencies, critical infrastructure, public transport, defense, security and Danish emergency preparedness.
The law referred to in the PET report states that Chinese companies "Shall support, assist and cooperate with national intelligence agencies" [Article 7, Intelligence Law, 2017 PRC].
Hikvision and Dahua
As one of the points in support of its recommendation, PET refers to two specific Hikvision vulnerabilities and unspecified Dahua vulnerabilities that can be used for malicious purposes.
PET has information about two specific vulnerabilities in specific cameras from Hikvision. Both are registered in the US National Vulnerability Database (NVD), as CVE-2017-7921 and CVE-2017-7923. In addition, PET is aware of other vulnerabilities in Chinese IP cameras, including Hikvision and Dahua cameras.
These vulnerabilities were detailed in 2017 in "Hikvision Backdoor Exploit" and "Hikvision Backdoor Confirmed". At the same time, Dahua was also found to have serious vulnerabilities. For example, Dahua recorders were hacked on a massive scale.
PET did not mention the more recent and also critical vulnerabilities of both companies from 2021: Hikvision's "highest-level critical vulnerability" and a Dahua vulnerability that allows its equipment to be used to build botnets.
Risks that were specified by PET include three factors
Factors to consider when using Hikvision and Dahua systems:
- Which systems are connected to the same network as Hikvision and Dahua systems. Hikvision and Dahua equipment connected to the network can be used as an entry point to other systems on the same network.
- How critical is the information about people who move in the area where these systems are installed.
- How critical is the information in these systems. Vulnerabilities in hardware can be used to steal, delete or change this information.
Possible new restrictions in Europe
In Europe, scrutiny of deployments of solutions from Hikvision, Dahua and other companies from the PRC is being strengthened. The Italian and Belgian media are also investigating their governments' use of Hikvision solutions. In the long term, this makes it likely that more European countries will impose restrictions or bans on the use of solutions from Hikvision, Dahua and other companies from the PRC, based on national and cyber security considerations.
- Previously, Hikvision encountered problems in Italy, where they lost a €65 million government contract.
- And in France, where all Hikvision equipment was dismantled in the building of the European Parliament.
Ban of Hikvision and Dahua Solutions in the US
In the US, the fight against Chinese security companies began much earlier.
- As far back as the Trump administration, the 2019 NDAA was drafted and enacted, banning Dahua and Hikvision, Huawei, ZTE (and their OEMs) from being used by the U.S. government, for U.S. government-funded contracts, and from “critical infrastructure” and "national security".
- In 2020, ONVIF began to suspend the membership of Dahua, Hikvision and Huawei in the organization. In 2021, it was officially announced that the products of these companies would lose access to ONVIF tools and would no longer receive ONVIF compliance confirmation.
- The Biden administration continued the work begun by Trump and made changes and expanded bans against companies from the PRC operating in the security and telecom industries.
- In November 2021, Biden signed the Safe Equipment Act, which requires the FCC to block new equipment approvals from Dahua, Hikvision, Huawei, ZTE, and Hytera "no later than 1 year," which could effectively mean a ban on imports of these vendors' equipment into the USA.