How Chinese Surveillance Cameras Penetrated Czech Critical Infrastructure

cross-posted from: https://lemmy.sdf.org/post/53891627

Archived

Cameras from Chinese state-owned companies are monitoring the entire Czech Republic. They can be found on the building of the General Staff of the Czech Army, at stations along the Czech railways, at the airport in Karlovy Vary, on Czech Post buildings, at regional police stations, on the buildings of the Ministries of Defense and the Interior, at the Supreme Court, and even in the courtrooms of the District Court in Teplice.

Investigace.cz also found cameras from Chinese brands Dahua and Hikvision in military weapons depots and on military bases, as well as on the building of the Prague headquarters of the National Cyber and Information Security Agency, which itself warned against the use of these cameras last August. In fact, according to Investigace.cz’s findings, numerous Czech institutions classified as critical infrastructure have continued to purchase Chinese cameras this year despite the cyber agency’s warnings.

[...]

Chinese Cameras Film Those who Warn Against Them

[...]

We found the same type of camera at a Czech Post branch in Prague’s Žižkov district, which also houses the Prague headquarters of the National Cyber and Information Security Agency (NÚKIB). Last August, NÚKIB issued a warning specifically against the use of Chinese network cameras, particularly those from Hikvision or Dahua.

“Their products are high-risk, particularly with regard to technical, political, legal, or ethical aspects,” NÚKIB states in its warning. According to their analysis, products from Chinese companies held a one-third share of the Czech public market between 2016 and 2023, amounting to more than 13 billion crowns.

“The deployment of Chinese network cameras poses a high risk, given the combination of their technical weaknesses with non-standard Chinese legislation, Beijing’s role in the companies’ ownership structures, their cooperation with security and party agencies, and China’s past activities against Czech interests and those of its allies. It is likely that some of the cameras have been compromised to some extent by Chinese authorities,” warns the cyber agency.

[...]

“NÚKIB is fully aware of the risks associated with Dahua technologies. However, the building is owned by the Czech Post. NÚKIB operates here solely as a tenant with no influence whatsoever on the selection, installation, or management of the external camera system. Security systems owned and operated in the premises used by NÚKIB do not contain similarly risky elements,” says agency spokesperson Jakub Neščivera in response to a question from Investigace.

The spokesperson added that NÚKIB has long planned to purchase its own building in Prague. “By its very nature, operating a security institution in a rented space imposes certain limitations that are not optimal for an agency of our type. At present, however, the Agency has no other alternative,” says Neščivera.

Czech Post, which is also part of the state’s critical infrastructure, did not respond to the editorial team’s inquiries by the time of publication.

[...]

Chinese Hikvision cameras are also found in the most sensitive and heavily guarded locations in the Czech Republic [...] Examples include military units in Hradiště and Olomouc. In March, the army ordered repairs to the camera system at the military training area in Hradiště. The published contract indicates that the Hikvision cameras (the contract specifies the model DS 2CD7347G0-XS) that needed repair are located in the Czech Armed Forces’ (AČR) and military police’s weapons depot.

A similar model (Hikvision DS-2DF8A442IXG-AE) also required repair last June. The contract also specifies its location: “Camera repair—detailed view of the vehicle fleet (fuel station).” The client was also the Military Training Area in Hradiště.

[...]

We also asked the army about the Hikvision cameras found on the General Staff building. According to the spokesperson, this was purchased based on a contract from 2019, when the bid with the lowest price won.

The cameras in question are reportedly only connected to the building’s security systems and do not have internet access. “This measure eliminates the possibility of data leaks. We are currently in the process of upgrading our physical security equipment, which includes replacing the Hikvision camera system,” the army spokesperson clarified.

[...]

According to ethical hacker and cybersecurity expert Martin Haller, however, one cannot simply equate being disconnected from the internet with camera security. In his view, it is necessary to regularly verify and enforce strict measures, including disconnection from the internet.

The reality he encounters when addressing cyber incidents, he says, often does not match the original specifications. “A system may be deployed correctly at the outset, but over the years, configuration changes occur, remote management is added, connections to surveillance systems are made, service access points are established, or links to other networks are created. The result can be that a system that was supposed to be isolated is, in fact, not isolated,” he explained.

“That’s why I wouldn’t say that a camera without a direct internet connection automatically poses no security risk,” adds Haller. Czech state institutions, however, use precisely this argument to justify their actions.

[...]

Most of the cameras reported on so far were purchased in the period before the cyber agency’s warning. Czech state institutions, however, did not stop purchasing them even after the warning. One example is the Czech police, which even today continues to purchase Hikvision or Dahua cameras for regional headquarters.

[...]

Uyghur Analytics, Missile Guidance in Ukraine

It is perhaps here worth mentioning the not-so-distant history of the Chinese brands with which various Czech authorities are cooperating. Cameras from Hikvision or Dahua are still used for mass surveillance of the Uyghur minority in China.

NÚKIB also mentions this in its warning: “Camera manufacturers such as Hikvision, Dahua, and Uniview offer so-called Uyghur analytics, through which the systems can racially/ethnically distinguish Uyghurs from other ethnic groups,” the cyber agency describes.

Rushan Abbas, chairwoman of the international organization Campaign for Uyghurs, also testified about this feature firsthand. In October 2023, she testified at a conference in the Czech Senate that “This year, Hikvision won a $6 million contract that explicitly requires their analytical software to identify Uyghurs. So they developed software specifically designed to identify the ethnic groups that are to be monitored and to suppress dissent.”

Another security risk involving Chinese cameras emerged in Ukraine. According to findings by investigative journalists from Radio Free Europe and the Hungarian website Átlátszó, Chinese cameras may have been used by the Russians to spy on Ukrainian cities or even to guide missiles toward them.

[...]

Hikvision and Dahua are subject to sanctions, and cooperation with them is prohibited in many Western countries.

[...]

However, no such ban currently exists in the European Union. In 2022, the European Parliament issued a resolution condemning brands including Hikvision and Dahua for their complicity in the genocide of the Uyghurs in Xinjiang Province.