Chinese surveillance cameras dumped by American authorities over Beijing’s spying threat are still used by Lithuanian border guard service, police and migration departments, as well as in cars of state leaders, LRT Investigation Team has found.
Products by Hikvision and Dahua were blacklisted by the US for human rights violations, including being complicit in China’s repressions against Uighurs and other Muslim minorities.
Both companies take up 40 percent of the global video surveillance market and their technologies are used widely across Europe.
Read more: Lithuanian club signs deal with China company involved in Uighur repressions
“Many of these companies have known data security problems and known cyber security issues that they‘ve been slow to address,” according to Klon Kitchen from the conservative Heritage Foundation in the US. “[Second], there‘s the broader concern about how the Chinese government uses private companies as the extension of their surveillance state. And so the US government is completely rational in wanting to limit their exposure to what is essentially a Chinese espionage.”
Hikvision and Dahua cameras were used in American military bases and other secure institutions, he said, and the information gathered by the cameras ended up in servers in China where it could be accessed by Beijing.
With the ban, the US sought to prevent Chinese intelligence services from recording and identifying people working on the bases.
In 2017 and 2018, the Dignitary Protection Service (VAD) which protects Lithuania’s current and former leaders bought 16 and 14 cameras and surveillance equipment sets from Hikvision and Dahua, respectively.
The service used the equipment in less sensitive locations, said Paulius Nemira, deputy director at VAD, adding that the department guarantees information security.
However, in 2017 the US said that some 200 different models of Hikvision cameras had security flaws that could allow external actors, like China, to gain access.
Dahua also admitted last August that their cameras could allow external access to recorded audio, even if the owner had disabled the feature.
Read more: Chinese money connects Lithuania to Belarus' nuclear plant – LRT Investigation
Kitchen from The Heritage Foundation said Hikvision and Dahua were analysed by private and governmental security agencies in the US and in all cases, large-scale security issues were identified.
“Both US and Chinese-made cameras have vulnerabilities, but it’s better if they’re known by our allies, and not given up to totalitarian states,” said Mindaugas Ubartas from Infobalt, Lithuania’s association for information and communication technology industry.
Lithuanian police in 2018 bought 45 Dahua cameras for undisclosed use. The Public Security Service under the Interior Ministry has also bought Dahua cameras.
Meanwhile, the State Border Guard Service (VSAT) has procured Hikvision and Dahua cameras to monitor aviation, as well as perimeters and border fences.
“The cameras used by the service [...] are connected to the Interior Ministry by cables, and not via wi-fi,” said Giedrius Mišutis from VSAT, assuring that the information cannot be accessed remotely by hackers.
“Border fence surveillance systems have an additional firefall,” in addition to the firefall used by the Interior Ministry, he added. “Therefore, access to the video footage is protected.”
Lithuanian state-owned air navigation company, Oro Navigacija, uses several Dahua cameras to monitor air traffic over a Vilnius’ aerodrome.
Read more: China's soft power: Pro-Beijing screening in Vilnius attracts government figures and officials
The company's spokesperson has told LRT that the system is stand-alone and isn’t connected to any data processing or flight control network.
However, Ubartas from Infobalt insisted that even secure systems could be breached, pointing to the Wannacry ransomware attack that managed to hack even Microsoft systems that were considered safe.
“We have a problem with cyberliteracy,” he said. “So long as nothing happens, officers are not thinking about it.”
“If you have a potentially threatening device in your internal network, maybe the information cannot leave the network as long as it’s sealed internally. But who can say that a window can't be opened and useful information [taken],” he said.
LRT requested comments from Fima and ATEA companies in Lithuania that won contracts to supply video surveillance equipment to public institutions. Only Fima responded to the questions.
The company said that, over the last three to five years, it had sold several hundred Dahua and several dozen Hikvision cameras, which accounted for only a small part of the thousands of cameras supplied to various government agencies.
Read more: China's push for Lithuanian port poses risk to NATO
Fima representatives said they were aware that Hikvision and Dahua were blacklisted in the US, but Lithuania had no such policy.
“Fima puts forth proposals that meet the technical, functionality and security terms [of the tender] and do not run counter to Lithuanian laws,” the company said in a written statement. “We always seek to present the best offer for the smallest possible price.”
Laws did not close loopholes
Last spring, the Lithuanian parliament passed amendments to public tendering regulations, adding a clause on national security. Under the new rules, government institutions have the right to demand for secure equipment and also remove companies from tendering if their products are deemed unsafe.
However, there are no provisions on who decides if a product poses a threat, according to the acting director of the Public Procurement Office, Jovita Petkuvienė.
“The law leaves full responsibility to the procuring organisation,” said Petkuvienė.
For instance, the Lithuanian Migration Department bought 105 Hikvision cameras in December 2019 when the amendment had already been passed.
The department’s spokespeople said the Chinese cameras would be used in non-sensitive settings, and that their networks were protected from hacking. Therefore, there was no need to use the provisions in the law.
In a written response, the department also said they bought the equipment from a Lithuanian provider that “offered the lowest price”.
Read more: The rough face of China’s soft power in the Baltics – Investigation
During the bill’s consideration, the parliamentary committees on economy and audit found that institutions were not have expertise to judge whether the offered products posed a threat to national security. There are also no obvious and easy-to-use security criteria that could be used.
The Economy and Innovation Ministry told LRT that there was an existing procedure to judge security aspects during tendering. However, after reviewing the procedures, it remains unclear what concrete steps institutions can take to analyse the products they are offered.