Chinese Hikvision and Dahua surveillance cameras used by Lithuanian institutions and leaders are vulnerable to interception and some are connected to servers in Russia, the National Cyber Security Centre (NKSC) said on Wednesday.
In February, LRT revealed that Chinese surveillance cameras dumped by American authorities over Beijing’s spying threats were still used by the Lithuanian border guard service, police and migration departments, as well as in the cars of state leaders.
The National Cyber Security Centre, which is part of the Lithuanian Defence Ministry, launched an investigation following the report by LRT.
On Wednesday, the cybersecurity centre reported that Hikvision and Dahua cameras have 61 points of vulnerability, send data to Russian servers, can be remotely accessed by their manufacturers, and use lightly protected passwords.
“These cameras have remote controls. Passwords are sent via non-encoded channels, and the passwords themselves are encoded using weak and very old algorithms,” said Rytis Rainys, the head of the NKSC.
During the course of the investigation, passwords used on Hikvision and Dahua cameras were taken over and encoded, and then decoded for the cameras to be accessed remotely.
“With such [light] security level, one can intercept the passwords [...] from the communications traffic, decode and log onto cameras and do anything,” said Rainys.
Once the password is intercepted, the cameras can be switched on and off and their settings can be changed, he added.
The Chinese manufacturers also have unhindered access to the equipment for maintenance, which means they are able to freely log into the cameras, said Rainys.
Users are also directed via Chinese IP addresses to Russian servers for software updates, which may end up harvesting user data.
“We have also found that a mobile app, used to allow remote control from mobile phones, collects sensitive data about the user and the equipment,” said Rainys.
According to the NKSC, the surveillance cameras are used by 57 public sector institutions in Lithuania and 24 of them are connected to the internet.
The LRT Investigation Team found that 36 municipalities may be using the cameras, which covers 60 percent of Lithuania.
Adomas Bužinskas, deputy director of administration at Vilnius municipality, has confirmed that the cameras are also used in the Lithuanian capital.
According to the Lithuanian suppliers of Hikvision and Dahua equipment, low cost is usually a key factor in public tenders. Therefore, Chinese cameras are likely to continue winning public contracts.
The centre advised using firewalls and blocking internet access to the cameras. The software updates should also be made available to download from servers in the EU.
Rainys added that software downloads should be subject to additional checks, and said public tenders should call for the latest software updates – fixing the existing loopholes – to be pre-installed.
Both companies take up 40 percent of the global video surveillance market and their technologies are used widely across Europe.
Products of Hikvision and Dahua, however, have been blacklisted by the US for human rights violations, including being complicit in China’s repressions against Uighurs and other Muslim minorities.
No need to replace the cameras
Lithuanian Defence Minister Raimundas Karoblis said there was no evidence that the security loopholes had been exploited.
“Both possibilities and risks must be managed,” Karoblis told reporters on Wednesday, adding that the cybersecurity centre didn’t recommend replacing the cameras.