The BBC recently ran a documentary reporting supposed security flaws in CCTV cameras from certain manufacturers and how these could lead to overseas governments accessing information. Here’s how the story went down.
The CCTV sector came under the spotlight at the end of June with an edition of Panorama on BBC One entitled “Is China watching you?”. The programme addressed concerns with recent activities of the Chinese government and covered, amongst other things, spy satellites disguised as weather balloons.
One of the main topics of the programme was CCTV cameras. The show was publicised in advance with the line: “Chinese-made surveillance cameras are used across the UK. Panorama has investigated security flaws involving the two top brands. How vulnerable are they and what does it mean for our security?” It sounded like it could be a “must watch” for those in the security industry, but unfortunately it was more of a “feel free to miss it”, as it featured only one side of the debate and brushed off the responses of the accused manufacturers as mere inevitable “they would say that, wouldn’t they” soundbites.
Given the success of Chinese brands Hikvision and Dahua in the UK market, there are a lot of them about, but the programme sought to show how vulnerable the cameras are to attack with the help of the US-based website IPVM, and then to link the ease of the “backdoor” access to the theory that the Chinese government could therefore jump onto any IP camera to gather information, visual and audible, for its own nefarious benefit. Notably, the programme chose not to apply the same test conditions to cameras from any other manufacturer.
What’s more, the programme also included the opinion of privacy campaigning organisation Big Brother Watch, with no counter argument offered at all.
An alternative view of the documentary did come ahead of it being shown in an email sent out by Justin Hollis of Hikvision. Included in the message was the revelation: “The BBC will broadcast a ‘hack’ of a six-year-old Hikvision camera to exploit a vulnerability that was identified in 2017, but was patched and publicly disclosed less than one week after it was brought to the company’s attention. To claim that this stunt has uncovered a security breach or an intentional backdoor in June 2023 is farcical. It sensationalises a problem that was already fixed to universally recognised CVE standards. Furthermore, this test has not been conducted on a typical network, but rather an unsecured one. This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC have run.”
Justin went on to conclude: “The BBC has been misled by IPVM and will now, in turn, mislead others.”
Surely this wouldn’t be the case, would it?
After the broadcast there was quite a kerfuffle on social media about the testing procedure and the comments of those interviewed for the show. For example, Prof Fraser Sampson, the UK’s surveillance camera commissioner, who in the past has described Hikvision as “digital asbestos”, didn’t get the applause he was expecting on his LinkedIn feed announcing his participation. He said: “I’m interviewed on tonight’s BBC Panorama ‘Is China Watching You?’, which looks at how easy it is to hack Chinese-made surveillance cameras, and what the security implications are.” To which the replies included:
Delwyn Goodchild: “Wow. I can’t believe you have put your name to the utterly shameful Biased Broadcasting Corporation’s scaremongering drivel.”
Paul Mountney: “I love that the first person to blame in a network flaw is the manufacturer of the end device… Let’s forget about how the manufacturer works tirelessly to implement firmware updates to fix certain flaws, and even more so let’s forget about the network infrastructure and firewall, which is the responsibility of that manufacturer how?”
Dean Field: “I find it abhorrent that someone with your ‘experience’ has even put your name to this tosh from the BBC. Absolute drivel.”
Aiden Wroe: “Tested on a network without a Firewall. Fair test then?”
Thom Bell: “Maybe I missed something, or you can provide some insight, but how would anyone consider hacking a camera on an unsecured network be an adequate test…? That’s like putting a Ford Fiesta (other brands are available) on a random council estate and saying ‘the security on a Ford Fiesta is utterly useless, just look how long it takes to steal it’ putting a brick through the window and disappearing with it…”
Max A: “Microsoft releases security updates fortnightly. Should we ban Microsoft for releasing vulnerable products? Absolutely biased and political rubbish.”
Indeed, much of the fallout did concern the testing carried out by IPVM, which also supplied the unit that was installed in the BBC studio. Apparently, as pointed out by Justin Hollis, Panorama could not run the camera on a BBC network for security reasons, so it was put on a test network where there was no firewall. The BBC’s own description of the test said that the camera Panorama tested contained a vulnerability discovered in 2017 and that Hikvision released a firmware update to address it almost immediately after it was made aware of the issue. Yet the test was still presented as proof that the Chinese government are able to spy on the UK.
The “hackers” also carried out a second test, accessing Dahua’s cameras by infiltrating the software that controls them. The two test cameras were set up in IPVM’s headquarters, with no further information given as to the age of the cameras or the security on the system. Unsurprisingly, they soon found a vulnerability.
Further responses online to the testing procedure included these from BBC Panorama’s Twitter feed:
Steven Lynas: “There really needs to be a full disclosure here of what you’ve used to test, the communication you’ve ignored from the manufacturers and why on earth you feel using a camera from around 2017 with a flaw that was corrected a week after it was found, is relevant six years later.”
Alex Matthew: “Every single internet provider gives you a firewall as part of your internet package. It’s obvious that if you switch the protection measures off bad things happen. Like, let’s drive into a wall without wearing seatbelts and then act surprised that someone got hurt.”
Paul Martin: “What a load of rubbish. This documentary is pure scaremongery. The so-called vulnerabilities in these cameras can be managed by good IT security practices.”
Adam Downey: “So the PC was compromised giving away access to ANY device on his network not just a Chinese product.”
It is important to state that PSI does not have a horse in this race. It is not our role to take one side or another when it comes to politics, but we recognise that it is important to call out when the security sector and its services are misrepresented, deliberately or not, especially on prime-time TV. Do not take this article as us endorsing anyone involved; we are simply pointing out the weaknesses of the documentary and the subsequent reactions of the industry to it. In fact, just in case you think we are in the pocket of any particular manufacturer, check out the number of NDAA articles we’ve carried. We cover all angles – unlike some…
It is a shame that the BBC, and let’s be honest so much of the mainstream media, puts out documentaries that only offer one side of an argument and uses responses from those under the microscope as throwaway comments right at the end of a long segment spent bashing them.
It’s not a case of whether or not you are concerned about the activities of overseas governments and big businesses (best get rid of your smartphone if you are), it is more about the way in which the programme drew damaging conclusions from flawed information.
Quite what the eventual fallout from the general public will be, we are yet to fully gather – you may have had some customers asking you about vulnerabilities, but hopefully it will not result in a question being raised over the viability of CCTV technology across the board, from any manufacturer. Clients may not have the inclination to discuss the flaws in the Panorama testing procedure, so you may instead need to provide assurance that, as part of the service you offer, you won’t leave it six years to perform a firmware upgrade or advise turning off a firewall.
Perhaps the only ones coming away from this project with a reduced level of trust will be the BBC…?