A Quiet Access Problem Hidden in Plain Sight
Poorly secured, internet-exposed
cameras running outdated firmware can provide the kind of quiet, persistent
access a state-backed actor needs for long-duration operations—especially
inside critical infrastructure.
A Hikvision Camera Inside a Defense Drone Program
A Chinese-made Hikvision CCTV
unit was found monitoring the control station of an indigenous Indian military
drone program.
The Real Issue Is Systemic Dependence
The camera was the symptom. The
disease was an ecosystem—engineered so dependency remains invisible until it is
too late to reverse.
What DRDO Showed in June 2023
In June 2023, DRDO’s official X
account posted photographs from the 200th flight demonstration of the
indigenous TAPAS medium-altitude long-endurance unmanned aerial vehicle at the
Aeronautical Test Range in Karnataka’s Chitradurga.
The Ground Control Station: The Nerve Center
The images showed the ground
control station—the nerve center where a tri-services team was introduced to
the UAV’s capabilities for the first time. Screens displayed flight telemetry
and surveillance feeds, with equipment racks lining the walls. Senior officers
in flight suits gathered around the consoles.
A Camera Watching the Screens
Mounted on the ceiling, aimed
directly at those displays, was a Hikvision CCTV camera.
Why Hikvision Matters
Hikvision is the world’s largest
video surveillance equipment manufacturer. It has partial Chinese state
ownership through the China Electronics Technology Group Corporation (CETC),
one of China’s major defense electronics conglomerates.
What the Camera Could—and Couldn’t—Do
The camera was likely
air-gapped, operating on a closed-circuit local recording system with no
internet or external network connection. In that setup, it cannot “phone home”
or transmit data to a remote server.
But Risk Doesn’t Depend on Internet Connectivity
Still, the vulnerability in
Hikvision products is not speculative.
The 2017 CISA Warning
In May 2017—six years before the
photograph—CISA issued an advisory about an improper authentication
vulnerability affecting several Hikvision camera series.
A Flaw That Could Grant Full Control
Rated 9.8/10 for severity, the
flaw could let a remote attacker bypass authentication entirely, escalate
privileges, and gain full administrative control—enabling live video viewing,
configuration access, credential extraction, and data downloads.
Exploitation Confirmed Years Later
In March 2026, CISA added this
issue to its Known Exploited Vulnerabilities catalog, confirming active
exploitation. Public offensive tooling has been documented using the weakness
to retrieve configurations, credentials, and video snapshots.
A Compromised Camera Can Enable Lateral Movement
A compromised camera can become
a launching pad into the broader network where it sits—turning “local
surveillance” into a pathway to deeper compromise.
“Launching Pad” Isn’t Just a Phrase
It is literal in real-world
campaigns.
Recorded Future’s Account of TAG-38
In April 2022, Recorded Future’s
Insikt Group published a threat analysis describing a campaign by a likely
Chinese state-sponsored actor it designated TAG-38. The group had targeted
Indian power grid infrastructure since at least September 2021, including at
least seven State Load Despatch Centres (SLDCs) in North India near the
India–China border in Ladakh.
Why SLDCs Are High-Value Targets
SLDCs manage real-time
electricity dispatch and grid control. They maintain access to SCADA systems.
These are not “soft” targets; they are operational nerve centers of India’s
power grid.
Command-and-Control Through Hijacked Cameras
What TAG-38 used for
command-and-control was striking: compromised internet-facing DVR and IP camera
devices. Many of these cameras were geolocated primarily in Taiwan and South
Korea—not India—and were used as relay nodes for ShadowPad malware deployed inside
victim networks.
Making Malicious Traffic Look Normal
After separate breaches placed
ShadowPad inside Indian networks, the malware needed covert communication with
its operators. Configured to talk to hijacked cameras, its traffic could
resemble benign connections to random surveillance devices in Seoul or Taipei—rather
than communications with a Chinese intelligence operation.
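A defender-side sketch of how the relay pattern described above could be hunted in flow logs (an added example, not taken from the article or from Recorded Future's report): it flags internal hosts that have no video-management role yet connect at regular intervals to external addresses fingerprinted as DVR or IP-camera devices. The camera fingerprint feed, host roles, flow records, function name and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# All values below are constructed for illustration (documentation IP ranges).
# External addresses fingerprinted as DVR/IP-camera devices (assumed feed).
CAMERA_IPS = {"203.0.113.10", "203.0.113.77"}
# Internal hosts with a legitimate reason to reach remote video devices.
VIDEO_MGMT_HOSTS = {"10.20.0.5"}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
FLOWS = [
    # Grid-control workstation calling a camera-class IP every ~5 minutes.
    (0, "10.10.1.15", "203.0.113.10", 443),
    (300, "10.10.1.15", "203.0.113.10", 443),
    (601, "10.10.1.15", "203.0.113.10", 443),
    (899, "10.10.1.15", "203.0.113.10", 443),
    (1200, "10.10.1.15", "203.0.113.10", 443),
    # Video-management server: allowed to talk to cameras.
    (0, "10.20.0.5", "203.0.113.77", 554),
    (60, "10.20.0.5", "203.0.113.77", 554),
    (120, "10.20.0.5", "203.0.113.77", 554),
    (180, "10.20.0.5", "203.0.113.77", 554),
    # Irregular, human-looking access to a camera-class IP.
    (10, "10.10.1.40", "203.0.113.77", 80),
    (50, "10.10.1.40", "203.0.113.77", 80),
    (4000, "10.10.1.40", "203.0.113.77", 80),
    (4100, "10.10.1.40", "203.0.113.77", 80),
    # Traffic to a destination that is not camera-class.
    (0, "10.10.1.30", "198.51.100.9", 443),
]

def find_camera_relay_suspects(flows, cameras, allowed, min_conns=4, max_jitter=0.2):
    """Map (src, dst) -> stats for unexpected hosts beaconing to camera-class IPs."""
    times = defaultdict(list)
    for ts, src, dst, _port in flows:
        if dst in cameras and src not in allowed:
            times[(src, dst)].append(ts)
    suspects = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: low means timer-driven.
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            suspects[pair] = {"connections": len(stamps), "mean_gap_s": avg}
    return suspects
```

The regularity threshold is a heuristic; the stronger signal is the role mismatch, since a grid-control host has no reason to contact a remote surveillance device at all.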
The Pattern Repeats
Poorly secured, internet-exposed
cameras running outdated firmware provided the quiet persistence such
operations require.
The Broader Implication: Cameras as Infrastructure
Even if not all cameras in those
cases were Chinese-made, the core problem remains the same: weakly
authenticated, outdated internet-connected surveillance hardware—exactly the
class dominated globally by Chinese CCTV manufacturers like Hikvision and Dahua.
The Risk Scales With Concentration
The vulnerability is
architectural: any insecure camera can be turned into attacker infrastructure.
But when the world’s largest vendors are state-linked and have a decade-long
trail of known issues, the overall risk compounds.
What’s Already Inside the Walls
Delhi’s Camera Footprint
Delhi alone has about 2.74 lakh
CCTV cameras installed by the Public Works Department since 2020. Of those,
about 1.4 lakh cameras were installed between 2020 and 2022, and the account
indicates every one of those units was sourced from Hikvision.
More Cameras Added Later
Another 1.34 lakh were added
between 2025 and 2026, though the government states these are now being
procured from compliant sources.
A Reference Point: Israel’s Tehran Camera Hacking
The risk is easier to understand
by looking at what has happened elsewhere. During the shadow conflict with
Iran, Israel reportedly hacked Tehran’s traffic camera network over several
years—at one point accessing feeds across the city to track the movements of
senior leadership, including Ali Khamenei. The footage was used to build
“pattern of life” profiles—routes, routines, and security behaviors—turning a
civilian camera grid into a powerful intelligence layer.
Delhi’s Replacements, But Not the End
Hikvision units in Delhi are
reportedly being removed. But Delhi may have been the most visible case—not the
only one.
Chinese Surveillance Hardware Embedded Nationwide
Hikvision and Dahua surveillance
systems are embedded across India’s critical infrastructure: railway stations,
airports, power plants, and port terminals. For years, these two vendors
dominated the market with cheap, feature-rich equipment available at scale—while
scrutiny of where data went, and what firmware did once online, was limited.
Cameras Are No Longer Just Cameras
A modern CCTV system is a
networked computing device. It runs firmware, processes video through onboard
SoCs, connects to cloud platforms for storage and remote access, and often runs
AI analytics like facial recognition, motion detection, and number-plate
reading.
“A Computer With a Lens”
Functionally, it’s a computer
with a lens. Like any computer, it is only as trustworthy as its code and chip
design.
The Supply-Chain Contradiction
CP Plus as the Market Leader
India’s CCTV market is led by CP
Plus, the flagship brand of Aditya Infotech, with roughly 21% market share.
When the company went public in July 2025—raising Rs 1,300 crore—it leaned on
“Make in India” and “national security,” citing the STQC certification
framework as a structural tailwind.
The Prospectus Tells Another Story
But the filings show a
complicated dependence: in FY25, around 24.7% of Aditya Infotech’s revenue
(roughly Rs 770 crore) came from products supplied by Dahua, the world’s
second-largest surveillance equipment maker. Historically, Aditya Infotech was
Dahua’s exclusive distributor in India.
A Security Brand With Chinese Revenue
In effect, a company positioning
itself as a pillar of indigenous security was deriving about a quarter of its
sales from a Chinese supplier.
Gradual Reduction, Not Immediate Exit
That dependence declined over
time—34% in FY22, 32% in FY23, 28% in FY24, and 25% in FY25—ending in practice
as STQC rules took effect.
Growth Supported by Chinese Supply
The trajectory suggests
something important: the leading Indian brand rose partly because it could
scale with Chinese hardware, while building distribution and brand recall.
Materials Still Flow Through a China-Adjacent Chain
Supply-chain dependence also
matters. A significant share of inputs comes via AIL Dixon (a joint venture
involving Dixon Technologies and Aditya Infotech), which accounts for about 52%
of materials consumed, with roughly 85% imported. Given China’s dominance in
surveillance components and electronics manufacturing, a meaningful portion of
inputs may come from Chinese or China-linked suppliers.
This Dependency Didn’t Happen by Accident
The Engineering Phase Begins
The penetration of Chinese
surveillance and IoT hardware into India—and globally—was not just free-market
competition. It was engineered. And the engineering has entered a new phase.
China’s 2026–2028 IoT Action Plan
In mid-March 2026, nine central
Chinese ministries jointly released a new action plan for China’s IoT industry
covering 2026–2028. It builds on directives dating back to 2009, when Beijing
designated IoT as a “strategic emerging industry” and a “commanding heights”
driver of industrial competition.
From Gadgets to Cyber-Physical Control
This plan defines IoT not as
consumer tech, but as a total cyber-physical environment—aimed at “ubiquitous
intelligent connections among people, machines, and things,” linking the
digital and physical worlds.