How Xinjiang-linked Chinese surveillance equipment is ‘stealth-sold’ in Europe, dodging detection
An open-data probe into Dahua and Hikvision exposes how OEM sales tactics are on the rise amid growing ethical concerns over the business with surveillance firms linked to China’s human rights violations in Xinjiang.
In Europe, the US and Britain, it is becoming harder to determine whether surveillance equipment is connected to human rights violations in Xinjiang, where China’s surveillance and oppression of minorities is well documented.
By selling to third parties that place their own brand labels on the equipment, the manufacturers mask its real origin, and buyers end up supporting profits that foot the bill for more human rights violations.
It makes buying ethical surveillance equipment trickier for both private and public entities in the west, this news analysis finds.
Amid increasing concern among European and British policymakers over supporting these businesses’ profits, calls for a boycott have grown louder. Two Chinese surveillance firms increasingly resort to novel tactics to get around their bad reputation, selling their wares to western consumers and governments via third parties.
‘New brand, good PR, no problems’
Hikvision and Dahua are key suppliers to China’s surveillance state, says Conor Healy, an analyst at IPVM, an intelligence company covering surveillance equipment, who conducted in-depth research into OEMs linked to Dahua and Hikvision.
These are organizations that trained face recognition software to recognize Uyghur Muslim faces for the police and profit from the genocide in Xinjiang. The UK government should reflect on whether it is unethical to award them public business, he adds.
The practice is called Original Equipment Manufacturing (OEM) and is widespread in the sector.
How does OEM work? A local western company buys the surveillance camera equipment from Dahua or Hikvision and poses as the original manufacturer. In reality, the company just takes the products, puts its own label on the devices, often reuses the exact same software and manual, and removes any other traces that link the product back to the original makers in China.
Amid rising hesitance among governments and private buyers to opt for Hikvision and Dahua products, we might see a rise in OEM tactics that might eat into the direct sales by Dahua and Hikvision.
Research into OEM companies with a larger footprint in the UK confirms the involvement of three OEMs (LTS, Interlogix and Stanley 3x Logic), all alleged to covertly sell Hikvision’s surveillance equipment, according to IPVM. It bases its claims on research that disassembled the devices and found proof inside (though these aren't the only ones; IPVM cites a long list of other Hikvision OEMs).
I reached out to the three firms and inquired about whether they sold relabelled Hikvision cameras — and if so, whether they sold them via government contracts into the UK public sector. At the time of publication, none replied.
Spotting Dahua products among Honeywell’s camera product series is easy, explains Healy: “If they call it a ‘performance camera’, then it’s Dahua. They confirmed this to us, plus with a single Hikvision OEM as well”, he adds.
Failing to disclose links
An open-source intelligence (OSINT) analysis of Google search results across six confirmed OEMs with business in the UK finds that they largely fail to disclose links to Dahua and Hikvision. Five out of six OEMs didn't advertise the link on their website infrastructure.
There are almost never any markings or obvious disclosures, Healy says. Companies selling OEMs do whatever they can to keep this information secret, and often refuse to answer questions about the true manufacturing origins of their products, he adds.
“It isn’t easy to trace. Most users of these cameras are not able to determine on their own if they have a Hikvision or Dahua OEM. The only way to be certain is to take it apart”.
Selling more via OEMs makes business sense for the two Chinese surveillance equipment makers, and may help spread the risk should consumers boycott the brand or the government impose more formal trade sanctions.
Hikvision has a strong presence in the UK. Previous estimates put the number of Hikvision cameras in the UK at 1.2 million.
For Hikvision, one of the largest suppliers of video surveillance equipment for civilian and military purposes, Britain remains a key market, especially now that it faces growing pressure in the west and a competitive trade climate between China and the US. In its 2020 annual report, Hikvision states that it’s “establishing local factories in the United Kingdom, to support global product supply”.
According to 2019 reporting by The Intercept, the media picked up on Hikvision in the UK and the connection to Xinjiang, with some in the UK calling for an embargo on new purchases. Sales to public bodies didn’t stop.
In February, journalists at the Thomson Reuters Foundation reported that at least half of London’s boroughs purchased China-made surveillance systems linked to the abuse of Uyghurs.
Dahua’s involvement in Xinjiang’s re-education camps was documented by IPVM (below).
Human rights monitoring group Human Rights Watch called China’s behaviour in Xinjiang ‘crimes against humanity against Uyghurs and other Turkic Muslims’.
The link to Xinjiang is not the only concern. Critics stress the two brands’ poor track record in preventing cybercrime.
Previous incidents from 2016 and 2017 show that Dahua’s and Hikvision’s surveillance equipment poses a significant cybersecurity risk. Dahua built devices that were easily infected by malware, opening up backdoors to company networks, in one case that of a major Fortune 500 company.
Both Dahua and Hikvision have a poor cybersecurity track record, with Dahua’s backdoor gaining a 9.8 out of 10.0 score from the DHS ICS-CERT (a rating score by the US Cybersecurity and Infrastructure Security Agency). Hikvision’s backdoor gained a 10.0 out of 10.0 score, citing risks that the system is ‘remotely exploitable and [requiring] low skill level to exploit’.
James Lewis at the Center for Strategic and International Studies (CSIS), a Washington, D.C.-based think tank, says Chinese espionage is the principal concern with Hikvision and Dahua surveillance cameras. “If they didn’t connect to the internet, no one would care.”
Import/sales bans could drive OEM sales
The US is already one step ahead of the EU and the UK. In March, the country’s Federal Communications Commission (FCC) said that Dahua and Hikvision, among other entities, “pose an unacceptable risk to US national security”, banning sales to public entities.
With US-based OEMs buying and reselling Hikvision and Dahua cameras avidly, tracking and detection become much tougher. Experts at IPVM recorded numerous instances when Hikvision and Dahua camera equipment was sold to the government, undetected and probably breaching US laws.
[The publication The Intercept will soon come out with their story on the US]
The UK could follow suit with a similar embargo. At present, public and private space in the UK (and particularly in London) remains packed with Hikvision and Dahua web-connected devices, this analysis finds.
Hikvision/Dahua camera detection
Shodan, an online search engine for web-connected devices, is able to shed light on where Dahua/Hikvision cameras operate. Each result for a connected device comes with a location.
The most prominent British entities using connected Dahua or Hikvision cameras/devices include BT, Sky and Virgin Media, and most of the devices are concentrated in and around London. BT alone is featured with around 180 Hikvision devices listed across the city.
Data from 2017 lists compromised/backdoored cameras by Hikvision. Some are on public property and alongside public roads (see below).
For BT alone, we find 180 Hikvision cameras or devices connected across the city of London.
Some are located in sensitive spots, near police stations, policy-making institutions and even near British intelligence agencies.
The Guardian reported last September that Hikvision cameras were being used in sensitive locations, such as leisure centres in London and school toilets in west Norfolk.
After the EU Parliament installed Hikvision fever cameras in 2020, it announced in April it had removed them again.
It’s feasible that, in order to protect their European business, Hikvision and Dahua might increasingly seek to go the OEM route. That worries experts.
Will the EU follow the US in an attempt to ban Hikvision and Dahua? Lewis at CSIS says that “[on Hikvision], his impression is that Europeans want to stay out of the middle. They don’t trust China but they don’t want to get into a fight with it”.
Healy urges the UK government to give serious thought to how it sources technology. The UK should consider following the US example, which was to ban any government purchasing of products from these manufacturers, he says. OEM products should be more clearly labelled, disclosing the actual manufacturer, he adds, not just for surveillance but for all IoT-connected devices.
Credits: Big thanks to Shodan for granting us an academic license which made the search for connected devices by Hikvision and Dahua much easier.