Security concerns about Chinese-made video cameras and security systems have been all over the headlines lately — and with good reason. The thought of anyone gaining unauthorized access to the video feeds on these systems is alarming. More concerning is that the video, which is meant to keep your riders and operators safe, could be exploited by unauthorized users or hackers and could threaten the security of transit systems.
In August 2019, the U.S. federal government began bans of many companies, including telecoms Huawei and ZTE and surveillance camera manufacturers Dahua and Hikvision, due to security concerns. Despite that, experts at Forescout, a device visibility and control company contracted by the government, determined there were at least 2,061 Dahua or Hikvision surveillance systems installed on U.S. federal government networks as of August 19, 2019.
The federal government isn’t the only one using banned technology. According to John Matherly, founder of the internet device scanning service Shodan, there are at least 200,000 Dahua devices and 15,000 Hikvision devices currently in use across America. Matherly believes that this problem could be further exacerbated by a practice called “white labeling,” in which tech produced by companies such as Dahua and Hikvision can be repackaged under another brand name and sold to customers who might not otherwise purchase that brand’s products.
To help you avoid inadvertently purchasing dangerous equipment, here are some actions you can take to ensure your next purchase of an on-board video security system is safe:
1. Require your vendor to supply General Services Administration (GSA) compliant equipment. The GSA requires that vendors only provide products that are Trade Agreement Act (TAA) compliant. Essentially, the U.S. government under the GSA contract only allows the sale of goods tmanufactured in approved countries. As you probably guessed, China is not currently on the list of approved sourcing countries. Further, the GSA requires vendor compliance with new rulings such as those that prohibit these banned manufacturers. Using these federal government rules as best practice in your purchasing strategy will protect your agency from purchasing dangerous goods, provide some protection from future price increases due to tariffs, and ensure the goods you are procuring are sourced from a country with ethical labor and trade practices.
2. Buy with security in mind. Security doesn’t end with simply avoiding banned manufacturers. Security threats are real and don’t arise solely from manufacturers or foreign governments. Additionally, it’s important the video you are recording is authentic and can be proven as such — so that video is admissible as evidence. To cover all these bases, you need to ensure secure data access, transmission, recording, and reporting.
To secure data, take care that the recorder and cameras share a mutual authentication system, as security is critical between these points. Every system should be equipped with a firewall and port authentication system to prevent unauthorized access and broadcasting of unwanted data to a third party or “the middle man.”
SSL, TLS, HTTPS will provide a cryptographic protocol that ensures end-to-end security of data sent over private network or the internet. By ensuring your video system relies on these steps, you can avoid potential malicious activities, including data snooping, alteration, or destruction of data during transmision.
Transmission obviously requires a router or access point. Many recorders, such as Luminator’s offering, include embedded Wi-Fi. For cellular, companies can partner with vendors like Cradlepoint to provide best-in-class certified cellular technologies with the latest technology advancements, optimized for bandwidth and data speed, plus security features with a wide range of options to ensure safe connections and compliant connections. Management software is ideal for managing the devices remotely in a way that is both easy and secure.
To ensure video clips (recordings) are authentic and tampering hasn’t happened along the way, encryption or other mechanimisms such as chained-fingerprint technology are used. Basically, this means each video frame recorded is connected to both the next and the previous frame, like a chain. If this connection is broken, you will be alerted by the playback software — the video clip you review will indicate there is an issue.
Finally, for reporting — be sure the software management system tracks all actions associated with the system in terms of accessing and reviewing video clips and live video feeds. The reporting within the system is vital for evidence submission, as well as tracking down violators in the event a video clip goes “viral.” That said, the video clips themselves should be password protected — protecting a video clip by password goes a long way to preventing your video from being published to YouTube.
3. Operate with security in mind. Too often, we think about and are concerned about cybersecurity risks but aren’t sure exactly what to do to protect ourselves. The same holds true for all your transit technology. Taking simple steps to protect the system, such as changing the default password, is a great move that, surprisingly, many agencies forget, or choose not to take. It’s great if your management software integrates with the active directory — then you can simply piggyback on the existing profiles your IT department has already established.
Additionally, a simple study of your network can expose security vulnerabilities and provide easy-to-implement recommendations to improve the security of your overall network and that of the video security system. There are many resources available to conduct these security scans. Luminator offers on-site support visits whereby network experts are deployed to analyze and recommend changes. If you obtain a local resource or want to utilize one that you already have on staff, be sure that they have network security certifications and have appropriate background checks. And, remember vulnerabilities and cyber securitythreats are always changing and evolving, so be sure this is part of your regular maintenance schedule.
4. If you already purchased banned goods, consider an upgrade. At the time of this article, the Federal Acquisition Regulation (FAR) has banned security cameras and equipment from four Chinese companies. Unfortunately, if your current system or components are labeled “Made in China,” it is likely that it was sourced, either directly or white labeled by another company, from an organization that is now banned or may be banned in the future. If you are considering an upgrade, it’s important to remember cabling and other components can often be retained to lower equipment and installation labor costs. You may also be surprised by some advancements in software and technology that have improved since your last deployment — and how these new tools can improve your bottom line through gained efficiencies in managing the system.
By proactively considering these factors, you can ensure your passengers and agency are protected with a secure and responsibly sourced on-board video security system.
Werner Malcherek is CTO at Luminator Technology Group.
Originally posted on Metro Magazine