We are rapidly becoming a surveillance state. That's not all bad. The threat of terrorism has created a dangerous world and surveillance can help with our security. But do we need to watch, the eyes watching us? The answer may be yes. Believe it or not, we are buying a lot of surveillance cameras, from foreign countries that may able to turn them into Spying Eyes. Our Lisa Fletcher explains how.
Walk around our nation's capitol, nowadays security is as evident as the iconic dome up on the hill. Barriers on the ground and if you look up, the ever-growing network of cameras that watch your every move. Most think those spying eyes work to make us more secure. That may not be the case.
Dr. Stephen Bryen: If you take Chinese electronics, that's 80 percent of the US market. And the fact that instead of providing security, they're providing insecurity.
Doctor Stephen Bryen was the Pentagon's Deputy Undersecretary Of Defense. For years he's been sounding the alarm bells about foreign governments weaving their way into our classified systems. Many use the backdoors of cameras, a generic security code that easily grants remote access.
Lisa: Is this a well-kept secret that these cameras are insecure?
Dr. Stephen Bryen: It's not a secret. It's just the well-kept lack of attention to security that's permeating the US government and the private sector as well.
China is the world's leading exporter of security equipment, accounting for more than a quarter of the global market. By 2021, that number is expected to increase to 38 percent. A pair of powerhouse Chinese companies, Hikvision And Dahua, driving the bulk of that growth.
Hikvision ad: At Hikvision, we are committed to unleashing the power of machine vision.
Let's start with Hikvision, 42 percent owned by the Chinese government. Their cameras are helping the Memphis police scan the city streets for crime. They also once served as the security eyes inside the US embassy in Kabul, Afghanistan.
Dr. Stephen Bryen: So if somebody really wanted to attack let's say an American embassy, they shut down all the cameras and they'd be blind. And then they could attack them with relative ease.
Lisa: Is that hard to do?
Dr. Stephen Bryen: No, not today no because they're all insecure. And that's denial as we call it a denial of service attack which means to flood the system so it no longer functions is one of the easiest attacks to launch against a camera system.
Terry Dunlap: This is something that we think is prevalent throughout the industry.
Terry Dunlap is a veteran of the National Security Agency where he researched security vulnerabilities. He's now CEO of Refirm Labs, a cybersecurity firm. His team recently looked at China's second-largest camera manufacturer Dahua. In most cases, he says backdoors are simply the result of human error but that's not what his team found when they hacked into this Dahua camera.
Lisa: So your conclusion is that when Dahua created the firmware they intentionally left a backdoor there for people to enter through?
Terry Dunlap: That is our claim. That is what we stand behind.
According to its website, Dahua cameras provided exclusive security for the 2016 Olympic games in Brazil and their cameras monitor part of the LA Police Department that covers the Compton school district.
Terry Dunlap: This is not Hollywood anymore where you can freeze the image to look like nothing is happening while somebody breaks in and steals a vehicle. Breaks into a data center steals some hard drives or some servers or you know.
Lisa: This is the 2018 version of Sandra Bullock in Speed, right?
Terry Dunlap: Yeah or Ocean's 11.
Ocean's 11 Scene: Are you watching your monitors? Keep watching.
Lisa: you understand why this freaks people out?
Terry Dunlap: Yea, absolutely. It should. It should freak people out. And what we plan to do here is simulate an attack.
Terry's team showed us exactly how quickly and easily we can access the backdoor of a security camera. Cameras similar to those used in the American embassy in Kabul.
Lisa: So Terry this is your server room and we're looking at a live feed from the surveillance camera.
Terry Dunlap: Yes. We find these surveillance cameras in many server rooms.
Lisa: I'm going to walk into that room just to show everybody that's really a live picture of what's going on right now. Alright so now I'm in the server room visible on the live surveillance feed.
Terry Dunlap: Once she leaves we will simulate the attack.
Among the lines of code the hacker types, the word freeze.
Terry Dunlap: So what has happened here is that we have actually launched an attack that has frozen the image in place and now that the image is frozen this will allow an attacker or some nefarious individual to enter the server room without any suspicion from a security personnel like myself.
Lisa: So now I'm gonna go back inside the server room, now that that surveillance camera has been hacked. The surveillance camera has an image of a clean room, you cannot see me. The only place you can see me is on our cameras.
Dr. Stephen Bryen: You know we spend billions of dollars on cybersecurity. It's like securing jello. I mean you know it's wasted time instead of those billions of dollars going down a hole, why don't we spend the money on something that really does support security and that's worthwhile and so when you consider that tens of billions, hundreds of billions, of dollars in the defense budget each year, that's a lot of money and to see that compromised is very dispiriting its very bad.
Just a few weeks ago, both Hikvision and Dahua were the subject of a Congressional Committee on cybersecurity. Lawmakers are beginning to look into risks posed by security cameras. We reached out to Hikvision and they tell us their equipment is not used to spy for the Chinese government that they do not have access to cameras sold to customers. We also reached out to Dahua, so far no response from them.