MEMPHIS (Wall Street Journal) – The Memphis police use the surveillance cameras to scan the streets for crime. The U.S. Army uses them to monitor a base in Missouri. Consumer models hang in homes and businesses across the country. At one point, the cameras kept watch on the U.S. embassy in Kabul.
All the devices were manufactured by a single company, Hangzhou Hikvision Digital Technology . It is 42%-owned by the Chinese government.
Hikvision (pronounced “hike-vision”) was nurtured by Beijing to help keep watch on its 1.4 billion citizens, part of a vast expansion of its domestic-surveillance apparatus. In the process, the little-known company has become the world’s largest maker of surveillance cameras. It has sold equipment used to track French airports, an Irish port and sites in Brazil and Iran.
Hikvision’s rapid rise, its ties to the Chinese government and a cybersecurity lapse flagged by the Department of Homeland Security have fanned concerns among officials in the U.S. and Italy about the security of Hikvision’s devices.
“The fact that it’s at a U.S. military installation and was in a very sensitive U.S. embassy is stunning,” says Carolyn Bartholomew, chairwoman of the U.S.-China Economic and Security Review Commission, which was created by Congress to monitor the national-security implications of trade with China. “We shouldn’t presume that there are benign intentions in the use of information-gathering technology that is funded directly or indirectly by the Chinese government.”
Some security vendors in the U.S. refuse to carry Hikvision cameras or place restrictions on their purchase, concerned they could be used by Beijing to spy on Americans. The General Services Administration, which oversees $66 billion of procurement for the U.S. government, has removed Hikvision from a list of automatically approved suppliers. In May, the Department of Homeland Security issued a cybersecurity warning saying some of Hikvision’s cameras contained a loophole making them easily exploitable by hackers. The department assigned its worst security rating to that vulnerability.
The concerns about Hikvision are reminiscent of the controversy surrounding Chinese technology giant Huawei Technologies Corp., whose telecom gear was effectively banned in the U.S. after a 2012 congressional report raised fears that its networking equipment could be used to spy on Americans. The company, founded by a former Chinese army engineer, has repeatedly dismissed such concerns.
Hikvision says its equipment is safe and secure, that it follows the law wherever it does business and that it worked with Homeland Security to patch the flaws the agency cited. It says it “cannot in any way access and control the content of the video cameras.” It says the vast majority of its products are sold through third-party vendors, meaning it often doesn’t even know where they wind up. It declined to comment on Ms. Bartholomew’s remarks.
“Hikvision is a business,” said Chief Executive Officer Hu Yangzhong, one of several Hikvision executives interviewed for this article. “It would be impossible for us to add a backdoor to our cameras, as that would damage our business.”
Vulnerabilities in surveillance cameras have become more of a concern as internet-connected devices become more prevalent. Cameras can be a weak link in an organization’s information-technology network, potentially opening “backdoors”—ways to gain access by bypassing security mechanisms—for hackers, including state-backed ones.
Last year, hackers took control of hundreds of thousands of cameras, including many made by a Chinese rival of Hikvision, to launch a huge “denial of service” attack that security experts said made sites run by Amazon.com Inc., PayPal Inc. and Twitter Inc.unavailable for hours.
Hikvision grew out of a government laboratory started a half-century ago to develop military and industrial technologies. Its largest shareholder is China Electronics Technology Group Corp., or CETC, a state-owned defense and military electronics manufacturer. Its biggest individual shareholder is Gong Hongjia, a Hong Kong billionaire and university classmate of top Hikvision executives. Some executives are Communist Party members also employed by subsidiaries of CETC, according to securities filings in China.
Mr. Gong said in an interview that he provided capital to help found Hikvision in 2001, in an arrangement that gave the government-backed lab a 51% stake. Although the size of that stake has since declined, the government only began to more actively aid the company in the past few years. “The government can’t help you sell in overseas markets,” Mr. Gong said. “That was all thanks to the years the company spent investing in expanding our presence.”
CETC didn’t respond to a request for comment.
Contracts from Chinese government agencies propelled the company’s rise. It helped with security at the 2008 Beijing Olympics. In 2011, the company said the value of contracts for its “safe city” camera project in Chongqing, a large city in China’s southwest, reached $1.2 billion. Its cameras are now ubiquitous on the city’s streets.
China’s President Xi Jinping, who has made high-tech security a priority, visited the firm’s headquarters in 2015. Since that year, Hikvision has received major loans from two of China’s three policy banks, which finance state development goals.
Zheng Yibo, a Hikvision vice president, says CETC has no role in Hikvision’s day-to-day operations. He declines to say how much revenue comes from the Chinese government, but says its “government-sales portion isn’t high.”
Hikvision’s head of research, Pu Shiliang, holds a leadership position at a Hangzhou laboratory run by the Ministry of Public Security, China’s police force. The lab explores ways authorities can leverage data gathered by the company’s cameras and other sources to improve policing, according to the lab’s website.
Chinese authorities are encouraging new surveillance projects in China to feature artificial-intelligence capabilities, Mr. Pu told an audience in Beijing in September. Scores of high-tech companies have emerged to address the government’s call for more innovative surveillance techniques.
China has been rolling out new technologies to monitor its people in ways that would unsettle many in the U.S. and the West. Unfettered by privacy concerns or public debate, Beijing’s authoritarian leaders have introduced facial-recognition technology and other surveillance measures in a vast experiment in social engineering. Their goal is to influence behaviorand identify lawbreakers.
At Hikvision’s Hangzhou showroom, walls are lined with monitors and video cameras that employ artificial intelligence to recognize objects and sounds from afar and to produce visible images despite pollution or darkness. Hikvision’s “Darkfighter” thermal camera enables it to record under ultralow light conditions, the company says. Its “Blazer Pro” server, it says, allows license-plate recognition. It says its dome-shaped “bullet” cameras are explosion-proof, and it offers camera-equipped drones and cameras programmed to alert authorities to large gatherings.
The company’s consumer camera line, called “EZVIZ,” can sync with a smartphone app. One softball-sized device can detect noises—a dog barking loudly or the sound of a door opening—and automatically direct its lens at the source of the disturbance, sending an alert to the phone.
Global sales of surveillance equipment has increased 55% in the five years through 2016, according to consulting firm IHS-Markit. By pricing cameras below those made by Western competitors, Hikvision has become the top seller of surveillance equipment in Europe and No. 2 in the U.S., according to IHS-Markit and other industry analysts. Its cameras frequently are sold without the Hikvision name and are rebranded by U.S. distributors—a frequent practice in the industry.
This year, Hikvision opened research-and-development offices in Silicon Valley and Montreal. It plans to employ 350 people in North America by year’s end and 800 by 2022, the company says.
Its shares have risen sharply since its initial public offering on Shenzhen’s stock exchange in 2010, and they have more than doubled this year, giving the company a valuation of $56 billion, close to that of Sony Corp.
Fort Leonard Wood, an Army base in Missouri’s Ozarks, uses Hikvision cameras in its security system, according to the Chinese company and NexGen Integration, a U.S. company that handled the installations. The base offers basic combat training and includes a school for chemical, biological and nuclear-defense drills.
To win the contract with the Army, Hikvision says, it had to show its cameras could stream at 30 frames per second, providing sufficiently fast motion detection. It custom-built some of the technology to accommodate the base’s limited internet bandwidth.
Chris Nickelson, NexGen’s owner, says none of his customers have raised any issues about Hikvision gear. The army base referred questions to the U.S. Army’s installation management command public affairs office, which said it doesn’t discuss equipment or capabilities, but added that “any equipment or software that goes on a military network is thoroughly tested for security vulnerabilities.”
At the U.S. Embassy in Kabul, Afghanistan, Hikvision cameras were installed “to monitor nonsensitive electrical closets for theft prevention,” says a State Department spokesperson, referring to closets housing electronics equipment.
Last year, the security-industry trade publication IPVM published a procurement order for several dozen Hikvision cameras, revealing their presence in the Kabul embassy. The government canceled the order in September 2016 and removed the Hikvision cameras already in the embassy.
A State Department official says that was because security officials at the department, who are supposed to be notified of new security-related installations, weren’t given a heads up about the purchase. The department wouldn’t comment on whether security concerns were a factor in the removal of the existing cameras.
In a written statement, Hikvision said it had no knowledge of the Kabul project’s particulars “on the end-user level,” and that “accepting or removing particular products is always at the discretion of the end-user.”
Shortly thereafter, the General Services Administration removed Hikvision from a list of automatically approved suppliers, companies that make their products in countries that have certain trade agreements with the U.S. The agency says it nixed the firm after it was alerted the products were manufactured and assembled in China, which isn’t on the list. U.S. government agencies that want to buy Hikvision gear can’t go through the GSA system, but have to take extra steps such as showing the items are fairly priced.
Hikvision says its gear was listed on the GSA by two resellers, which it says it hadn’t authorized. Hikvision says it asked the resellers to remove the products from the GSA list.
In January, Italy’s government awarded a $49 million contract to a supplier in a deal that included the installation of Hikvision cameras at some state buildings. The deal was publicly questioned in June by Italian legislator Arianna Spessotto, who said the cameras “could pose a risk to national public security” and asked how the government planned to verify the cameras’ safety.
A spokesman for Italy’s government procurement agency said the supplier “guaranteed a level of security appropriate to the risk,” but that “no one can be absolutely sure that a participating firm has not surreptitiously inserted backdoor devices and security vulnerabilities for malicious purposes.”
Hikvision says the Italian legislator’s concerns about security risk are “totally unfounded and absurd.”
Nathan Brubaker, an analyst at U.S. cybersecurity firm FireEye Inc., says the software vulnerabilities identified by the Department of Homeland Security could make those Hikvision cameras prone to a hacking attack similar to the “Mirai” denial-of-service attack on the internet last year.
“Camera security is often poor’’ across the industry, says Marco Herbst, chief executive of Dublin-based Evercam, which develops camera software. “You’re dealing with a device that in many cases is sloppily installed with default passwords that are publicly available on the internet.”
Security experts say backdoors that allow outsiders to bypass security protections are often difficult to identify. Such vulnerabilities can be accidental—the result of flaws in the software’s original design or in updates.