In British offices, shopping malls, and even government buildings are surveillance cameras made in China. Panorama has looked into security flaws involving the two leading brands. What does it mean for our security and how simple is it to hack them?
A man sits at his laptop and enters his password in a dimly lit studio located inside the BBC's Broadcasting House in London.
A hacker is monitoring everything he types from thousands of miles away.
The BBC worker then takes out his iPhone and enters the passcode. The hacker now also has that.
The surveillance camera on the ceiling, which was made by the Chinese company Hikvision, has a security flaw, making it susceptible to attack.
The hacker claims, "I own that device now; I can do whatever I want with that.". I could turn it off, or I could use it to watch BBC news. ".
For the benefit of the man being observed, the hacker is collaborating with the BBC. This is one of a number of tests conducted by Panorama to evaluate the security of some security cameras that were manufactured in China.
Two of the top manufacturers of surveillance cameras in the world are Hikvision and Dahua.
The UK's streets are lined with an unknown number of their units.
The privacy advocacy group Big Brother Watch made an attempt to investigate last year. It submitted 4,510 requests for information under the UK's Freedom of Information Act between August 2021 and January 2022. 806 of the 1,289 respondents who gave a response said they used Hikvision or Dahua cameras; Hikvision is used by 227 councils and 15 police forces, while Dahua is used by 35 councils. .
A single afternoon in central London, Panorama discovered Hikvision cameras outside the Department for International Trade, the Department of Health, the Health Security Agency, Defra, and an Army reserve facility.
Security professionals worry that the cameras could be used as a Trojan horse to disrupt computer networks, which in turn might cause a civil uprising.
The UK's surveillance camera commissioner, Prof. Fraser Sampson, issues a warning that the country's vital infrastructure, such as its power grid, transportation systems, and supply of clean water and food, is in danger.
"All those things rely very heavily on remote surveillance - so if you have an ability to interfere with that, you can create mayhem, cheaply and remotely," he says.
Charles Parton of the Royal United Services Institute (Rusi), a former diplomat who worked in Beijing, agrees: "We've all seen the Italian Job in our youth, where you bring the whole of Turin to a halt through the traffic light system. That was probably fiction back then, but not now. ".
According to Hikvision's statement to Panorama, the company is independent and poses no risk to UK national security.
According to the company, "Hikvision has never engaged in, and will never engage in, any espionage-related activities for any government anywhere in the world." It also stated that its "products are subject to strict security requirements and are compliant with the applicable laws and regulations in the UK, as well as any other country and region we operate in.".
In order to determine whether a Hikvision camera could be compromised, Panorama collaborated with US-based IPVM, one of the world's foremost authorities on surveillance technology. IPVM supplied the one that was installed in a BBC studio.
Panorama was forced to use a test network without a firewall and little security because it was unable to operate the camera on a BBC network for security reasons.
The camera Panorama tested contains a vulnerability discovered in 2017. This is "a back door that Hikvision built into its own products," according to Conor Healy, director of IPVM. " .
Hikvision claims that the flaw was not intentionally incorporated into its products, and it emphasizes that it promptly released a firmware update to fix it after becoming aware of the problem. The test conducted by Panorama, it continues, is not an accurate representation of the devices in use today. However, according to Conor Healy, there are still over 100,000 cameras online that are susceptible to this problem.
Conor and IPVM's research engineer John Scanlan are seated in front of laptops at their Pennsylvania headquarters as Panorama's hacking experiment gets underway.
Panorama withholds some information about how they do it because it is illegal to hack a computer system without authorization.
Prior to attacking Broadcasting House's security, Healy and Scanlan first locate the camera inside the building.
Healy calculates how long it takes to take control of it after that. Just 11 seconds later, Scanlan announces: "We have access to that camera now. " .
The employee working on his laptop for Panorama is now visible to them inside the studio.
Scanlan explains, "If we zoom in close on the keyboard, we can see clearly the keys that he's pressing to enter his password.".
This is comparable to a locksmith giving you a key to your house while secretly creating a master key for every lock in that neighborhood; in fact, that is what Hikvision engineers did. ".
Is China Watching You?
Panorama looks into China's extensive global surveillance system, including spy balloons, hidden police stations, and fugitive dissidents. We reveal new details about Beijing's fleet of spy balloons - and hack a Chinese-made security camera to show how similar devices that line our streets could be exploited.
Watch on BBC One at 20:00 (20:30 in Wales) on Monday 26 June - and afterwards . (UK only) on BBC iPlayer.
Hikvision says its "products do not have a 'backdoor'" and were not deliberately programmed with this flaw. It adds it believes that nearly all of the local authorities using their devices would have updated their cameras long before now.
Next, the hackers begin their second test - accessing Dahua's cameras by infiltrating the software that controls them.
Two test cameras have been set up in IPVM's headquarters. If the hackers are successful, they could take charge of an entire network of surveillance cameras.
Soon they find the software vulnerability. "There we go, we're in," says Healy.
Now they are inside the system, they can use a camera to eavesdrop.
"What a lot of people don't realise about these cameras is that a large majority of them have microphones," Healy explains, and while users often switch these off, it's easy for hackers to switch them back on again - in effect, "wiretapping" the room.
Dahua says when it was made aware of the vulnerability late last year it "immediately conducted a comprehensive investigation" and quickly fixed the problem through "firmware updates".
The company also says it is not state-backed and that its equipment could not interfere with the UK's critical infrastructure. It adds: "These allegations are untrue and paint a highly misleading picture of Dahua Technology and its products. ".
But experts say the UK needs to do more to protect itself from what Prof Sampson, the surveillance camera commissioner, describes as "digital asbestos".
"We have a previous generation that has installed this equipment, largely on the basis that it was cheap and got the job done," he says. "We've now realised that it has some serious and inherent risks - so what do we about it?".
Asked whether he trusts Hikvision and Dahua, he replies: "Not one bit. " .