Chinese cameras: More than meets the eye

The ensuing political debate also repeated the mistaken belief that Australia has no manufacturing capacity that delivers quality surveillance with no risk to data.

Let’s start with the government’s response of “remove the cameras” and “review their installation”.

Removing Chinese-made cameras will eliminate manufactured threats in those devices. 

It is not going far enough, however, when it comes to addressing the cyber risks inherent to connecting any camera or device to the internet. 

Raising the profile of these serious threats to business and government warrants endorsement, first, to prevent declines in public confidence, and second, to encourage local solutions.

Positive action to remediate or remove the cameras warrants applause. Replacing the cameras now is an important security action for Australia.   

However, for the purposes of long-term strategies, it is critical to understand that threats embedded at the time of manufacture are not the only risks to cameras and other devices exposed to the internet. For example, Chinese hackers exploit more zero-day threats in devices made outside China than any other group. 

VIEW ALL

Cyber security weaknesses inherent to machines plague device and equipment manufacturers and are being regularly exploited by bad actors. As we connect more and more devices to the internet in the name of productivity, efficiency, and mobility, we are witnessing an exponential increase in cyber threats and breaches that exploit device security irrelevant of the place of manufacture.  

It is well documented that many devices (machines and sensors) have little or insufficient security to protect against increasingly sophisticated crime.  

The Office of the Australian Information Commissioner reported last year that there were 853 notifiable data breaches in 2021–22. Around 20 per cent of those were in health service providers, followed by finance, legal and accounting, education and Australian government agencies. 

The list shows that data breaches have become ever-present with some jaw-dropping losses of data. 

The Australian Cyber Security Centre’s latest threat report shows the centre received more than 76,000 cyber crime reports in the 2022 financial year, up 13 per cent on the previous year. That’s one attack every seven minutes, on average.

The cost of dealing with cyber attacks, as Optus and Medibank have discovered, is huge. Video surveillance systems bring with them some extra challenges to cyber security including an additional layer of abstraction (the visual layer), however many of the cyber issues for machines are common to any device, machine, or sensor connecting with the internet. The possible risks embedded at the time of manufacture (intentional or not) can lead to and/or compound many other risks.   

The most common threats to devices exposed to online connections can be summarised as follows: 

1. Protection of passwords and credentials. 
2. Secure and timely updates and delivery of firmware and other patches to machines. 
3. Networks and protocols that don’t have robust, end-to-end hardware-based encryption.
4. The use of mobile apps to access data and control devices.
5. A lack of processing capacity in the device to perform effective encryption of communications.
6. Emerging capability by organisations to identify and track all devices connected to their network impacting deployment and management of cyber security to all endpoints. 

When cameras and other devices, along with their control systems, connect to the internet, they become a “weak link” that can allow hackers to take control of the device and its functions and/or infiltrate an entire IT system. 

Yet it is inevitable that cameras, surveillance systems, and other devices will be connected to the internet at some time. AI and BI will rely on data gathering and exchange to be effective. Cloud services are changing the economics and dynamics for IT and OT systems. 

One Australian company tackling these issues head-on is VeroGuard Systems, which has developed the world’s first identity and communications platform that utilises hardware security module (HSM) identity management and communications on open networks for any device or machine. 

The advanced, secure platform has been developed in Australia. Adding further to the company’s sovereign status is that it manufactures products at its Edinburgh, South Australia facility. One of the products, VeroMod, is an HSM that can connect with any camera, device, or machine. VeroMods, operating with the certified VeroGuard platform, provide any machine with an ultra-secure digital ID. The solution delivers military-grade protection of the ID and verified zero-trust access to or from the connected machine. VeroMod also takes on the cryptographic workload for devices communicating at “secret” and above levels. 

The company has also embedded an HSM into its Australian-built cameras. This eliminates any risks of breaches to the camera, its data, or systems, even when the connections are direct-to-the-internet. The company’s chairman and co-CEO, H Daniel Elbaum, says, “We have for the first time brought a technology to open networks that eliminates identity and security risks to any machine including surveillance systems”. The company’s VeroMod and cameras connect to the VeroGuard platform, which has been certified Common Criteria for access on open networks by the Australian Cyber Security Centre and is a global one-of-a-kind. 

Removing Chinese-made security cameras can eliminate their embedded threats, however, security vulnerabilities will continue to be uncovered in the peripheral connectivity, software VPNs, and even the devices themselves. 

These all represent significant attack surfaces for threat actors looking to exploit these systems and are urgently in need of actions to prevent the growing threats inherent to connecting machines to the internet. 

There is a solution, and it’s Australian made.

Nic Nuske is co-CEO of VeroGuard Systems Pty Ltd and has worked in the IT industry for more than 30 years.