CISA Warns of Vulnerabilities in Banned Chinese Surveillance Tech

The Cybersecurity and Infrastructure Security Agency is urging administrators to apply new fixes for a vulnerability that would allow an attacker to take control of devices made by the Chinese firm Hikvision.

“Hikvision has released updates to mitigate a command injection vulnerability—CVE-2021-36260—in Hikvision cameras that use a web server service. A remote attacker could exploit this vulnerability to take control of an affected device,” CISA said in a post to the National Cyber Awareness System Tuesday. “CISA encourages users and administrators to review Hikvision’s Security Advisory HSRC-202109-01 and apply the latest firmware updates. See security researcher Watchful IP’s technical blogpost for more information.”

Hikvision is among a host of Chinese companies banned for use by the federal government through the National Defense Authorization Act in 2018. Last October, the Commerce Department also added it to its list of entities requiring a special license for engagement by U.S. persons. But products from Hikvision and other banned entities remain largely in use across the country. The issue draws attention to efforts at multiple agencies to secure the supply chain for U.S. information and communications technology.

Hikvision—along with fifth-generation network suppliers Huawei and ZTE and others—is also part of a list of “covered items” at the Federal Communications Commission. Entities using any of those companies’ products will not be eligible to receive public funding for broadband deployment. But commissioners noted a need to tighten their security reviews of foreign products regardless of whether they are connected to public funds.  

“It’s the presence of this insecure equipment in our networks that’s the threat, not the source of funding used to purchase it,” FCC Commissioner Brandon Carr said during a commission meeting in June. “Yet the FCC through its equipment authorization process continues to approve for use in the U.S. thousands of applications by Huawei and others deemed national security threats.” The Commission will consider a second report and order on the issue during this Thursday’s open meeting.        

Commerce Secretary Gina Raimondo on Tuesday noted active enforcement based on the entities list.

We “know China, Iran, Russia and North Korea misuse American technologies and direct cyberattacks against our companies. These actions threaten our economic and national security,” she said in remarks to the Economic Club of Washington, D.C. “At Commerce, we use a range of tools to level the global playing field and advocate for American businesses. We enforce export controls, set cybersecurity standards, and protect [intellectual property].”

But on the broader topic of competing with China, she emphasized the importance of workforce development and collaborating with allies to ensure economic security. Raimondo is set to meet with international partners as part of the U.S.-EU Trade and Technology Council Wednesday in Pittsburgh. 

The administration has also entered into other emerging technology and cybersecurity collaborations, recently announcing security arrangements with Australia, the United Kingdom, India and Japan focussed on maintaining international rule of law in the Indo-Pacific region.

At the Defense Department, officials charged with submitting a report to the president on vulnerabilities in the supply chain for the defense industrial base, are also considering cybersecurity. DOD requested comment on the issue in a notice posted to the Federal Register Tuesday.