InfoSecBulletin Cybersecurity for mankind
Global makers of surveillance gear have clashed with Indian regulators in recent weeks over contentious new security rules that require manufacturers of CCTV cameras to submit hardware, software and source code for assessment in government labs, official documents and company emails show.
The security-testing policy has sparked industry warnings of supply disruptions, and added to a string of disputes between Prime Minister Narendra Modi’s administration and foreign companies over regulatory issues and what some perceive as protectionism.
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
New Delhi’s approach is driven in part by its alarm about China’s sophisticated surveillance capabilities, according to a top Indian official involved in the policymaking. In 2021, Modi’s then-junior IT minister told parliament that 1 million cameras in government institutions were from Chinese companies and that there were vulnerabilities, with video data transferred to servers abroad.
Under the new requirements, applicable from April, manufacturers such as China’s Hikvision, Xiaomi and Dahua, South Korea’s Hanwha, and Motorola Solutions of the U.S. must submit cameras for testing by Indian government labs before they can sell them in the world’s most populous nation. The policy applies to all internet-connected CCTV models made or imported since April 9.
“There’s always an espionage risk,” said Gulshan Rai, India’s cybersecurity chief from 2015 to 2019. “Anyone can operate and control internet-connected CCTV cameras sitting in an adverse location. They need to be robust and secure.”
Indian officials met on April 3 with executives of 17 foreign and domestic makers of surveillance gear, including Hanwha, Motorola, Bosch, Honeywell and Xiaomi, where many of the manufacturers said they weren’t ready to meet the certification rules and lobbied unsuccessfully for a delay, according to the official minutes.
In rejecting the request, the government said India’s policy “addresses a genuine security issue” and must be enforced, the minutes show.
India said in December the CCTV rules, which do not single out any country by name, aimed to “enhance the quality and cybersecurity of surveillance systems in the country.”
This report is based on a review of dozens of documents, including records of meetings and emails between manufacturers and Indian IT ministry officials, and interviews with six people familiar with India’s drive to scrutinize the technology. The interactions haven’t been previously reported.
Insufficient testing capacity, drawn-out factory inspections and government scrutiny of sensitive source code were among key issues camera-makers said had delayed approvals and risked disrupting unspecified infrastructure and commercial projects.
“Millions of dollars will be lost from the industry, sending tremors through the market,” Ajay Dubey, Hanwha’s director for South Asia, told India’s IT ministry in an email on April 9.
The IT ministry and most of the companies identified didn’t respond to requests for comment about the discussions and the impact of the testing policy. The ministry told the executives on April 3 that it may consider accrediting more testing labs.
Millions of CCTV cameras have been installed across Indian cities, offices and residential complexes in recent years to enhance security monitoring. New Delhi has more than 250,000 cameras, according to official data, mostly mounted on poles in key locations.
The rapid take-up is set to bolster India’s surveillance camera market to $7 billion by 2030, from $3.5 billion last year, Counterpoint Research analyst Varun Gupta said.
China’s Hikvision and Dahua account for 30% of the market, while India’s CP Plus has a 48% share, Gupta said, adding that some 80% of all CCTV components are from China.
Hanwha, Motorola Solutions and the U.K.’s Norden Communication told officials by email in April that just a fraction of the industry’s 6,000 camera models had approvals under the new rules.
China concern:
The U.S. in 2022 banned sales of Hikvision and Dahua equipment, citing national security risks. The U.K. and Australia have also restricted China-made devices.
Likewise, with CCTV cameras, India “has to ensure there are checks on what is used in these devices, what chips are going in,” the senior Indian official said. “China is part of the concern.”
China’s state security laws require organizations to cooperate with intelligence work. It was reported this month that unexplained communications equipment had been found in some Chinese solar power inverters by U.S. experts who examined the products.
Since 2020, when Indian and Chinese forces clashed at their border, India has banned dozens of Chinese-owned apps, including TikTok, on national security grounds. India also tightened foreign investment rules for countries with which it shares a land border. The remote detonation of pagers in Lebanon last year, which was executed by Israeli operatives targeting Hezbollah, further galvanized Indian concerns about the potential abuse of technology devices and the need to quickly enforce testing of CCTV equipment, the senior Indian official said.
The camera-testing rules don’t contain a clause about land borders.
But last month, China’s Xiaomi said that when it applied for testing of CCTV devices, Indian officials told the company the assessment couldn’t proceed because “internal guidelines” required Xiaomi to supply more registration details of two of its China-based contract manufacturers.
“The testing lab indicated that this requirement applies to applications originating from countries that share a land border with India,” the company wrote in an April 24 email to the Indian agency that oversees lab testing.
Xiaomi didn’t respond to queries, and the IT ministry didn’t address questions about the company’s account.
China’s foreign ministry said it opposes the “generalization of the concept of national security to smear and suppress Chinese companies,” and hoped India would provide a nondiscriminatory environment for Chinese firms.
Lab tests, factory visits:
While CCTV equipment supplied to India’s government has had to undergo testing since June 2024, the widening of the rules to all devices has raised the stakes.
The public sector accounts for 27% of CCTV demand in India, and enterprise clients, industry, hospitality firms and homes the remaining 73%, according to Counterpoint.
The rules require CCTV cameras to have tamper-proof enclosures, strong malware detection and encryption.
Companies need to run software tools to test source code and provide reports to government labs, two camera industry executives said.
The rules allow labs to ask for source code if companies are using proprietary communication protocols in devices, rather than standards like those used for Wi-Fi. They also enable Indian officials to visit device-makers abroad and inspect facilities for cyber vulnerabilities.
The Indian unit of China’s Infinova told IT ministry officials last month the requirements were creating challenges.
“Expectations such as source code sharing, retesting post firmware upgrades, and multiple factory audits significantly impact internal timelines,” Infinova sales executive Sumeet Chanana wrote in an email on April 10. Infinova didn’t respond to questions.
The same day, Sanjeev Gulati, India director for Taiwan-based Vivotek, warned Indian officials that “All ongoing projects will go on halt.” He said this month that Vivotek had submitted product applications and hoped “to get clearance soon.”
The body that examines surveillance gear is India’s Standardization Testing and Quality Certification Directorate, which comes under the IT ministry. The agency has 15 labs that can review 28 applications concurrently, according to data on its website that was removed after the agency was sent questions. Each application can include up to 10 models.
As of May 28, 342 applications for hundreds of models from various manufacturers were pending, official data showed. Of those, 237 were classified as new, with 142 lodged since the April 9 deadline.
Testing had been completed on 35 of those applications, including just one from a foreign company.
India’s CP Plus said it had received clearance for its flagship cameras but several more models were awaiting certification.
Bosch said it too had submitted devices for testing, but asked that Indian authorities “allow business continuity” for those products until the process is completed.
In New Delhi’s bustling Nehru Place electronics market last week, shelves were stacked with popular CCTV cameras from Hikvision, Dahua and CP Plus.
But Sagar Sharma said revenue at his CCTV retail shop had plunged about 50% this month from April because of the slow pace of government approvals for security cameras.
“It is not possible right now to cater to big orders,” he said. “We have to survive with the stock we have.”
Source: Japantimes
