The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently warned administrators about a vulnerability that would allow threat actors to take control of devices produced by Hikvision, a Chinese state-owned video surveillance company.
CISA recently posted this to the National Cyber Awareness System:
"Hikvision has released updates to mitigate a command injection vulnerability—CVE-2021-36260—in Hikvision cameras that use a web server service. A remote attacker could exploit this vulnerability to take control of an affected device.
CISA encourages users and administrators to review Hikvision's Security Advisory HSRC-202109-01 and apply the latest firmware updates. See security researcher Watchful IP's technical blogpost for more information."
While this vulnerability should be of concern to those who use Hikvision, it is only the latest challenge for U.S. agencies and organizations using Chinese technology.
U.S. still using banned Chinese tech
In 2018, the U.S. government passed the National Defense Authorization Act, which banned the federal government from using products from a slew of Chinese companies, Hikvision among them.
In 2020, the Commerce Department also added Hikvision to a list of entities requiring a special license for use in the U.S. However, such equipment, along with other banned Chinese technologies, remains in use by many U.S. organizations today.
Nextgov reports that Hikvision, along with other tech companies such as Huawei and ZTE, is on the Federal Communications Commission (FCC) "covered items" list. Organizations using products from any company on this list are not eligible to receive public funding for broadband deployment.
Here is FCC Commissioner Brendan Carr on the use of this technology:
"It's the presence of this insecure equipment in our networks that's the threat, not the source of funding used to purchase it. Yet the FCC through its equipment authorization process continues to approve for use in the U.S. thousands of applications by Huawei and others deemed national security threats."
There is certainly more to come on this issue.