By Elitsa Simeonova
February 16, 2023
A Hikvision camera on the ceiling of a tram in Sofia
SOFIA -- During his regular afternoon commute in early January, something new caught Konstantin Delchev's attention while he was riding in a streetcar in the Bulgarian capital.
Mounted to the ceiling was the spherical lens of a CCTV camera and on the base of the platform was the brand name for a Chinese manufacturer that Delchev had increasingly heard about on the news, where it is often mired in controversy -- Hikvision.
"The first questions that came to mind are whether we need things like this and whether it's worth the cost for taxpayers like me," Delchev told RFE/RL. "The next question was, who chose to use this company and why not others?"
A mathematician by training with a PhD in informatics, Delchev is no stranger to Hikvision and the world of cybersecurity. Aware of a growing list of vulnerabilities raised by experts and some Western governments over Hikvision equipment -- as well as the often unregulated nature of surveillance around the world -- he raised his concerns on Facebook along with a photo of a Hikvision camera that quickly helped ignite a wider conversation in the Bulgarian parliament over the use of the cameras and why they were installed.
"[The cameras] come from a country that others don't trust enough to allow into their critical infrastructure," Delchev said. "So how come cameras have appeared without a clear understanding of the risks or without transparency over which security measures have been taken, [given this is] a company that has a reputation of not valuing the security of its customers?"
Hikvision is the world's largest manufacturer of video-surveillance equipment and has been the tip of the spear for a bundle of Chinese technology companies that have come to dominate the global market in recent decades. The company, however, has also become the target of U.S. sanctions over its links to the Chinese military and role in developing special technology to surveil and track Uyghurs and other minorities in Xinjiang.
Hikvision cameras have also faced scrutiny over lax data protection and glitches found by researchers that showed how hackers could remotely gain access to the system and control of the cameras.
U.S. regulators have banned the use of Hikvision cameras, along with a handful of other Chinese equipment and companies, over national security concerns, while the United Kingdom and Australia have all recently banned Chinese-made security cameras from government buildings. There are no restrictions against Hikvision in the European Union, but the European Parliament has removed equipment manufactured by the company from its locations.
It's for these reasons that Bozhidar Bojanov, a lawmaker from the opposition Democratic Bulgaria parliamentary bloc, says that after seeing Delchev's post he decided to push the State Agency for National Security for a review on what measures were taken in order to avoid breaches of the new surveillance cameras in Sofia's public-transit network.
"I'm not saying that the Russians [or] the Chinese will follow us," he wrote in a January blog post on the issue. "I am saying that through Chinese and Russian technology, which are potentially compromised, strategic activity -- public transport in the capital -- can be negatively affected [and put at risk]."
A Rollout In Sofia
The use of CCTV cameras on public transit is commonplace across much of the world, but the controversy in Bulgaria centers on the documented vulnerabilities surrounding the use of Hikvision cameras and concerns over a lack of oversight in their procurement.
a Hikvision camera in use on Sofia's public transport system
The video-surveillance system installed on Sofia's public-transit network dates to 2017, when a modernization project for the city's urban transport was issued. At the end of 2018, a contract was concluded with a consortium of companies to purchase the equipment and affiliated technology for $45 million, with the aim of installing a total of 4,300 cameras on buses, streetcars, and trolleybuses in the capital.
The video-surveillance system in Sofia's public-transport system began operating in late 2020 and a rollout of the cameras has continued. The website of Sofia's Urban Mobility Center, the city's transportation department, says that installing the cameras was done to provide "better security" for drivers and passengers and make it easier for the city to count the number of people traveling on public transit.
But questions remain over the vulnerabilities of Hikvision cameras as well as wider concerns by some Western governments about Chinese suppliers.
The Urban Mobility Center said in response to RFE/RL questions that it did not have "the right to set restrictions or requirements around the country of origin or specific brands for equipment manufacturers" for the contract. Similarly, the consortium formed to execute the public order for purchasing the cameras said that its choice of equipment was guided by "needs, reliability, and security" and not by country of origin or trademark.
Part of the appeal of Chinese companies in the surveillance industry like Hikvision to buyers around the world is that they offer a competitive price paired with a quality that has often allowed them to undercut their peers and win public contracts where the cost to taxpayers is often a leading factor in the selection process.
Major concerns about the vulnerability of Hikvision came in 2021, when an anonymous security researcher found a glitch in the Chinese company's products that "permits an attacker to gain full control of the device." In a post that spread widely among industry leaders, the researcher said the cameras had "the highest level of critical vulnerability."
Hikvision quickly acknowledged the vulnerability and instructed users to install new software on their devices which it said would patch the glitch.
According to IPVM, an industry research publication focused on video-surveillance products, the vulnerability impacted more than 100 million cameras globally.
In August 2022, the cybersecurity company CYFIRMA published a study in which it estimated that more than 80,000 Hikvision cameras were exposed after operators failed to install a firmware update released in 2021 or left default passwords in place when first setting up the devices.
The Urban Mobility Center, the consortium behind the Sofia contract, and Maxtel, the subtractor that installed the cameras, did not acknowledge any vulnerabilities and whether they had been patched.
The Urban Mobility Center did not respond to RFE/RL's inquiry about the glitch and Maxtel said that it had no information about it. The center did say it had referred the question to Hikvision, but that the company had not yet confirmed any details.
People exit a tram in downtown Sofia.
However, both entities told RFE/RL that such concerns were paramount to them and that the video-surveillance system was secure, as it remains on a closed computer network and that all software updates are regularly monitored and applied.
"All measures have been taken to protect the system and make it impossible for the information from it to be used for anything other than its intended purposes," the Urban Mobility Center said in a statement. "It's constantly being reviewed, especially in terms of cybersecurity."
Bojanov, the opposition lawmaker, says he will continue to press for answers about the remaining vulnerabilities in the Sofia network and for added information for security standards.
Before entering politics, Bojanov worked in IT and says he has a strong practical background to understand the risks involved, especially from both what he described as private and state-backed hackers. Just one vulnerability, he adds, could be a breach that leads to access of the entire network of cameras.
Monitoring for compliance on the network falls within the domain of the State Agency for National Security. RFE/RL asked it what was being done to monitor and fix vulnerabilities, but the agency said that information regarding how its duties are carried out is classified.
According to Yasen Tanev, a cybersecurity expert and chairman of the Bulgarian Association for Business Software Development, the biggest risk for networks arises from noncompliance with industry standards and that modern cameras, which are connected through a vast digital network, are a leading target "for attacks by hackers."
Tanev told RFE/RL that questions around trust in the manufacturing company are key for such camera networks and that the restrictions imposed on Hikvision abroad due to national security concerns should be a "red flag" for the State Agency for National Security.
"Are the users aware of the risks, are they managing them, and how do they ensure that the vulnerabilities cannot be used by someone to gain access to these devices or the entire network?" he said.