Here Be Dragons Eyes: Mapping Dahua and Hikvision Surveillance Equipment Across America

An internet scanning assessment of Chinese IoT usage in the U.S. in the age of the Secure Equipment Act

Jonathan Peyster
Tales From Decrypt

--

On November 28th 2022, the FCC took the extraordinary step of banning the sale and import of Chinese IoT devices from surveillance giants Hikvision and Dahua “deemed to pose an unacceptable risk to national security”. Concern about their products wasn’t new and had been addressed previously in a 2018 ban within the National Defense Authorization Act focused on the public sector. However, when the FCC extended this ban to the private sector by following through on 2021’s Secure Equipment Act, it represented a new moment in U.S.-China technology decoupling. It’s also impactful from a risk management perspective. Devices that have already been imported and sold remain legal, but this outright ban has the effect of calling their cybersecurity into question and, by extension, the physical security of the facilities they protect. So…where are these devices? Assuming the concerns are well founded and the worst-case scenarios play out, what would the attack surface look like?

There is no public registry for surveillance equipment which would ordinarily make this an immensely challenging problem. Fortunately and unfortunately, both Dahua and Hikvision products have a habit of finding themselves facing the internet and thus being discoverable through internet scanning data like Shodan. Such a large sample of exposed assets may not represent a full accounting of these devices but is enough to give us (1) a rough sense of how many are in the U.S., (2) how this has changed over time, (3) how they are distributed geographically, and — most importantly — (4) the types of networks and organizations using them. It’s no secret that these products are widely deployed but a statistical breakdown can help give us a better sense of what’s really at risk. Additionally, we now have several months of data following the FCC’s action and can try and get a sense of how it has impacted the current installed base of Dahua and Hikvision within U.S. borders. Are we seeing a decline that might indicate efforts are underway to remove them?

A quick tool I put together with Streamlit to help aid in my analysis

When looking at Dahua and Hikvision devices in the U.S., it is important to keep in mind how dominant these companies are in the networked camera and video recording segments respectively. There are many ways to measure this but let’s keep this blog simple and stick with Shodan — Hikvision is the 10th most common server software product observed online in the world and Dahua’s various versions and OEMs cumulatively rank 31st with the two accounting for around 5 million IP addresses globally. To put this in further context, Shodan observes nearly as many IP addresses being used for Hikvision cameras as ones for Microsoft IIS or MySQL and more than RDP and VNC combined. These products are not only market leaders in their segments but also amount to significant portions of the global internet. So let’s get to it.

The 10 most common server software products observed on IP addresses globally per Shodan

Dahua

There are a few different methods that can be employed to identify Dahua systems deployed across the United States. As an example, an IP address serving one of the two favicons in the screenshots below is typically a Dahua product, and these often have an HTTP web server title of “WEB SERVICE” as well. While it is possible that some of these IPs aren’t Dahua-branded products, their use of the same combination of favicon and website title indicates that they are running Dahua admin software and are likely Dahua OEM products, which are also subject to the Secure Equipment Act’s FCC ban. Further investigation of screenshots of these suspected OEM admin interfaces using URLScan made me increasingly confident of this assessment.

Favicons and web server title associated with Dahua IP addresses
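To make the fingerprinting rule above concrete, here is an added example (my own illustration, not code from the Streamlit tool or from Shodan) that applies it to Shodan-style host records: a vendor string in the product field wins, otherwise a matching favicon hash plus the “WEB SERVICE” title is treated as a likely Dahua OEM, and a favicon match alone is flagged as only possible. The favicon hash values and the record layout are assumptions, since the post shows the favicons as images rather than as hash values, and the sample hosts are constructed.

```python
"""Classify Shodan-style host records as Dahua, likely Dahua OEM, Hikvision or other.

Added example: the favicon hashes are placeholders and the Host layout is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Placeholder hashes standing in for the two Dahua favicons shown in the post.
# Shodan's http.favicon.hash is a 32-bit MurmurHash3 of the base64-encoded icon;
# substitute the values observed in your own data.
DAHUA_FAVICON_HASHES = {-1000000001, -1000000002}  # constructed placeholders
DAHUA_TITLE = "WEB SERVICE"


@dataclass
class Host:
    ip: str
    state: Optional[str] = None          # two-letter U.S. state from the location data
    product: Optional[str] = None        # vendor/product string, if the scanner populated it
    title: Optional[str] = None          # http.title
    favicon_hash: Optional[int] = None   # http.favicon.hash


def classify(host: Host) -> str:
    """Apply the fingerprinting rules in priority order."""
    product = (host.product or "").lower()
    title = (host.title or "").strip().upper()
    if "hikvision" in product:
        return "hikvision"
    if "dahua" in product:
        return "dahua"
    # No vendor string: fall back to the favicon + title combination.
    if host.favicon_hash in DAHUA_FAVICON_HASHES:
        return "dahua_oem" if title == DAHUA_TITLE else "dahua_possible"
    return "other"


def summarize(hosts):
    """Count hosts per class, and per state within each vendor class."""
    by_class = Counter()
    by_state = {}
    for h in hosts:
        label = classify(h)
        by_class[label] += 1
        if label != "other":
            by_state.setdefault(label, Counter())[h.state or "unknown"] += 1
    return by_class, by_state


# Constructed sample records (not real scan output).
SAMPLE_HOSTS = [
    Host("192.0.2.10", "NY", product="Dahua DVR", title="WEB SERVICE", favicon_hash=-1000000001),
    Host("192.0.2.11", "NY", title="WEB SERVICE", favicon_hash=-1000000002),
    Host("192.0.2.12", "TX", favicon_hash=-1000000001),
    Host("192.0.2.13", "CA", product="Hikvision IP camera"),
    Host("192.0.2.14", "CA", product="Apache httpd", title="Welcome"),
]

if __name__ == "__main__":
    classes, states = summarize(SAMPLE_HOSTS)
    print(classes)   # Counter({'dahua': 1, 'dahua_oem': 1, 'dahua_possible': 1, ...})
    print(states)
```

The per-state breakdown is what feeds a map like the one below; an asset owner can run the same classifier over their own external scan results to find out whether any of their public IPs land in the Dahua or Hikvision buckets.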

Observations

  • ~110,000 Dahua devices in the U.S. split ~70/30 between Dahua and likely Dahua OEM
  • There are at least 100 Dahua devices in all 50 states plus D.C. with distribution seeming to largely mirror standard patterns for internet-connected devices

Distribution of Dahua devices in the U.S. (OEM not included)

  • Thousands of Dahua video recorders are using unencrypted streaming protocols like Real Time Streaming Protocol (RTSP) that are vulnerable to man-in-the-middle attacks — national security aside, there are plenty of cyber security pitfalls with these products and data from sources like GreyNoise reveals that they are currently being targeted with a total of 1,235 malicious IPs observed scanning for these assets
  • State and local governments of all types are still using Dahua devices extensively, as are universities and K-12 schools with Shodan detecting a few hundred visible across 32 states
  • Dahua video recording systems remain deployed across critical infrastructure such as hospitals, airports, power stations, and data centers
  • Concentrations of Dahua deployment exist across brick and mortar establishments ranging from Starbucks to Arby’s, car dealerships to dental offices, motels and banks, and even the Western Beef supermarket a few blocks from my apartment in Brooklyn!
  • A handful of Starlink users have their Dahua video recorders exposed to the internet via satellite which takes this already cyber-physical attack surface to another dimension…
  • With the exception of a spike during the summer of 2021, the number of Dahua servers observed in the U.S. has declined over time — down 21% from an August 2021 peak — and this may be accelerating following enactment of the Secure Equipment Act although further follow-up is needed once more data is available

Trend in deployment of all Dahua products (left) and trend split out across top 5 Dahua products (right)

Hikvision

As noted previously, Hikvision is among the most widely used internet-connected products in the world. It is no surprise then that it remains widely deployed across the U.S. with usage patterns appearing to be quite similar to what I saw with Dahua. Identifying IPs with Hikvision using both Shodan and its competitor Censys was straightforward with a clear indication in banners returned by Hikvision as can be seen below and a common favicon as well.

One of the nearly half million Hikvision cameras in the U.S. observable via Shodan

Observations

  • There were 433,827 Hikvision devices in the U.S. in February of 2023 compared to an observed peak of 461,328 in August of 2022, representing a 6% decline — as with Dahua, we need more time to get a clearer sense of this trend
  • For some context and corroboration I checked Shodan competitor Censys, which found more U.S. hosts running Hikvision than Shodan did, at 497,608; that is within the same range and reveals similar exposure patterns overall
  • Whereas Hikvision is the 10th most common product globally, it only ranks 23rd within the United States but still is a widely deployed market leader
  • Hikvision is deployed in every state and there are greater than 1,000 devices observable in all but 6 of them

Hikvision observations in the U.S. over time (left) and by location (right) per Shodan

  • As with Dahua, Hikvision usage is widespread with cameras observable in establishments including police departments, jails, museums, and even major international airports
  • Hikvision admin interfaces are often on unencrypted HTTP port 80 which could make them susceptible to compromise by a motivated threat actor
  • Shodan allows us to get a sense of which versions of Hikvision are most commonly observed and on what ports:

Most common versions and ports for observed Hikvision within U.S.
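The observations above boil down to three calculations over the scan data: the change from an observed peak, a tally of versions and ports, and a count of how many hosts expose the plaintext services called out for both vendors (admin interfaces on HTTP port 80 and RTSP streams on port 554). The following added example (my own illustration, not the post’s Streamlit code) does all three over a constructed dataset; the August 2022 and February 2023 figures are the ones quoted above, while the intermediate month, the version strings and the host records are placeholders.

```python
"""Summarise observed device records: change from the observed peak, version/port
tallies, and how many hosts expose unencrypted management or streaming ports.

Added example: apart from the two quoted monthly totals, all data here is constructed.
"""
from collections import Counter

# Monthly U.S. Hikvision host counts. The Aug 2022 and Feb 2023 values are the post's
# figures; the intermediate month is a constructed placeholder.
HIKVISION_US_COUNTS = {
    "2022-08": 461_328,
    "2022-11": 450_000,  # placeholder
    "2023-02": 433_827,
}

# Constructed observations (one row per open port); version strings are placeholders.
SAMPLE_RECORDS = [
    {"ip": "198.51.100.1", "version": "v5.a", "port": 80},
    {"ip": "198.51.100.1", "version": "v5.a", "port": 554},
    {"ip": "198.51.100.2", "version": "v5.a", "port": 8000},
    {"ip": "198.51.100.3", "version": "v5.b", "port": 80},
    {"ip": "198.51.100.4", "version": "v4.c", "port": 443},
]

# Plaintext services the post singles out: HTTP admin pages and RTSP video streams.
UNENCRYPTED = {80: "http_admin", 554: "rtsp_stream"}


def change_from_peak(series):
    """Return (peak_month, latest_month, percent change of latest vs. peak)."""
    peak_month = max(series, key=series.get)
    latest_month = max(series)  # ISO YYYY-MM keys sort chronologically
    pct = (series[latest_month] - series[peak_month]) / series[peak_month] * 100
    return peak_month, latest_month, round(pct, 1)


def tally(records, field):
    """Count observations per value of a field, e.g. 'version' or 'port'."""
    return Counter(r.get(field, "unknown") for r in records)


def exposure_summary(records):
    """Per unique host, record which plaintext services it exposes and roll up the counts."""
    hosts = {}
    for r in records:
        flags = hosts.setdefault(r["ip"], set())
        if r["port"] in UNENCRYPTED:
            flags.add(UNENCRYPTED[r["port"]])
    summary = Counter(hosts=len(hosts))
    for flags in hosts.values():
        for f in flags:
            summary[f] += 1
        if flags:
            summary["any_plaintext"] += 1
    return dict(summary)


if __name__ == "__main__":
    print(change_from_peak(HIKVISION_US_COUNTS))   # ('2022-08', '2023-02', -6.0)
    print(tally(SAMPLE_RECORDS, "version").most_common(3))
    print(tally(SAMPLE_RECORDS, "port").most_common(3))
    print(exposure_summary(SAMPLE_RECORDS))
```

Counting per host rather than per record matters for the exposure numbers: a single recorder listening on both 80 and 554 is one exposed asset, not two, and that is the figure a facility owner needs when deciding what to pull off the public internet first.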

Conclusion

I’ve aimed to focus on the attack surface question first by largely steering clear of the security of these devices but you can expect me to follow up in the future with thoughts on operational and network security challenges related to IoT and OT. Like AI, cyber-physical convergence is an inevitability. This manifestation of it is one I’m particularly drawn to, though, as I devoted my graduate studies at American and Chinese universities to researching the internet’s fragmentation along policy and technical lines and have been living it as a practitioner ever since while leading the development of Dataminr’s real-time event detection for cybersecurity. Expect me to continue to track this story and the broader issue of U.S.-China technology decoupling going forward.

Lastly, I want to make it clear that my goal with this post isn’t to spark fear but rather to encourage data-driven approaches to understanding how the shape of the internet continues to evolve and the implications of an increasingly connected world. To this end, expect me to make heavy use of internet scanning data from favorite tools like Shodan, Censys, GreyNoise, URLScan, and IODA in this blog going forward. I’m also preparing a GitHub repository where I’ll be sharing code for Streamlit dashboards I develop to track cybersecurity risks like this one on an ongoing basis. Stay tuned for more Tales From Decrypt!

--

I am a China SME by training and cybersecurity obsessive by calling who led development of Dataminr's cyber capabilities for over 5 years in my last role.