Posts Tagged cybersecurity

Vatican’s Security Dilemma: Dahua Cameras and the Potential Risks

The Vatican City, the spiritual and administrative headquarters of the Roman Catholic Church, is an iconic destination visited by millions of tourists and worshipers each year. With its priceless artworks, historic buildings, and religious significance, protecting the Vatican’s security is of paramount importance. During a recent tour, we noted that the Vatican has implemented a security system featuring Dahua cameras, a leading Chinese manufacturer, for their VMS platform. However, the adoption of Dahua cameras has raised concerns regarding potential security risks. In this article, we explore the utilization of Dahua cameras in the Vatican and the associated challenges.

A Dahua PTZ camera installed on the exterior wall of the Vatican City.

A Dahua PTZ camera installed on the exterior wall of the Vatican City.

Dahua Cameras: Advanced Surveillance Technology

Dahua Technology is a well-known Chinese company specializing in the production of surveillance equipment, including security cameras, recorders, and software. Their products are widely used around the world, known for their affordability. Dahua cameras incorporate cutting-edge technologies like facial recognition, high-resolution imaging, and intelligent analytics, enabling comprehensive monitoring and analysis of security footage.

The Vatican’s Decision to Deploy Dahua Cameras

Given the Vatican’s stature as a symbolic and historical landmark, ensuring security is a complex undertaking. In an effort to enhance their surveillance capabilities, the Vatican opted to implement Dahua cameras in various locations, including public areas, museums, and the St. Peter’s Square. The decision to deploy Dahua cameras was likely driven by their advanced features, wide product range, and competitive pricing (The only other dominant international CCTV brand evident around Rome was Avigilon).

Security Risks Associated with Dahua Cameras

The following are at least some of the obvious identified risks associated with the Vatican’s choice to deploy Dahua hardware:

  1. Data Security Concerns: One of the major concerns with the use of Dahua cameras is the potential for data breaches and unauthorized access. There have been reports suggesting that Dahua cameras may have security vulnerabilities (perhaps government sponsored or otherwise) that could be exploited by malicious actors.  Any vulnerabilities in the software or firmware of the camera system could potentially expose sensitive footage and compromise the safety of the Vatican and its visitors.  There are many examples of previous breaches easily found on the internet to demonstrate the potential damage for this kind of exposure.
  2. Surveillance Backdoors: There have been allegations that certain Chinese-made surveillance equipment, including Dahua cameras, may have built-in “backdoors.” These backdoors could potentially allow unauthorized access or remote control of the cameras, leading to a breach of privacy and security. Although Dahua has addressed some of these concerns by releasing firmware updates, the risk remains a significant consideration and there is some uncertainty in the industry if ALL of the backdoors have actually been removed.
  3. Geopolitical Implications: The utilization of Chinese-made surveillance technology raises geopolitical concerns. The Vatican’s decision to rely on Dahua cameras might inadvertently involve the Vatican in geopolitical controversies, considering the Chinese government’s influence over its technology companies. This situation could have diplomatic implications and potentially impact the Vatican’s relationship with other countries.  While the Vatican is a sovereign country and is not subject to the US NDAA as some  entities may be in this country, there well may be implications and consequences in foreign relations with NATO or EU countries that do have these types of protective legislative measures in place.
  4. Installation methods:  During our tour of the Vatican interior we noted that the cameras were installed using surface mount brackets and then plugged into a CAT5 jack located near the
    Interior Dahua camera plugged into data jack noted during tour of Vatican

    Interior Dahua camera plugged into data jack noted during tour of Vatican

    camera location.  In at least two cases, it would have been trivial for a (tall) person to simply unplug the camera from the jack or even cut the category cable to disable the camera.

Mitigating the Risks

So what should the Vatican do, if anything, to mitigate the risks of having Chinese government backed security equipment with history of known flaws in the firmware and architecture?  Given the resources available to the Vatican, our recommendation would be to hire a professional consulting firm to do a risk assessment on the installed VMS platform and recommend a replacement with a brand manufactured by a reputable company with a good performance record and advanced features needed by a prestigious venue such as the Vatican.   Short of that, other additional measures that should be considered are as follows:

  1. Rigorous Cybersecurity Measures: The Vatican should implement robust cybersecurity protocols, including regular firmware updates, network segregation, and encryption. Conducting regular security audits and penetration testing can help identify and address vulnerabilities promptly.  All security cameras should be on a separate physical network or VLAN that is not routable to the internet, with network intrusion detection systems IDS features implemented on the network switches and routers.
  2. Diversification of Suppliers: The Vatican could explore diversifying its camera suppliers to reduce the risks associated with dependence on a single manufacturer. Adopting a multi-vendor approach would provide more options and potentially enhance security by selecting cameras from different sources.  This can have implications itself in terms of spare parts inventory, and camera configuration and firmware management headaches by having multiple vendors with multiple models.  Using a major brand manufacturer such as Axis, Hanwha, Avigilon, or Bosch would ensure there are enterprise class tools available to manage these aspects.
  3. Enhanced Collaboration: Collaborating with cybersecurity experts, both internally and externally, would help the Vatican stay informed about potential threats and implement appropriate countermeasures. Engaging with experts in the field can ensure the continuous monitoring and evaluation of the security system.
  4. Installation Standards:  The Vatican should develop and apply security equipment and installation standards that should be implemented for all existing and new security devices.  All devices should be vandal resistant where possible, and all cabling should be protected in conduit or other protected raceway to prevent vandalism or sabotage.  Camera devices should have a minimum mounting height and standard for field of view and focal length based upon the objective and purpose.   Advanced analytic methods should be implemented for object detection and classification, facial recognition, license plate recognition, and other intelligent video analytic technologies such as people counting, loitering, object removal, object identification, line crossing, etc.

Conclusion

The Vatican’s decision to adopt Dahua cameras reflects its commitment to improving security and safeguarding its treasures. However, it is important to acknowledge the potential security risks associated with using this technology. The Vatican should diligently address these risks by implementing robust cybersecurity measures, considering alternative suppliers, and maintaining an ongoing dialogue with cybersecurity experts. By doing so, the Vatican can strive to strike a balance between utilizing advanced surveillance technology and mitigating potential security vulnerabilities, ensuring the protection of its spiritual and historical significance for generations to come.

Posted in: CPTED, IP Video, New Equipment and Gadgets, Premises Liability, Security Technology, Vulnerability Analysis

Leave a Comment (0) →

Another installment of (in)secure Cloud storage

Chinchero Airport, Peru | EJAtlas

We know we sound like a broken record when we tell our clients “If you don’t own your server, you don’t own your data. Don’t put anything in the cloud you don’t want potentially exposed to the public.”, but time after time we show examples of why we keep repeating this mantra.

What Happened:

A major data leak by Securitas that affected several Latin American airports and other related companies was discovered by a cybersecurity firm called SafetyDetectives. In late January a team discovered that an Amazon S3 bucket had been left unsecured and exposed to public access, and contained over 1 million files relating to airport and security personnel.

Securitas, a large, well known multinational security company that has been in business for almost a century, has not made any public statements around the incident as of this posting. This isn’t the first time Securitas has had cybersecurity issues. In 2017 the Securitas CEO Alf Göransson had his personal identification stolen at the end of March, when someone applied for a loan in his name. The Stockholm District Court then declared Göransson bankrupt without informing the CEO prior to its decision.

The Breach (From SafetyDetectives briefing):

Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place. The misconfigured bucket has therefore exposed almost 1.5 million files, equating to about 3TB of data.

The bucket’s exposed information included employee Personally Identifying Information and sensitive company data of at least four airports in Colombia and Peru: El Dorado International Airport (Bogota D.C, COL), Alfonso Bonilla Aragón International Airport (Valle del Cauca, COL), José María Córdova International Airport (Antioquia, COL), and Aeropuerto Internacional Jorge Chávez (Lima, PE). As mentioned, unobserved files may have exposed other airports and places throughout Colombia, the rest of Latin America, or even the rest of the world.

They observed two main datasets containing the information of Securitas employees and airport employees: photos of ID cards and other unmarked photos.

Photos of ID cards featured on the bucket. There were an estimated 1 million files of this type on the Securitas misconfigured bucket. These files revealed the personal information of employees at the four aforementioned airports that are using Securitas’ services.

Photos of ID cards reveal several forms of employee Personally Identifying Information, including:

  • Full names, incl. first names and surnames
  • Photos of employees
  • Occupations
  • National ID Number

What Was Leaked?

Other unmarked photos featured among the bucket’s content too. There were about 300,000 files of this type. These photos leaked the data of airports, airport employees, and associated companies.

Specifically, these files exposed employees’ personal data, sensitive client data (airports), and the sensitive data of associated companies, such as airlines. Exposed data includes:

  • Photos of employees
  • Photos of planes
  • Photos of fueling lines
  • Photos of luggage being loaded/unloaded

What Was Leaked?

 In addition to the information mentioned above, the two primary datasets analyzed on the bucket (photos of ID cards and other unmarked photos) contained Exchangeable Image File Format (EXIF) data that exposed specific information related to each photo.   Exposed EXIF data includes:

  • Device models (of the cameras used)
  • GPS locations of photos, incl. coordinates and GPS maps
  • Time & date of photos

What Was Leaked?

What it Means to Us

It may be some time before there is any assessment of the extent of damage the data breach, but this obviously serves as an example of how careless data management can cause serious security implications for your firm or those of your clients.   In evaluating software application strategies for our clients, we always ask these simple questions:

  1. What is the criticality if this information if it is leaked to the public?
  2. Can the solution be self-hosted on the Client’s own private network?
  3. Does it really NEED to be a cloud application?
  4. If so, how can we mitigate the potential damage if there is a breach?

Additional measures like a Type I or Type II SOC report are helpful, but likely wouldn’t have prevented the Securitas data breach discussed above.  Regular and ongoing security audits, along with well defined and enforced data management and security policies and procedures are the only real defense against these kinds of mishaps.

This won’t be the last time we see this either, as the Cloud becomes more and more integrated into corporate IT strategies, it will happen again, and again, and again.

 

 

 

Posted in: Security Consulting, Security Technology

Leave a Comment (0) →