Bosnian judiciary uses cameras from Chinese companies sanctioned for security risks

 

These cameras were mostly purchased before the sanctions were imposed, when the US and China began a trade war. Some of the equipment was purchased with US or EU funds, and now cities and institutions on both continents are replacing them due to concerns about privacy and human rights.

Protecting national interests should be the obligation of every state and its citizens, says engineer Damir Avdić.

“Institutions must be careful when purchasing any equipment through which sensitive information and data are sent and received,” he explains.

The High Judicial and Prosecutorial Council (HJPC), the cantonal courts in Tuzla and Mostar, the prosecutors' offices in Orašje, Tuzla, Bihać and Trebinje, and the Constitutional Court of Republika Srpska use cameras manufactured by Hikvision or Dahua, which the US has imposed sanctions on because they believe they act against its foreign policy interests.

In 2022, the US Federal Communications Commission adopted new rules that prohibit the import of communications equipment that it considers an unacceptable risk to national security.

In addition to Hangzhou Hikvision Digital Technology and Dahua Technology, the list also includes communications equipment manufactured by Huawei Technologies, ZTE Corporation, and Hytera Communications, whose uniform cameras are used by police officers of the Ministry of Internal Affairs of the Sarajevo Canton.

The Cantonal Court in Mostar, in whose courtrooms Hikvision cameras are installed, states that the US Agency for International Development (USAID) financed the purchase of this equipment in 2020. The cameras in this court are not connected to the internet, they confirmed to Detektor.

“All stored videos are located on a local or court server, which is not connected to the global internet network, so there is no possibility of misuse of the videos by an authorized person,” they claim.

The premises of the HJPC are equipped with cameras from the German manufacturer Bosch, as well as Hikvision – one of the largest camera manufacturers in the world, along with Dahua. Most of the surveillance cameras in the premises of this highest judicial body are under the control and jurisdiction of the Department for Information and Communication Technology.

In its response to Detektor, the HJPC states that some of the cameras from the Hikvision manufacturer, installed in 2017, were financed by donor funds from the European Union (EU), while the procurement of some of the cameras from the same manufacturer, installed in 2023, was carried out with the help of the EU4Justice project.

Judicial institutions using cameras from sanctioned manufacturers. Illustration: Vanja Lazić, Detektor

The HJPC explains that they apply best practices and security standards, and that video surveillance systems operate exclusively in a closed, strictly controlled network environment, without internet access.

“This configuration prevents any access to cameras and video surveillance systems from the external environment, i.e. from the internet,” explains the HJPC.

They are aware of the US sanctions, but have not received any signals from international partners that they need to replace them.

“Replacing Hikvision cameras with cameras from any other manufacturer was not considered. In the current setup, the activity of replacing fully functional cameras would create unnecessary costs for the budget of BiH institutions, and unnecessarily take up human resources necessary for the reconfiguration of video surveillance systems,” says the HJPC.

Any connection to the internet can increase the risk, explains software engineer Avdić. He explains that part of the security community believes that the backdoor in Hikvision and Dahua cameras was intentionally left in. Another part of the community believes that it is just "sloppy work."

He explains that a backdoor is a permanent way to access a device that bypasses security settings. According to Avdić, Hikvision had such access, which, with a certain code, gave the ability to change the user and password, which further enabled access control and opened up possibilities for new types of attacks.

“It should be noted that Hikvision issued a patch for this problem, thus reducing the risk of the reported threat, but even today there are companies that have not patched their devices and they are still vulnerable,” says Avdić.

With Dahua cameras, there was a slightly different problem, he explains, so it was possible to download a small internal database where user data was saved, and access the cameras without restrictions. He adds that Dahua also issued a fix, thus reducing the threat, but that not everyone takes threats seriously and does not secure their devices.

The detector has sent inquiries to courts and prosecutors' offices with a request for the data that the cameras use. The Federation Judicial Police has such data for judicial institutions in this entity, but they did not provide it to Detector, citing the security and protection of property of judicial institutions, judges and prosecutors, and the protection of evidentiary materials.

Chief Inspector General of the Judicial Police, Dženad Grošo, explained that they cannot provide such information on the exact location of these cameras, “due to the security protocols used by each camera manufacturer, including Dahua and Hikvision, in order to protect information on technical solutions and systems, which is essential for preventing unauthorized access to the video surveillance system in the buildings of judicial institutions and preventing security threats.”

 

The Posavina Cantonal Prosecutor’s Office has no information that the camera manufacturer Hikvision has been sanctioned. Chief Cantonal Prosecutor Ivanka Stanić says that they have not discussed replacing the equipment.

 

Dahua cameras have been installed in the premises of the Cantonal Court in Tuzla, says spokesperson Adisa Alić, and this court did not participate in the procurement process in any way because the video surveillance equipment was donated by the EU Delegation through the IPA project.

“So far, there have been no suggestions from international partners, and therefore no talk of changing the equipment and removing these cameras,” says Alić.

The European Union Delegation to BiH did not directly respond to questions about whether the Union had advised member states on the procurement of security equipment from China, and whether judicial institutions in BiH should replace such equipment. In a brief response, they only state that “the right to privacy is guaranteed by the European Convention on Human Rights,” and that BiH is expected to align its norms with the European data protection regulation during the accession process.

“We expect all equipment purchased with EU funds to be used for legitimate purposes, in full compliance with relevant European legislation and standards in the field of human rights and data protection,” said Ferdinand Koenig, spokesperson for the Delegation and Office of the EU Special Representative to BiH.

The European Union has not yet imposed sanctions on Chinese technology companies, as the US authorities have done. European countries are trying to mitigate the negative effects of the US-China trade war and maintain good relations with Chinese partners.

But there are also concerns on the continent about the impact of this equipment on critical infrastructure. In June 2023, Reuters reported that the UK had committed to removing surveillance equipment from Chinese manufacturers from sensitive government buildings as part of its plan to address security concerns related to China.

The agency stated that Britain planned to stop purchasing from companies linked to China. There have previously been calls in this country to ban the sale and use of security cameras from Hikvision and Dahua – two companies partly owned by the Chinese authorities, due to concerns about privacy and human rights abuses in China, particularly the Uyghur minority community.

When the Lithuanian city of Kaunas announced it was replacing Hikvision cameras, the head of the Ministry of Defense’s cybersecurity team, Antanas Aleknavičius, explained the decision.

 

“It’s about the threat of intrusion into systems, especially critical infrastructure, the possibility of them being taken over through updates and the data being transmitted being seen,” Aleknavičius said.

 

Earlier this year, the city of Amsterdam announced that it would remove more than 1,200 Chinese-made surveillance and traffic cameras over the next five years due to concerns about espionage and human rights, following a similar move by the United Kingdom. Australian authorities have made similar announcements.

 

“When you look at Chinese laws, things are very clear,” Antonia Hmaidi, a researcher at the Mercator Institute for China Studies in Berlin, told Deutsche Welle.

“Every Chinese company must cooperate with the authorities and provide data if they ask for it. This includes data that is collected abroad,” she added.

Chinese companies and authorities have rejected Western claims that data is at risk.

The US Embassy in BiH believes that there are inherent risks to national security, sovereignty and operational efficiency in dealing with unreliable suppliers and companies operating in countries without adequate legal protection for customers and consumers.

“We appeal to the authorities in BiH to take this into account when making procurement decisions,” the Embassy told Detektor.

Distributors of Hikvision or Dahua cameras in BiH – including Antenal from Banja Luka, Alarm Automatika Sarajevo, AFP Široki Brijeg and Master B.C. Banja Luka – had not responded to Detektor’s requests for comment by the time of publication.

Engineer Avdić considers it ungrateful to comment on the procurement of equipment that the US has blacklisted, because this country has its own policy for cyber threats and national security.

“But surely this could be taken as a guideline when purchasing and, for example, buying a small part of the equipment and testing it in its own secure environments,” Avdić added.

He says that in this global geopolitical and economic situation, protecting the interests of the state and its citizens in the domain of cybersecurity should be an important topic, and explains that a set of laws on equipment procurement should also be passed, as well as many other domains in cybersecurity.

 

 

 

While most Western countries are seriously considering the security threat posed by IT equipment purchased from Chinese companies, in light of Chinese law that obliges local companies to cooperate and provide data to state institutions, this problem is not understood and is not being considered seriously in the Western Balkan countries.

The fact that a significant number of judicial institutions in BiH use IT equipment purchased from Chinese companies that the US has sanctioned, and a significant number of European countries are implementing or considering replacing equipment from Chinese companies with equipment from manufacturers from other countries, should be a clear signal that institutions in BiH and other Western Balkan countries should also address this issue.

However, this issue is not being considered or  not legislative efforts are being made to strengthen data security and protection. The existing legal framework in BiH does not provide sufficient protection against the possibility of data being taken over and misused by government institutions, which makes the state and citizens an easy target for possible cyber attacks that could misuse data.