Archive for IP Video

Vatican’s Security Dilemma: Dahua Cameras and the Potential Risks

The Vatican City, the spiritual and administrative headquarters of the Roman Catholic Church, is an iconic destination visited by millions of tourists and worshipers each year. With its priceless artworks, historic buildings, and religious significance, protecting the Vatican’s security is of paramount importance. During a recent tour, we noted that the Vatican has implemented a security system featuring Dahua cameras, a leading Chinese manufacturer, for their VMS platform. However, the adoption of Dahua cameras has raised concerns regarding potential security risks. In this article, we explore the utilization of Dahua cameras in the Vatican and the associated challenges.

A Dahua PTZ camera installed on the exterior wall of the Vatican City.

A Dahua PTZ camera installed on the exterior wall of the Vatican City.

Dahua Cameras: Advanced Surveillance Technology

Dahua Technology is a well-known Chinese company specializing in the production of surveillance equipment, including security cameras, recorders, and software. Their products are widely used around the world, known for their affordability. Dahua cameras incorporate cutting-edge technologies like facial recognition, high-resolution imaging, and intelligent analytics, enabling comprehensive monitoring and analysis of security footage.

The Vatican’s Decision to Deploy Dahua Cameras

Given the Vatican’s stature as a symbolic and historical landmark, ensuring security is a complex undertaking. In an effort to enhance their surveillance capabilities, the Vatican opted to implement Dahua cameras in various locations, including public areas, museums, and the St. Peter’s Square. The decision to deploy Dahua cameras was likely driven by their advanced features, wide product range, and competitive pricing (The only other dominant international CCTV brand evident around Rome was Avigilon).

Security Risks Associated with Dahua Cameras

The following are at least some of the obvious identified risks associated with the Vatican’s choice to deploy Dahua hardware:

  1. Data Security Concerns: One of the major concerns with the use of Dahua cameras is the potential for data breaches and unauthorized access. There have been reports suggesting that Dahua cameras may have security vulnerabilities (perhaps government sponsored or otherwise) that could be exploited by malicious actors.  Any vulnerabilities in the software or firmware of the camera system could potentially expose sensitive footage and compromise the safety of the Vatican and its visitors.  There are many examples of previous breaches easily found on the internet to demonstrate the potential damage for this kind of exposure.
  2. Surveillance Backdoors: There have been allegations that certain Chinese-made surveillance equipment, including Dahua cameras, may have built-in “backdoors.” These backdoors could potentially allow unauthorized access or remote control of the cameras, leading to a breach of privacy and security. Although Dahua has addressed some of these concerns by releasing firmware updates, the risk remains a significant consideration and there is some uncertainty in the industry if ALL of the backdoors have actually been removed.
  3. Geopolitical Implications: The utilization of Chinese-made surveillance technology raises geopolitical concerns. The Vatican’s decision to rely on Dahua cameras might inadvertently involve the Vatican in geopolitical controversies, considering the Chinese government’s influence over its technology companies. This situation could have diplomatic implications and potentially impact the Vatican’s relationship with other countries.  While the Vatican is a sovereign country and is not subject to the US NDAA as some  entities may be in this country, there well may be implications and consequences in foreign relations with NATO or EU countries that do have these types of protective legislative measures in place.
  4. Installation methods:  During our tour of the Vatican interior we noted that the cameras were installed using surface mount brackets and then plugged into a CAT5 jack located near the
    Interior Dahua camera plugged into data jack noted during tour of Vatican

    Interior Dahua camera plugged into data jack noted during tour of Vatican

    camera location.  In at least two cases, it would have been trivial for a (tall) person to simply unplug the camera from the jack or even cut the category cable to disable the camera.

Mitigating the Risks

So what should the Vatican do, if anything, to mitigate the risks of having Chinese government backed security equipment with history of known flaws in the firmware and architecture?  Given the resources available to the Vatican, our recommendation would be to hire a professional consulting firm to do a risk assessment on the installed VMS platform and recommend a replacement with a brand manufactured by a reputable company with a good performance record and advanced features needed by a prestigious venue such as the Vatican.   Short of that, other additional measures that should be considered are as follows:

  1. Rigorous Cybersecurity Measures: The Vatican should implement robust cybersecurity protocols, including regular firmware updates, network segregation, and encryption. Conducting regular security audits and penetration testing can help identify and address vulnerabilities promptly.  All security cameras should be on a separate physical network or VLAN that is not routable to the internet, with network intrusion detection systems IDS features implemented on the network switches and routers.
  2. Diversification of Suppliers: The Vatican could explore diversifying its camera suppliers to reduce the risks associated with dependence on a single manufacturer. Adopting a multi-vendor approach would provide more options and potentially enhance security by selecting cameras from different sources.  This can have implications itself in terms of spare parts inventory, and camera configuration and firmware management headaches by having multiple vendors with multiple models.  Using a major brand manufacturer such as Axis, Hanwha, Avigilon, or Bosch would ensure there are enterprise class tools available to manage these aspects.
  3. Enhanced Collaboration: Collaborating with cybersecurity experts, both internally and externally, would help the Vatican stay informed about potential threats and implement appropriate countermeasures. Engaging with experts in the field can ensure the continuous monitoring and evaluation of the security system.
  4. Installation Standards:  The Vatican should develop and apply security equipment and installation standards that should be implemented for all existing and new security devices.  All devices should be vandal resistant where possible, and all cabling should be protected in conduit or other protected raceway to prevent vandalism or sabotage.  Camera devices should have a minimum mounting height and standard for field of view and focal length based upon the objective and purpose.   Advanced analytic methods should be implemented for object detection and classification, facial recognition, license plate recognition, and other intelligent video analytic technologies such as people counting, loitering, object removal, object identification, line crossing, etc.

Conclusion

The Vatican’s decision to adopt Dahua cameras reflects its commitment to improving security and safeguarding its treasures. However, it is important to acknowledge the potential security risks associated with using this technology. The Vatican should diligently address these risks by implementing robust cybersecurity measures, considering alternative suppliers, and maintaining an ongoing dialogue with cybersecurity experts. By doing so, the Vatican can strive to strike a balance between utilizing advanced surveillance technology and mitigating potential security vulnerabilities, ensuring the protection of its spiritual and historical significance for generations to come.

Posted in: CPTED, IP Video, New Equipment and Gadgets, Premises Liability, Security Technology, Vulnerability Analysis

Leave a Comment (0) →

The use of shielded category Ethernet cable for IP Video

It comes up from time to time from customers and vendors when and where to use shielded category twisted pair cable for Ethernet.   Most vendors hate it.  It’s hard to terminate, doesn’t flex well and nobody ever seems to agree on how it should be grounded.    For the most part, it wasn’t much of a problem for CAT3 or even CAT5 cable.  But with higher and higher bandwidth (and thus frequency) demands on the cable, using CAT6A cable in certain environments for network applications becomes important.   And while there’s a decent argument for why you may not need CAT6A cable for IP video (see this article for more information), many of our clients are using it as a corporate standard, regardless of the application.

Although CAT6 cables have improved the cable twist to handle gigabit Ethernet and reject noise, this by itself is not enough for environments that have high electromagnetic interference (EMI).  What is EMI?  Think of EMI as gremlins that are trying to attack the signal of your network cable.  EMI is generated as electromagnetic waves in the radio frequency (RF) spectrum, and can come from many sources.  The most logical is an RF transmitter, like a radio station tower or even HAM radio antenna; but other sources can be harder to spot, such as a nearby computer, high voltage power lines, a leaky transformer, or fluorescent light fixture that’s going bad.   Running network cables in your ceiling or plenum space could potentially put these cables near those kinds of sources, and thus introducing the gremlins to degrade or even interrupt communications over the Ethernet network cable.   Since Ethernet is a collision based network strategy, this usually looks like a slow connection, as the network repeatedly keeps re-transmitting packets that were found to be in error.  Result, poor network performance and potentially bad video.

Most people are familiar with UTP cable (Unshielded Twisted Pair), versus STP (Shielded Twisted Pair), and UTP is commonly used in CAT5e cabling that is predominant for gigabit Ethernet networking in most commercial and residential applications.  STP cables have an additional metallic braid that forms a sort of shield (google “Faraday shield” for how it works) around the conductors, and reduces the amount of interference that can be injected into the cable.   Still, both types of conductors (STP and UTP) have one thing in common, the twisted pair, that by itself reduces interference by its inherent design.

Photo courtesy of Axis Communications.

The drawback of STP cables is that they increase the total cost of the installation. STP cables are more expensive due to the shielding (and usually are higher quality), which is an additional material that goes into every foot of the cable.  The shielding also makes the cable heavier and stiffer. Thus, it is more difficult to handle during installation (pulling cable over long distances through a conduit is hard enough with flexible cable).

While most installations can be done effectively using UTP cable, we recommend using STP cable for high EMI environments like manufacturing, laboratory, or research facilities where other high energy or RF generating devices may be in use.  Also, if you’re forced to run category cable in a cable tray that’s shared with power conductors (low or medium voltage), use STP cable even though the cable tray is separated and may have it’s own shielding for the power conductors.   It is also highly recommended to use an STP cable where the camera is installed outdoors or where the network cable is routed outdoors.

Oh, and what to do with that drain wire?  Our suggestion is to use some of the pre-fabricated shielded keystone jacks like this one.

Posted in: IP Video

Leave a Comment (0) →