BUCHAREST -- A seemingly mundane purchase by the Romanian military on January 16 for Chinese-made surveillance equipment could have far-reaching national-security implications.
For less than $1,000, a Romanian Defense Ministry employee ordered an eight-port switch and two surveillance cameras for the security network at a military base in the sleepy southern village of Deveselu that is home to NATO's Aegis Ashore, land-based, missile-defense system.
The cameras were made by Hikvision, a partly state-owned Chinese company with alleged links to the country's military whose equipment has been blacklisted by the United States and Britain due to data and security vulnerabilities.
While there's no evidence the cameras at Deveselu have resulted in any breaches, a monthslong investigation by RFE/RL's Romanian Service shows that surveillance equipment made by Hikvision and Dahua -- another company that is partly owned by the Chinese government -- is used by at least 28 military facilities in the country. The equipment is also used by hundreds of other public institutions involved in national security, ranging from the coast guard to sites operated by the intelligence service.
Unlike the United States, Britain, or some other NATO partners, there is no prohibition on the use of Hikvision or Dahua equipment in Romania and the country's Defense Ministry and other national-security institutions using the brands told RFE/RL they were on closed-circuit systems that do not have cloud or Internet connections and that strict security protocols are followed.
But experts say their use in Romania raises critical questions about national security and the potential compromise of sensitive information. Vulnerabilities in firmware could allow remote access, control of cameras, data interception, and network attacks by state and nonstate groups alike. While these concerns are not unique to Hikvision and Dahua, questions over how both companies store their data, their connections to the Chinese government, and a growing catalogue of security vulnerabilities make both companies higher-risk.
"There's still a risk, even if something isn't connected to the Internet," Conor Healy, the director of government research at IPVM, a surveillance-industry research firm, told RFE/RL. "There are examples of closed-camera systems being hacked through other systems connected to the Internet."
Hikvision and Dahua are among the world's leading providers for closed-circuit television and surveillance systems and their products remain popular across Europe. There are no EU restrictions against them, but the European Parliament has removed equipment manufactured by the company from its premises. Both companies have denied allegations that their Chinese state links make them a security risk and say they regularly patch any glitches that can lead to vulnerabilities.
SEE ALSO: 'The Network Wars Have Begun': China's Digital Silk Road Ignites Hi-Tech CompetitionDahua did not respond to RFE/RL's request for comment, but Hikvision said the bulk of its devices are sold by third-party distributors and that it cannot access any of its cameras after they are sold to customers, and that the company has "a robust process to quickly address suspected vulnerabilities."
"Hikvision cameras comply with the laws and regulations applicable in Romania and the EU and are subject to strict security requirements," a Hikvision spokesperson told RFE/RL.
There is no specific prohibition in Romania against purchasing Hikvision or Dahua equipment, although politicians like Catalin Tenita, a Romanian parliament member and critic of the use of the companies by Romanian security services, says a legal basis for a ban already exists but has not been fully enforced.
Tenita told RFE/RL that existing legislation could "open up the possibility of eliminating offers that do not comply with established security standards," but that the government has decided not to apply this to Hikvision and Dahua, despite precedents set by partners such as the United States.
Eyes On Deveselu
The Romanian Defense Ministry said that due to the equipment being on closed systems that are not connected to the Internet, they can't be infiltrated from the outside and only operate on secure internal networks.
"All video-surveillance systems installed in military units, including the hardware part -- including video cameras and network and storage equipment, as well as the software applications through which they are operated -- go through strict testing, evaluation, and approval procedures," a ministry spokesperson told RFE/RL.
A spokesperson for the Deveselu Naval Facility, which is operated by U.S. forces responsible for the missile-defense system, told RFE/RL that it would be "inappropriate" to comment on Romanian military purchases but that they are "committed to a strong partnership" with their Romanian counterparts and will "continue to work together to support and promote security throughout the region and in NATO's collective defense."
In response to questions about concerns over the use of Hikvision and Dahua equipment at the Romanian base, a NATO official told RFE/RL that the military alliance followed "robust measures to ensure the security of our staff and facilities throughout the Euro-Atlantic area."
"We do not provide specific details on security infrastructure, but NATO continues to count on allies to ensure that products used at military sites do not pose a potential risk to security," the official said.
The alliance has not issued any formal ban on the use of third-country equipment, but NATO Secretary-General Jens Stoltenberg warned in September 2023 against the use of Chinese technology in critical infrastructure.
"We have seen the results of relying on Russia for our energy supply. We should not repeat this mistake by relying on China to provide the technology for our critical networks," he said.
While the Romanian Defense Ministry insists that keeping the equipment disconnected from the Internet will prevent any security risks, a similar situation was enough to help launch the ban against Hikvision in the United States.
As Hikvision first came under intense public scrutiny in the United States in early 2018, a military base in Missouri removed cameras on a closed network made by the company as a preventive measure.
A year later, U.S. lawmakers put Hikvision on a sanctions list, effectively blocking American companies from selling to it due to security concerns and human rights issues over its role in developing special technology to surveil and track Uyghurs and other minorities in China's Xinjiang Province.
The Lithuanian Defense Ministry scrutinized Hikvision and Dahua in 2021 and reported nearly 100 vulnerabilities in Hikvsion's firmware and concluded that the equipment posed "a chance [of] cyberattacks...or malicious code insertion [being] carried out."
No specific "direct cybersecurity vulnerabilities" were found in Dahua, the report concluded, but testing did show that cameras from the company periodically sent packets to servers in five different countries, including China.
Healy, the expert from IPVM, said that while keeping cameras on a closed network may provide extra security, "the extensive list of vulnerabilities" documented in Hikvision and Dahua makes them more susceptible to hacks by organized crime groups, nonstate actors, and groups associated with rival governments.
He notes that cameras disconnected from the Internet can still be accessed, as shown in an FBI report released in January that said it had shut down a China-backed hacking group called Volt Typhoon. The group was targeting critical infrastructure and, according to a report released by the U.S. Cybersecurity and Infrastructure Security Agency, it was able to gain access to closed camera systems by hacking into a computer's operating system online and then being able to infiltrate into offline networks.
Dahua, Hikvision Spread In Romania
Romania is the EU's largest market for Hikvision equipment, but neither Hikvision nor Dahua directly participate in public procurements. Instead, local security firms act as intermediaries, acquiring and redistributing these technologies to the country's public institutions.
RFE/RL's investigation shows the companies' equipment in prevalent use across both national and local levels by Romanian police, the General Inspectorate for Emergency Situations, the border police, and the country's gendarmerie, which is tasked with high-risk and specialized law enforcement duties.
Procurement records seen by RFE/RL also show that Hikvision and Dahua equipment is ubiquitous in courts, town halls, and universities across Romania, as well as at the national parliament in Bucharest.
Romanian police, the General Inspectorate for Emergency Situations, the border police, and the gendarmerie all told RFE/RL that their Hikvision and Dahua equipment was purchased legally on the basis of national legislation on public procurement and that it "fully meets the required technical specifications."
The institutions added that equipment from the two Chinese firms was not connected to the Internet or computer programs and cloud networks provided by Hikvision or Dahua.
RFE/RL also found that the Romanian Intelligence Service's headquarters in the northeastern city of Iasi, near the border with Moldova, also uses Hikvision and Dahua equipment.
"The video-surveillance systems at the level of our institution are part of a larger system that is protected, secured on a closed-circuit network, and is permanently subject to technical risk analyses that ensure an optimal degree of operational security and prevent risks to any stored data," a Romanian Intelligence Service spokesman told RFE/RL.
Marian Ghenescu, a video-systems specialist and security-systems engineer at Softrust Vision Analytics, a Romanian company specializing in the security of video-surveillance systems, told RFE/RL that keeping networks offline and regularly conducting cybersecurity maintenance can limit any possible vulnerabilities. He says that in Romania, Hikvison and Dahua are often chosen because they are the most affordable option available for budget-conscious local institutions and may not always be installed with the maximum security settings in place.
Alexandru Anghelus, a cybersecurity expert and founder of the consultancy Pro Defense, told RFE/RL that all surveillance equipment is subject to security risks, not just Chinese brands. He adds that Hikvision and Dahua's history of vulnerabilities could warrant additional scrutiny, pointing to a Hikvision security glitch in 2021 that is believed to have affected more than 100 million cameras globally.
In the meantime, some Romanian lawmakers are calling for further investigation.
Adrian Trifan, a senator who serves as the deputy chairman of the Communications, Information Technology, and Artificial Intelligence Committee, says that he wants the cameras removed from parliament and wants to know why Hikvision and Dahua equipment is being used so prevalently at national-security sites.
"It's a serious situation that should be clarified immediately by the relevant institutions," he told RFE/RL. "And it still needs to be clarified how these purchases passed the [Romanian Supreme Council of National Defense's] screening procedures."