Concerns from more than 800,000 exposed surveillance cameras in Vietnam

Returning to his hometown after a long time working away from home, Tuan Hung (Hanoi) was surprised to see a camera installed in every room of his house. His father, who is new to shopping on e-commerce sites, said he bought nearly ten cameras because they were "so cheap" and allowed him to monitor the whole house from one place. Nearly 10 cameras were purchased for 200-500 thousand VND each, installed from the yard, living room to bedroom.

Supporting his father's caution, but when he asked for the login password, Hung was shocked: All the cameras still had the default passwords from the manufacturer. "My father thought no one would be able to access his home cameras, and also because changing the password was too complicated for him," Hung said. "What worries me most is that the family's images could be leaked if someone accidentally logs in."

In fact, the situation of photos and videos from surveillance cameras being shared online has appeared for a long time and has been warned many times, but it still exists on a large scale.

When announcing the draft National Technical Regulation on Basic Information Security Requirements for IP Cameras in Vietnam this week, the Ministry of Information and Communications said its system detected that more than 800,000 surveillance cameras in Vietnam were having their image data shared publicly, according to figures as of May.

Previously, since 2014, there has been a website that allows access to more than 700,000 surveillance cameras around the world, including thousands in Vietnam. Image data is even a commodity that is bought and sold, especially cameras installed in sensitive places such as bedrooms, changing rooms, and spa shops. On Facebook and Telegram, many groups sell access to active cameras for a few hundred thousand dong.

For example, a service that costs 800,000 VND allows buyers to access 15 cameras in sensitive areas like the above. The provider claims that "there are hundreds of thousands of options for buyers", showing that the number of cameras being controlled is not small.

According to Mr. Vu Ngoc Son from the National Cyber ​​Security Association (NCA), there are many reasons for camera hacking, the most common of which are that users do not change the password when installing, use weak passwords or share the same password with other accounts, similar to the case of Tuan Hung's family.

In addition, technically, many cameras have security holes but are not updated, the manufacturer's server has errors that allow hackers to attack and penetrate. Some units install cameras for many people to manage, but do not have strict authorization, leading to outsiders being able to access with high privileges.

Why do we need information security standards for cameras?

In the past five years, Vietnam imported about 16 million surveillance cameras of various types, 96.3% of which were from China, according to statistics from the General Department of Customs.

According to experts, surveillance cameras can be considered as computers, with a full processor, Internet connection and the ability to listen, see, and analyze if integrated with AI, while there are no standards or high technical requirements like computers when operating in Vietnam. This device often operates 24/7, in areas that humans cannot access but are equipped with cameras. This makes an attacked camera even more dangerous than other devices, as it can collect information about an individual, family, agency, or organization.

However, unlike computers, cameras are rarely patched and almost never updated with patches or anti-virus software. Vietnam also does not have safety standards for this type of device.

According to Mr. Vu Ngoc Son, hacked cameras can easily have serious consequences. "That is, privacy is violated, being monitored remotely, blackmailing for private images, making deepfake scams, or becoming a springboard for hackers to attack other systems within the network," he said. "Camera standards are very necessary to have a corridor for manufacturers and service providers in Vietnam to follow."

According to the assessment of the Ministry of Information and Communications, the issue of safety and security related to surveillance cameras is becoming a pressing issue when many cases of personal information being leaked, private camera image data being illegally collected and posted on social networks "cause insecurity for users and affect social safety and security".

In addition, of the more than 800,000 cameras compromised on the Internet, the ministry said that about 360,000 cameras (45%) have weaknesses, security holes and are vulnerable to attacks and hijacking. The latest statistics show that 5% of IP addresses are in dangerous botnets from cameras infected with malware.

In the trend of building smart cities in Vietnam, smart surveillance camera evaluation system is one of the basic devices, accounting for the majority of deployment items and in the coming time, tens of millions of surveillance cameras will be put into use.

From experience in some countries such as Singapore, the US, and the UK, the Ministry of Information and Communications has issued a draft National Technical Regulation on basic information security requirements for IP cameras, which is being consulted until October 23.

According to the draft, cameras circulated, researched and developed in Vietnam need to meet regulations on passwords, security vulnerability management, updates, communication channel management, user data protection, and data deletion.

Some of the detailed requirements mentioned include: default passwords must be initialized uniquely on each device and must meet the complexity to prevent automated attacks; manufacturers must have an online system to allow receiving and publishing information about vulnerabilities; personal data collected and processed by camera devices transmitted between the device and related services must use a secure encrypted connection channel.

According to the ministry's assessment, the introduction of standards may cause some impacts such as increased costs, reduced production efficiency and reduced flexibility in use. In return, users will feel more secure when using, protect privacy and personal data, and minimize the risk of losing important data and sensitive information.