Many cameras sold on the market these days are unbranded or fake at extremely cheap prices. Others come from China with unstable quality. They are available on popular e-commerce websites and small retail stores. Meanwhile, prestigious products from renowned brands like FPT, Viettel, and VNPT are more expensive, and thus not preferable.
Nguyen Tuan Anh, security expert from Viettel Cyber Security, said that it is cheap and outdated cameras that are the lucrative victims of hackers, causing much concern over cyber security and user privacy.
In February 2024, a group of hackers offered to sell sensitive video clips stolen from thousands of monitoring cameras installed in Vietnam on a dark website infamous for selling such confidential information. In April 2024, several monitoring cameras set up at different schools in Vietnam were attacked, and clips of students stored in their memories were spread directly on social network sites.
Before this, in June 2023, millions of surveillance cameras of Hikvision (China) had been attacked globally, including in Vietnam. The vulnerability named CVE-2021-36260, found on various models of this company, allows hackers to remotely control the device. At present, Hikvision offers a patch to fix this firmware weakness.
Attacks against monitoring cameras to steal data can cause severe damages, particularly to user privacy. Ill-intention people might use these sensitive data to harass users or carry out other illegal acts like blackmailing, while businesses may face serious financial loss due to information leak.
To protect themselves from such attacks, users are advised to choose products of prestigious companies, frequently update corresponding software, create a strong password, and disconnect their cameras when not in use. People should pay extra attention to cheap cameras with unclear origin or security policies.
The Ministry of Information and Communications has just released a set of basic network information security requirements for surveillance cameras applicable to all organizations and individuals regardless of their nationality. This involves research, development, manufacturing, evaluation, selection, and use of cameras. The set comes into effect from May 7, 2024.
Accordingly, cameras and connected services must at least have features to configurate a location in Vietnam for data processing, storing, and exploiting. Possible locations include a memory card, a peripheral device, a cloud computing service sited in Vietnam.
During the process to configurate the device, there must be a notice to inform users of the specific location (nation) to store and process data collected by the camera and its linked services. All cameras must have a function for users to erase collected data that are stored on the device or on connected services.
Article 289 of the 2018 Penal Code mentions ‘Illegal intrusion into a computer network, telecoms network, or an electronic device of other people’. The act of taking data from other people’s cameras without permission can be prosecuted for criminal liability with fines ranging from VND50 – 300 million (US$1,965 – 11,791) or imprisonment from one to seven years.
Decree No.14/2022/ND-CP about sanctions for administrative violations in the field of post and telecoms stipulates that any acts violating a person’s privacy in post and telecoms activities can be fined from VND40 – 60 million ($1,572 – 2,358).