
Saturday, October 1, 2022

Electronic Surveillance Threats


In 2017 the Supreme Court ruled in a landmark judgment that privacy is a fundamental right. From sophisticated spyware attacks to mass phishing via smartphones and the rise of facial recognition technology, the range and reach of surveillance threats to human rights defenders is growing.

For security teams trying to keep activists safe, it is a cat-and-mouse game as attackers rapidly adapt to developments aimed at protection.

“When cyber-attackers see people are switching to using (messaging app) Signal, for example, then they will try to target Signal. If people start changing to VPN technology, they will start blocking VPN technology. If people are using Tor browser, they will target Tor traffic,” says Ramy Raoof, tactical technologist with Amnesty Tech.

Automated surveillance equipment has become increasingly common and connected, making the technique more covert and pervasive.  Mobile hacking, social engineering, network monitoring, face recognition technologies, GPS tracking, and various other methods commonly employed to catch and prevent crime and terrorism can also be used against civilians.

Electronic surveillance threats – defending a facility against electronic surveillance is a serious challenge and one that hasn’t been made any easier by the proliferation of computer networks and wireless. Not only are businesses under threat from phone tapping, and video and audio surveillance, wired and wireless computer networks offer attackers a new dimension of intrusion.

Even the simplest electronic surveillance devices are diverse, with room transmitters being among the most common. Their role is to detect all the environmental noise emanating from the location in which they’re planted.

Primary variations with room transmitters relate to differences in power sources. These are either battery or mains power, and it's the battery-powered devices that are most diverse. Such devices can be secreted inside almost any object, given their minimal space requirements. Examples include the inside of pens, calculators, clocks, photo frames, under carpet, behind curtains and underneath or inside furniture.

The types of battery used to power these devices vary too, depending on the design, size and planned use of the device. Self-contained transmitters designed for surreptitious surveillance favour small button batteries or higher performance hearing aid batteries. When size is less of a concern and length of transmission a higher priority, larger and longer lasting batteries can be used, including the latest lithium types.

Average transmission devices typically have dimensions around 19mm x 12mm x 9mm. Should a small transmitter be built into a pen or a calculator, transmission range will be limited, around 15-20m, though the use of lithium batteries will increase the range.

Mains-powered room transmitters draw current either directly from the mains voltage or trickle charge a battery that’s also used to power the device. The advantages of this technique where electronic intruders are concerned include the fact there will be less impact on main power sources that could be monitored for fluctuations. Should mains power be lost the device will continue to operate.

The key technical issue for mains powered transmitters is to reduce 240V of alternating current to a direct current, low voltage output of 6-18V. Designers are required to combine transmission circuitry along with a voltage dropper, rectification, smoothing and voltage stabilization circuits.

As a rule, the most popular way to get the small current and voltage requirements is to use a high voltage capacitor to act as resistance at the 50/60Hz mains supply frequency. Low power can be partially offset by injecting some radio power into the mains.

Should there be enough room and a sufficiently low risk of detection, it’s sometimes possible for a stepdown transformer to be used – this is inherently more reliable than capacitor leakage or dropper resistance techniques. It’s also possible for a transformer to supply a far greater level of power to a strong transmitter.

AC units can be located inside walls, ceilings, under floors, inside office equipment, in mains-powered clocks and within lamps and lamp holders, to name just a few possibilities. One of the favoured methods of installing an AC bug is to simply plug in a dummy double adaptor to a power point in the room you wish to monitor. Despite the simplicity of this technique, only the most observant would notice and, even then, would be most unlikely to consider the appearance of the unit a threat to security.

Electronic intruders wishing to secure a standalone mains-powered transmitter are usually supplied with a square plastic box about 50mm x 50mm x 18mm, or an encapsulating board. There will be a pair of trailing leads coming from these units for connection to the live and neutral lines of domestic AC.

There are still PSTN telephone transmitters. These are connected to target telephone systems and transmit information to a receiving station located nearby. The 2 basic models are the series-connected transmitter and the parallel-connected transmitter. Both types either draw their operating voltage from the PSTN phone line itself, or carry their own batteries that may be trickle-charged from the phone line.

Series connected transmitters are connected between a telephone socket and a telephone. In this configuration, only that extension will be accessed by the listener. But in the event a series transmitter is used and located on the incoming wires of a 2-pair cable on the other side of a telephone socket, all extensions of the line can be accessed.

Multiplex telephone systems make life extremely hard for electronic intruders trying to record communications. Because these systems multiplex more than one signal onto a 2-pair cable, an intruder would need to employ a de-multiplexer to access phones.

Parallel-connected transmitters are different. Both incoming feed wires are connected to the parallel-connected device, and this means the information will be transmitted if either phone is used. With a series device, the wiring of the telephone must be disconnected to allow insertion of the transmitter. But installation doesn’t mean cutting and stripping of feed wires. Instead, the device can be installed in a junction box that offers sufficient room, or even in a telephone.

Series devices are easiest for security managers to detect using one of the counter surveillance devices on the market that alert security staff to temporary disconnection of phone lines. It’s possible for alarm panels monitoring alarm systems to also monitor phone lines for integrity, with any breaches then reported.

Parallel devices, however, can be installed without temporary line breaks and without effect on resistance. This makes them harder to detect, though if the unit is drawing power from its host, this will cause a voltage drop. Parallel devices are often equipped with alligator clips requiring no more than a few millimetres of cable to be stripped or a pair of bare terminals.

Battery-powered types are harder to detect and more effective in their operation. With their greater operating current, they can achieve greater operating ranges than bugs, giving 500-1000m ranges instead of 25-50m. Even harder to detect are small rain-proof telephone transmitters that can be connected to any point of the exterior wiring as it leaves a building or joins a telephone pole. Such a device might never be detected.
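The two line-side detection cues described above (a temporary disconnection when a series device is inserted, and a sustained voltage drop when a parallel device draws power from the line) can be checked over logged line-voltage readings. The following is an added example, not part of the original article; the voltage thresholds, window size and sample readings are assumptions constructed for illustration, and a battery-powered device that draws no line power would not produce the voltage-drop cue.

```python
from dataclasses import dataclass
from statistics import median

# All thresholds are assumptions for illustration; calibrate them per line.
NOMINAL_ON_HOOK_V = 48.0   # assumed on-hook DC voltage of the monitored line
BREAK_V = 2.0              # below this the pair is treated as disconnected
OFF_HOOK_V = 20.0          # between BREAK_V and this, a call is assumed in progress
DROP_FRACTION = 0.05       # sustained on-hook sag (fraction of baseline) to report
WINDOW = 5                 # number of on-hook samples in the rolling median


@dataclass
class Alert:
    t: int        # timestamp of the sample that triggered the alert
    kind: str     # "line_break" or "voltage_drop"
    detail: str


def analyse(samples, baseline_v=NOMINAL_ON_HOOK_V):
    """Scan (timestamp, volts) readings and return a list of Alert objects.

    line_break   -> the pair went open, as happens while a series device
                    is being wired in between socket and telephone.
    voltage_drop -> the on-hook voltage sits persistently below baseline,
                    as happens when a parallel device feeds off the line.
    """
    alerts = []
    in_break = False
    drop_reported = False
    recent = []                      # rolling window of on-hook readings

    for t, volts in samples:
        if volts < BREAK_V:
            if not in_break:         # report each break once, at its start
                alerts.append(Alert(t, "line_break",
                                    f"line read {volts:.1f} V"))
                in_break = True
            recent.clear()           # judge the line afresh after a break
            continue
        in_break = False

        if volts < OFF_HOOK_V:
            continue                 # call in progress: not comparable to baseline

        recent.append(volts)
        recent = recent[-WINDOW:]
        if len(recent) < WINDOW:
            continue

        # Median ignores a single noisy reading; only a sustained sag alerts.
        level = median(recent)
        sag = (baseline_v - level) / baseline_v
        if sag >= DROP_FRACTION and not drop_reported:
            alerts.append(Alert(t, "voltage_drop",
                                f"on-hook median {level:.1f} V, "
                                f"{sag:.1%} below baseline"))
            drop_reported = True
        elif sag < DROP_FRACTION:
            drop_reported = False
    return alerts


# Constructed sample readings, one per second: normal line, a short break,
# a phone call (off-hook), then a sustained on-hook sag.
SAMPLES = list(enumerate([
    48.1, 47.9, 48.0, 48.0, 48.1, 48.0,   # normal on-hook
    0.0, 0.0,                             # pair briefly open
    48.0, 47.9,                           # restored
    8.2, 8.1, 8.3,                        # call in progress
    48.0,                                 # call ended
    44.6, 44.5, 44.4, 44.5, 44.6, 44.5,   # sustained sag
]))

if __name__ == "__main__":
    for alert in analyse(SAMPLES):
        print(alert.t, alert.kind, alert.detail)
```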

Mobile phones are usually tapped using spyware. This is a whole other science – it’s possible for experts to search for spyware and users might notice quirks like rapid battery drain, though it can be difficult to know whether this is caused by an illicit piece of software, too many open apps, or simply an aging battery.

There are 2 primary groups of microphones available to an individual or organization seeking illicit access to communications. These are omnidirectional and unidirectional. Unidirectional microphones are portable and can be aimed at a target. They’re a parabolic dish-mount device that can be hand-held or tripod mounted. Such units offer excellent results for the electronic intruder. Using a 45cm reflector, high quality sound can be obtained at 250m. This performance increases fourfold if the reflector size is doubled but the unit becomes much more visible.

Omnidirectional units pick up audio signals coming from any point of the compass and in surveillance devices they usually have a diameter of about 6mm. As a rule, these devices will be more effective towards the front. Another type of microphone, the spike mike, is mounted on the end of a spike or probe. Microphones can be connected to the audio input of a miniature transmitter, allowing remote monitoring of conversations.

Like any other internet-connected device, surveillance systems can be vulnerable to attacks without the right cyber-security measures in place. Hackers can easily gain access to poorly configured devices with design flaws or faulty firmware and manipulate or steal data. With cyber-attacks accelerating, surveillance systems need to be protected from vulnerabilities, and require the same vigilance provided to IT systems.

Closed-circuit video cameras transmit a signal to a specific place, on a limited set of monitors. This differs from broadcast television in that the signal is not openly transmitted, though it may employ point-to-point (P2P), point-to-multipoint (P2MP), or mesh wired or wireless links; the signal goes to a specific place only and is not open to all.

Cities in at least 56 countries worldwide have deployed surveillance technologies powered by automatic data mining, facial recognition, and other forms of artificial intelligence.

The ban that prohibits the purchase and installation of video surveillance equipment from HikVision, Dahua and Hytera Communications in federal installations was passed in 2018 in the National Defense Authorization Act (NDAA). In conjunction with the ban’s implementation, the government has also published a Federal Acquisition Regulation (FAR) that outlines interim rules for how it will be applied moving forward. Like NFPA, NDAA law is now accepted globally.

Rules outlined in this FAR include:

·        A “solicitation provision” that requires government contractors to declare whether a bid includes covered equipment under the act;

·        Defines covered equipment to include commercial items, including commercially available off-the-shelf (COTS) items, which the rule says, “may have a significant economic impact on a substantial number of small entities;”

·        Requires government procurement officers to modify indefinite delivery contracts to include the FAR clause for future orders;

·        Extends the ban to contracts at or below both the Micro-Purchase Threshold ($10,000) and Simplified Acquisition Threshold ($250,000), which typically gives agencies the ability to make purchases without federal acquisition rules applying.

·        Prohibits the purchase and installation of equipment from Chinese telecom giants Huawei and ZTE Corporation. This would also presumably extend to Huawei subsidiary Hisilicon, whose chips are found in many network cameras;

·        And, gives executive agency heads the ability to grant a one-time waiver on a case-by-case basis for up to a two-year period.

Specifically, NDAA Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):

·        Huawei Technologies Company; or

·        ZTE Corporation

It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):

·        Hytera Communications Corporation;

·        Hangzhou HikVision Digital Technology Company; or

·        Dahua Technology Company

While the prohibitions are initially limited to the five named companies, Section 889 authorizes the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the FBI, to extend these restrictions to additional companies based on their relationships to the Chinese Government. The prohibitions will take effect for executive-branch agencies on August 13, 2019, one year after the date of the enactment of the 2019 NDAA, and will extend to beneficiaries of any grants, loans, or subsidies from such agencies after an additional year.

The provisions of Section 889 are quite broad, and key concepts are left undefined, such as how the Secretary of Defense is to determine what constitutes an entity that is “owned or controlled by, or otherwise connected to” a covered foreign country, or how the head of an agency should determine whether a component is “substantial,” “essential,” or “critical” to the system of which it is part. The statute also fails to address the application of the prohibitions to equipment produced by U.S. manufacturers that incorporate elements supplied by the covered entities as original equipment manufacturers (“OEMs”) or other kinds of supplier relationships.

Section 889 contains two exceptions under which its prohibitions do not apply:

(1) It allows Executive agencies to procure services that connect to the facilities of a third party, “such as backhaul, roaming, or interconnection arrangements.” This likely means telecommunications providers are permitted to maintain common network arrangements with the covered entities.

(2) It permits covered telecommunications equipment that is unable to “route or redirect user data traffic or permit visibility into any user data or packets” it might handle, meaning a contractor may still be able to provide services to the Government so long as any covered equipment provided is unable to interact or access the data it handles.

The Constitution of India guarantees every citizen the right to life and personal liberty under Article 21. The Supreme Court, in Justice K.S. Puttaswamy v. Union of India (2017), ruled that privacy is a fundamental right. But this right is not unbridled or absolute. The Central government, under Section 69 of the Information Technology (IT) Act, 2000, has the power to impose reasonable restrictions on this right and intercept, decrypt or monitor Internet traffic or electronic data whenever there is a threat to national security, national integrity, security of the state, and friendly relations with other countries, or in the interest of public order and decency, or to prevent incitement to commission of an offence.

Only in such exceptional circumstances, however, can an individual’s right to privacy be superseded to protect national interest. The Central government passed the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, that allow the Secretary in the Home Ministry/Home Departments to authorise agencies to intercept, decrypt or monitor Internet traffic or electronic data. In emergency situations, such approval can be given by a person not below the Joint Secretary in the Indian government. In today’s times, when fake news and illegal activities such as cyber terrorism on the dark web are on the rise, the importance of reserving such powers to conduct surveillance cannot be undermined.

The risk of electronic security threats to EHR/HIS is a critical issue because, as per the privacy and security rule of The Health Insurance Portability and Accountability Act (HIPAA), the patient’s medical records are to be kept secure and private, accessible only to the hospital authorities, the doctors in charge of the patient and the patient himself.

More advanced techniques now no longer require a target to actively click on a link in order to infect a device, explains Amnesty Tech security researcher Etienne Maynier. An attack using NSO spyware on an activist in Morocco covertly intercepted the activist’s web browsing to infect their phone with spyware. “Instead of waiting for you to click on a link, they instead hijack your web browser’s traffic and redirect you to a malicious website which tries to secretly install spyware,” says Maynier.

Successful targeting of well-protected phones is becoming more common and security teams are under added pressure from a burgeoning industry in so-called ‘zero-day’ exploits, in which unscrupulous hackers seek to find unknown vulnerabilities in software to sell. In May 2019, NSO Group exploited a zero-day vulnerability in WhatsApp that was used to target more than 100 human rights activists across the world with spyware.

How to keep your communications safe:

Using public Wi-Fi and VPNs: When you connect to Wi-Fi in a cafe or airport your internet activities are routed through that network. If attackers are on the network, they could capture your personal data. By using a VPN app on your devices, you protect your online activities when accessing public connections, preventing your internet activities from being seen by others on the same network. If you want to explore options, try NordVPN and TunnelBear.

Password management: Using a password manager means you don’t have to worry about forgetting passwords and can avoid using the same ones. It’s a tool that creates and safely stores strong passwords for you, so you can use many different passwords on different sites and services. There are various password managers such as KeePassXC, 1Password or Lastpass. Remember to back up your password manager database. Do not use passwords like password, ddmmyyyy, admin@123, administrator, administrator1, Super@1234 etc.

Messaging apps: When we advise human rights defenders about messaging apps, we assess each app on its policies (such as terms of service, privacy agreement), its technology (if it’s open source, available for review, has been audited, security) and finally the situation (if the app provides the features and functionality that fits the need and threat model). Generally speaking, Signal and Wire are two apps with strong privacy features.  Remember: Signal requires a SIM card to register, and for Wire you can sign up with a username/email.

Phone basics for iPhone or Android: Only download apps from the official app store to prevent your personal information from being accessed without your consent and to minimise the risk of attacks. Update your system and apps frequently to ensure they have the latest security patches. Enable ‘account recovery’ in case you lose access to your phone. Finally, choose a mobile screen lock that is not easily guessed, such as an 8-digit pin or an alphanumeric code.


Sunday, July 5, 2020

NDAA & Video Surveillance


Closed-circuit television (CCTV), also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors. It differs from broadcast television in that the signal is not openly transmitted, though it may employ point-to-point (P2P), point-to-multipoint (P2MP), or mesh wired or wireless links; the signal goes to a specific place only and is not open to all.

An early mechanical CCTV system was developed in June 1927 by Russian physicist Léon Theremin. Originally requested by the Soviet of Labour and Defense, the system consisted of a manually-operated scanning-transmitting camera and wireless shortwave transmitter and receiver, with a resolution of a hundred lines.
One of the first recorded applications of a closed-circuit television (CCTV) system was back in 1942. It was used to view the launch of V2 rockets in Germany. In the US, commercial surveillance applications began around 1947.
The goal of this history is to help professionals newer to the industry understand the important business and technology shifts that impact the market today, including:
1950 - Colour cameras became available.
1957 – 1969: a number of companies such as General Precision Labs (GPL division), provided CCTV camera systems
1970 – 1999: Videocassette recorders (VCR) era.
2000 – 2005: DVR Era
2001 - 9/11 Impact
2006 - Infancy IP and VMS (Axis introduced the first IP cameras in 1996)
2008 – 2012: MP Cameras Go H.264; main players are PELCO, Hanwha (Samsung), Axis, Infinova, Flir, Indigo Vision, AVTECH etc.
2009 – 2013: Cloud Hype / Bursts
2010 – 2018: Struggles for Video Analytics, WDR and Low Light Improvements
2012 – 2014: Rise and Fall of Edge Storage
2015 Smart CODECs Rise
2018 H.265 Mainstream
Storage No Longer Major Problem
Slowing of Camera Resolution Increases
HD Analog Rises 2014, Niche Now
Rise Cybersecurity 2015 - Current
2013 – 2017: Rise of The Chinese
2015 – 2017: Race to The Bottom
2018 - Now US vs China.
2019 - Rise AI and Cloud Startups
2020 - Coronavirus Impact - elevated skin temperature cameras and global rejection of China factory-made products.
Source: IPVM
Hacking of video surveillance cameras is increasing day by day. With cyberattacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked.

In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response the NSA traced the attacker’s source and infiltrated their computer systems gaining access to their CCTV cameras from where they were able to observe the hackers’ comings and goings.

In October 2016, 600,000 internet-connected cameras, DVRs, routers and other IoT devices were compromised and used to form a massive botnet to launch what was the largest Denial of Service (DOS) attack the internet had experienced to date.

In the lead up to the 2017 US Presidential inauguration, 65% of the recording servers for the city of Washington CCTV system were infected with ransomware. How did the attack take place? Whilst unknown, it most likely occurred by the same means as other common PC hacks such as infected USB keys, malicious web sites, or phishing attacks.

In May 2018, over 60 Canon cameras in Japan were hacked, with “I’m Hacked. bye2” appearing in the camera display text. How did the attack take place? Simple. IP cameras were connected to the internet and were left on default credentials. It appears that the hackers logged into the cameras and changed the on-screen display. What was the impact? Other than the defacement of the camera displays and some reputational damage, there doesn’t seem to have been much impact from these attacks.

On Aug 13, 2018, the US President signed the 2019 NDAA into law, banning the use of Dahua and HikVision (and their OEMs) for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national security' usage.
The US government is effectively blacklisting Dahua and HikVision products, and this will have a severe impact on branding and consequently on purchasing. Many buyers will be concerned about:
·        What security risks those products pose for them
·        What problems might occur if they want to integrate with public / government systems
·        What future legislation at the state or local level might ban usage of such systems

On Jun 06, 2019, Hanwha Techwin was dropping Huawei Hisilicon from all of its products. Hisilicon is of Chinese origin. Backdoor entry is open on the product.

China's Wuhan Institute of Virology is the lab at the core of coronavirus. The institute is home to the China Centre for Virus Culture Collection, the largest virus bank in Asia, which preserves more than 1,500 strains ( https://www.livemint.com/news/world/china-s-wuhan-institute-of-virology-the-lab-at-the-core-of-a-virus-controversy-11587266870143.html ). The result: Corona has infected people in 185 countries. Its spread has left businesses around the world counting the costs, with an impact on the global economy and rising recession. People now avoid products made in Chinese factories, and imports of electronic goods from China to other countries have stopped. People are looking for products other than those from China. Now we come to video surveillance and access control equipment.
The ban that prohibits the purchase and installation of video surveillance equipment from Hikvision, Dahua and Hytera Communications in federal installations was passed in 2018 in the National Defense Authorization Act (NDAA). In conjunction with the ban’s implementation, the government has also published a Federal Acquisition Regulation (FAR) that outlines interim rules for how it will be applied moving forward. Like NFPA, NDAA law is now accepted globally.
Rules outlined in this FAR include:
·        A “solicitation provision” that requires government contractors to declare whether a bid includes covered equipment under the act;
·        Defines covered equipment to include commercial items, including commercially available off-the-shelf (COTS) items, which the rule says, “may have a significant economic impact on a substantial number of small entities;”
·        Requires government procurement officers to modify indefinite delivery contracts to include the FAR clause for future orders;
·        Extends the ban to contracts at or below both the Micro-Purchase Threshold ($10,000) and Simplified Acquisition Threshold ($250,000), which typically gives agencies the ability to make purchases without federal acquisition rules applying.
·        Prohibits the purchase and installation of equipment from Chinese telecom giants Huawei and ZTE Corporation. This would also presumably extend to Huawei subsidiary Hisilicon, whose chips are found in many network cameras;
·        And, gives executive agency heads the ability to grant a one-time waiver on a case-by-case basis for up to a two-year period.

Specifically, NDAA Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):
·        Huawei Technologies Company; or
·        ZTE Corporation
It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):
·        Hytera Communications Corporation;
·        Hangzhou Hikvision Digital Technology Company; or
·        Dahua Technology Company
While the prohibitions are initially limited to the five named companies, Section 889 authorizes the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the FBI, to extend these restrictions to additional companies based on their relationships to the Chinese Government. The prohibitions will take effect for executive-branch agencies on August 13, 2019, one year after the date of the enactment of the 2019 NDAA, and will extend to beneficiaries of any grants, loans, or subsidies from such agencies after an additional year.
The provisions of Section 889 are quite broad, and key concepts are left undefined, such as how the Secretary of Defense is to determine what constitutes an entity that is “owned or controlled by, or otherwise connected to” a covered foreign country, or how the head of an agency should determine whether a component is “substantial,” “essential,” or “critical” to the system of which it is part. The statute also fails to address the application of the prohibitions to equipment produced by U.S. manufacturers that incorporate elements supplied by the covered entities as original equipment manufacturers (OEMs) or other kinds of supplier relationships.

Section 889 contains two exceptions under which its prohibitions do not apply:
(1) It allows Executive agencies to procure services that connect to the facilities of a third party, “such as backhaul, roaming, or interconnection arrangements.” This likely means telecommunications providers are permitted to maintain common network arrangements with the covered entities.
(2) It permits covered telecommunications equipment that is unable to “route or redirect user data traffic or permit visibility into any user data or packets” it might handle, meaning a contractor may still be able to provide services to the Government so long as any covered equipment provided is unable to interact or access the data it handles.
 
Update on 2018; IPVM Source
Hikvision is one of the world’s largest video surveillance companies, producing both hardware and software tools. It is central to China’s ambitions to become the world’s leading supplier of surveillance systems. Hikvision sells cameras and unmanned aerial vehicles (UAVs) allowing security agencies to monitor railway stations, roads, etc. It is a darling of the Communist Party of China (CPC), having been heralded as a “national AI Champion” in 2019.
As per a 2019 report, around 42 per cent of the company is controlled by state enterprises, with China Electronics Technology HIK Group owning nearly 40 per cent. Hikvision controlled 21 per cent of the world’s CCTV market in 2017.
Hikvision exists in India under the name Prama Hikvision Indian Private Limited. As per reports, Hikvision enjoys over 35 per cent market share in India. Its 2019 annual report said it has established a local factory in India — its first overseas production base. It is 58 per cent owned by the parent Chinese company. The Indian partner is Ashish P. Dhakan, who started the collaboration in 2005. It has declared serious investment plans for India.

In 2018, it won a tender from the Delhi government to install 1.5 lakh CCTV cameras in the national capital. It is also listed as a vendor by Bharat Electronics (BEL), which works on highly sensitive and classified defence projects for the government of India. More worryingly, Hikvision has allegedly also supplied solutions to Delhi Metro Rail Corporation (DMRC), Defence Research and Development Organisation (DRDO), and the Special Protection Group (SPG), which is responsible for the security of the prime minister. Link https://www.indiatoday.in/mail-today/story/installation-of-1-4-lakh-chinese-cctv-cameras-by-delhi-govt-sparks-row-1696032-2020-07-02
Clearly, the security and privacy risks at play here are best left to one’s imagination.
This leaves India with a tricky situation. Admittedly such companies do create secondary economic benefits for India with the local assembly and selling units creating jobs at home. However, there is arguably a bigger price India pays in terms of handing its CCTV grid to a country that is in no mood to offer any concessions to us.
For starters, the Modi government needs to make a clear list or database of all its current installations. Second, it needs to review all installations that would be considered critical or with a national security implication, and then  seriously consider replacing them with a local alternative. If that is not feasible, the government needs to wrap such installations with third party (non-Chinese) encryption tools, which would disable any back doors that may exist. Third, India must prohibit Hikvision from participating in any ongoing or future government tenders. Fourth, the government needs to contemplate increasing local ownership and control of the Indian subsidiary. An innovative solution would be to purchase the 58 per cent stake in Hikvision — either the government could be an investor or it could be enabled by other Indian businesses or funds. Fifth, the Modi government needs to impose a legal obligation for regular audits to check for any security vulnerabilities with serious penalties for non-compliance or negligence.

Lastly, like the Chinese, India too needs to create local champions. In India, this is always the hardest part — less access to capital, poor procurement processes, etc. Most of the technology and subcomponents for Hikvision come from the United States. It is important to remind ourselves that with enough government support, India too can build local champions of technology. Link https://theprint.in/opinion/chinas-hikvision-controls-indias-surveillance-market-modi-needs-to-do-more-than-ban-apps/452014/

Often those on the government procurement side use price as an excuse to prefer Chinese over Indian vendors. But it’s a lazy argument. Yes, Chinese vendors and their products are often cheaper, but it is because they have worked on these things for decades. Cheap is also not always better and certainly not more secure.

As India considers the next steps, it is important to not penalise and demonise the Indian entrepreneur behind the local subsidiary. They are not to blame. It shouldn’t take a border stand-off and loss of lives for such issues to be tackled head-on.

Now the question is how we design a CCTV project with respect to product selection. Many institutional purchasers want to keep such camouflaged OEMs out of their procurement activities. It is very hard to say that a given company has no tie-up with a China-based company. For us in India, Atmanirbhar Bharat (self-reliant India) is the vision of the Prime Minister of India, Narendra Modi, of making India a self-reliant nation. The first mention of this came in the form of the 'Atmanirbhar Bharat Abhiyan' or 'Self-Reliant India Mission' during the announcement of the coronavirus pandemic related economic package on 12 May 2020. Known Chinese CCTV OEMs are thrown out. It is true that India does not have much infrastructure for camera manufacturing plants; building it will take at least 5 years. In the meantime, we can use the BIS website to find out whether a selected camera / NVR model is made in a Chinese factory. Both low-cost and high-cost camera options can be found. If you find that a model comes from a Chinese factory, immediately replace it with the closest or alternative substitute.
Another way to select your camera / storage is by NDAA compliance. For example, a few models from Pelco, Axis, LILIN and Honeywell have NDAA compliance. Some OEMs are making a good effort and publish the compatible camera for a given Hikvision or Dahua camera. Example:
Dahua model IPC-HFW8630E-ZE: closest Pelco model is IBP521-1R; alternative substitute is IBP521-1R.
Dahua model SD10A248V-HNI: closest Pelco model is P2230-ESR; alternative substitute is S6230-EGL1.
Hikvision model DS-2CD4025FWD-AP: closest Pelco model is IXE22 or IXE32.
Hikvision model DS-2CD2125FWD-I 4MM: closest Pelco model is IMP221-1RS or IWP221-1ES/IJP223-1RS.
PELCO is the first OEM to get NDAA compliance and to share compatible cameras against Hikvision and Dahua model numbers.

NDAA Compliance Product List.

Columns: Brands | Dome Camera | Bullet Camera | 180° / Panoramic Cameras | 360° Cameras / PTZ | NVR | Video Server
VIVOTEK
CD8371-HNTV, CD8371-HNVF2, MD8531H, MD8563-DEH, IT9360-H, IT9380-H, IT9388-HT
FD816CA-HF2, FD8166A, FD8166A-N, FD8177-HT, FD8366-V, FD8377-EHTV, FD8377-HTV, FD9165-HT-A
IB8377-EHT,  IB8377-HT, IB9360-H, IB9365-EHT-A, IB9365-HT-A, IB9368-HT, IB9380-H, IB9387-EHT-A, IB9387-HT-A, IB9388-HT, IP9164-HT, IP9164-LPC
CC8160, CC8370-HV, CC9381-HV
FE8182, FE9380-EHV
NR9581, NR9581-v2, NR9681, NR9681-v2, NR9682, NR9682-v2, NR9782 , NR9782-v2,
NS9521
VS8100-v2
Honeywell
HC60W35R2, HC60W35R4, HC60W45R2, HC30W42R3, HC30W45R3,
HC60WB5R2, HC60WB5R5, HC30WB2R1, HC30WB5R1, HC30WB5R2
HC30WF5R1
HC60WZ2E30,
HN30080200, HN30160200, HNMXE08C02T, HNMXE16C02T, HNMSE16C02T, HNMSE32C02T, HNMSE48C04T, HNMPE32C16T4R5
HERN30T5, HERN40T5, HERN64T8, HERN72T12, HERN96T16, HERN128T16, HERN144T24, HERN192T24
PELCO
MP221-1RS, IWP221-1ES, IJP222-1RS, IMP221-1RS, IWP221-1ES, IMP321-1RS, IMP521-1RS, IBP221-1R, IMP521-1RS, IBP321-1R, IBP521-1R,
IBE222-1R, IBE322-1R, IBE229-1R, IBE329-1R, IME329-1ES, IMP321-1ES, IBP522-1R, IME229-1ES, IMP221-1ES, IBP521-1R, IBP221-1R, IBE329-1R, IBP221-1R
EVO-12NMD, EVO-05LID, EVO-05LMD, EVO-05LID, EVO-05LMD, EVO-180-WED-P, IMM12018-1EP, EVO-05NMD.
IMP521-1RS, IME329-1IS, IWP221-1ES, IME322-1ES, IME229-1ES, MP122-1ES, IMP221-1ES, S6230-FWL1, P1220-FWH1, S6230-EGL1, P1220-ESR1, S6230-EGL1, P2230-ESR,


AV Costar
AV5456PMIR-S, AV02CLD-100, AV05CLD-100, AV5456PMIR-S
AV5426PMIR-S, AV02CLB-100, AV05CLB-100, AV5426PMIR-S, AV02CMB-100, AV05CMB-100
AV12CPD-236, AV08CPD-118, AV20CPD-118
AV8476DN-NL, AV8476DN-28, AV20476DN-NL, AV20476RS, AV20476DN-28, AV8476DN-NL, AV8476RS,  AV20476DN-NL
AV-CN1600-20T, AV-CN800-8T, AV-CN1600-8T, AV-CN1600-6T, AV-CN1600-12T, AV-CSCX40TR, AV-CSHPX12TR,

IDIS
DC-D4236RX
DC-D4236X
DC-D4236HRX
DC-D4236WRX
DC-D4216RX
DC-D4216X
DC-D4216WRX
DC-T4236HRX
DC-T4236WRX
DC-E4216WRX


IR-100
IR-300A
IR-1100

AcTi
Z94, Z95, Z83
Z33, Z34, Z41




LILIN
P3R6322E2, P3R6522E2, Z3R6522X, Z3R6422X3, P5R6322E2, P5R6552E2, Z5R6452X, P5R6522E2
Z2R8122X-P, Z2R8022EX25, Z2R8822AX, Z2R8152X-P, Z5R8952X3, Z5R8922X3, P2R8852E2, P2R8822E4, P3R8822E2
F2R3682IM, F2R36C2IM
PSR5520EX25, PSR5024EX30, IPS4184E, PSD4624EX20, IPS5180E, IPS4204EA, IPS5208A, IPS5308A, IPS5200EA, IPS5300EA
NVR3416R, NVR100L, NVR1400, NVR3416, NVR5416E, NVR5832S, NVR5104E, NVR5208E
NVR404C, VS212, VD022
3s Vision
N9071M-BE, N9079-BE, N9049-BE, N9099-BE, N9019-B, N3031-C, N9072-A
N6091-BE, N6041-BE, N6071-BE, N601A-EL, N6012-C

N5012H-BE, N5049-BE,
R40244-B, R10124-B, R10064-B, F20321, H40321, IB1281
S8072-B, SG072-B, S4072-B
For the SOHO sector and small and medium companies, start by making a video data policy. It is very important: because of the use of Chinese-owned products, every country's data is now with hackers. Basically, Chinese products are low-priced because they follow no quality standard. Products from other countries such as Taiwan or Korea are not low-priced, because they maintain a minimum product quality. Now is the time to change, as the coronavirus has changed people's lifestyles. The Indian government needs a general prohibition on telecommunications or video surveillance equipment or services produced.
Below I share some Indian factory-made product models, by brand. BIS does not necessarily certify the quality and source of components, which is very important for customers to understand.

| Brand Name | BIS approved Model Number | Factory Located |
| --- | --- | --- |
| INFINOVA | VS220-A60B-A022, VS220-A60B-A062, VT240-A222-A3, VS221-A20B-B022, VS210-P2, VT-231-A230-C061, VT231-A230-A061, VT231-A230-A061, VH121-A20E-A022-32G, VT221-A20B-B022, VT221-A20B-U062, VT220-A20B-S022, VH221-A40B-A022, VS220-A20BB062, VS220-A20B-C022, VS220-A20B-C062, VT230-A230-D061, VT231-B230-D061, VS211-A20B-D0, VS211-A20E-C0, VS211-A20E-D0, VS211-A60B-A0, VH221-B402-A012, VH221-B403-A012, VH221-B406-A012, VH221-B408-A012, VH221-B412-A012, VH211-B402, VH211-B403-A0, VH211-B406-A0, VH211-B408-A0, V3073-08J02, V3073-16J02, V3073-24J02, V3073-64J16, V3073-128J16 | Pune, Maharashtra, India |
| Honeywell | HEICC-2301T, HEIPTZ-2201W-IR, HABC-2305PIV, HADC-2005PI | Gurgaon, Haryana, India |
| WBOX TECHNOLOGIES | 0E-CVHD5R2FPNA28, 0E-CVHD5R2FPNA6, 0E-CVHB2R2FPNA6 | Noida, Uttar Pradesh, India |
| D-LINK | DCS-F3611-L1, DCS-F3711-L1, DCS-F3711-L1P | Haridwar, Uttarakhand, India |
| TENTRONIX | TI-QX4-NVR-8432-JN, TI-QX4-NVR-8432-H8, TI-QX4-NVR-8404-JN | Ludhiana, Punjab, India |
| OZONE WallCam | OWC-DV-03-CH016S1H8E, OWC-MD-01-CH04SD2G, OWC-DV01-CH08M5S1H8-5 | Gurugram, Haryana, India |
| XPIA-I | XP-DV-5004 ECO, XP-NV-4016 PRO, XP-NV-4036 PRO, XP-NV-4032 PRO | Delhi, India |
| HAWK'S EYE | BIS-NVR-4CH, BIS-NVR-32CH, BIS-DVR-8CH | Mohali, Punjab, India |
| COVERT SECURE | CO-NV4242NH-K2, CO-NV4442NH-K4, CO-NV6142NH-K1, CO-NV6242NH-K2 | Okhla, New Delhi, India |
| ZEBRONICS | ZEB-16F1DA2H1-5MPL, ZEB-32F1DA12H8-8MPL, ZEB-4F1DA1H1-5MPL | South Delhi, India |
| AVAZONIC | AVZ-RN32, AVZ-RN16, AVZ-RD32, AVZ-RD16, AVZ-RN08, AVZ-RN04 | Ajmer, Rajasthan, India |
| CVG | CV-N7-8104SH, CV-N9-8232SH, CV-N9-24EX-R, CV-N8-8224S, CV-N8-8116SH | Ghatlodia, Gujarat, India |
| HasHTVS | MDVR-404S, HSD-7032D, HSD-6308D, HSN-6464N | Gurgaon, Haryana, India |
| SECUREYE | S-NVR-3, S-NVR-4, S-NVR-5, S-NVR-6, S-XVR-1, S-XVR-10, S-NVR-1 | Delhi, India |
| E-VISION | EVNVR16, EV NVR 6000-25EX, EVNVR6001-36 EX, EVNVR6001-64 EX | Faridabad, Haryana, India |
| Ambicam | VM-72XVR, VM-72XVR128, VM-72XVR16, VM-72XVR32, VM-72XVR8, VM-72XVRB | Ahmedabad, India |
| PLEXONICS | PL-7416ENVR, PL-7208ENVR, PL-7204ENVR, PL-6224D-NSR-R, PL-7436ENVR | Chandigarh, India |
| SPARSH | SR-NV16F601-HP, SR-NV08F601-H, SRNL04F601-HP, SR-NV16F608-HE, NVR16, SR-NP3232F5H-H(D)(E)(P), SR-NP3232F5H-H(D)(E)(P)-32, SR-NV32F608-HE | Haridwar, Uttarakhand, India |
| HIFOCUS | HD-XVR-4161H1-H, HD-XVR-4401H1-H, HD-XVR-4801H1-H | Andhra Pradesh, India |
| EYEFOCUS | EF-0204NR, EF-0208NR, EF-0216NR, EF-0404QD-U, EF-0408HDR, EF-0416HDR | Kolkata, West Bengal, India |
| SECURICO | SEC-N04 FH7, SEC - N16 GH7, SEC-N08 FH7, SEC-M04 FH7 | Haridwar, Uttarakhand, India |
| iSecure IT | ISEC5MPFIDO, ISEC5MPFIBU, ISEC5MPVADO, ISEC5MPVABU | Thane, Maharashtra, India |

Some OEMs with BIS-approved model numbers made in factories outside India

| Brand Name | BIS approved Model Number | Factory Located |
| --- | --- | --- |
| PELCO | IXP13, IXP23, IXP33, IXP53, IMP131-1ERS, IMP131-1IRS, IBP231-1ER, IBP232-1ER | TAOYUAN CITY, TAIWAN |
| | IWP133-1ERS, IWP232-1ERS, IWP233-1ERS, S7822L-EBO, D7818L, P2820-ESR | |
| | IME238-1ERS, IME332-1ERS, IBE338-1ER, IBE238-1ER, IXE33, IXE23, IXE53, IXE83 | NEW TAIPEI CITY, TAIWAN |
| AXIS | AXIS Q6074-E 50Hz, AXIS Q6075-E 50Hz, AXIS Q8685-E 24V AC/DC | Poland |
| | AXIS P3367-V, AXIS P3225-LV, AXIS P3717-PLE, AXIS P3245-LV, AXIS M3075-V | AGUASCALIENTES, MEXICO |
| | AXIS P3915-R, AXIS P3915-R, AXIS M1125, AXIS P3905-R | NAGASAKI, JAPAN |
| | Q8741-LE, Q8742-LE, Q6215-LE, Q8742-E, Q8742-E, Q2901-E | LUND, Sweden |
| | P1435-LE, P1425-LE, P1448-LE, M3045-V, P1367-E, P1368-E, M2026-LE, P1367 | PATHUMTHANI, THAILAND |
| | AXIS Q6155-E 50Hz, AXIS V5914 50Hz, AXIS V5915 50Hz | JIRNY, Czech Republic |
| | P3374-V, P3375-LV, P3375-V, M1124, M1124, M1125, M1125, M3104-LVE, P1364 | KWIDZYN, POLAND |
| BOSCH | DIP-5044EZ-1HD, DIP-5044EZ-4HD, DIP-5042EZ-2HD, DIP-5042EZ-0HD | NEW TAIPEI CITY, TAIWAN |
| | DIP-6188-8HD, DIP-6184-8HD, DIP-6183-4HD, DIP-6180-00N, DIP-7183-8HD | TAOYUAN CITY, TAIWAN |
| | NIN-73013-A10A, NHT-8001-F17VS, NHT-8001-F35VF, MIC-9502-Z30BVS | OVAR, PORTUGAL |
| AVIGILON | AIRPD1 | NEW TAIPEI CITY, TAIWAN |
| | APTZC1, ASLBD1, APROD1, ADOMS1, ADOMC1, BDOMC1, BDOMP1, BBULD1 | RICHMOND, BC, CANADA |
| VIVOTEK | ND9441P, ND9541P, ND9424P, ND9424P-v2, ND9541P, ND9441P, ND9312 | NEW TAIPEI CITY, TAIWAN |
| | FD9367-HTV, FD9167-H, FD9167-HT, FD9171-HT, IB9371-HT, IB9381-HT, IP9181-H | |
| WISENET (HANWHA) | XNO-6120R, QNO-7020R, QNO-7030R, QNO-7010R, PNP-9200RH, LNO-6010R | BAC NINH CITY, Vietnam |
| | XND-6080, PNF-9010RV, HCD-6070R, QNV-6070R, QNV-7080R, QNP-6230H | |
| | HRD-1642P, HRD-842P, XRN-3010, HRX-1620, XRN-2010, XRN-2010A, XRN-2011 | |
| GANZ | ZN1A-B4DZF56U, ZN1A-B4DZF69U, ZN-P2X30-DL, ZN-VD8F28-DL, ZN-VD8M310-DLP | South Korea |
| IDIS | DC-D4212R, DC-D4213RX, DC-D4213WRX, DC-D4223RX, DR-1308P, DR-1304P | South Korea |
| LILIN | PSR5024EX30, MR832, MR302, MG1022, UHG1122, SR7428X, SG1122, ZR8022X10 | TAIPEI CITY, TAIWAN |
| Illustra (TYCO) | IPS12FFOCWIY, IPS12FFOCWIYA, IPS12FFOCWIYA-IN, ISS04B1ONWIT | TAIPEI CITY, TAIWAN |
| | ADCi600F-D021a, IFS03B1BNWIT, ADCi600F-D111a, IPS02-D12-OI03, IPS02-D17-OI03 | |
| | ADCi610-M111, ADCi600-M111, IQS02MFONWTY, IQS02CFICWSN, IQS020CFICW | South Korea |

| Trusted surveillance software from Indian companies | Location |
| --- | --- |
| COM-SUR (Hayagriva Software) | Mumbai, Maharashtra, India |
| AllGoVision | Bengaluru, India |
| i2V (Intelligent Integrated Video) | Gurugram, Haryana, India |
| Silversparro | Gurugram, Haryana, India |
| Videonetics | Kolkata, West Bengal, India |


| Trusted surveillance software from outside India | Location |
| --- | --- |
| Milestone Systems | Denmark |
| Mirasys Ltd | Helsinki, Finland |
| AxxonSoft | North America |
| Genetec Inc. | Quebec, Canada |
| IntelliVision | San Jose, CA, USA |


Source:
https://ipvm.com/reports/ban-law