GOVT. POLICIES: CCTV-VSS-SURVEILLANCE RELATED
CCTV systems are no longer standalone recording devices. Today’s surveillance infrastructure consists of network-connected cameras, video management platforms, cloud integrations, and remote monitoring systems. While these advancements have significantly improved surveillance capabilities, they have also expanded the cybersecurity attack surface.
The shift from legacy analog systems to the Internet of Surveillance Things (IoST) has fundamentally altered the attack surface of modern organisations. Legacy systems relied on proprietary Digital Video Recorders (DVRs) and coaxial cabling, which required physical proximity for interception. In contrast, modern IP cameras operate on Linux-based kernels (uClinux, OpenWrt variants, BusyBox), possessing dedicated System-on-Chip processors (HiSilicon, Ambarella, Novatek, Allwinner — many running unpatched kernels), NAND/NOR flash memory, network interface cards, UART/JTAG debug ports frequently left enabled in production, and in modern models, an AI inference engine. This transition means that a vulnerability in a camera's firmware is a risk to the entire network.
A network-connected video camera is not merely an imaging device. From a threat actor's perspective, a compromised camera provides persistent physical surveillance of facilities, boardrooms, data centers, and perimeters; a network pivot point enabling lateral movement to core IT infrastructure; an exfiltration channel camouflaged within legitimate video traffic; a covert listening post via microphone access; a botnet node for DDoS campaigns; and a credential harvesting platform with access to network credentials in camera memory or transmitted in cleartext.
The 'Insecurity by Design' Paradigm
The 'Insecurity by Design' paradigm characterises the majority of IP surveillance products. Manufacturers routinely prioritise ease of deployment over security, leading to the systematic inclusion of P2P 'easy connect' features and hardcoded debug accounts. P2P features (e.g., iLnkP2P, Shenzhen Yunni Technology's UID-based tunneling) allow cameras to 'punch holes' through corporate firewalls to maintain persistent outbound connections to manufacturer-managed cloud servers, frequently in jurisdictions with variable security standards. When these cloud environments are compromised, attackers gain a direct, unmonitored tunnel into the internal network, bypassing traditional perimeter defenses entirely. These P2P tunnels have been demonstrated to enable unauthenticated access when UID enumeration attacks are applied.
Unsecured surveillance devices potentially become entry points for unauthorized network access, data breaches, or system manipulation. In sensitive environments such as transportation hubs, government facilities, or enterprise campuses, such vulnerabilities can pose serious risks.
GENERAL - Ghaziabad Incident
1. There is some confusion that the Govt/MHA/MeitY/CERT-In/MOD has ordered an audit of CCTV all over India following the Ghaziabad incident, in which CCTV and solar installations were discovered outside Cantt areas, sending data to Pakistan.
2. This news is wrong. There are no official orders from MeitY/CERT-In/MHA/Govt/MOD in this behalf.
3. The only news in the media is that MHA asked: “Police departments have been asked to map all installations, verify them with official records and flag any camera that cannot be accounted for.” This is stated to be for sensitive zones, railway stations, cantonment areas, highways and routes with known military movement.
But no official orders are available in this behalf. In any case, even if this is true, it is only to identify unaccounted CCTV, not to go for their security certification.
4. This was the fallout of Ghaziabad Police busting an espionage module, a Pakistan ISI and Babbar Khalsa International (BKI) spy ring that had recruited locals, including CCTV operators, mobile repairmen, and even minors, via social media. The operatives installed covert solar-powered, SIM-enabled standalone CCTV cameras linked to EseeCloud, a widely used Chinese software platform for CCTV and surveillance equipment. These were installed at sensitive sites (e.g. Central Armed Police Forces installations, including Delhi Cantonment Railway Station, Sonipat Railway Station, Kapurthala, Jalandhar, Pathankot, Patiala and Moga in Punjab, as well as Ambala in Haryana, Kathua in Jammu and Kashmir, and Bikaner and Alwar in Rajasthan etc.) to monitor army movements, troop trains, and other critical infrastructure. These cameras streamed live, round-the-clock, uninterrupted footage directly to handlers (ISI) in Pakistan for about three months. The ring also exploited unsecured existing CCTV feeds. Over 20 people (including juveniles) were arrested. This exposed real-world national security risks from vulnerable/foreign-origin surveillance systems. The probe revealed that the network had tasked and funded plans to install more such panels in different cities.
The SO-CALLED BAN ON Chinese CCTV w.e.f. 1.4.2026
5. There are media reports that w.e.f. 1.4.2026 Chinese CCTV companies like Hikvision, Dahua, and TP-Link are banned from selling in India. This is a misleading version. The fact is that the earlier orders were issued by MeitY on 9.4.2024 and implemented from 9.4.2025. By OM dated 21.5.2025, MeitY granted a temporary relaxation allowing the sale of CCTV cameras, imported or domestically manufactured, without ER compliance, specifically to help companies clear existing inventory that predated April 9, 2025. These relaxations have been withdrawn by MeitY OM dated 16.1.2026, which says all exemptions are withdrawn from 1.4.2026. Details are given below under the MeitY orders. There are no fresh orders banning any Chinese CCTV.
IRAN & Venezuela Cyber CCTV Incidents
6. Iran: During the present-day conflicts (2025-2026), Israeli/US intelligence heavily compromised Iran’s street/traffic camera networks, which had been hacked for several years. This provided real-time tracking of officials, enabled targeted strikes/assassinations (including Leader Khamenei), and disrupted communications. Iran had built a vast camera system for internal control/dissent suppression, but adversaries turned it against the regime. Iran-linked hackers also targeted similar cameras elsewhere.
7. Venezuela: Early 2026, during operations linked to Maduro’s capture, US Cyber Command exploited pre-positioned malware and “shadow administrators” in extensive Hikvision/Dahua camera networks in Caracas. This allowed real-time monitoring while evading detection.
8. The above two breaches later led to China detaining 300+ Hikvision executives/R&D chiefs/technical staff for investigation over security breaches linked to backdoors exploited by US-Israel intelligence, enabling Maduro's capture in Venezuela and Khamenei's elimination in Iran. As per media reports, every Hikvision camera across China is now being ripped and replaced, including street surveillance cameras.
OVERALL POLICY PROVISIONS
9. The Supreme Court’s K.S. Puttaswamy v. Union of India (2017) judgment affirmed privacy as a fundamental right under Article 21. Any surveillance by the state must clear four bars: it must be legally sanctioned, serve a legitimate state aim, remain proportionate to that aim, and carry procedural safeguards. Surveillance that cannot satisfy all four is unconstitutional.
10. In Paramvir Singh Saini v. Baljit Singh (2020), the Supreme Court issued binding directives specifically for CCTV systems inside all police stations and central investigative agencies. Cameras must have night vision and audio recording capabilities, cover all lock-ups, entry and exit points, and corridors, and retain recordings for a minimum of 18 months. Independent oversight bodies, a Committee of Oversight at the district level and a State Level Oversight Committee, must be established to enforce compliance.
11. The Indian Evidence Act mandates that secondary evidence, such as a copy of footage on a USB or DVD, is inadmissible in court without a Section 65B(4) certificate. If the original DVR or NVR is seized directly, the certificate is not required. To prevent tampering challenges, operators must maintain an unbroken chain of custody by preparing a seizure memo, generating SHA-256 cryptographic hashes of digital files at the point of copying, and maintaining detailed custody logs thereafter.
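The hashing and custody-log steps in point 11, sketched as an added example that is not part of the original page: the file is hashed with SHA-256 while it is being copied, and each custody record is chained to the previous one so that a later edit to the log is detectable. The file names, handler labels and the log format are assumptions made for illustration.

```python
import hashlib, json, time
CHUNK, GENESIS = 1 << 20, "0" * 64   # 1 MiB read size; 'prev' value of the first record

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def copy_with_hash(src, dst):
    """Copy src to dst, hashing the bytes as they are read, then re-hash dst."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    if sha256_file(dst) != h.hexdigest():
        raise IOError("copy does not match source")
    return h.hexdigest()

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def append_entry(log, action, item, sha256, handler):
    """Append a custody record whose hash also covers the previous record's hash."""
    rec = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "action": action,
           "item": item, "sha256": sha256, "handler": handler,
           "prev": log[-1]["entry_hash"] if log else GENESIS}
    rec["entry_hash"] = _digest(rec)
    log.append(rec)

def verify_log(log):
    """Return the index of the first altered record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec["prev"] != prev or rec["entry_hash"] != _digest(body):
            return i
        prev = rec["entry_hash"]
    return -1

def demo(src, dst):
    with open(src, "wb") as f:
        f.write(b"constructed sample footage" * 1000)   # constructed input, not real video
    digest, log = copy_with_hash(src, dst), []
    append_entry(log, "copied-at-seizure", "copy.mp4", digest, "officer-A")
    append_entry(log, "handed-over", "copy.mp4", digest, "lab-B")
    return digest, log
```

`verify_log` returns -1 for an untouched log and the index of the first record whose content or link no longer matches.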
12. The penalties for violations attract different provisions such as:
MEITY/DPIIT/DOT ORDERS FOR CCTV
13. MeitY is the Administrative Ministry for CCTV. It has issued two orders in this behalf:
i) PPO - Public Procurement Order dated 6.3.2024 (Copy on link below), mandating National Security parameters as Essential Requirements and STQC Certification for all Government procurements. This became effective w.e.f. 7.06.2024.
Public Procurement (Preference to Make in India) Order 2017-Notifying CCTV/ Video Surveillance System for Security in furtherance of the Order 6th March 2024.
ii) CRO - Compulsory Registration Order dated 9.4.2024 (Copy on link below), mandating BIS registration based on STQC certifications. This is applicable to all persons, companies and enterprises, whether Govt or private. This became effective from 9.04.2025. However, certain relaxations were given initially. These exemptions have been withdrawn vide MeitY Order dated 16.1.2026 (Copy at link below) and STQC/BIS has been made mandatory w.e.f. 1st April, 2026. Under this, only CCTV cameras that are compliant with MeitY’s Essential Requirements, certified by STQC, and registered under the BIS Compulsory Registration Order can be legally sold in India.
Copy available at: Meity Order 9.4.2024 for CCTV BIS CRO for all users
16.1.2026 Meity Withdrawing all exemptions on CCTV w.e.f. 1.4.2026
iii) The MHA also issued orders on the MeitY PPO/CRO vide its order dated 26.4.2026 (Copy on link below)
26.4.2024 MHA Order on CCTV for Meity PPO/CRO
iv) STQC, the Standardisation Testing and Quality Certification directorate under MeitY, tests devices against a control set that mandates secure boot, digitally signed firmware, disabled physical debug interfaces, no default credentials, encrypted data in transit and at rest, and a published Software Bill of Materials detailing the origin of critical components.
v) Meity Order 11.3.2024 Advisory for all for VSS
CMAI/CSAI Research Papers
14. The TEMA/CMAI/CSAI research paper on VSS is available at: National Council for CCTV-VSS - CCTV-VSS Report Released by CMAI giving technical inputs
15. A research report on DEFENDING SURVEILLANCE VIDEO CAMERAS & RELATED DIGITAL INFRASTRUCTURE - Covert Cyber-Physical Attack Vectors, Supply Chain Integrity, APT Countermeasures - by Mr Balaji Venketeshwar, Director CSAI, with research partners CyberVidyapeeth Foundation, Zeronsec and Pivot, is available at: National Council for CCTV-VSS - CCTV-VSS Report Released by CMAI/CSAI with Technical Inputs
DPDP Provisions
16. Camera Operators Are Data Fiduciaries
Under DPDP, CCTV operators are treated as Data Fiduciaries, with video footage legally treated as personal data. Operators must display physical signage at entry points and publish a detailed notice specifying what is collected, why, and who handles grievances.
High-risk activities such as large-scale public surveillance can trigger Significant Data Fiduciary status, requiring a dedicated Data Protection Officer and periodic Data Protection Impact Assessments.
17. MHA Office Memorandum dated April 30, 2024, mandated that footage from CCTVs installed at government establishments and public places must be stored within India, even on cloud platforms. International data residency for sensitive surveillance feeds is not permissible.
18. Facial Recognition is governed by the DPDP Act, which treats biometric data as sensitive personal data. NITI Aayog classifies FRT as high-risk technology given its potential for inaccuracy, systemic bias, and mass surveillance misuse. Deployment requires mandatory Data Protection Impact Assessments, independent bias audits, and public grievance mechanisms. Large-scale FRT use triggers Significant Data Fiduciary obligations under the DPDP Act, including a mandatory Data Protection Officer.
19. There are some direct CCTV orders:
- 28.3.2022 Clarifying that for ULCE not to be used CCTV. Use only BIS
- DPIIT Order 28.3.2022 not to have restrictive conditions of turnover, specs, tests etc. in CCTV
- 7.8.2025 Meity Orders on CRO/PPO Testing clarifications
- 4.2.2026 Meity Order on CCTV BIS/PPO/CRO Clarification
- 3.12.2025 Meity Procurement agency to verify supplies
CERT-IN Guidelines for data storage and reporting
20. CERT-In directions dated 28.4.2022 require cybersecurity incidents, including unauthorised camera access, to be reported to CERT-In within six hours of detection, and a detailed follow-up report to be submitted to the Data Protection Board within 72 hours.
All system logs, covering VMS, access, and network activity, must be stored within Indian jurisdiction for a rolling 180-day period.
Every DVR, NVR, and server must synchronise its clock to the National Physical Laboratory’s NTP server for forensically valid timestamps.
State Policies for CCTV
21. Certain States mandate the minimum retention and technical requirements for CCTV operators:
Industry wise requirements
22. Some industry sectors mandate their own policies for retention periods (generally 30 days) such as:
23. Compliance in brief:
- CCTV Operators to procure only STQC/BIS approved cameras
- Change default passwords
- Encryption enabled at rest and in transit
- Clocks synced to NTP.
- A written surveillance policy with clear signage and local police registration, where required
- A 30-day minimum retention policy must be automated with scheduled deletion.
- Access must be role-based with immutable audit logs maintained for 180 days.
- Every third-party vendor must sign a Data Processing Agreement confirming India data residency.
24. HISTORICAL BREACHES AND FORENSIC ANALYSIS
i) The Verkada Platform Breach (2021)
The Verkada incident involved the compromise of a super-administrative account on the vendor's cloud platform, granting attackers access to 150,000 live camera feeds including those in sensitive medical and correctional facilities. Forensics revealed the vendor failed to enforce unique complex passwords, lacked centralised logging for administrative actions, and a build server had been compromised months earlier by the Mirai botnet. The FTC subsequently took action against Verkada for failures to secure videos and personal data, resulting in a $2.95 million settlement. This incident established the vendor cloud platform as a critical attack surface requiring the same security controls applied to on-premises infrastructure.
ii) Mirai and the Botnet Cannon
The Mirai botnet remains a seminal example of the risk posed by surveillance devices at scale. By scanning for devices with default credentials (admin/admin, root/password), Mirai compromised hundreds of thousands of cameras and DVRs to launch the Dyn DNS DDoS attack, taking down major internet services globally. For financial or retail organisations, such a compromise doesn't just result in a data breach — it can lead to regulatory fines under GDPR and mandatory facility closures due to insurance requirements for functional surveillance.
iii) Dahua & Hikvision Manufacturing Backdoors
Multiple documented manufacturing backdoors have been identified in major commercial camera brands: Dahua cameras were found to contain an undocumented admin account (2017) providing full administrative access; Hikvision cameras contained a 'magic string' bypass (CVE-2017-7921) allowing unauthenticated full configuration access. These discoveries led to NDAA Section 889 prohibiting procurement of these brands for US federal systems, and the UK NCSC issuing guidance against their use in sensitive government environments.
iv) Contec CMS8000 Reverse Backdoor Pattern
While primarily a medical device incident, the Contec CMS8000 patient monitors — confirmed by CISA to contain a hardcoded IP address that the device automatically calls out to — establish an important precedent directly applicable to surveillance. In a camera context, a device with a hidden cellular module could be configured to periodically 'wake up' and transmit sensitive frames or network-discovered credentials to a remote server, remaining completely invisible to the local Security Operations Center.
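A detection sketch for the call-out behaviour described above and for the persistent outbound P2P connections described under 'Insecurity by Design', added here as an example and not taken from the original page or any vendor tool. It flags cameras that contact destinations outside an allowlist and marks regularly timed contacts as beacons; the flow-record format, camera subnet, allowlist and thresholds are assumptions, and traffic sent over a separate cellular module would not appear in such LAN flow records.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: epoch_seconds src_ip dst_ip dst_port bytes
FLOWS = """\
1000 10.20.0.11 10.20.0.5 554 812000
1030 10.20.0.11 10.20.0.6 123 90
1600 10.20.0.12 203.0.113.40 443 5200
2200 10.20.0.12 203.0.113.40 443 5100
2800 10.20.0.12 203.0.113.40 443 5300
3400 10.20.0.12 203.0.113.40 443 5250
1500 10.20.0.13 198.51.100.7 40000 400
"""

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")    # assumed camera VLAN
ALLOWED = {("10.20.0.5", 554), ("10.20.0.6", 123)}   # assumed NVR (RTSP) and NTP server

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                                  # skip malformed records
        ts, src, dst, port, nbytes = parts
        yield int(ts), src, dst, int(port), int(nbytes)

def unexpected_egress(text):
    """Group flows from cameras to any destination outside the allowlist."""
    hits = defaultdict(list)
    for ts, src, dst, port, _ in parse(text):
        if ipaddress.ip_address(src) in CAMERA_NET and (dst, port) not in ALLOWED:
            hits[(src, dst, port)].append(ts)
    return hits

def findings(text, min_events=4, max_jitter=0.1):
    """Label each unexpected peer 'beacon' (regular interval, seconds) or 'egress'."""
    out = {}
    for key, times in unexpected_egress(text).items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = (len(times) >= min_events and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_jitter)
        out[key] = ("beacon", round(mean(gaps))) if regular else ("egress", None)
    return out
```

On the constructed records, `findings(FLOWS)` reports the camera at 10.20.0.12 as a beacon with a 600-second interval and the camera at 10.20.0.13 as a single unexpected egress.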