04/03/2023
Bulgarian Mass Surveillance, Hidden in Plain Sight.
The use of CCTV cameras on public transit is commonplace across much of the world, but the controversy in Bulgaria centers on the documented vulnerabilities surrounding the use of Hikvision cameras and concerns over a lack of oversight in their procurement.
A Hikvision camera in use on Sofia's public transport system
The video-surveillance system installed on Sofia's public-transit network dates to 2017, when a modernization project for the city's urban transport was issued. At the end of 2018, a contract was concluded with a consortium of companies to purchase the equipment and affiliated technology for $45 million, with the aim of installing a total of 4,300 cameras on buses, streetcars, and trolleybuses in the capital.
The video-surveillance system in Sofia's public-transport system began operating in late 2020 and a rollout of the cameras has continued. The website of Sofia's Urban Mobility Center, the city's transportation department, says that installing the cameras was done to provide "better security" for drivers and passengers and make it easier for the city to count the number of people traveling on public transit.
But questions remain over the vulnerabilities of Hikvision cameras as well as wider concerns by some Western governments about Chinese suppliers.
The Urban Mobility Center said in response to RFE/RL questions that it did not have "the right to set restrictions or requirements around the country of origin or specific brands for equipment manufacturers" for the contract. Similarly, the consortium formed to execute the public order for purchasing the cameras said that its choice of equipment was guided by "needs, reliability, and security" and not by country of origin or trademark.
Part of the appeal of Chinese companies in the surveillance industry like Hikvision to buyers around the world is that they offer a competitive price paired with a quality that has often allowed them to undercut their peers and win public contracts where the cost to taxpayers is often a leading factor in the selection process.
Major concerns about the vulnerability of Hikvision came in 2021, when an anonymous security researcher found a glitch in the Chinese company's products that "permits an attacker to gain full control of the device." In a post that spread widely among industry leaders, the researcher said the cameras had "the highest level of critical vulnerability."
Hikvision quickly acknowledged the vulnerability and instructed users to install new software on their devices which it said would patch the glitch.
According to IPVM, an industry research publication focused on video-surveillance products, the vulnerability impacted more than 100 million cameras globally.
In August 2022, the cybersecurity company CYFIRMA published a study in which it estimated that more than 80,000 Hikvision cameras were exposed after operators failed to install a firmware update released in 2021 or left default passwords in place when first setting up the devices.
The Urban Mobility Center, the consortium behind the Sofia contract, and Maxtel, the subcontractor that installed the cameras, did not acknowledge any vulnerabilities or say whether they had been patched.
The Urban Mobility Center did not respond to RFE/RL's inquiry about the glitch and Maxtel said that it had no information about it. The center did say it had referred the question to Hikvision, but that the company had not yet confirmed any details.
People exit a tram in downtown Sofia.
However, both entities told RFE/RL that such concerns were paramount to them and that the video-surveillance system was secure, as it remains on a closed computer network and all software updates are regularly monitored and applied.
"All measures have been taken to protect the system and make it impossible for the information from it to be used for anything other than its intended purposes," the Urban Mobility Center said in a statement. "It's constantly being reviewed, especially in terms of cybersecurity."
Article 32 of the Bulgarian Constitution guarantees the inviolability of personal privacy, including the privacy of correspondence, telephone conversations, and other communications. However, this protection is subject to limitations that are deemed necessary in a democratic society, such as for national security or criminal investigations.
In addition to constitutional protections, Bulgaria has legislation that regulates the collection and use of personal data, including the Personal Data Protection Act and the Electronic Communications Act. These laws require that personal data be collected and processed only for specific and lawful purposes, and that individuals be informed of any data processing that affects them.
However, there have been concerns about mass surveillance practices in Bulgaria, particularly in relation to the use of surveillance technologies by law enforcement agencies. In 2018, for example, a Bulgarian court ruled that the use of IMSI-catchers (devices that intercept mobile phone signals) by the police was unconstitutional, as it violated the right to privacy.
An IMSI catcher, also known as a "Stingray," is a type of surveillance technology used to intercept mobile phone signals. The acronym "IMSI" stands for International Mobile Subscriber Identity, which is a unique identifier assigned to each mobile device.