The war on snooping eyes | India's CCTV security crisis

For years, security experts have cried themselves hoarse over the rapid proliferation of surveillance cameras. Adversaries hacking internet-connected CCTVs (Closed Circuit Televisions) to gather caches of sensitive information is bad enough, but the ongoing war in the Middle East has revealed the more sinister uses such hacking can enable. Cameras—at traffic junctions, buildings and city streets—are being repurposed for target tracking and precision strikes. Advances in artificial intelligence (AI) allow militaries to rapidly analyse vast caches of footage, enabling precise identification of targets. Israel hacked Tehran’s surveillance camera grid to track—every face and vehicle was tabulated over days to create a mosaic of daily routines—and then assassinate Iranian supreme leader Ayatollah Ali Khamenei and other senior officials on February 28.

In India, the threat from CCTVs was brought home in late March, when police in Ghaziabad, Uttar Pradesh, dismantled a Pakistan-linked espionage ring that did more than hack existing cameras. Instead, operatives installed solar-powered CCTV units at sensitive locations in Delhi-NCR. These devices transmitted live footage to Pakistan’s Inter Services Intelligence (ISI) handlers across the border. Investigators revealed that the network was tasked to expand the covert network in other Indian cities.

Indeed, there are over three million CCTVs with weak technical features installed across the country—around half of them in government premises, including military compounds and high-security infrastructure—a massive security risk. Ninety per cent are made by Chinese firms like Hikvision and Dahua, which means there is but one beneficiary of alleged electronic espionage—Beijing.

With India’s apprehension turning into reality in the Middle East, New Delhi has finally made a decisive move. The government has banned CCTV cameras and associated hardware from Chinese manufacturers. From April 1, new certification requirements under the Union ministry of electronics and information technology’s (MeitY) Standardisation Testing and Quality Certification (STQC) framework come into force, mandating that all CCTV products undergo testing and approval before they can be sold or deployed. The rules require devices to have tamper-proof enclosures and strong malware detection encryption so that they are free of vulnerabilities that could lead to remote access. The new rules stem from the requirements first issued by MeitY in April 2024. Manufacturers were given a two-year period to adapt, and over 500 CCTV models have already been certified and some installed.

SECURING VITAL ASSETS

At a review meeting chaired by Prime Minister Narendra Modi in February, serious concerns were also raised about alleged Chinese attempts to snoop on India’s national telecommunications infrastructure. The government is now establishing a mechanism to safeguard the country’s telecom backbone, with quarterly coordination meetings mandated between the Department of Telecommunications, the Ministry of Defence and intelligence agencies.

The perceived threat to vital national infrastructure stems from a large cyber-espionage campaign in 2021 by Chinese state-linked groups. The operation targeted at least seven State Load Dispatch Centres (SLDCs) —facilities responsible for electricity dispatch and grid control—located close to the Line of Actual Control (LAC) with China in Ladakh. The attackers likely compromised Internet Protocol (IP) cameras commonly used in CCTV networks, along with internet-connected Digital Video Recorder (DVR) systems. The objective, it was assessed, was to gather intelligence on India’s power infrastructure. Two separate Chinese hacking attempts on electricity distribution centres in Ladakh in 2021 were successfully thwarted too.

Close on the heels of the central directive, the Delhi government in April decided to remove around 140,000 Chinese-origin CCTV cameras installed by its public works department, as potential threats to national security. “Surveillance infrastructure is not about just about visibility, it is about control over sensitive data,” said Parvesh Verma, Delhi’s PWD minister. He added that the government would replace these cameras in a phased manner with secure, trusted and updated systems.

CHINESE DESIGNS

Indian experts who for years have suspected that many Chinese CCTVs leak sensitive information aren’t solitary voices. In 2022, the UK, US and Australia all decided to ban Chinese CCTVs from government departments and sensitive installations, citing security concerns. One main worry is the fact that these companies, often partly/ wholly owned by the Chinese government, are required by the 2017 National Intelligence Law to cooperate with Beijing’s security services. In October 2025, the US Federal Communications Commission tightened the ban on Chinese firms like Hikvision, Dahua and Huawei, blocking any new import approvals from devices that use parts from these companies.

Lt Gen. Rajesh Pant, former National Cybersecurity Coordinator, believes that all electronic devices with software can be weaponised by adversaries. “CCTV cameras connected through the internet and can be used for surveillance, damage assessment and denial of service attacks. The government move is a good step towards national security,” he says.

India is rapidly expanding its network of AI-enabled CCTV cameras, positioning them as essential tools for safety, policing and smart infrastructure. However, experts point out that critical components inside these cameras—chipsets, firmware (a microcode/ software attached to the hardware system-on-chip or SoC) and analytics—largely originate from China-linked supply chains, raising questions about the true sovereignty over the surveillance grid.

An Indian intelligence official further adds that modern surveillance cameras come with capabilities that can be switched on remotely—for example, the ability to pick up sounds or read vehicle number plates. This is enabled by the SoC of a CCTV camera which has applications with functions like motion and facial recognition.

Also, as an expert points out, a Video Security Surveillance (VSS) system or CCTV is more than just a camera device. These systems also contain video network recorders, through which all images, stored for later analysis, are connected to a network that can be linked to remote web servers. Large amounts of disparate visual data transmitted back to China can be integrated through AI and, like in Tehran, be used to create composite intelligence pictures. That is where the national security risks crop up.

NEED FOR AN AUDIT

While welcoming the stricter parameters, experts are worried about the existing web of cameras. “The rules are for new surveillance cameras to be procured, but there is no solution to millions of existing cameras. The vulnerabilities continue,” says N.K. Goel, president of the Telecom Equipment Manufacturers Association of India. He calls for a comprehensive audit of such existing CCTVs.

As with defence platforms, a way out of foreign dependence, and the dangers therein, is indigenous production. However, an insider in the sector highlighted a blind spot in Make in India policies. While procurement rules reward local content, this metric alone does not guarantee control over the intelligence-bearing layers. “Cameras may be assembled, packaged and invoiced in India, yet the SoC microchip is 100 per cent imported—usually of Chinese origin but routed through Taiwan, Hong Kong, or the UAE—and the firmware is often Chinese but masked to appear indigenous,” he says. He adds that units certified by MeitY’s STQC are not always the same as those deployed at sensitive sites, creating a dangerous gap between tested samples and field installations. He cited an example of Indian Railways’ 2024 plan to instal about 75,000 AI-powered CCTV cameras in all coaches and locomotives at an estimated cost of Rs 15,000 crore. While the company’s invoice listed Taiwan as the origin, the customs invoice from Mumbai’s Air Cargo Complex suggested that it came from China.

To address these susceptibilities, some experts call for treating CCTV in sensitive sectors as strategic infrastructure. They propose a harder national doctrine based on five principles: verifying the exact units deployed (and not just submitted samples), full disclosure of chipsets, firmware and update provenance, re-testing replacements and firmware changes, creating a restricted or negative list for VSS technologies in critical sectors and applying stricter standards to high-importance areas like ports, airports and defence facilities.

Apart from just verifying new machines, only a full check of all existing CCTVs in sensitive areas can rid India of the grave security risk they pose.