India has made the decision to prohibit internet-connected CCTV cameras and associated hardware from Chinese manufacturers such as Hikvision, Dahua Technology, and TP-Link starting April 1. This ban follows the implementation of new certification requirements under the Standardisation Testing and Quality Certification (STQC) framework. The regulations mandate that all CCTV products must obtain necessary approval before being marketed in India.
This action is part of a broader governmental effort to enhance security standards for interconnected devices, given their susceptibility to potential surveillance and hacking risks. Indian authorities are reportedly withholding certification for products from the mentioned Chinese companies and devices utilizing Chinese-origin chipsets. Without the requisite STQC clearance, these products are effectively blocked from the Indian market.
The updated security requirements aim to safeguard users’ networks from cyber threats posed by CCTV cameras. They demand that devices do not contain hardcoded credentials or concealed backdoors, incorporate secure firmware and update mechanisms, utilize strong encryption for communications, and prevent tampering at the hardware and software levels.
In a parliamentary disclosure in 2021, it was revealed that approximately one million cameras installed in government facilities were from Chinese brands, sparking concerns about vulnerabilities and potential data transfers to foreign servers. Recent research by Tel Aviv-based security firm Check Point highlighted numerous hacking attempts targeting consumer-grade security cameras across the Middle East during the Iran–US conflict.
Allegedly, Iran’s military sought to exploit civilian surveillance cameras for target acquisition, attack planning, and damage assessment during retaliatory actions against US and Israeli strikes in the region. Reports have also surfaced indicating that the Israeli military, in collaboration with the Central Intelligence Agency, accessed Tehran’s traffic cameras to pinpoint an airstrike that led to the demise of Iran’s supreme leader, Ali Khamenei.
Furthermore, Russia and Ukraine have accused each other of hacking consumer surveillance cameras to monitor troop movements and facilitate strikes. These security threats are seen as genuine concerns that could pose challenges for India, as evidenced by recent arrests of individuals accused of spying on critical installations in the country.
India is not alone in imposing stricter regulations on CCTV devices, with the United States, United Kingdom, and Australia already implementing restrictions on Chinese-manufactured surveillance equipment. The Indian government has mandated testing for CCTV equipment supplied to government entities since June 2024, requiring features like tamper-proof enclosures, robust malware detection systems, and encryption.
Manufacturers must conduct source code testing using software tools and furnish reports to government labs. If proprietary communication protocols are used instead of standard technologies like Wi-Fi, authorities can demand access to the source code. The updated regulations authorize Indian officials to visit overseas manufacturers and inspect facilities for potential cyber vulnerabilities.
These measures, affecting all such devices sold in the country, do not impact local manufacturers. The government’s goal with these amendments is to extend the security requirements to cover all interconnected devices marketed in India, emphasizing the importance of enhancing cybersecurity standards in the burgeoning IoT landscape.