There will be a lot of that around here. We LOVE *Made in America*; unfortunately, not a lot of electronics are made in the U.S.A. We do have some experience with *aftermarket upgrades* here at home, and maybe that is what clued us in that we need to be extra careful with goods made overseas. It is safe to say that most countries engage in this sort of thing, so it does make sense for us to be careful.
At the same time, it is a free country, and you will undoubtedly find better pricing on non-NDAA-compliant equipment. The two biggest manufacturers of these products are Hikvision and Dahua, both of which are non-compliant and have enormous brands with huge market penetration. Beyond that, they have even bigger OEM divisions providing chips and internals, as well as complete generic systems with blank face plates just waiting for a logo from a reseller/partner.
There are big lists here and here of the OEM dealer names, but they are unlikely to be complete. If this is important to you, it is imperative that you get assurances from your distributor that the goods are indeed NDAA compliant. This will undoubtedly cost at least a little extra, as manufacturing in China is notoriously inexpensive and those savings get passed down. However, if there is even a remote chance your surveillance system (or components thereof) will need to certify compliance, you ought to give some thought to that risk.
My gut says that if there is back door access, or a remote access tool hidden Trojan horse style in the software or firmware, what does the perpetrator actually get? Certainly in the case of any kind of government building, or an area where a bad actor or government might want to peek at what is going on, sure, that makes sense. But when I think about the surveillance systems installed in Burger Kings, 7-Elevens, grocery stores and Krispy Kreme locations, I wonder: really?
Of course, having the ability to build a botnet, or just having a back door into all of these locations, may be useful; I am thinking data-wise: how busy are the cameras, what is the average amount of video data stored under X settings and Y conditions? Eh, who has the time and, more importantly, the bandwidth? I remember our security team at the beginning of the century noticing large data movements off of our network. We had 40 locations and 10 Mb fiber at HQ at the time. If you consider what the US did with regard to installing a Trojan horse on Cisco equipment bound for specific targets, that makes a lot of sense: discreet access, selective data exfiltration and, most importantly, control *over the routing equipment*, meaning the actor (not necessarily a bad one, if the actor is on your team) can mask the logs and tracking of traffic to an off-network location.
Now let's think about *stealing video data* on a system that has an assumed back door to an endpoint in China, or a jump point in the US. In any case, the data has to ride over the networking equipment at the location where the system is installed in order for the Trojan horse to be a Trojan at all. These days, networking equipment is pretty sophisticated and this sort of transgression is, well, pretty easy to spot... assuming you are looking for it. In practice that means putting the cameras on their own VLAN whose only permitted destination is the recorder, and having flow logs or egress rules that flag anything else. Suppose for a moment that the system is installed on a network here in the US, where bandwidth is at such a premium. Sorry, this is one of my pet peeves. The US put deregulation in place in 1996; I worked for an independent ISP in that era. Deregulation was supposed to spawn competition and a marketplace. It did, for a little while, but the big boys bought everyone up and now we have monopolies.
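What "looking for it" amounts to, as an added example that is not code from the original post: a camera should only ever talk to the recorder (and maybe a local time server), so any flow from the camera VLAN to another destination is worth a finding, whether it is a multi-megabyte upload or a 512-byte check-in. The camera VLAN (192.168.50.0/24), the recorder at 192.168.10.5, the NTP server at 192.168.10.2, the internal ranges and the flow-record format "timestamp src dst dst_port bytes" are all assumptions made for this illustration, and the flow lines are constructed, not real captures.

```python
"""Flag camera traffic that leaves the expected recording path.

Added example; not code from the original post. Everything below is an
assumption made for illustration: the camera VLAN 192.168.50.0/24, a
recorder (NVR) at 192.168.10.5 and an NTP server at 192.168.10.2 as the only
destinations a camera should ever talk to, and a simplified flow export
format of "timestamp src dst dst_port bytes" (constructed).
"""
import ipaddress
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed camera VLAN
ALLOWED_DESTS = {                                      # assumed permitted peers
    ipaddress.ip_address("192.168.10.5"),  # NVR / recorder (RTSP pull)
    ipaddress.ip_address("192.168.10.2"),  # local NTP
}
# Ranges treated as "inside the building"; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real captures). Fields:
# timestamp src dst dst_port bytes_from_src
FLOWS = [
    "2024-05-01T02:00:00 192.168.50.11 192.168.10.5 554 41230000",  # normal RTSP to NVR
    "2024-05-01T02:00:01 192.168.50.11 192.168.10.2 123 96",        # NTP, permitted
    "2024-05-01T02:00:02 192.168.50.12 192.168.10.5 554 39800000",  # normal RTSP to NVR
    "2024-05-01T02:05:00 192.168.50.12 203.0.113.7 443 120000000",  # camera pushing a lot outbound
    "2024-05-01T02:20:00 192.168.50.12 203.0.113.7 443 98000000",   # ...and again
    "2024-05-01T02:30:00 192.168.50.13 198.51.100.20 8000 512",     # tiny outbound: looks like a check-in
    "2024-05-01T02:31:00 192.168.50.13 192.168.20.44 445 2048",     # camera probing an internal host
    "2024-05-01T02:32:00 192.168.10.5 203.0.113.9 443 5000",        # NVR, not a camera: out of scope here
]


def parse_flow(line):
    """Split one constructed flow line into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "bytes": int(nbytes),
    }


def is_external(addr):
    """True if the address is outside every range we treat as internal."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious(lines, exfil_threshold=10_000_000):
    """Return one finding per (camera, unexpected destination) pair.

    A finding is raised for *any* destination outside ALLOWED_DESTS, because a
    512-byte check-in to a command-and-control host matters as much as a
    multi-megabyte upload; the byte total just tells you which kind it is.
    """
    totals = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["src"] not in CAMERA_NET:
            continue  # only cameras are in scope
        if f["dst"] in ALLOWED_DESTS:
            continue  # recorder and NTP are expected
        key = (str(f["src"]), str(f["dst"]))
        totals[key] += f["bytes"]
        ports[key].add(f["port"])

    findings = []
    for (src, dst), nbytes in sorted(totals.items()):
        findings.append({
            "src": src,
            "dst": dst,
            "bytes": nbytes,
            "ports": sorted(ports[(src, dst)]),
            "external": is_external(ipaddress.ip_address(dst)),
            "exfil_sized": nbytes >= exfil_threshold,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(FLOWS):
        kind = "bulk upload" if f["exfil_sized"] else "low-volume contact"
        where = "external" if f["external"] else "internal"
        print(f"{f['src']} -> {f['dst']} ports={f['ports']} "
              f"bytes={f['bytes']} ({where}, {kind})")
```

On real gear the input would be NetFlow/IPFIX or firewall logs rather than the constructed lines above, but the check is the same: a strict allow-list of destinations for the camera VLAN, with every miss reported. The byte threshold only sorts findings into "bulk upload" versus "quiet contact"; it never suppresses one, since the quiet contact is how a hidden remote-access tool would phone home before any video ever moved.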