{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,27]],"date-time":"2025-11-27T08:56:28Z","timestamp":1764233788060,"version":"3.46.0"},"reference-count":54,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,11,27]],"date-time":"2025-11-27T00:00:00Z","timestamp":1764201600000},"content-version":"vor","delay-in-days":330,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Artificial Intelligence and Cyber Futures Center"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Internet of Things (IoT) devices used on a wide scale are currently underregulated in Australia. Installing IoT devices on private property can lead to data security issues if targeted. In key locations like government buildings, the risk of surveillance increases. This research article addresses the recent national security concerns regarding China-made IoT CCTVs in Australia that had few technical evaluations of the cameras before their removal. This two-stage interdisciplinary research article proceeds in the following steps: first, by using the Common Vulnerability Scoring System (CVSS) framework, we assess the vulnerabilities of three IoT CCTV providers\u2014Hikvision, Dahua, and Avigilon\u2014that have been installed on Commonwealth government buildings and, second, we evaluate those findings against Australia\u2019s existing IoT CCTV regulation frameworks. We detect vulnerabilities in all three systems, although there are no High or Critical vulnerabilities in Avigilon devices when compared to Hikvision and Dahua. We also find that the current Australian regulations simultaneously overlap and do not sufficiently cover the existing cyber-vulnerabilities. 
The overlapping security frameworks, guidelines, and regulations address organizational cyber-hygiene and environmental security. Technical cybersecurity frameworks, however, are currently available only for select Commonwealth Government agencies on demand and are classified, excluding guidance for industry actors and state governments. We conclude that unified and mandatory cybersecurity guidelines would benefit the clarity of IoT CCTV systems and support the consumer benefit.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf039","type":"journal-article","created":{"date-parts":[[2025,11,10]],"date-time":"2025-11-10T12:32:03Z","timestamp":1762777923000},"source":"Crossref","is-referenced-by-count":0,"title":["Cyber vulnerabilities and technical regulation of China-made CCTV IoT surveillance cameras in Australia"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2663-1834","authenticated-orcid":false,"given":"Ausma","family":"Bernot","sequence":"first","affiliation":[{"name":"School of Criminology and Criminal Justice, Griffith University , Southport, QLD 4215 ,","place":["Australia"]}]},{"given":"Muhammad Arif","family":"Khan","sequence":"additional","affiliation":[{"name":"School of Computing and Mathematics, Charles Sturt University , Wagga Wagga, NSW 2678 ,","place":["Australia"]}]},{"given":"Khurram","family":"Shahzad","sequence":"additional","affiliation":[{"name":"School of Computing and Mathematics, Charles Sturt University , Wagga Wagga, NSW 2678 ,","place":["Australia"]}]},{"given":"Mert","family":"Karakaya","sequence":"additional","affiliation":[{"name":"IPVM , 3713 Linden St, Suite B, Bethlehem, PA 18020 ,","place":["United States"]}]},{"given":"Conor","family":"Healy","sequence":"additional","affiliation":[{"name":"IPVM , 3713 Linden St, Suite B, Bethlehem, PA 18020 ,","place":["United 
States"]}]}],"member":"286","published-online":{"date-parts":[[2025,11,27]]},"reference":[{"key":"2025112703524913300_bib1","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1002\/poi3.285","article-title":"Consumer IoT and its under-regulation: findings from an Australian study","volume":"14","author":"Harkin","year":"2022","journal-title":"Pol Internet"},{"key":"2025112703524913300_bib2","doi-asserted-by":"publisher","first-page":"1039","DOI":"10.1177\/10778012231222486","article-title":"Considering the \u2018Internet of Things\u2019 for victim-survivors of domestic and family violence: anticipating exploitative use and encouraging safety-by-design","volume":"31","author":"Brown","year":"2024","journal-title":"Viol Against Wom"},{"key":"2025112703524913300_bib3","doi-asserted-by":"publisher","first-page":"380","DOI":"10.1080\/10357718.2023.2248915","article-title":"Understanding the risks of China-made CCTV surveillance cameras in Australia","volume":"77","author":"Smith","year":"2023","journal-title":"Austr J Int Aff"},{"key":"2025112703524913300_bib4","doi-asserted-by":"publisher","first-page":"121975","DOI":"10.1109\/ACCESS.2021.3109886","article-title":"A review of security standards and frameworks for IoT-based smart environments","volume":"9","author":"Karie","year":"2021","journal-title":"IEEE Access"},{"key":"2025112703524913300_bib5","doi-asserted-by":"publisher","first-page":"152351","DOI":"10.1109\/ACCESS.2020.3016937","article-title":"Security and privacy in the industrial internet of things: current standards and future challenges","volume":"8","author":"Gebremichael","year":"2020","journal-title":"IEEE Access"},{"key":"2025112703524913300_bib6","doi-asserted-by":"publisher","first-page":"39295","DOI":"10.1109\/ACCESS.2023.3268064","article-title":"Security and privacy for low power IoT devices on 5G and beyond networks: challenges and future directions","volume":"11","author":"Cook","year":"2023","journal-title":"IEEE 
Access"},{"key":"2025112703524913300_bib7","doi-asserted-by":"publisher","first-page":"102669","DOI":"10.1016\/j.cose.2022.102669","article-title":"IoT security certifications: challenges and potential approaches","volume":"116","author":"Cirne","year":"2022","journal-title":"Comput Secur"},{"key":"2025112703524913300_bib8","article-title":"Child pornography on sale from hacked Hikvision cameras using current Hik-Connect app","author":"IPVM","year":"2023"},{"key":"2025112703524913300_bib9","article-title":"List of equipment and services covered by Section 2 of the Secure Networks Act","author":"Federal Communications Commission","year":"2024"},{"key":"2025112703524913300_bib10","article-title":"Implementing the Secure Networks Act, Declaratory Ruling","author":"Federal Communications Commission","year":"2024"},{"key":"2025112703524913300_bib11","article-title":"Audit: Commonwealth Riddled by CCP Spyware","author":"Senator James Paterson website","year":"2023"},{"key":"2025112703524913300_bib12","article-title":"Cyber Security Incident Analysis and Reports","author":"National Cyber Security Centre","year":"2024"},{"key":"2025112703524913300_bib13","article-title":"Global locations report","author":"Hikvision and Dahua surveillance cameras","year":"2021"},{"key":"2025112703524913300_bib14","author":"Standards Australia"},{"key":"2025112703524913300_bib15","article-title":"Essential Eight","author":"Australian Cyber Security Centre"},{"key":"2025112703524913300_bib16","author":"Forum of Incident Response and Security Teams. 
CVSS\u2014Common Vulnerability Scoring System"},{"key":"2025112703524913300_bib17","doi-asserted-by":"publisher","first-page":"1176","DOI":"10.3390\/electronics12051176","article-title":"Analysis of consumer IoT device vulnerability quantification frameworks","volume":"12","author":"Baho","year":"2023","journal-title":"Electronics"},{"key":"2025112703524913300_bib18","article-title":"Mitre ATT&CK: Design and Philosophy","author":"Strom","year":"2018"},{"key":"2025112703524913300_bib19","author":"T. N. Security\u2014Nessus","year":"2024"},{"key":"2025112703524913300_bib20","doi-asserted-by":"publisher","first-page":"43586","DOI":"10.1109\/ACCESS.2018.2863244","article-title":"A graph-based security framework for securing industrial IoT networks from vulnerability exploitations","volume":"6","author":"George","year":"2018","journal-title":"IEEE Access"},{"key":"2025112703524913300_bib21","doi-asserted-by":"publisher","first-page":"8599","DOI":"10.1109\/ACCESS.2018.2805690","article-title":"A vulnerability assessment method in industrial internet of things based on attack graph and maximum flow","volume":"6","author":"Wang","year":"2018","journal-title":"IEEE Access"},{"key":"2025112703524913300_bib22","doi-asserted-by":"publisher","first-page":"101068","DOI":"10.1016\/j.pmcj.2019.101068","article-title":"Vulnerability-based risk assessment and mitigation strategies for edge devices in the Internet of Things","volume":"59","author":"George","year":"2019","journal-title":"Pervas Mob Comput"},{"key":"2025112703524913300_bib23","doi-asserted-by":"publisher","first-page":"2333","DOI":"10.1109\/TDSC.2021.3055559","article-title":"A game-theoretical approach for mitigating edge DDoS attack","volume":"19","author":"He","year":"2021","journal-title":"IEEE Trans Depend Secure Comput"},{"key":"2025112703524913300_bib24","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3381038","article-title":"A survey of IIoT protocols: a measure of vulnerability risk analysis 
based on CVSS","volume":"53","author":"Figueroa-Lorenzo","year":"2020","journal-title":"ACM Comput Surv"},{"key":"2025112703524913300_bib25","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/NTMS.2011.5720656","article-title":"Vulnerability discrimination using CVSS framework","volume-title":"Proceedings of the 2011 4th IFIP International Conference on New Technologies, Mobility and Security","author":"Gallon","year":"2011"},{"key":"2025112703524913300_bib26","article-title":"Chinese-made security cameras to be removed from Australian government buildings","author":"The Guardian","year":"2023"},{"key":"2025112703524913300_bib27","article-title":"Australia to remove Chinese surveillance cameras amid security fears","author":"BBC","year":"2023"},{"key":"2025112703524913300_bib28","author":"National Vulnerability Database"},{"key":"2025112703524913300_bib29","doi-asserted-by":"publisher","first-page":"1","DOI":"10.14722\/ndss.2017.23160","article-title":"Wireguard: next generation kernel network tunnel","author":"Donenfeld","year":"2017","journal-title":"Proceedings of the Network and Distributed System Security Symposium, NDSS 2017"},{"key":"2025112703524913300_bib30","author":"Kali Linux","year":"2024"},{"key":"2025112703524913300_bib31","author":"Wireshark","year":"2024"},{"key":"2025112703524913300_bib32","author":"Bettercap","year":"2024"},{"key":"2025112703524913300_bib33","author":"Real time streaming protocol (RTSP)","year":"2024"},{"key":"2025112703524913300_bib34","first-page":"163","article-title":"Vulnerability analysis of IP cameras using ARP poisoning","volume-title":"Proceedings of the\u00a08th International Conference on Soft Computing, Artificial Intelligence and Applications (SAI 2019)","author":"Doughty","year":"2019"},{"key":"2025112703524913300_bib35","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ISC255366.2022.9922377","article-title":"Deploying man-in-the-middle attack on IoT devices connected to long range wide area 
networks (LoRaWAN)","volume-title":"Proceedings of the\u00a02022 IEEE International Smart Cities Conference (ISC2)","author":"Olazabal","year":"2022"},{"key":"2025112703524913300_bib36","article-title":"Criteria for IP camera cybersecurity shootout explained","author":"Internet Protocol Video Market","year":"2024"},{"key":"2025112703524913300_bib37","article-title":"IP Camera cybersecurity rankings","author":"Internet Protocol Video Market","year":"2024"},{"key":"2025112703524913300_bib38","article-title":"NVD Database","author":"National Institute of Standards and Technology"},{"key":"2025112703524913300_bib39","article-title":"2023-2030 Australian Cybersecurity Strategy: legislative reforms; Engineers Australia\u2019s submission","author":"Engineers Australia","year":"2024"},{"key":"2025112703524913300_bib40","article-title":"Mandatory security standards and industry-led voluntary cyber","author":"Office of the National Cyber Security Adviser","year":"2023"},{"key":"2025112703524913300_bib41","author":"Australian Government Information Security Manual","year":"2024"},{"key":"2025112703524913300_bib42","article-title":"ASIO T4 protective security","author":"Australian Security Intelligence Organisation","year":"2024"},{"key":"2025112703524913300_bib43","author":"Protective Security Policy Framework","year":"2024"},{"key":"2025112703524913300_bib44","article-title":"IoT secure-by-design guidance for manufacturers","author":"Australian Signals Directorate","year":"2024"},{"key":"2025112703524913300_bib45","article-title":"Voluntary Code of Practice","author":"Home Affairs","year":"2025"},{"key":"2025112703524913300_bib46","article-title":"Cyber Resilience Act","author":"European Commission","year":"2024"},{"key":"2025112703524913300_bib47","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1093\/cybsec\/tyz005","article-title":"What security features and crime prevention advice is communicated in consumer IoT device manuals and support 
pages?","volume":"5","author":"Blythe","year":"2019","journal-title":"J Cybersecur"},{"key":"2025112703524913300_bib48","article-title":"Dahua backdoor uncovered","author":"IPVM","year":"2017"},{"key":"2025112703524913300_bib49","article-title":"Hikvision backdoor exploit","author":"IPVM","year":"2017"},{"key":"2025112703524913300_bib50","article-title":"News Coverage from Security Affairs: Over 80,000 Hikvision cameras can be easily hacked","author":"CYFIRMA","year":"2024"},{"key":"2025112703524913300_bib51","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1093\/cybsec\/tyab011","article-title":"Cybersecurity of consumer products against the background of the EU model of cyberspace protection","volume":"7","author":"Banasi\u0144ski","year":"2021","journal-title":"J Cybersecur"},{"key":"2025112703524913300_bib52","doi-asserted-by":"crossref","first-page":"362","DOI":"10.1007\/978-3-030-34339-2_20","article-title":"Defining a new composite cybersecurity rating scheme for SMEs in the U.K","volume-title":"Information Security Practice and Experience","author":"Rae","year":"2019"},{"key":"2025112703524913300_bib53","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3139937.3139938","article-title":"Systematically evaluating security and privacy for consumer IoT devices","volume-title":"Proceedings of the 2017 Workshop on Internet of Things Security and Privacy","author":"Loi","year":"2017"},{"key":"2025112703524913300_bib54","article-title":"FCC to consider implementing a voluntary cybersecurity labeling program for smart products","author":"DLA Piper","year":"2024"}],"container-title":["Journal of 
Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf039\/65562745\/tyaf039.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf039\/65562745\/tyaf039.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,27]],"date-time":"2025-11-27T08:52:53Z","timestamp":1764233573000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf039\/8345066"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":54,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf039","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf039"}}