4 Factors Ensuring Information Security for IP Cameras in Vietnam

On December 31, 2024, the Ministry of Information and Communications (now under the Ministry of Science and Technology) promulgated QCVN 135:2024/BTTTT – Basic information security requirements for Internet Protocol surveillance cameras. The regulation was developed to establish a solid protective barrier, minimizing risks and inherent security vulnerabilities in IP cameras, thereby protecting cyber safety and security for users and contributing to the reinforcement of national cyberspace.

The following article has been organized by Phuc Gia® into 4 factors ensuring Information Security for IP Cameras in Vietnam to clarify the impact and significance of each group of regulations within QCVN 135:2024/BTTTT.

I. The Importance of Promulgating QCVN 135:2024/BTTTT

History has witnessed large-scale attacks such as the Mirai botnet, which exploited hundreds of thousands of IoT devices, including cameras, by using manufacturer default passwords. Such incidents demonstrate risks ranging from hackers gaining control of devices, unauthorized surveillance, and the theft of sensitive data to devices being exploited as part of large-scale attack networks.

In that context, the promulgation of QCVN 135:2024/BTTTT aims to establish a specific legal framework, protecting the interests of users, businesses, critical infrastructure, and cyberspace safety. This regulation serves as a quality filter, creating a legal and technical foundation to enhance the safety of camera products that are manufactured, imported, and circulated on the Vietnamese market.

II. 4 Factors Ensuring Information Security for IP Cameras in Vietnam

Phuc Gia® has systematically organized the 11 groups of technical requirements of QCVN 135:2024/BTTTT into 4 factors ensuring Information Security for IP Cameras in Vietnam to clarify the content, impact, and significance of each group of regulations.

1. Authentication and Access Management

This is the first layer of protection, aiming to ensure that only valid users have the right to access and configure the device. The main technical requirements in this section include:

  • Initialization of Unique Passwords (Sections 2.1.1 & 2.1.2): One of the most fundamental regulations is the requirement that each camera device must have a unique initial password or force the user to set a password upon first use. This regulation directly addresses the critical vulnerability of using default passwords (e.g., admin/admin) across a range of devices, which has been the “gateway” for botnets like Mirai.
  • Secure Authentication Mechanisms (Section 2.1.3): Devices must use secure cryptographic mechanisms appropriate for current technology to protect the authentication process. This prevents risks of eavesdropping or theft of login credentials during transmission.
  • Credential Change Management (Section 2.1.4): The standard mandates that devices must provide a simple, easy-to-use interface so that users or administrators can change passwords and other credentials at any time, granting control to the user.
  • Anti-Brute Force Protection (Section 2.1.5): Devices must be equipped with mechanisms to resist brute-force attacks, such as temporarily locking the account after a certain number of failed login attempts. This mechanism helps protect user accounts from automated password-guessing software.

Authentication and access management is the first and most basic defense layer for any network-connected device. This factor ensures that only legitimate users have the right to access, view data, and change the camera’s configuration. Tightening access management according to the above requirements creates a solid security foundation, thereby paving the way for deeper layers of protection during the device’s operation.
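The first-use password setup (Sections 2.1.1 & 2.1.2) and the temporary lockout (Section 2.1.5) described above can be sketched as one login gate. This is an added example, not code from the regulation or from Phuc Gia®; the `CameraAuth` class, the threshold of 5 failures, the 300-second lock, and the sample guesses are all assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5       # assumed threshold; the page gives no number
LOCKOUT_SECONDS = 300  # assumed lock duration

class CameraAuth:
    """Hypothetical admin-login gate for a camera's web interface."""
    def __init__(self, clock):
        self.clock = clock       # injected time source, so lockout is testable
        self.salt = b""
        self.pw_hash = None      # None: device ships with no default password
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_initial_password(self, password):
        if self.pw_hash is not None:
            return "already-initialized"   # first-use setup runs exactly once
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        return "ok"

    def login(self, password):
        now = self.clock()
        if self.pw_hash is None:
            return "setup-required"        # nothing to guess before setup
        if now < self.locked_until:
            return "locked"                # refused without checking the password
        if hmac.compare_digest(self._hash(password), self.pw_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:  # keep counting: a miss after expiry re-locks
            self.locked_until = now + LOCKOUT_SECONDS
        return "denied"

def simulate(guesses, step_seconds=1.0):
    # Replays constructed guesses against a fresh device; returns each outcome.
    t = [0.0]
    auth = CameraAuth(lambda: t[0])
    out = [auth.login("admin")]            # attempted before first-use setup
    auth.set_initial_password("Correct-Horse-42")
    for guess in guesses:
        t[0] += step_seconds
        out.append(auth.login(guess))
    return out
```

Once the lock is active, even the correct password is refused until it expires, so an automated guesser learns nothing during the lock window.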

2. Operational Security Management

The operational security management factor focuses on ensuring that the device maintains a secure state throughout its operation through vulnerability management mechanisms, software updates, and attack surface control. The central technical requirements include:

  • Vulnerability Management and Disclosure (Section 2.2): Manufacturers must publicly disclose their vulnerability handling policy, including contact information so that users or researchers can report issues, and commitments regarding response and remediation times. This promotes transparency and responsibility, ensuring vulnerabilities are fixed promptly.
  • Software Update Management (Section 2.3): Devices must have a mechanism that allows users to update software simply and securely, which may include automatic update features. Updates are vital for patching newly discovered security flaws, and simplifying this process encourages users to perform them more frequently.
  • Disclosure of Support Period (Section 2.3.6): QCVN 135:2024/BTTTT requires manufacturers to “disclose the warranty support period for each type of camera device.” This is a critical regulation, forcing manufacturers to be transparent about the product support lifecycle and ensuring users know exactly how long their devices will receive security patches. This regulation helps prevent the market from being flooded with devices that are quickly “abandoned” by manufacturers, becoming permanent security risks.
  • Secure Communication Channel Management (Section 2.5): All communication channels, especially when used to change important security-related configurations (such as changing passwords or network configurations), must be established securely using appropriate cryptographic mechanisms.
  • Anti-Attack via Interfaces (Section 2.6): The standard requires disabling all interfaces unnecessary for normal user operation, including network ports, logical interfaces, and physical interfaces (debug ports). This helps narrow the “attack surface,” giving hackers fewer options to infiltrate the device.
  • Input Data Validation (Section 2.10): The camera software must check and validate all data received from users or from Application Programming Interfaces (APIs). This helps prevent a range of common attacks such as SQL injection or command injection, which exploit invalid input data to execute malicious code.

Strictly ensuring operational security helps camera devices remain secure not only at the time of manufacture but also maintain that secure state against constantly evolving threats in cyberspace.
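The input validation requirement (Section 2.10) is easiest to meet with an allowlist: every field a settings API accepts has its own validator, and anything else is refused before it can reach a database query or a system command. This is an added example, not code from the regulation; the field names `ntp_server`, `rtsp_port` and `device_name` and the schema are hypothetical.

```python
import ipaddress
import re

# One label of a DNS name: letters, digits, inner hyphens, at most 63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def valid_host(value):
    """Accept an IP literal or a plain DNS name, nothing else."""
    if not isinstance(value, str) or not 1 <= len(value) <= 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return all(_LABEL.fullmatch(part) for part in value.split("."))

def valid_port(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535

def valid_name(value):
    return isinstance(value, str) and re.fullmatch(r"[A-Za-z0-9 _-]{1,32}", value) is not None

# Hypothetical settings schema: field name -> validator. Unknown fields are refused.
SCHEMA = {"ntp_server": valid_host, "rtsp_port": valid_port, "device_name": valid_name}

def validate_settings(payload):
    """Return (clean, errors); the caller applies `clean` only when errors is empty."""
    if not isinstance(payload, dict):
        return {}, ["payload must be an object"]
    clean, errors = {}, []
    for key, value in payload.items():
        check = SCHEMA.get(key)
        if check is None:
            errors.append(f"unknown field: {key}")
        elif not check(value):
            errors.append(f"invalid value for {key}")
        else:
            clean[key] = value
    return clean, errors
```

Validation of this kind complements, and does not replace, passing values to the operating system as argument lists and to the database as bound parameters.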

3. Data Protection and Privacy

Image and audio data collected by cameras belong to the sensitive data group, which can directly impact the privacy of individuals and organizations. Therefore, QCVN 135:2024/BTTTT has set strict requirements to ensure that data is encrypted, stored safely, and that users have full control over their personal information. The main technical requirements include:

  • Secure Storage of Sensitive Parameters (Section 2.4): Important information such as cryptographic keys and unique device identifiers must be stored securely and protected against unauthorized access or modification.
  • User Data Protection (Section 2.7): Sensitive user data, when transmitted between the camera and linked services (such as cloud servers), must be protected by appropriate encryption mechanisms to prevent eavesdropping.
  • Data Deletion on Device (Section 2.9): The device must provide a function that allows users to securely wipe personal data stored on the camera, ensuring that the data cannot be recovered.
  • On-Device Data Protection (Section 2.11): Manufacturers must be completely transparent about the purpose and methods of collecting and processing personal data. More importantly, the device must have a mechanism to obtain explicit consent from the user before proceeding with the collection and processing of their data.
  • Requirements for Data Storage in Vietnam (Section 2.11.5): This is one of the most strategic requirements of the standard. Section 2.11.5 stipulates: “Camera devices must have a function allowing the configuration for data storage in Vietnam.” This requirement is of particular importance to national data security, helping to ensure that the sensitive data of Vietnamese users, organizations, and state agencies is managed and protected within the territory, complying with Vietnamese law and creating favorable conditions for the management and inspection work of functional agencies when necessary.

Data protection is not only a technical requirement but also a commitment to respecting the privacy rights of citizens—a core element in building trust in the digital age.

4. Security Enhancement and Resilience

In addition to the requirements for security and data protection, QCVN 135:2024/BTTTT also sets requirements to ensure that devices operate stably and have the ability to recover after incidents. This is an important factor for maintaining the continuity of the surveillance system in actual operation. The main technical requirements include:

  • Automatic Recovery After Incidents (Section 2.8.1): The device must have a mechanism to automatically restore normal operation after a power outage or temporary loss of network connection.
  • Maintenance of Internal Functions During Network Loss (Section 2.8.2): When the Internet connection is lost, the internal functions of the camera (e.g., recording to a memory card) must still operate normally, ensuring no loss of important surveillance data.
  • Stable Connection Restoration (Section 2.8.3): When the network connection is re-established, the device must be able to restore the connection stably and sequentially, avoiding instability for the network system.

These requirements ensure that the camera surveillance system is not only secure but also highly reliable, meeting the requirements for continuous operation in various environments.

III. Implementation Roadmap for QCVN 135:2024/BTTTT

To ensure that the regulation is implemented effectively and synchronously, Circular No. 21/2024/TT-BTTTT, which took effect on February 15, 2025, stipulates the implementation roadmap for QCVN 135:2024/BTTTT regarding IP Cameras as follows:

  • From February 15, 2025: QCVN 135:2024/BTTTT is applied voluntarily for measurement, testing, certification of conformity, and declaration of conformity activities for camera devices.
  • From January 01, 2026: All Internet Protocol surveillance camera devices manufactured domestically or imported into Vietnam are required to fully meet the requirements of this regulation before being permitted to circulate on the Vietnamese market.

Vietnamese and foreign organizations and individuals involved in the production, importation, and trading of surveillance camera devices are responsible for strictly complying with the provided roadmap. Compliance is not only a legal obligation but also a condition to ensure consistency in management, contributing to the control of information security risks and maintaining a transparent and stable business environment.

QCVN 135:2024/BTTTT marks a significant step forward in building a solid legal corridor for managing the information security quality of surveillance camera devices. The regulation sets specific requirements ranging from risk control at the design stage and protecting user data to ensuring stable operation when incidents occur. Full compliance with the standard not only helps businesses reduce legal and technical risks but also contributes to building a safer, more transparent, and sustainable IP camera market.

For more details, please contact us at:

PHUC GIA LABORATORY CORPORATION

PHUC GIA CERTIFICATION CENTER

PHUC GIA INSPECTION TESTING CENTER

Hotline: 0965996696 / 0982996696 / 02477796696

E-mail: lab@phucgia.com.vn / cert@phucgia.com.vn / info@phucgia.com.vn

Website: phucgia.com.vn

Working time: Monday to Friday 8:00 – 18:30; Saturday 8:00 – 12:00