AT&T has cancelled its deal with Huawei over US government concerns that the Chinese company’s Mate 10 smartphone might be used to spy on Americans. American lawmakers wrote to the FTC expressing alarm about the deal due to Huawei’s alleged ties to the Chinese government.
This is a welcome step for those who take cybersecurity seriously. The move should also prompt an important question: What about the security risks potentially borne by hundreds of millions of other Chinese-made electronic devices in the United States?
It’s likely that every major Chinese electronics manufacturer has close ties to the Chinese government and, by extension, its espionage service. It’s time to take a hard look at our vulnerability to possible cyberthreats built into technology manufactured by one of our global strategic adversaries.
Assessing cyberthreats is an exercise in informed speculation and scenario building. While it’s impossible to state with certainty that all electronics built in China contain security threats, there’s evidence to suggest the risks are real. We know that China is behind many serious data breaches and suspect it of such brazen acts as stealing the digital plans for the F-35 fighter jet and making an identical copy.
Chinese manufacturers make the vast majority of electronic devices and sub-components used in American homes, businesses and government agencies. Given their ambiguous relationship with the US, why wouldn’t the Chinese government try to infiltrate American life after having been invited in by our electronics firms?
Potential cyberthreats could be lurking in both the hardware and software of Chinese-made devices. Processor chips are suspected of containing malware embedded into the “firmware,” or silicon itself. Malware locked into the silicon is extremely difficult to detect, and it can be configured to grant “root” access to a malicious actor. Concerns about compromised firmware are serious enough that some firms, like Hewlett Packard Enterprise, have decided to secure their processor chip supply chains to ensure hardware security.
Software inside Chinese-made devices may also be compromised. The problem arises from the way software is created. While an app or an operating system might appear to be a seamless whole, it is usually a composite made up of multiple pieces of code developed by different teams—many of which are located in unfriendly nations. For instance, Gizmodo recently reported that Russian software code was found secretly embedded in French software used by the TSA for biometrics. This revelation caused concern that Russia could illegally access millions of American biometric records like fingerprints.
The choreography of multiple code elements makes the device work, but it also causes electronic devices to emit signals that baffle their very makers. If the people who built the device don’t know why it’s sending out a given electronic signal, it’s definitely possible for the device to record and send personal information to malicious actors.
With malware on board, our smartphones, smart thermostats, in-home shopping listening devices, cars and PCs could eavesdrop on us and transmit our private information without detection. This might seem paranoid, but remember that hackers exported thousands of emails out of Sony Pictures without anyone even noticing.
The Chinese government can spy on us with relative ease through electronic devices and components that American companies sell to the American public. They may or may not be doing so, but the reality at this moment is that we have no idea what they’re doing. The time has come to be more diligent in analyzing potential security risks built into devices made in China.