In 2019, Chinese-owned smartphone and telecommunications company Huawei Technologies was accused of cyber-espionage following reports that a Huawei smartphone, handset, and its Chinese 5G network equipment were allegedly transmitting sensitive data from its users back to China. This led multiple countries such as the United States and New Zealand to block business activities with Huawei, ZTE, and other Chinese telecommunications companies.
These allegations were seemingly debunked in 2019 when German and British intelligence agencies examined Chinese 5G technology and found no evidence of spyware or anything that could transmit user data back to the Communists in Beijing. However, allegations of backdoor exploitation of the technology in 2020 would soon stir up the topic of espionage and data leaks again when it was found that a Huawei data center in New Guinea used out-of-date encryption software that would be easy to breach (by China) without setting off alarms inside the company. Huawei could plausibly deny ‘giving’ information to the Communist government in this way. As a result, the United Kingdom banned Huawei’s 5G technology and reported that it would strip all Huawei equipment from British telecoms by 2025. The United States would also place export restrictions on Huawei and would ban any American company or individual from owning shares in Huawei.
Well, it turns out the Chinese aren’t done with us yet.
In a 2021 letter addressed to US Department of Commerce Secretary Gina Raimondo from US Senator Chris Van Hollen, it was discovered that the Telecommunications Industry Association investigated Chinese-owned Yealink and found several security threats that could be detrimental to US users’ security.
For those of you who aren’t aware of Yealink, it’s a Chinese company that specializes in communications and video conferencing. Its products include desk phones used all over the United States by private companies, schools, and, you guessed it – government agencies.
In an assessment of the Yealink T54W IP Business Phone and Yealink’s Device Management Platform (YDMP) done by Chain Security, the phones were found to be fairly industry-standard communication devices, except for a few notable observations.
First, they determined that the YDMP Service Agreement requires users to accept the laws of China and arbitration of disputes in Xiamen province. Telecommunication laws in China also allow the monitoring of users when deemed necessary by the Chinese Government when it involves “national interest.” Chinese companies also operate under a blanket national security law that requires them to turn over to the government any information it requests and to cooperate with the government in matters of national security.
Second, they found that the T54W showed poor security behavior: a data exchange took place every time the phone rebooted. The phone allegedly would send an encrypted message to a Chinese server and receive another encrypted message in return. All of this happened without the user’s knowledge.
Third, they also discovered that the phones in question were “highly susceptible to unauthorized remote access,” which could be used for a cyberattack. The T54W was said to be configured to accept digital certificates from China. Interestingly, one of these certificate authorities was blocked by Google due to initiating Man-In-The-Middle (MITM) attacks. In a conflict between the U.S. and China, the Communists could shut down telecommunications using these devices in an instant.
Moreover, the phone also does not use digital certificates to prevent unwanted changes to its software. This means that an unauthorized third party could possibly load a program or software to initiate an attack on its users.
Lastly, they determined that Yealink had deep connections with the Chinese Government, where the Xiamen City and Party Committee gave funding to Yealink. An engineering executive at Yealink, Mr. Yang Gui, was said to be an Expert Committee Member of the China Ministry of Science and Technology (MOST). The company is also part of the Thousand Talents Program (TTP), which allegedly used foreign scientists to advance military technology, and was accused of illicit transfer of US technology and intellectual property to China in 2018.
Only time will tell what action the US Government will take against the lesser-known Chinese company Yealink and its line of phones. While there is evidence that these phones can be used for illicit transfers of personal data, no hard evidence has yet arisen apart from the aforementioned test.