In 2019, Chinese-owned smartphone and telecommunications company Huawei Technologies was accused of cyber-espionage when reports of a Huawei smartphone, handset, and its Chinese 5G network equipment were allegedly transmitting sensitive data from its users back to China. This led multiple countries such as the United States and New Zealand to block business activities with Huawei, ZTE, and other Chinese telecommunications companies.

These allegations were seemingly debunked in 2019 when German and British intelligence agencies examined 5G Chinese technology and found no evidence of spyware or anything that could transmit user data back to the Communists in Beijing. However, allegations of backdoor exploitation of the technology in 2020 would soon stir up the topic of espionage and data leaks again when it was found that a Huawei data center in New Guinea used out of date encryption software that would be easy to breach(by China) without setting off alarms inside the company. Huawei could plausibly deny ‘giving’ information to the Communist government in this way.As a result, the United Kingdom banned Huawei’s 5G technology and reported that it would strip all Huawei equipment from British telecoms by 2025. The United States would also place export restrictions on Huawei and would ban any American company or individual from owning shares from Huawei.

Huawei Ottawa Research & Development Centre. (Raysonho @ Open Grid Scheduler / Scalable Grid Engine, CC0, via Wikimedia Commons)

Well, it turns out the Chinese aren’t done with us yet.

In a 2021 letter addressed to US Department of Commerce Secretary Gina Raimondo from US Senator Chris Van Hollen, it was discovered that the Telecommunications Industry Association investigated Chinese-owned Yealink and found several security threats that could be detrimental to US users’ security.

For those of you who aren’t aware of Yealink, it’s a Chinese company that specializes in communications and video conferencing. One of its products is desk phones used all over the United States, from private companies, schools, and, you guessed it – government agencies.

In an assessment of the Yealink T54W IP Business Phone and Yealink’s Device Management Platform (YDMP) done by Chain Security, the phones were quite the industry-standard communication mediums, except for a few notable observations.

Yealink SIP-T54W Prime Business Phone (Yealink website)

First, they determined that the YDMP Service Agreement requires users to accept the laws of China and arbitration of disputes in Xiamen province. Telecommunication laws in China also allow the monitoring of users when deemed necessary by the Chinese Government when it involves “national interest.” Chinese companies also operate under a blanket national security law that requires them to turn over to the government any information it requests and to cooperate with the government in matters of national security.

Second, they found that the T54W had poor security behavior, where data exchanges were happening every time the phone would reboot. The phone allegedly would send an encrypted message to a Chinese server and receive another encrypted message in return. These were all happening without the user’s knowledge.