CTT’s Roslyn Layton: New Pentagon report shows how restricted Chinese IT products routinely make their way into US military networks

The IG audit shows that the US Army and Air Force purchased thousands of products already flagged as security risks. They include over 8,000 printers from Lexmark, a company the report notes has “connections to Chinese military, nuclear, and cyberespionage programs. The National Vulnerabilities Database lists 20 cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer. These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network.”

The report further highlights the purchase of 117 GoPro Action cameras with “vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams. By exploiting these vulnerabilities, a malicious actor could view the video stream, start recording, or take pictures without the user’s knowledge.” It also notes the purchase of 1,573 Lenovo laptops. Lenovo products have been banned, investigated or deemed vulnerable by the State Department in 2006, the Department of Homeland Security in 2015, the Joint Chiefs of Staff Intelligence Directorate in 2016, and the DoD Information Network in 2018.