Two weeks ago, ZDNet compiled a list of “The scariest hacks and vulnerabilities of 2019.” The comprehensive list documented 100+ incidents from the past year, a year the outlet described as “a disaster in terms of cybersecurity news.” Not surprisingly, several incidents involving Chinese products, companies and the government made the list. As the holiday season approaches, consumers must make informed decisions about the products they purchase for themselves, family members and friends, so they can adequately protect their privacy and personal data.
The “hacks and vulnerabilities” on the list included unsecure government servers, aggressive actions by foreign adversaries, firmware/malware/bugs installed in various devices and protocol and supply chain attacks by individuals and groups. Some of these examples involved Chinese actors exploiting hardware and software to steal data and perform surveillance.
A report emerged early in the year that SenseNets, a Chinese government contractor, used facial recognition technology and “trackers” to build a database on and follow the movements of over 2.5 million people, nearly all of whom were located in China’s Xinjiang province, where China’s Uyghur Muslim population resides. This minority group has been subject to severe persecution in recent years. Previous reports highlighted how the communist government forced Uyhgurs to use phones with spyware installed. Ironically, it was a security breach in SenseNets that exposed this surveillance to the public.
In June, Germany’s cyber agencies found a backdoor in Doogee BL7000, M-Horse Pure 1, Keecoo P11 and VKworld Mix Plus phones – all cheap, Chinese smartphones. The malware running on the phone enabled the collection of data and then “ping” its command server. Also in June, researchers at Cybereason exposed how hackers broke into 10 telecommunications companies to steal phone records and hundreds of gigabytes of data. They surmised the effort, dubbed Operation Soft Cell, was a state-sponsored effort by the Chinese government and likely tied to the hacking group APT10.
ZDNet also noted the Department of Defense Inspector General report that criticized the military’s purchases of equipment from Lexmark and Lenovo, both Chinese companies. CTT has amplified this report among policymakers in recent months. It bears remembering that China’s National Intelligence Law compels Chinese companies to provide unmitigated intelligence to the government. Poor or nonexistent security safeguards enable the collection of stolen data not only by unauthorized third parties, but also the Chinese Communist Party.
As new consumer products proliferate, so will the threats. While they cannot stop the actions of a government-backed hacking operation, shoppers should at minimum avoid purchasing products that have a history of exposing and failing to protect personal information.