In June, the U.S. Federal Communications Commission (FCC) with a bipartisan, unanimous vote began a proceeding on whether and how to restrict equipment which poses an unacceptable risk to national security per the Secure and Trusted Communications Networks Act of 2019. Despite significant policy to curtail this risk, the FCC approved 3000 equipment authorizations for Huawei alone since 2018. Most people don’t realize that they are at risk from intrusion from actors affiliated with the People’s Republic of China (PRC) when they use products and services like smartphones by Huawei and ZTE, video surveillance cameras by Hikvision and Dahua, and Hytera radios. This products are widely available on Amazon.com, Best Buy, and Walmart. This article highlights some of the comments from the proceeding.
Lenovo and YMTC are among hundreds which should be added to the FCC’s Covered List
Comments filed jointly by China Tech Threat with BluePath Labs, a leading consultancy providing research, analysis, disruptive technologies, and wargaming, described how the 2019 Secure and Trusted Networks Act directs the FCC to establish a “covered list” of entities and keep it up to date with a set of rules defining the relevant entities, technologies, and federal determinations. Given these parameters, there are likely dozens, if not hundreds, of PRC entities which meet the criteria, far more than the mere five on the FCC’s Covered List today: Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company.
The comments note that per the requirements of the Secure and Trusted Networks Acts, Lenovo and YMTC should be added to the FCC’s Covered List. Both these entities meet the technical and administrative criteria established by the Secure and Trusted Networks Act. Multiple US agencies have reported that traffic has been re-routed and re-directed on Lenovo equipment; DoD describes the security risk of the using this equipment and has restricted it internally. As a semiconductor fabricator, YMTC, which the White House called out in a recent report, can enable kill switches on chips which can cause remote disruption, if not shutdown, of a piece of equipment or network.
Astroturfing by Hikvision and Dahua
More than half of the comments submitted to the proceeding appear to be astroturfed by Hikvision and Dahua. An independent researcher of the video surveillance industry, IPVM, reported on Hikvision’s mass email campaign to its small & medium sized business customers, instructing them on how to comment (notably to tug the heartstrings and say that FCC efforts to promote security will impact their business, family and livelihood) and posting a submission deadline countdown clock on Hikvision website. Dahua performed a similar PR outreach.
IPVM also submitted to the proceeding, referring to ten years of research on Hikvision and Dahua. It documented how Hikvision devices can be compromised by hackers remotely and noting the risks to millions of devices, their deployment in US federal and military locations, and the subterfuge of relabeling devices under the American brand “Honeywell”. IPVM underscored the irony of the manufactured comments in support of Hikivision, while Hikvision itself just admitted to a critical vulnerability, a zero-click unauthenticated remote code execution which allows a potential hacker to take control of the device. This vulnerability puts some 100 million devices at risk. IPVM documents Hikvision’s declarations to being created and controlled by the PRC.
Originally Published by Forbes