Are smartphones made in China trying to spy on us? Top U.S. security officials and the Department of Defense (DoD) think it’s possible, prompting a ban on the sale of Chinese smartphones at military base exchanges worldwide.
All Huawei and ZTE cellphones, personal mobile Internet modems, and related products will no longer be sold by concessions at military locations worldwide, according to a mandate by the DoD’s undersecretary for personnel and readiness, DoD spokesman Maj. Dave Eastburn told Stars and Stripes, a military news source.
The U.S. military enacted the ban after TKS, an Army and Air Force Exchange Service concessionary and subsidiary of Vodafone, began selling Huawei phones at military base exchange facilities across Germany.
“Given the security concerns associated with these devices, as expressed by senior U.S. intelligence officials, it was not prudent for the department’s exchange services to continue selling these products to our personnel,” he wrote in an e-mail, according to the news outlet.
Eastburn also said that the DoD is evaluating the situation to see if the military needs to take further action to protect the security and privacy of its personnel. Those actions could include a ban on any use of mobile devices by active members of military service on bases around the world, he said, according to the publication.
China’s cyber espionage tools?
Officials have good reason to be concerned about the security of mobile devices on base, especially those from Chinese manufacturers. In February, U.S. intelligence directors testified before a U.S. Senate committee that people in the United States should refrain from buying Huawei or ZTE smartphones because of security concerns.
The director of national intelligence and the heads of the CIA, FBI, National Security Agency, Defense Intelligence Agency and National Geospatial-Intelligence Agency testified that Americans should be particularly wary of Huawei devices because of the company’s ties to the Chinese government.
Huawei–currently the world’s largest telecommunications company–was founded by a former People’s Liberation Army officer. U.S. officials believe that the company remains closely linked to the communist regime.
“We’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks,” FBI Director Chris Wray said in testimony before the Senate in February. He said that the devices allow China to covertly collect sensitive information from both corporate and military users and pose a security threat.
“That provides the capacity to exert pressure or control over our telecommunications infrastructure,” Wray testified. “It provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage.”
Links between China-based firms and dodgy mobile phone activity are plentiful. The Federal Trade Commission (FTC) last week gave Florida-based mobile device maker BLU a stinging slap on the wrist over charges it allowed a Chinese partner to collect detailed personal customer information from some of its devices without authorization or consent.
Government threats, government action
The FTC plans to monitor a mandated data-security program at BLU. BLU was using firmware from Shanghai-based company ADUPS Technology Co. Ltd. on its devices to issue security and OS updates, and that firmware also was found to be collecting personal information and transferring it to servers in China at regular, 72-hour intervals.
Customer data collected and sent to ADUPS Technology servers in China included the full content of consumers’ text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on BLU devices.
China also poses threats to the U.S. government through its supply chain, which provides a back door into U.S. products and services that could be manipulated for Chinese state interests, according to a recent report published by the U.S. China Commission and undertaken by Interos Solutions.
The report found that China has a number of strategic relationships with U.S. tech companies, including VMware, Dell and Microsoft, through partnerships with Chinese state-owned enterprises that have ties to China’s military, nuclear, or cyber-espionage programs. These relationships are putting the U.S. government at risk through the potential to use U.S. products from these companies for cyber espionage, the report found.
Other holes in the security landscape
China also is poking holes in the U.S. security landscape through other activities. The country has shown a lack of integrity in how it reports critical vulnerabilities in its national vulnerability database. The Chinese government has attempted to cover up inexplicable delays in public reporting of high-risk software security holes by changing the vulnerability publication dates in its national vulnerability database so they match those in the U.S. database, a recent report by Recorded Future found.
The cover-up shows China’s intent to hide vulnerabilities so the government can figure out how to exploit them before stakeholders have a chance to react. It also could pose liability issues for companies that rely on the Chinese vulnerability database for vulnerability data.
Cyber espionage from China isn’t the only threat the military faces from its personnel’s use of mobile devices. Because of the increased connectivity of devices thanks to the Internet of Things, military cell-phone users also are exposing themselves and the military to over-the-air risks and vulnerabilities.
This scenario played out earlier this year when heatmaps from the fitness app Strava were shown to reveal the location of military bases. Soon after this revelation, a Norwegian journalist went one step further, fooling Strava into revealing the names of some of the soldiers and other personnel on those bases. The hack showed how easily sensitive data can be leaked from these types of apps, something particularly critical when dealing with military personnel and U.S. military interests. Mobile threats, including mobile-phone-based malware, are also on the rise, leading to increased risks that mobile phone users will be targeted with attacks.