Cleaning robots, smart speakers, driverless cars, and WiFi-connected kettles and refrigerators are convenient tools that make our everyday lives much easier.
But China’s presence in this burgeoning industry—known as IoT (internet of things)—could pose serious security risks to U.S. companies and consumers, according to a new report commissioned by the U.S.–China Economic and Security Review Commission, a congressional group that reviews issues concerning the U.S.–China relationship.
China has rapidly grown its IoT industry in recent years, with the country poised to become the world’s biggest market by the year 2022, according to market research firm MarketsandMarkets.
The Chinese IoT market stood at 1 trillion yuan (approx. $154 billion) in value in 2017, according to the report.
The 200-plus-page study outlined how the Chinese industry operates and the Chinese regime’s plans to dominate the global market—as well as the potential consequences for the United States should they succeed.
The report explained in great detail how the Chinese regime has prioritized development of IoT technology as an objective for its national interests and financially supported the domestic industry. These give Chinese IoT technology economic advantages that could allow it to spy on consumers, gain military innovations, and unfairly edge out U.S. IoT companies, according to the report.
China’s IoT industry is also being developed in conjunction with the Chinese military and government agencies in order to develop technology with defense and mass surveillance capabilities.
Since at least 2010, Beijing has issued directives mentioning the importance of IoT development. A 2011 article on a government website quoted Ministry of Finance officials explaining that IoT is critical to “achieving indigenously controlled technology and protecting national security.”
Since then, China has jump-started the industry to encompass most of the IoT supply chain from chips, devices, software, and operators. Major telecom giants Huawei and ZTE make the system equipment, for example, while state-owned firms like China Unicom and China Telecom are operators.
Furthermore, China has adopted the strategy of achieving a large market size in order to wield greater representation—and thereby, influence—over international standards bodies. This allows China to dictate its security standards, which, given current trends, often provide fewer security measures against unauthorized access, according to the report.
Becoming a standard-maker would also allow Chinese companies to profit more because they can “sell their products more broadly or earn royalties from licensing their standards-compliant patents to manufacturers that develop devices under that standard and other downstream companies,” the report said.
Notably, China’s domestic technical committees have direct ties with state security agencies. For example, one of the committee directors is an official within the Cyberspace Administration, which is responsible for internet censorship and monitoring. The report also names two research and development institutes belonging to China’s police apparatus—known as the Ministry of Public Security—as “prolific drafters of IoT standards.”
Naturally, this leads to the question of whether the Chinese regime could exploit IoT devices for its purposes.
“China is also actively researching IoT vulnerabilities, both for security purposes and almost certainly to collect intelligence, conduct network reconnaissance for cyberattacks, and enhance its domestic surveillance powers,” the report said bluntly.
Not only can Chinese companies access U.S. data from users who purchased Chinese-made devices, they can also buy up U.S. IoT companies and the data they possess—or buy U.S. data from a third-party vendor.
Beijing also has broad powers to demand companies operating in China hand over customer data—including American firms.
There have been numerous cases of Chinese companies making products that can be remotely accessed or were later found to be secretly collecting data and sending them to servers in China.
In 2017, for example, more than 175,000 IoT cameras around the world produced by Shenzhen Neo Electronics Co. Ltd. were found to be remotely accessible.
In 2013, Russian customs agents found Chinese-made kettles and irons containing WiFi chips that could search for unsecured WiFi networks and “phone home” to grant access.
Beyond that, Beijing has specified that the industry work together with the military and civilian government to conduct IoT research. One of the military applications that Chinese research institutes are studying is how to protect China’s military sensors from unauthorized access.
Another application is for networking the military’s space-air-ground attacks.
The state’s police apparatus is also using IoT computing to collect and manage large amounts data from police monitoring devices.
At the end, the report offered recommendations to the U.S. government to create trade measures that can prevent China from using their economic advantages to continue dominating the IoT market.