IoT device origin matters more than ever
Recently, British politicians called on the government to crack down on the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, which are already blacklisted by Washington. Not only did ministers criticize the state-owned companies as national security and cybersecurity threats, but they also brought into question their human rights record.
This story is not an outlier. From hard-coded admin passwords to “always-on” cloud features, cheap smart, connected devices built to limited privacy or regulatory standards – largely from the Asian superpower – have flooded the market over the past decade.
It’s clear that these connected devices pose major security risks to the public and private sectors. In this context, device buyers should consider where their devices come from and regional regulations. Let’s look at why the origin of connected devices today matters more than ever.
The problem with devices from China
The Internet of Things (IoT) has grown in leaps and bounds over the past decade. In fact, the number of connected devices produced and sold has increased 10 times since 2012, to more than 16 billion worldwide. Powered by smaller, cheaper, and more efficient components, most of this growth comes from Chinese companies. But Chinese connected tech is notorious for low cybersecurity standards (and the companies for not respecting human rights).
Case in point: Hikvision. Cameras from this state-owned video surveillance manufacturer and supplier proclaim advanced capabilities such as facial recognition, person tracking and gender identification. The company claims its cameras can even detect emotion. However, human rights groups flag that the technology is abused for ethnic profiling of Uyghurs and other groups in Xinjiang. Meanwhile, Hikvision’s state ownership raises additional data storage and retention questions.
And then there are the cybersecurity vulnerabilities. In the past, hackers have successfully exploited internet-exposed ports on Hikvision cameras to gain access without a username or password. Once inside, a remote attacker can use that foothold to explore the entirety of the victim’s network.
Despite owning about 40% of the global surveillance camera market, Hikvision is increasingly blacklisted by Western governments for the above issues. In August, New Zealand joined the United States in banning equipment from the company. Around the same time, more than 60 parliament members across the United Kingdom called for a public sector ban. Minister David Davis called the devices “invasive and oppressive,” saying they pose “a significant threat to civil liberties.”
Device origin is more important than ever
Hikvision is but one example in an ocean of questionable tech from China. State ownership, ethical pitfalls and cybersecurity problems are unfortunately par for the course for these devices. Why? Undoubtedly one reason is that product quality and security are sacrificed in a race for the lowest price. Another reason is a lack of consumer protections. Unlike other regions of the world, China has few cybersecurity or privacy protections. As a result, devices are far more hackable and therefore dangerous.
On the other hand, consider the various rules and regulations which devices must comply with before hitting the market in Europe. The European Union’s General Data Protection Regulation sets a very high standard on data protection and privacy. Additionally, the bloc is preparing to pass the European Cyber Resilience Act.
Publicly shared in September, the act would introduce “mandatory cybersecurity requirements for manufacturers and retailers … with this protection extending throughout the product lifecycle.” This includes the prohibition of default and weak passwords, support for software updates and mandatory testing for security vulnerabilities. Once passed, companies will have 24 months to get up to standard. Violating the new rules could bring fines of up to €15 million or 2.5% of a company’s worldwide annual revenue (whichever is higher).
The differences between the two regions are night and day. For example, European manufacturers would be very unlikely to ship an entire line of products with a default password like “123456.” In China, however, this not only happens but happens often. Moreover, Europe’s new edict will prohibit manufacturers from setting such low cybersecurity baselines and will enforce stiff penalties.
For cybersecurity leaders, the difference between device cybersecurity and consumer protections could not be starker.
Think beyond price in your next purchase
My advice is to think beyond price. Sure, Chinese devices might be better for the bottom line, but they can also lead to very costly data breaches and open security holes into your home or workplace.
Likewise, remember that typical recommendations – such as changing default passwords or strict firewalling – will not always mitigate the whole range of issues. For example, millions of smart televisions from China have been shown to surreptitiously collect data about nearby networks and attached devices. Again, company and personal information security simply cannot be guaranteed based on the countless examples of dodgy devices from this part of the world.
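Two of the behaviours described above – a compromised camera being used to explore the rest of the network, and a smart TV quietly probing nearby hosts and sending data to unapproved cloud endpoints – survive a changed password and a basic firewall, but they are visible in network flow logs. The script below is an added example, not code from the article or from any vendor it names: it checks a constructed flow log against a per-device egress policy and flags devices that contact destinations outside their declared role or that touch an unusual number of LAN hosts. The device inventory, IP addresses, ports and flow records are all constructed for the demonstration; the policy dictionary, LAN range and scan threshold are assumptions a defender would replace with their own.

```python
"""
Added example (not from the original article): flag IoT devices whose network
behaviour goes beyond their declared role, e.g. a camera or smart TV that
starts probing other hosts on the LAN or talking to cloud endpoints that were
never approved.  Flow records, addresses and the policy are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed LAN range; replace with the real IoT segment.
LAN = ip_network("192.168.10.0/24")

# Constructed per-device egress policy.  A camera should only ever talk to the
# local NVR; a smart TV may reach one approved update host and nothing else.
POLICY = {
    "192.168.10.21": {"role": "camera", "allowed_external": set()},
    "192.168.10.40": {"role": "smart-tv", "allowed_external": {"203.0.113.10"}},
    "192.168.10.5": {"role": "nvr", "allowed_external": set()},
}

# Constructed flow log, one record per line: "src dst dport bytes".
FLOWS = """\
192.168.10.21 192.168.10.5 554 812000
192.168.10.40 203.0.113.10 443 12000
192.168.10.40 198.51.100.77 443 250000
192.168.10.40 192.168.10.2 445 120
192.168.10.40 192.168.10.3 445 120
192.168.10.40 192.168.10.4 80 96
192.168.10.40 192.168.10.6 80 96
192.168.10.40 192.168.10.7 8080 96
192.168.10.99 198.51.100.5 443 500
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into (src, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, dst, dport, nbytes = parts
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def analyze(flows, policy, scan_threshold=5):
    """Return {device: [findings]} for devices that violate their egress role.

    Two signals are used: an external destination not on the device's
    allowlist, and contact with >= scan_threshold distinct LAN hosts, which
    for a single-purpose device looks like network discovery.
    """
    findings = defaultdict(list)
    internal_targets = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if src not in policy:
            # Unknown device on the IoT segment: no policy means no basis to
            # judge its traffic, so report it once and move on.
            findings.setdefault(src, ["device not in inventory; add a policy before allowing egress"])
            continue
        if ip_address(dst) in LAN:
            internal_targets[src].add(dst)
        elif dst not in policy[src]["allowed_external"]:
            findings[src].append(
                f"unapproved external destination {dst}:{dport} ({nbytes} bytes)"
            )
    for src, targets in internal_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].append(
                f"contacted {len(targets)} LAN hosts (possible network discovery)"
            )
    return dict(findings)


def run_demo():
    """Analyse the constructed flow log against the constructed policy."""
    return analyze(parse_flows(FLOWS), POLICY)


if __name__ == "__main__":
    for device, issues in run_demo().items():
        role = POLICY.get(device, {}).get("role", "unknown")
        for issue in issues:
            print(f"{device} ({role}): {issue}")
```

In the constructed data the camera stays silent because it only talks to the NVR, while the smart TV is flagged twice: once for the 250 kB sent to an unapproved external host and once for touching five LAN hosts. The point for a buyer is that this kind of egress policy has to exist per device before deployment; a device whose cloud features cannot be disabled will trip it on day one, which is itself a useful procurement signal.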
Leaders: do your research, evaluate the risks and buy accordingly. You should take device origin into strong consideration. Your data is worth it.