By: Ryan Neuhard, Columnist

Photo by: Reuters

Electronics sourced from China pose a risk to US national security. Firms in China have repeatedly pre-installed malicious software on products sold in the United States. This activity provides Chinese authorities with the means to conduct espionage and launch cyber-attacks against US targets.

The United States should consider the production of electronics to be a national security process and take proactive steps to safeguard it. Safeguards should include measures to deter firms from embedding malware in products, to clarify the source of content in electronics, to support electronics producers in friendly countries, and to prohibit critical sectors from buying electronics with content from China.

Cases of Pre-Installed Malware

In the past five years, there have been at least a half a dozen cases of pre-installed malware appearing on electronics built in China. [i] The malware created backdoors and collected sensitive information without users’ knowledge or consent. Among the known cases, mobile phones and laptops were frequent targets.

For instance, in November 2016 researchers discovered Shanghai Adups Technology Company, a firmware supplier based in China, supplied malware to multiple manufacturers who pre-installed it on at least 120,000 mobile phones.[ii] The malware collected users’ text message content, contact lists, call histories, location data, phone identifier numbers, and other sensitive data.[iii]

A year earlier, malware was discovered on approximately 750,000 Lenovo laptops.[iv] Lenovo, a manufacturer based in China, pre-installed malware that intercepted browsing data and inserted content into their users’ browser in an effort to deliver targeted advertisements.[v] The malware also inadvertently created another security vulnerability that allowed websites to generate fraudulent security certificates.[vi]

Finally, as recently as March 2018, researchers linked Tian Pai, a mobile distributor based in China, to pre-installed malware on approximately five million mobile phones. [vii] The malware impersonated Wi-Fi security software and installed additional software without the users’ knowledge or approval. [viii] Prior to being caught, the malware installed botnet and advertisement software.[ix]

Opportunity for China’s Government

In many cases, China-based firms are planting malware on products for commercial, not political, motives. The firms intend to use the software to push sponsored software onto users’ devices, to insert advertisements into users’ browsers, or to collect information to sell to advertisers. However, regardless of the firm’s original intent, China’s government can coopt these companies’ software and any data they collect, due to the terms of China’s cyber security laws and regulations.

In June 2017, China’s government implemented the Cyber Security Law of the People’s Republic of China. [x] Provisions within the law require firms in China to store their data locally and provide authorities access upon request. [xi] These provisions provide Chinese authorities with the opportunity to make use of any data the firms collect and any backdoors they install on users’ electronics.

Response Options

The United States should consider four sets of countermeasures to address this problem:

First, the United States should establish regulations that prohibit companies from pre-installing software on products that performs tasks without user authorization. In order to be effective, these regulations will need credible enforcement mechanisms and penalties. Enforcement mechanisms could include third-party inspections, like those Lenovo agreed to after the Superfish incident. [xii]

Second, the United States should restrict sensitive national security sectors from buying electronics with Chinese content. US institutions have already begun implementing some restrictions. For example, on April 17, the Federal Communications Commission formally proposed new rules intended to discourage telecommunication providers from purchasing hardware from risky companies, which could include China-based manufacturers. [xiii] These restrictions could expand from restrictions on the use of federal funds to restrictions on all use, regardless of the funds used. These restrictions could also be expanded to other sensitive sectors, like customers in the energy, medical, transportation, and law enforcement sectors.

Third, the United States should establish transparency requirements that enable consumers to more easily identify the origin of content in electronics. This would help consumers hold firms accountable and help national security sectors avoid Chinese content.

Fourth, the United States should support the development of alternative suppliers in the United States and allied nations. Support can include investment, hiring assistance, and education programs. This support will provide consumers with better alternatives to electronics with content from China.

[i] Other cases include: Shanghai Adups Technology Company’s second round of malware in 2017, Lenovo’s Android.Sprovider.7 malware in 2016, Lenovo’s LSE malware in 2015, and Star’s Uupay.D malware in 2014. Pre-installed malware is particularly difficult for security researchers to detect, so these known cases likely represent only a subset of the actual cases.

Nathan Collier, “Mobile Menace: Monday: Upping the Ante on Adups,” Malwarebytes Labs, 18 December 2017, accessed 15 May 2018, https://blog.malwarebytes.com/cybercrime/2017/12/mobile-menace-monday-upping-the-ante-on-adups-fwupgradeprovider/

“Doctor Web Discovers Trojans in Firmware of Well-Known Android Mobile Devices,” Doctor Web, 12 December 2016, accessed 15 May 2018, https://news.drweb.com/show/?i=10345&lng=en

Alex Hern, “Lenovo Does It Again as LSE Component Removed After Security Fears,” The Guardian, 14 August 2015, accessed 15 May 2018, https://www.theguardian.com/technology/2015/aug/14/lenovo-service-engine-pre-installed-security-superfish

CL, “Android Smartphone Shipped with Spyware,” G Data, 16 June 2014, accessed 15 May 2018, https://www.gdatasoftware.com/blog/2014/06/23951-android-smartphone-shipped-with-spyware

[ii] “Kryptowire Discovers Mobile Phone Firmware that Transmitted Personally Identifiable Information (PII) Without User Consent or Disclosure,” Kryptowire, 15 November 2016, accessed 15 May 2018, https://www.kryptowire.com/adups_security_analysis.html

“Kryptowire Provides Technical Details on Black Hat 2017 Presentation: Observed ADUPS Data Collection & Data Transmission,” Kryptowire, 2 August 2017, accessed 15 May 2018, https://www.kryptowire.com/observed_adups_data_collection_behavior.html

Matt Apuzzo and Michael Schmidt, “Secret Backdoor in Some US Phones Sent Data to China, Analysts Say,” New York Times, 15 November 2016, accessed 15 May 2018, https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html

[iii] Matt Apuzzo and Michael Schmidt, “Secret Backdoor in Some US Phones Sent Data to China, Analysts Say,” New York Times, 15 November 2016, accessed 15 May 2018, https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html

[iv] Maria Armental, “Lenovo Reaches Tentative Settlement Over Superfish PC Adware,” Wallstreet Journal, 5 September 2017, accessed 15 May 2018, https://www.wsj.com/articles/lenovo-reaches-tentative-settlement-over-superfish-pc-adware-1504655796

[v] Dan Goodin, “Lenovo PCs Ship with Man-in-the-Middle Adware that Breaks HTTPS Connections [Updated],” Ars Technica, 19 February 2015, accessed 15 May 2018, https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

[vi] United States Computer Emergency Readiness Team (US-CERT), “Alert (TA15-051A): Lenovo Superfish Adware Vulnerable to HTTPS Spoofing,” US Department of Homeland Security, 30 September 2016, accessed 15 May 2018, https://www.us-cert.gov/ncas/alerts/TA15-051A

[vii] Feixiang He, Bohdan Melnykov, and Elena Root, “RottenSys: Not a Secure Wi-Fi Service at All,” Checkpoint Cyber Security, 14 March 2018, accessed 14 May 2018, https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/

[viii] Ibid.

[ix] Ibid.

[x] Cybersecurity Law of the People’s Republic of China, Order No. 53 of the President, issued 11 July 2016, implemented 1 June 2017, accessed 15 May 2018, http://www.lawinfochina.com/display.aspx?id=22826&lib=law

“中华人民共和国网络安全法,” Xinhua, 7 November 2017, accessed 16 May 2018, http://www.xinhuanet.com/politics/2016-11/07/c_1119867015.htm

[xi] Jack Wagner, “China’s Cybersecurity Law: What You Need to Know,” The Diplomat, 1 June 2017, accessed 16 May 2018, https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/

[xii] “In the Matter of Lenovo (United States) Inc., a corporation,” Docket No. C-4636, Federal Trade Commission, 20 December 2017, accessed 16 May 2018, https://www.ftc.gov/system/files/documents/cases/152_3134_c4636_lenovo_united_states_decision_and_order.pdf

[xiii] David Shepardson, “FCC Chief Proposes Steps to Protect U.S. Communications Networks,” Reuters, 26 March 2018, accessed 1 May 2018, https://www.reuters.com/article/us-usa-fcc/fcc-chief-proposes-steps-to-protect-u-s-communications-networks-idUSKBN1H21ZN.

US Federal Communications Commission, FCC Proposes Prohibiting Universal Service Spending on Equipment and Services from Companies that Pose National Security Threats (Washington DC: FCC, 2018), accessed 1 May 2018, https://transition.fcc.gov/Daily_Releases/Daily_Business/2018/db0417/DOC-350251A1.pdf.