China’s insidious surveillance army: The internet of things

The headline alone is terrifying: “Surveillance cameras made by China are hanging all over the U.S.” Scarier still, it’s true — the Chinese government owns a 42 percent stake in Hikvision, one of the world’s largest manufacturers of cameras and other video surveillance equipment. Its products are used at public sites and private companies around the world, including multiple U.S. government facilities.

It’s easy to extrapolate some bleak scenarios based on this information: could the Chinese government be building “back doors” into Hikvision systems to facilitate state-sponsored snooping on sensitive American sites? The company vigorously denies this possibility, though it brings up echoes of 2012 when Chinese tech firms Huawei and ZTE landed in hot water for potentially threatening U.S. national security.

But while cyberespionage will always grab headlines, there’s a quieter, more pervasive security threat at play here.

{mosads}China is still the engine behind global tech hardware manufacturing, an industry which continues to boom as internet-connected devices become an increasingly common part of our daily lives. The so-called “internet of things” is growing exponentially, including everything from the surveillance cameras Hikvision makes to your fitness tracker or smart thermostat. These devices collect a wealth of information on the environment and users with which they interact, and communicate that data with various digital service providers. By some estimates, there will be 200 billion connected devices by 2020, and 95 percent of those devices will be manufactured in China.

Simply put, we’re all going to be using Chinese technology and devices as a critical component of our connected lives moving forward. How consumers, companies, and governments effectively manage that reality will have widespread implications for digital security and privacy protection. 

As a first line of defense, consumers and companies alike need to develop a greater awareness of the unique security vulnerabilities IoT devices can present. Malicious actors can leverage weak security settings to either take over a particular device, or use that device as part of a broader network attack. For example, Chinese-made cameras were a primary vector for the Mirai botnet that enabled unprecedented distributed denial-of-service attacks that crippled Twitter, Netflix, and Paypal, among other companies in 2016. That incident exploited weak default passwords for connected devices (think “123456” or “password”), allowing hackers to use the device as a bot to attack other systems. This wasn’t the first IoT-based cyberattack, and it certainly won’t be the last. New methods of adapting a world of connected gadgets for malicious purposes are emerging daily.

In many cases, however, these risks can be mitigated by simple good cyber hygiene. Since many people don’t see their camera or FitBit as a security risk, they’re less likely to keep these connected devices updated with the latest software upgrades or security patches. Running outdated software or firmware means devices are more likely to be affected by a broader array of attacks. If a connected device can’t be updated, it shouldn’t be used.

In addition, many companies and individuals don’t bother changing the username and password from factory defaults. That’s how Mirai was able to spread so quickly – it simply tried common username and password combinations. It guessed, and far too often, it was right. As a prerequisite for connecting a device to the internet, users should change the passwords to a unique, strong phrase. Passwords are by no means foolproof security mechanisms in the digital age, but for now they’re critical to IoT security.

The conversation about China’s role in building the world of connected devices is bigger than just the threat of spying, and it starts with getting the basics right. To protect our digital privacy, we all need to be more critical consumers of connected devices and practice better cybersecurity fundamentals when it comes to getting our gadgets online.

Kaelyn Lowmaster (@TheLowMaster) is the principal analyst for One World Identity, an independent research and advisory firm focused on identity.