Bad Homburg, March 17, 2021 – Five well-known Chinese electronics manufacturers have been declared a national security threat by the FCC under the US Secure Networks Act. In addition to Huawei and ZTE, which have already been considered a security risk since 2019, the ban now also affects Hytera, Hikvision and Dahua. All companies are now on the black list for use in US government agencies. These vendors also work as OEMs for well-known companies whose products are also found in large numbers in Germany and Europe. “The supply chains of IoT devices are complex – Huawei certificates in devices from Cisco, which our team was able to uncover, are a perfect example. The Chinese companies now affected are among the largest OEMs in the world, and their technology is also used ‘undercover’ in products from well-known manufacturers such as Abus or Panasonic,” warns Rainer M. Richter, Managing Director of IoT Inspector. The German company the firmware of IoT devices for security vulnerabilities. However, he said, the problem extends far beyond the five companies affected. According to IoT Inspector, many surveillance cameras and telecom devices present security vulnerabilities and barely protected access points that can be easily exploited by attackers or intelligence agencies. “This ranges from undetected administrator access from one of the OEMs to WiFi access that can be easily hacked via an IoT device,” Richter elaborates. Manufacturers based outside of China are no exception.
The U.S. authorities’ ban, meanwhile, goes one step further and also includes “subsidiaries and affiliates of these entities” as well as “telecommunication or video surveillance services provided by such entities or using such equipment.” Subcontractors, security service providers or companies that provide or use products from these OEMs and partners with their label are thus also part of the U.S. ban, which may also make its mark in Europe. “During the course of our analyses, we regularly encounter unexpected elements and reveal hidden supply chains. The only way to uncover the supply chain and identify the original manufacturer is to examine the firmware – in addition to analyzing it for security vulnerabilities,” Richter says. As a rule, his company and its partners work together with the respective manufacturer to identify and eliminate the liabilities; however, a general awareness of security in the Internet of Things is still far from sufficiently developed.
There is immense carelessness in the implementation of these devices, which pose a silent threat in critical infrastructure and in an increasing number of businesses and homes, he said. “It must be clear that each of these devices is integrated into an IT network and can be exploited as a Trojan horse. IoT should not be seen as ‘Plug, play & forget’!” criticizes Rainer M. Richter of IoT Inspector. In this respect, the clear ban by the US authorities can also be understood as a warning for companies in Germany – because it is definitely to be expected that devices such as security cameras from these manufacturers will also be used in critical German infrastructures. Manufacturers and distributors are therefore urged to check their firmware for security vulnerabilities, preferably before installation, and then secure it in a targeted manner. In addition, domestic authorities and network operators should also become more aware of the risks associated with IoT devices and secure the infrastructure and its components accordingly against these dangers.