Chinese companies like Huawei are making great, cost-effective phones that are low in price but keep up with the big guns in terms of specs. The brand names are everywhere – Huawei, ZTE, Oppo and OnePlus for example. However, American intelligence agencies are warning customers that their device could potentially be used to spy on them, and advising against purchasing devices sold by Chinese companies. So, are Chinese smartphones safe? Should you buy one? And what should you do if you already own one?
What’s the Big Deal?
Espionage isn’t something we tend to think of outside of a Hollywood blockbuster, but governments attempting to steal each other’s secrets is a real problem. China targets the US for espionage purposes, and hackers have allegedly gained access to secret information such as trade secrets, military information, governmental data and records of personnel.
There has been growing debate in Australia on whether Chinese companies should be allowed to participate in projects that could potentially gain them access to sensitive data. Chinese products and personnel can potentially provide cheaper goods and services, with technology and expertise more developed than that of the Western world in some areas. Governments and companies need to make the decision between accessing the high-quality, inexpensive advantages China has to offer, and the risk involved in potentially exposing the country to espionage.
International responses vary – the U.S. restricts Chinese participation, whereas in the U.K. they are happy to utilise the skills and expertise of skilled Chinese nationals but subject the software and hardware that is produced with several layers of vetting to ensure its safety. In Australia, we are still on the fence. We have refused to allow Chinese companies to offer tenders on any part of the NBN and will probably do the same with coming 5G network infrastructure, but Chinese smartphones are readily available.
Accusations of Espionage
A Taiwanese chip company called MediaTek built a chip that was used in millions of lower-end smart phones, many of them made by Chinese manufacturers. The chip was found to have a debug setting enabled, which the company claimed was used to test the phone’s ability to operate with other smart devices in China.
It was a valid feature during the design process, but created a huge security risk when it was sold while still enabled on customer’s devices. The setting could have allowed root access to the phone by another person or piece of software. While this glitch was a MediaTek error and quickly resolved, it didn’t look good for the predominantly Chinese manufacturers who shipped the phone while they were vulnerable.
Lenovo’s disregard of consumer privacy was more overt. They admitted that computers shipped in 2014 had malware preinstalled. Lenovo sold their laptops with Superfish, which was designed to influence the ads users saw but also left information on browser traffic wide open to malicious people and programs. They added unremovable BIOS malware on laptops, and included unwanted analytics software on their ThinkPad and ThinkCenter desktops. Lenovo admitted that laptops shipped to stores and consumers in late 2014 had malware preinstalled.
In 2016 Krytpowire, a mobile security firm, found that up to 700 million lower-end android devices had Chinese malware hidden as a preinstalled support app. The third-party software had access to and sent information about user’s text messages, contacts, calls, location, and other data to a serverin Shanghai. The company responsible, Shanghai Adups Technology Co., claimed it was only intended for the Chinese market and the American phones were loaded with it only as a mistake.
It sounds like great cause for concern – and potentially could be – but it’s important to keep these breaches in perspective. Information about user habits is valuable, and mistakes do happen. The two biggest security flaws in the past year, called Spectre and Meltdown, were as a result of security flaws that were present in chips made in America. For the average user, greedy advertising companies and mistakes by manufacturers are more likely than malicious espionage.
The Problem with Buying from China
So if it can happen anywhere, why is the focus on China? There are several aspects that make Chinese devices and software of more concern than other brands.
Chinese influence in Australian life is enormous, and is on the increase, and there is evidence that not all deals are above board. Chinese entities are under investigation for financing and putting pressure on Australian politicians. Chinese hackers have gained access to extremely sensitive data from America, and there’s little doubt that similar data from Australia would be of interest. There are accusations of China spying on senior Australians.
Chinese companies attempted to get involved in Australia’s NBN rollout, and are now attempting to offer tenders on creating and constructing 5G technology. They can offer advanced technologies and information, as well as less expensive materials and production. The companies wanting to offer tenders are private, being fully owned by shareholders. However, there is concern about how much influence the government has on private enterprise in China.
The Chinese government is often represented on the boards of major companies, ensuring that businesses operate in line with political ideologies. Even though telecommunications companies might be completely benign now, the possibilities of potential loopholes being exploited in future makes many Australians understandably wary.
All phones collect potentially sensitive data in order for apps and core processes to function, no matter where the phone originates. The difference is where that data is stored and how it is used. Even though your Chinese phone might not have any Chinese apps, firmware and background software can still communicate with Chinese servers. While China does have data protection laws, how they can be used is very different to what Western consumers have come to expect.
So how concerned should you be?
While they might have the capability, it’s highly unlikely that the Chinese government are interested in hacking ordinary civilian devices.
“The security concerns around Huawei mostly relate to its telecommunications equipment. The concern is the Chinese government can pressure Huawei into doing its bidding; that could be anything from giving Chinese government network spooks early access to vulnerability information, through to actually backdooring the technology,” Patrick Gray, security expert and host of the Risky Business podcast, told the Sydney Morning Herald.
“For most people the handsets should be fine from a security perspective, but it really depends on who you are. If you’re a likely target of Chinese espionage — a mining company executive, for example — I’d give them a miss.”
The Android operating system should help keep users safe, and remember that non-Chinese devices can still be vulnerable. No matter which device you use, the biggest concern should be maintaining your phone’s security with regular updates, and paying close attention to only downloading from trusted, reputable sources. Just because an app is on Google Play, doesn’t mean it’s safe. Regardless of device, operating system or country of origin, the best way to keep secure is to be aware of security issues and be proactive. If you are very concerned about privacy though, better give the Chinese devices a miss.