Security firm: Chinese company sponsoring Orlando conference suspected of 'collecting information'

A Yealink phone. | Wikimedia Commons


Yealink, a video conferencing and voice communications company that has suspected ties to the Chinese government, is a platinum sponsor of the upcoming Enterprise Connect conference in Orlando, Fla., and representatives from the company are expected to attend the event from March 21-24.

A report last year by Chain Security, a U.S. firm that analyzes electronics for security, noted that Yealink may be risky to do business with due to its ties to the Chinese Communist Party, Defense One reported.

The report “raises serious concerns about the security of audio-visual equipment produced and sold into the U.S. by Chinese firms such as Yealink,” Sen. Chris Van Hollen (D-Md.) said in a Sept. 28 letter to U.S. Department of Commerce Secretary Gina Raimondo. Yealink has phones that are installed across the U.S., including at government agencies.

The report details security concerns with the company, most notably that it allegedly has the ability to record phone calls made on its devices.

“We observed that if the phone is being managed by the device management platform, and if the user’s PC is connected to the phone in order to access a local area network, it's collecting information about what you're surfing on your computer," Chain Security CEO Jeff Stern said, Defense One reported. “The method of using the desktop IP phone, such as the Yealink phone, as an ethernet switch to connect the PC to the local area network is a common business practice. The administrator on that platform can also initiate a call recording without the user's knowledge … What they do is they issue a command to the phone to record the calls.”

According to Stern, “This feature is intended for use by an enterprise customer's employee or representative. However, every system has a superuser administrator, or SYSADMIN. In these types of systems, the SYSADMIN typically has access to everything. Some modern systems, especially after Snowden, deny this capability to the SYSADMIN. But we need to assume that this is not the case here and that the Yealink DMP SYSADMIN is in China,” Defense One reported.

Chain Security’s report notes that Yealink’s service agreement requires users to accept China’s laws, which means that Yealink is free to "actively monitor users if the national or public interest requires." The national interest, as the report frames it, means the interest of the Chinese Communist Party, the story said.

The report also found that the Yealink phones allegedly send encrypted messages to Alibaba Cloud, a China-based cloud service, multiple times per day, and that the phone cannot be configured to stop that activity. The report also notes that Yealink phones use custom chips manufactured by the Chinese firm Rockchip that have not gone through the same industry-standard testing.

The report noted that "Yealink has both historical and current deep ties to the Chinese State." Examples cited in the report include funding for Yealink from the Xiamen City and Party Committee; Yealink's management company of record being associated with China's Thousand Talents Program; and a Yealink engineering executive, Yang Gui, who is an expert committee member of the China Ministry of Science and Technology (MOST). Because of that MOST role, the report says, "Yealink should be considered a high-risk for the illicit transfer of knowhow and technology from countries outside China, the recruitment of foreign experts and the inducement of foreign experts to violate nondisclosure agreements."

Defense One noted that Yealink is purported to be a top 10 contender in the $300 million government IP phone market.

“Without some sort of monitor watching what’s going on on the phone, you wouldn’t know this firmware is on there, and it can do anything you want in terms of surveilling your network and the subnet. The scenario we worry about with a device like this is that it will surveil your network and then exfiltrate, essentially, your network architecture or your network implementation,” Stern said, as reported by Defense One.
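The two concerns Stern raises, phones that call home to an outside cloud service on a fixed schedule and the absence of any monitor that would reveal it, are the kind of thing a network defender can check from ordinary flow records. The script below is an added illustration written for this article; it is not Chain Security's tooling and makes no claim about Yealink's actual traffic. It assumes a hypothetical voice VLAN (10.20.0.0/24), an allowlist of the internal PBX and device-management servers, and constructed flow records; the external addresses are documentation-range placeholders, not real indicators. It groups voice-VLAN flows to non-allowlisted destinations and scores how regular their inter-arrival gaps are, since a low coefficient of variation indicates a scheduled call-home rather than user-driven traffic.

```python
"""Flag IP phones on a voice VLAN that talk to non-allowlisted destinations
and estimate whether that traffic is periodic (beacon-like).
Added example for this article; not Chain Security's or Yealink's code."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Hypothetical voice VLAN and allowlisted internal servers (PBX and the
# device-management platform). Assumptions for this example only.
VOICE_VLAN = ip_network("10.20.0.0/24")
ALLOWED_DST = {ip_address("10.10.5.10"), ip_address("10.10.5.11")}

# Constructed flow records: "timestamp src dst dport proto bytes".
# 10.20.0.15 contacts an outside host every six hours; 10.20.0.22 contacts
# one outside host once; 10.30.0.5 is not a phone and is ignored.
SAMPLE_FLOWS = """\
2023-03-01T00:05:00 10.20.0.15 10.10.5.10 5060 tcp 2200
2023-03-01T00:05:02 10.20.0.15 203.0.113.7 443 tcp 1840
2023-03-01T06:05:01 10.20.0.15 203.0.113.7 443 tcp 1790
2023-03-01T12:05:03 10.20.0.15 203.0.113.7 443 tcp 1810
2023-03-01T18:05:00 10.20.0.15 203.0.113.7 443 tcp 1830
2023-03-01T09:12:44 10.20.0.22 10.10.5.11 443 tcp 5100
2023-03-01T09:13:10 10.20.0.22 10.10.5.10 5060 tcp 2300
2023-03-01T14:40:00 10.20.0.22 198.51.100.4 443 tcp 900
2023-03-01T10:00:00 10.30.0.5 203.0.113.7 443 tcp 4000
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return flows


def phone_flows_to_unknown(flows, vlan=VOICE_VLAN, allowed=ALLOWED_DST):
    """Group voice-VLAN flows whose destination is not on the allowlist,
    keyed by (src, dst), with sorted timestamps."""
    groups = defaultdict(list)
    for f in flows:
        if f["src"] in vlan and f["dst"] not in allowed:
            groups[(str(f["src"]), str(f["dst"]))].append(f["ts"])
    return {key: sorted(stamps) for key, stamps in groups.items()}


def beacon_stats(timestamps, max_cv=0.1, min_count=3):
    """Return (count, mean gap in seconds or None, periodic flag).
    Periodic means at least min_count flows whose inter-arrival gaps vary
    by no more than max_cv (coefficient of variation)."""
    if len(timestamps) < 2:
        return len(timestamps), None, False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    periodic = len(timestamps) >= min_count and cv <= max_cv
    return len(timestamps), avg, periodic


def analyze(text):
    """Produce findings, most frequent unknown peer first."""
    findings = []
    for (src, dst), stamps in phone_flows_to_unknown(parse_flows(text)).items():
        count, avg, periodic = beacon_stats(stamps)
        findings.append({"src": src, "dst": dst, "count": count,
                         "mean_interval_s": avg, "periodic": periodic})
    findings.sort(key=lambda f: (-f["count"], f["src"], f["dst"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        gap = f["mean_interval_s"]
        gap_txt = f"{gap / 3600:.1f} h" if gap else "n/a"
        print(f"{f['src']} -> {f['dst']}: {f['count']} flows, "
              f"mean gap {gap_txt}, periodic={f['periodic']}")
```

On the sample data the script reports the six-hourly contact from 10.20.0.15 as periodic and the single contact from 10.20.0.22 as not. In practice the allowlist should name every server a phone legitimately needs (PBX, DMP, NTP, provisioning), and the phone VLAN should be isolated from the PC port traffic that Stern describes passing through the handset, so that any remaining outbound flow from a phone is worth a look.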

In response to the Van Hollen letter, acting CFO and Assistant Secretary for Administration Wynn W. Coggins wrote that, "The Department of Commerce shares your concerns about the security of the Information and Communications Technology and Services supply chain and the threats to that supply chain posed by our foreign adversaries and is actively working to address those concerns."
