MERICS Blog: European Voices on China


Cheap internet-connected devices made in China are becoming a major threat to global IT security. China will have to regulate the “Internet of Things” so that everyday household items cannot be used to launch cyber attacks.


For years, China has been the United States’ main antagonist in cyberspace – despite the fact that Russia has made a comeback as the evil foe during this year’s presidential election campaign. But in recent weeks, China has been back in the spotlight – though not for the reasons you may have expected.

There was no scandal involving Chinese hackers aggressively breaking into international systems for profit or espionage. The new major problems for IT security have names like Hisilicon, Shenzhen Anran Security Camera, ZTE, Guangzhou Juan Optical and Hangzhou Xiongmai Technology. They are makers of predominantly low-cost devices that connect to the Internet – usually referred to as the Internet of Things (IoT). These companies have no malicious intent, but they can cause substantial harm by failing to secure their products.

In early October, the blog of journalist Brian Krebs, who is one of the world's leading security researchers and has exposed many criminal hacking activities, was hit by an unprecedented volume of artificially generated traffic – a so-called distributed denial-of-service (DDoS) attack. The content delivery network and anti-DDoS provider Akamai severed relations with its pro bono client Krebs when the assault started to impact its paying customers. The attack was unlike anything seen before. Millions of seemingly innocuous, poorly secured household appliances and home security systems were infected by the Mirai malware and connected in a botnet to attack the blog. Most of these “smart” devices had been assembled in China.

Toasters brought down Netflix

Later in October, another major incident caused internet outages across the US East Coast. Many popular services such as Amazon, Netflix, Twitter and the programming site GitHub experienced disruptions or went completely dark for hours. This was due to an attack on their DNS provider Dyn that used the same method of employing internet-connected toasters, coffeemakers and surveillance cameras. DNS (Domain Name System) is the system that converts website names into numerical IP addresses.

There is no reason to believe that these attacks were politically motivated. They were most likely the work of amateur hackers. But they nevertheless present a powerful threat to global Internet security, as they enable abuse and criminal activities. Anybody with basic IT skills can activate the botnet and point it at a target. The botnet can even be rented out for a few thousand US dollars.

Many of the compromised devices came from China. They can be organized into an effective botnet and manipulated into carrying out cyber attacks. The technology behind this is so simple that it might be an exaggeration even to classify those attacks as hacking – if it were not for the far-reaching consequences for a large number of users of online services or digital devices. Most of the vulnerable IoT devices use standard combinations of usernames and passwords that were pre-set in the factory, and the attackers use malware to search for these combinations.

Chinese manufacturers should take responsibility

Remarkably, a Chinese company is among the first to address the problem. Hangzhou Xiongmai Technology has started a partial recall of products sold in the US market – mostly electronics boards for digital video recorders and IP cameras – for security reasons. It also announced that it would issue a new round of security patches to protect its devices from hackers. These steps are unusual, as makers of components for IoT devices rarely offer security upgrades for their products.

However, Xiongmai also threatened to sue newspapers and blogs that named the company as the main source for the attacks. In a message first posted to social media and later to the company website, Xiongmai denied responsibility and stated that it asked its users to change the factory-set passwords when setting up their new devices. Placing the burden of security on the users, however, seems like a bad idea. It should be the company’s responsibility to create individual passwords for each device that leaves the factory – following the example of most manufacturers of internet routers.

The gap in China’s cybersecurity strategy

The Internet of Things plays a major role in China’s industrial development strategy. In an effort to emulate Germany’s "Industry 4.0" strategy, the Chinese government aims to install IT systems to enhance the efficiency of its manufacturing plants. Autonomous driving is another area of development, which requires connected, yet secure IT systems.

China’s cybersecurity strategy is dominated by the aim to achieve so-called cyber-sovereignty (国家网络主权) and to keep foreign competitors out of the country. This is especially the case for technology used by the government and state-owned companies or those working on critical infrastructures like water, energy or transport.

But this state-centric strategy is not sufficient to protect users of vulnerable technology from increasing cyber threats. Managing and securing the Internet of Things will be a critical part of any cybersecurity strategy around the world. If the Chinese government really wants to get tough on IT security, it should get serious about securing toasters, coffee machines and fridges that connect to the Internet.