Why British homes are at risk from ‘Trojan Horse’ smart devices


Across the US, websites began to stutter, stall and go offline. Error messages showing “404 page not found” popped up across popular sites including Reddit and Twitter as they went down.

In the largest internet blackout of its kind, the US web found itself under sustained attack by a vast “botnet”, which fired millions of requests per second at internet servers until they collapsed under the strain.

The cyber attack was particularly unusual. An army of hackers were not behind the botnet; rather it was around 600,000 hacked home internet devices, such as routers and security cameras, that were spamming the web. Even digital water pumps and ovens were used to overwhelm websites.

Known as Mirai, the virus hijacked the growing network of smart gadgets in the 2016 cyber attack.

The incident was one of the first examples of so-called “Internet of Things” (IoT) devices being weaponised, prompting a wave of concern about the security of these devices and their possible misuse.

Now, fears are growing that IoT technology could pose another previously overlooked security risk: as “Trojan horse” spying devices.

Alarm is being raised about the possibility of the newly muscular Chinese state harnessing the potential of the vast pools of data collected by internet-connected devices ranging from cars to smart meters.

“The most game-changing advantage of technology is that it enables the accumulation of massive amounts of data,” Charlie Parton, a former British diplomat serving in China, wrote in a report on the technology published this week.

“The [Chinese Communist Party] views data as a strategic resource. When processed and aggregated, data can support its interests across military, economic, political, cultural and other domains.”

Concerns are rising as manufacturers increasingly make devices - ranging from your car to your fridge - that are connected to the internet by default. The push to make everything “smart” is partly driven by a desire to keep people spending on newer, shinier gadgets that promise to talk to each other and help people live like the Jetsons.

Many of these gadgets are gathering vast quantities of data, from petabytes of security camera footage that is stored in internet databases to more mundane information on what is in your fridge that day.

Other devices, designed for industry, track the passage of goods across continents or monitor industrial machines to ensure they are still working. Electric charging infrastructure, critical to net zero, is increasingly connected to the internet.

TIANJIN, CHINA - MAY 20: People visit the Huawei booth during 5th World Intelligence Congress (WIC) at Tianjin Meijiang Conference and Exhibition Center on May 20, 2021 in Tianjin, China. (Photo by VCG/VCG via Getty Images) - VCG/VCG via Getty Images

Researchers are now raising questions over whether this vast array of IoT devices, evolving with little security oversight, poses a national security risk thanks to the potentially huge volumes of data scooped up. Smart gadgets, cameras and chips are largely manufactured in vast quantities within China. By oversight or by design, millions of IoT devices could have security flaws that create a risk to consumer data.

Jake Moore, global cybersecurity advisor at Eset Security, says devices could be “utilised by a hostile state such as China to influence, pressure or threaten an individual, company, or even an adversary”.

The vast majority of IoT devices are mundane in nature. They could monitor the contents of a fridge, the status of a washing machine or the location of a shipping container.

But others, including CCTV cameras, can connect to the wider internet, or even perform facial recognition functions. Smart doorbells with cameras attached or baby monitors that are connected to the web can also hoover up visual data. Vehicles are being fitted with devices that connect to the web too and can collect information on individuals’ movements.

Whether or not devices are intended as spying devices can be irrelevant. A report last year from the US Cybersecurity and Infrastructure Security Agency warned that a Chinese-made GPS tracker, fitted in millions of vehicles, came with a default password of “123456” that made it trivially easy for hackers to infiltrate.

After the Mirai botnet attack, one Chinese manufacturer recalled more than 4.5m security cameras that had an easy-to-guess default password.

Prof Alan Woodward, a cyber security expert at the University of Surrey, says: “The bottom line is that any networked IoT device can form part of an attack surface. China has become the de facto source for such devices because they are built to a very attractive price point.

“The trouble is you tend to get what you pay for: security is an afterthought, if it’s a thought at all.”

The British Government has started to wake up to the potential threats of these cheap and cheerful internet-connected gadgets.

Last year Parliament passed the Product Security and Telecommunications Infrastructure Act, which forces makers of smartphones, TVs, speakers and routers to meet minimum cyber security standards and tell customers at the time of purchase when their new items will stop receiving security software updates.

Government departments have also been ordered to strip out security cameras made by Chinese companies Hikvision and Dahua. The cameras notoriously caught snapshots of former Health Secretary Matt Hancock embracing an aide in his office, which later leaked to the press.

A Hikvision camera caught Matt Hancock kissing his aide at his Whitehall office

Hikvision has called concerns about its technology “unsubstantiated” and a “knee jerk reaction”.

There are concerns that China’s dominance of technology runs deeper than just consumer gadgets.

Ministers previously ordered telecoms companies to strip technology made by China’s Huawei from mobile and broadband networks by 2027, amid concerns it represented a national security risk, something the company always denied.

Three Chinese companies, Quectel, Fibocom and China Mobile, make up roughly half of global shipments of IoT cellular modules, according to data from Counterpoint Research. While these historically only processed tiny packets of data over 2G networks, increasingly they are picking up and transmitting more information over 4G and 5G mobile networks.

The proliferation of these IoT modules means that bugs or backdoors, whether left in by design or by accident, are a risk. Concerns have only mounted after a concealed tracking device was found in a government car, believed to have been planted in a part imported from China, the i reported.

Under Chinese law, the CCP can compel companies to aid intelligence gathering operations and provide customer data.

Parton has gone as far as to call for a ban on the sale and installation of new Chinese IoT kits that connect to cellular networks.

Parton, the former diplomat, who now works for the consultancy OODA, writes in a report sent to government officials: “[Chinese Communist Party] policy documents show the strategic importance of IOT technology to the party.

“In line with CCP industrial policy to promote global champions in new industries, IOT companies have benefited from the creation of a domestic market which excludes international competition.”

For now, the main risk presented by IoT technology appears to be weak security practices and cheap, hackable gadgets. But as China’s dominance continues to grow, a more strategic threat could be emerging.

A government spokesman said: “We are legislating to protect consumers' connected devices, such as smartphones, TVs, speakers and routers, through new laws to strengthen their privacy and security.”

“It will ban sales in the UK of smart devices with poor cyber security and get rid of easy-to-guess passwords which are often included as standard with consumer tech.”