A major Chinese phone maker could be putting U.S. consumers, companies, and even national security data at risk, and a U.S. senator wants to know what the Commerce Department is going to do about it.
As Defense One first reported, in a Sept. 28 letter obtained by the outlet, Sen. Chris Van Hollen, D-Md., described a report that “raises serious concerns about the security of audio-visual equipment produced and sold into the U.S. by Chinese firms such as Yealink.”
Yealink doesn’t have the name recognition of the controversial Chinese telecom giant Huawei, but its phones are widely installed across the United States, including in government agencies. In September, Yealink and Verizon announced plans to sell “the nation’s first 4G/LTE cellular desk phone.”
In the letter, Van Hollen asked Commerce Secretary Gina Raimondo whether her agency is aware of the report by Chain Security, a Virginia-based company that analyzes electronics for security. He asked whether she considers its analysis credible, and if so, what she wants Commerce to do about it.
Many of the security issues raised in the report are similar to the concerns that the U.S. government has had for years about Huawei. In essence, there are a number of big—but possibly unintentional—security flaws that an adversary could use to steal data. But with the Yealink T54W phone in particular, there are also some concerning features that are clearly built in on purpose.
The report pointed to the Yealink software that connects each phone to the local network. Called the device management platform, or DMP, it allows users to make calls from their PCs and network administrators to manage the phones. But it also allows Yealink to secretly record those phone calls and even track what websites the users are visiting.
“We observed that if the phone is being managed by the device management platform, and if the user’s PC is connected to the phone in order to access a local area network, it’s collecting information about what you’re surfing” on your computer, said Chain Security CEO Jeff Stern. “The method of using the desktop IP phone such as the Yealink phone as an Ethernet switch to connect the PC to the local area network is a common business practice. The administrator on that platform can also initiate a call recording without the user’s knowledge…What they do is they issue a command to the phone to record the calls.”
Stern clarified that “this feature is intended for use by an enterprise customer’s employee or representative. However, every system has a Superuser Administrator, or SYSADMIN. In these types of systems, the SYSADMIN typically has access to everything. Some modern systems, especially after Snowden, deny this capability to the SYSADMIN. But we need to assume that this is not the case here and that the Yealink DMP SYSADMIN is in China.”
Chain Security’s report notes that Yealink’s service agreement requires users to accept China’s laws, while “a related set of service terms allows the active monitoring of users when required by the ‘national interest’ (this means the national interest of China).”
Stern also noted that the phone doesn’t use digital certificates to prevent unauthorized changes to its software. That makes it far easier for attackers to compromise the data on the phone and potentially even the entire network it’s connected to, without attribution to Yealink. “Without some sort of monitor watching what’s going on on the phone you wouldn’t know this firmware is on there and it can do anything you want in terms of surveilling your network and the subnet. The scenario we worry about with a device like this is that it will surveil your network and then exfiltrate…essentially your network architecture or your network implementation.”
The lack of a firmware signature requirement isn’t exactly unheard of. Stern called it an “old mistake.” But he said, “There’s no reason that old mistakes like this should continue to be there. Like, this is bad.”
A Verizon spokesperson said Yealink’s DMP “has been built to meet the custom requirements of Verizon” and that the customization was related to “security; feature management exposure to the devices through the DMP; firmware management and remote diagnostics.”
That response left Stern with more questions. “Who is doing the firmware customization? Does [Verizon] have a license to modify the source code of the firmware? Does [Verizon] plan to do penetration testing on the firmware before releasing it to their users? Does [Verizon] do source code security analysis on all firmware that it receives from Yealink?”
Stern also found that the phone exchanges encrypted messages with a China-based cloud server, Alibaba Cloud, multiple times a day. You cannot program the phone not to do that. To stop it, you have to go to the enterprise’s network router and prohibit the exchange. But if you didn’t know that the phone was doing it in the first place, there’s little that you can do to stop it.
There’s also a specialized microprocessor unit from a Chinese chip maker called Rockchip. Of course, Chinese chips are in all sorts of devices and security experts can test most of them for bugs. But this one hasn’t gone through that same testing because, says Stern, Rockchip designed it specifically for Yealink. “This one is clearly a specialized product, based on the model number developed for Yealink and there’s no documented vulnerabilities to mitigate against. Except there are vulnerabilities, right? Because everything has vulnerabilities. It’s just no one is reporting on it because it’s a specialized chip,” he said.
That doesn’t mean that something is wrong with the chip, exactly, but it hasn’t received the same sort of scrutiny that other, more widely distributed components do receive.
One telecom industry expert who is familiar with the report, but did not help write it and has no affiliation with Chain Security, described the firm as reputable. The expert didn’t endorse or dispute any of the report’s findings but said that the language in Yealink’s service agreement alone was enough to warrant a review by the government. “The fact that you [meaning Yealink] are bound by Chinese law, that is something the government needs to know.”
If the Commerce Department investigates the report’s concerns and finds them valid, Yealink might find itself on a path similar to that of Huawei, placed on a list of untrustworthy technologies that government customers are not allowed to purchase. The industry expert said there was no set process or timeline for such determinations to occur.
Stern said he believed that Yealink phones were in government offices, since the government market for IP phones is roughly $300 million, by his analysis, and Yealink is one of the top ten providers. A web search shows Yealink manuals uploaded for reference to the websites of many local, state, and federal agencies.
Van Hollen’s office didn’t provide any additional detail on why they had sent the letter to the Commerce Department. A Van Hollen spokesperson said that “the letter really speaks for itself — the Senator is simply seeking more information.”
On Dec. 28, the Commerce Department responded to Van Hollen in a separate letter obtained by Defense One. “We take these matters seriously,” wrote Wynn W. Coggins, Acting Chief Financial Officer and Assistant Secretary for Administration. “The Department of Commerce shares your concerns about the security of the Information and Communications Technology and Services (ICTS) supply chain and the threats to that supply chain posed by our foreign adversaries and is actively working to address those concerns.”