A major Chinese phone maker could put consumers, businesses, and even US national security data at risk, and a US senator wants to know what the Commerce Department will do about it.
In a letter dated September 28 obtained by Defense One, Democratic Senator Chris Van Hollen described a report that “raised serious concerns about the security of audio-visual equipment produced by Chinese companies such as Yealink and sold in the United States.”
Yealink is not a household name like the controversial Chinese telecom giant Huawei, but its phones are widely installed across the United States, including in government agencies. In September, Yealink and Verizon announced plans to sell “the nation’s first 4G/LTE cellular desktop phone.”
In the letter, Van Hollen asked Commerce Secretary Gina Raimondo whether her agency was aware of the report by Chain Security, a Virginia-based company that analyzes electronics for security flaws. He asked whether she considered the analysis credible and, if so, what the department intended to do about it.
Many of the security issues raised in the report are similar to those the US government has faced for years around Huawei: a number of significant, but potentially unintended, security flaws that an adversary could exploit to steal data. But with the Yealink T54W in particular, there are also some worrisome features that were clearly built in on purpose.
The report pointed to Yealink software that connects each phone to the local network. It is called the Device Management Platform, or DMP, and it lets users place calls from their computers and lets network administrators manage the phones. But it also allows Yealink to record those calls without the user’s knowledge and even to track which websites users visit.
“We noticed that if the phone is managed by the device management platform, and if the user’s computer is connected to the phone in order to access a local network, it collects information about what you are browsing” on your computer, said Chain Security CEO Jeff Stern. (Using a desktop IP phone such as a Yealink phone as an Ethernet switch to connect a computer to the local area network is common business practice.) “Administrators on this platform can also start call recording without the user knowing… what they do is issue a command to the phone to record calls.”
Stern explained, “This feature is intended for use by an employee or representative of an enterprise customer. However, every system has a superuser administrator, or SYSADMIN. On these types of systems, SYSADMIN usually has access to everything. Some modern systems, especially after Snowden, deny this ability to the SYSADMIN. But we have to assume that’s not the case here and that the Yealink DMP SYSADMIN is in China.”
The Chain Security report notes that Yealink’s service agreement requires users to accept Chinese law, while “the set of relevant terms of service allow for active monitoring of users when it is required by the ‘national interest’ (that is, China’s national interest).”
Stern also noted that the phone does not use digital certificates to verify its firmware and prevent unauthorized changes to its software. That makes it easy for an attacker to tamper with the phone’s firmware and data, and possibly to reach the entire network it is connected to, without any of it being attributable to Yealink. “Without some kind of monitoring of what’s going on on the phone, you wouldn’t know that this firmware is there, and it can do anything you want in terms of monitoring your network and subnet. The scenario we are concerned about with a device like this is that it will monitor your network and then intrusive… essential to your network architecture or network implementation.”
Shipping firmware with no signature requirement is not unheard of; Stern called it an “old mistake.” But he said, “There’s no reason to keep having old bugs like this. Like, that’s bad.”
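The check that Stern says is missing, as an added example that is not from the article, Chain Security, Yealink or Verizon: a loader that accepts an update only if a detached Ed25519 signature over the image verifies against a vendor public key pinned in the device. The bundle layout, the function names and the one-byte tampering are assumptions made for the demonstration, and the keys and image bytes are generated on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update bundle: the image bytes plus a detached
// Ed25519 signature over the SHA-256 digest of those bytes. The layout is an
// assumption made for this example, not Yealink's or Verizon's real format.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned for any image that does not verify.
var ErrBadSignature = errors.New("firmware rejected: signature does not verify against the pinned vendor key")

// SignFirmware is the vendor-side step: hash the image and sign the digest
// with the release key. Only the holder of the private key can produce this.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyFirmware is the device-side gate a bootloader or updater should apply
// before flashing: the vendor public key is pinned in the device, and an image
// whose signature does not verify under that key is refused.
func VerifyFirmware(pinnedPub ed25519.PublicKey, img FirmwareImage) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pinnedPub, digest[:], img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// UnsignedAccept models the behaviour the report describes: no signature
// requirement, so every image is accepted and tampering is never noticed.
func UnsignedAccept(img FirmwareImage) error {
	return nil
}

// Tamper flips one byte in the middle of the payload, standing in for an
// attacker patching a hook into the image, and keeps the original signature.
func Tamper(img FirmwareImage) FirmwareImage {
	p := append([]byte(nil), img.Payload...)
	p[len(p)/2] ^= 0xFF
	return FirmwareImage{Payload: p, Signature: img.Signature}
}

func main() {
	// Constructed keys and image for the demonstration; a real device would
	// ship with only the public key, held in storage the updater cannot rewrite.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignFirmware(priv, []byte("constructed firmware image v1.0"))
	fmt.Println("genuine image, signed loader:   ", VerifyFirmware(pub, genuine))
	fmt.Println("tampered image, signed loader:  ", VerifyFirmware(pub, Tamper(genuine)))
	fmt.Println("tampered image, unsigned loader:", UnsignedAccept(Tamper(genuine)))
}
```

Two caveats a practitioner would add. The gate is only as strong as the storage of the pinned key: if whoever can rewrite the firmware can also rewrite the key, signing buys nothing, which is why the key (or its hash) belongs in write-once storage or a hardware root of trust that verifies the bootloader in turn. And signing only addresses tampering by a third party; it says nothing about what the vendor itself chooses to put in a genuinely signed image, which is the article's other concern.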
A Verizon spokesperson said Yealink’s device management platform was “created to meet Verizon’s customized requirements” and that the customization related to “security; offering feature management for devices through DMP; remote firmware management and diagnostics.”
That reply left Stern with more questions. “Who does the customization of the firmware? Does [Verizon] have a license to modify the source code of the firmware? Does [Verizon] plan to do a penetration test on the firmware before releasing it to its users? Does [Verizon] analyze source code security on all firmware it receives from Yealink?”
Stern also found that the phone exchanges encrypted messages with a Chinese cloud service, Alibaba Cloud, several times a day. The phone cannot be configured not to. The only way to stop the traffic is to block it at the enterprise network router or firewall. But an administrator who does not know the phone is doing this in the first place has no reason to look for it, let alone block it.
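The detection that would tell an administrator this traffic exists, as an added example (not code from the article or from Chain Security): the payloads are encrypted, so the tell is timing. The block parses constructed outbound flow records and flags any (source, destination) pair whose connections recur at near-identical intervals. The log format, the hosts and the six-hour cadence are assumptions; the addresses come from documentation ranges and are not real Yealink or Alibaba Cloud endpoints.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed outbound-connection data, one flow per line as
// "<RFC3339 start time> <source host> <destination host:port>". The phone at
// 10.20.30.40 contacts one external host about every six hours; the workstation
// at 10.20.30.50 browses at irregular times. Documentation-range addresses only.
const SampleLog = `
2021-09-01T00:05:00Z 10.20.30.40 203.0.113.10:443
2021-09-01T08:12:00Z 10.20.30.50 198.51.100.7:443
2021-09-01T06:05:02Z 10.20.30.40 203.0.113.10:443
2021-09-01T08:13:30Z 10.20.30.50 198.51.100.7:443
2021-09-01T11:40:00Z 10.20.30.50 198.51.100.7:443
2021-09-01T12:04:58Z 10.20.30.40 203.0.113.10:443
2021-09-01T14:02:15Z 10.20.30.50 198.51.100.7:443
2021-09-01T18:05:01Z 10.20.30.40 203.0.113.10:443
`

// Flow is one outbound connection: who talked to whom, and when it started.
type Flow struct {
	Src, Dst string
	At       time.Time
}

// ParseFlows parses the three-field log lines above; line order does not matter.
func ParseFlows(log string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed flow line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		flows = append(flows, Flow{Src: f[1], Dst: f[2], At: t})
	}
	return flows, nil
}

// Beacon is a (src, dst) pair whose connection timing looks scheduled.
type Beacon struct {
	Src, Dst string
	Count    int
	Interval time.Duration // median gap between successive connections
}

// FindBeacons groups flows by (src, dst) and flags every pair with at least
// minCount connections whose gaps all lie within tolerance (a fraction, e.g.
// 0.1 for 10%) of the median gap. A firmware timer produces near-identical
// gaps; a person browsing does not.
func FindBeacons(flows []Flow, minCount int, tolerance float64) []Beacon {
	byPair := map[[2]string][]time.Time{}
	for _, f := range flows {
		byPair[[2]string{f.Src, f.Dst}] = append(byPair[[2]string{f.Src, f.Dst}], f.At)
	}
	var found []Beacon
	for k, ts := range byPair {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := make([]time.Duration, len(ts)-1)
		for i := range gaps {
			gaps[i] = ts[i+1].Sub(ts[i])
		}
		sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
		median := gaps[len(gaps)/2]
		if median <= 0 {
			continue // duplicate timestamps; not a usable schedule
		}
		regular := true
		for _, g := range gaps {
			if math.Abs(float64(g-median)/float64(median)) > tolerance {
				regular = false
				break
			}
		}
		if regular {
			found = append(found, Beacon{Src: k[0], Dst: k[1], Count: len(ts), Interval: median})
		}
	}
	return found
}

func main() {
	flows, err := ParseFlows(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, b := range FindBeacons(flows, 4, 0.1) {
		fmt.Printf("beacon: %s -> %s, %d connections, every %s\n", b.Src, b.Dst, b.Count, b.Interval.Round(time.Second))
	}
}
```

Fed with real NetFlow, IPFIX or firewall connection logs for the voice VLAN, the same logic surfaces any device phoning home on a timer; the thresholds (minimum count, 10% jitter) are tuning knobs, and a vendor that randomizes its check-in interval needs a looser tolerance or a longer window. Once a destination is identified, the block Stern describes is an egress rule on the router or firewall. The more durable fix is default-deny egress for the phones with an allow-list limited to the call server and the management platform actually in use, which also removes the need to know every endpoint in advance.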
The phone also uses a custom processor from the Chinese chip maker Rockchip. Chinese chips are found in all kinds of devices, and security researchers can examine most of them for flaws. But this one has not had the same scrutiny because, Stern says, Rockchip built it specifically for Yealink. “Obviously this is a specialized product, based on the model number, developed for Yealink, and there are no documented vulnerabilities to mitigate. Except there are weaknesses, right? Because everything has weaknesses. It’s just that nobody reports them because it’s a specialized chip.”
That doesn’t mean there’s something wrong with the chip, exactly, but it hasn’t received the same kind of scrutiny that other widely distributed components do.
One telecoms industry expert who is familiar with the report but did not help write it, and who has no affiliation with Chain Security, described the company as reputable. The expert did not endorse or dispute any of the report’s findings, but said that the language in the Yealink service agreement alone was enough to warrant a government review. “The fact that you [meaning Yealink] are committed to Chinese law, that’s something the government needs to know.”
If the Commerce Department investigates the report’s concerns and finds them valid, Yealink could find itself on a path similar to Huawei’s, ending up on a list of untrusted technologies that government customers are not allowed to purchase. The industry expert said there is no set process or timeline for such decisions.
Stern said he believed Yealink phones are in government offices, since the government market for IP phones is about $300 million by his analysis and Yealink is one of the top ten providers. A web search turns up Yealink documentation posted for reference on the websites of many local, state, and federal agencies.
Van Hollen’s office did not provide any additional details about why it sent the letter to the Commerce Department. A Van Hollen spokesperson said, “The letter really speaks for itself – the senator is simply looking for more information.”
On December 28, the Commerce Department responded to Van Hollen in a separate letter obtained by Defense One. “We take these matters very seriously,” wrote Wynn W. Coggins, Acting Chief Financial Officer and Assistant Secretary for Administration. “The Department of Commerce shares your concerns about the security of the Information and Communications Technology and Services (ICTS) supply chain and the threats to the supply chain posed by our foreign adversaries and is actively working to address these concerns.”
Yealink did not respond to a request for comment for this story.