A report late last year by Chain Security, a firm that analyzes electronics for security, noted that Chinese company Yealink may be risky to do business with due to ties with the Chinese Communist Party, Defense One reported.
In a Sept. 28 letter to U.S. Department of Commerce Secretary Gina Raimondo, Sen. Chris Van Hollen (D-Md.) described the Chain Security report, which “raises serious concerns about the security of audio-visual equipment produced and sold into the U.S. by Chinese firms such as Yealink.” Yealink has phones that are installed across the U.S., including at government agencies.
The report details security concerns with the company, most notably that it allegedly has the ability to record phone calls made on its devices.
“We observed that if the phone is being managed by the device management platform, and if the user’s PC is connected to the phone in order to access a local area network, it's collecting information about what you're surfing on your computer," Chain Security CEO Jeff Stern said, Defense One reported. “The method of using the desktop IP phone, such as the Yealink phone, as an ethernet switch to connect the PC to the local area network is a common business practice. The administrator on that platform can also initiate a call recording without the user's knowledge … What they do is they issue a command to the phone to record the calls.”
According to Stern, “This feature is intended for use by an enterprise customer's employee or representative. However, every system has a superuser administrator, or SYSADMIN. In these types of systems, the SYSADMIN typically has access to everything. Some modern systems, especially after Snowden, deny this capability to the SYSADMIN. But we need to assume that this is not the case here and that the Yealink DMP SYSADMIN is in China,” Defense One reported.
Chain Security’s report notes that Yealink’s service agreement requires users to accept China’s laws, which means that Yealink is free to "actively monitor users if the national or public interest requires." The national interest as referred to in the report is the Chinese Communist Party, the story said.
The report also found that the Yealink phones allegedly communicate encrypted messages to Chinese-based cloud server Alibaba Cloud multiple times per day. It is not possible to program the phone to cease that activity. There were also custom Chinese chips manufactured by Rockchip for Yealink phones that have not gone through the same industry standard testing.
The report noted that "Yealink has both historical and current deep ties to the Chinese State." Examples provided in the report include Xiamen City and Party Committee giving funding to Yealink, the management company of record with China's Thousand Talents Program, and a Yealink engineering executive, Yang Gui, who is an expert committee member of the China Ministry of Science and Technology (MOST). The MOST role, according to the report, means that "Yealink should be considered a high-risk for the illicit transfer of knowhow and technology from countries outside China, the recruitment of foreign experts and the inducement of foreign experts to violate nondisclosure agreements."
Yealink is slated to attend an Enterprise Connect conference in Orlando, Fla., from March 21-24. Yealink is one of the platinum sponsors of the event.
Defense One noted that Yealink is purported to be a top 10 contender in the $300 million government IP phone market.
“Without some sort of monitor watching what’s going on on the phone, you wouldn’t know this firmware is on there, and it can do anything you want in terms of surveilling your network and the subnet. The scenario we worry about with a device like this is that it will surveil your network and then exfiltrate, essentially, your network architecture or your network implementation,” Stern said, as reported by Defense One.
In response to the Van Hollen letter, acting CFO and Assistant Secretary for Administration Wynn W. Coggins wrote that, "The Department of Commerce shares your concerns about the security of the Information and Communications Technology and Services supply chain and the threats to that supply chain posed by our foreign adversaries and is actively working to address those concerns."