China Targets Control Over Internet of Things for Spying, Business
China Targets Control Over Internet of Things for Spying, Business
Report warns Beijing working to dominate Internet
By : Bill Gertz October 25, 2018 5:00 am
China is aggressively seeking to dominate the Internet of Things and plans to use access to billions of networked electronic devices for intelligence-gathering, sabotage, and business purposes, according to a forthcoming congressional report.
China for nearly a decade has been investing heavily in the emerging technology on the Internet of Things (IoT) and has made outpacing similar U.S. efforts one of the ruling Communist Party of China's highest strategic goals.
"China’s unique approach to the development of IoT and its enabling infrastructure poses significant challenges for U.S. economic and national security interests," says a report by the U.S.-China Economic and Security Review Commission due out Thursday.
"The highest echelons of the Chinese regime view IoT development and deployment as critical matters of China’s economic competitiveness and national security."
A major concern outlined in the report is China's efforts to uncover vulnerabilities in IoT systems that can be used by Beijing for strategic objectives in both peacetime and war, the report said.
"Aside from industrial control systems, unauthorized access to health care devices could kill patients and exploitation of smart car vulnerabilities could kill drivers and pedestrians alike, among other examples of possible misuse of data and devices that could have dire consequences," the report warns.
"The future destructive potential of unauthorized access to IoT devices appears potentially limitless."
The IoT is an ill-defined term for a global information and communication infrastructure. It is made up of linked devices ranging from biomedical devices for monitoring patients to self-driving cars to critical infrastructure.
The universe of IoT devices includes billions of electronic systems such as, video cameras, smart phones and smart watches, and industrial control systems used in electric grids.
Chinese IoT objectives include building "smart cities" that monitor public utilities, flows of people and traffic, underground pipelines, and air and water quality, the report said.
Other Chinese IoT plans include advanced remote industrial controls; medical IoTs; smart homes equipped with remote controls for appliances and security systems; and smart cars linking vehicle sensors to drivers, roads, cloud services, and other electronic devices.
The IoT is expanding rapidly and will be further enhanced with emerging advanced information technologies, such 5G cellular technology.
Use of 5G networks will increase the ability of networked devices to interact through faster data transfer speeds.
China, according to the report, is working on major programs to find vulnerabilities in IoT technology ostensibly for cyber security.
However, the report suggests the research is cover for plans to conduct for cyber espionage, sabotage, and military cyber reconnaissance using the Internet of Things.
One example of an IoT cyber attack took place in 2016 when the malware known as the Mirai botnet infiltrated thousands of linked devices by scanning the Internet for video cameras—most made in China—and DVRs that were not protected and easily accessed by using default passwords such as "password."
Mirai "commandeered some one hundred thousand of these devices, and used them to carry out a distributed denial of service (DDoS) attack against DynDNS that shut down many popular websites," the report said.
A second botnet called IoTroop targeted several brands of Chinese-made Internet Protocol cameras in late 2017.
A Chinese case discovered in 2016 by security researchers revealed that firmware update software made by the Shanghai ADUPS Technology Co. Ltd. was secretly siphoning off private data and sending it to China.
"ADUPS’s firmware update software is currently in use on more than 700 million low-end mobile phones and IoT devices around the globe, including devices in the United States," the report said.
Chinese IoT researchers also are preparing to use cyber attacks against the "Internet of Underwater Things" that has applications for submarine warfare.
"The imperfect availability of enemy location information in underwater warfare offers a strategic advantage to any nation with advanced underwater sensor technology, and compromised IoT devices and sensor networks operating underwater at a variety of depths could nullify any such advantage," the report said.
China also is preparing to use the IoT for intelligence gathering and network reconnaissance—the first step in cyber war.
"Personnel from several of the PLA’s signals intelligence units have published multiple articles on IoT security-related topics, suggesting that these units have likely already exploited device vulnerabilities for these ends," the report said.
The Chinese military's cyber and computer attack force has written journal articles discussing the use of "emissions from IoT devices as possible avenues for side-channel attacks and listing location tracking features and internet connections as other weak points for exploitation," the report said.
"The PLA’s operational cyber warfare units have also previously shown direct interest in exploiting IoT security vulnerabilities for offensive information warfare," the report said, such as IoT data collection and cellphone-transmitted viruses.
A PLA electronic warfare report said smart cars are very vulnerable to attack and unauthorized access through their internal car wireless sensor networks, car-mounted controller area network buses, car-mounted local area networking, car software applications, car-mounted onboard diagnostic systems, and smart tire-pressure monitoring systems.
China is also using the IoT to boost its mass internal security surveillance capabilities to control the Chinese people, the report said.
The civilian Minister of State Security intelligence services also has "taken a lead in weaponizing IoT exploits for both offensive and espionage operations," the report said.
"One of the most sophisticated botnets targeting IoT devices in recent years has been the ‘Reaper' botnet, which has exploited vulnerabilities in a wide array of IoT devices in order to link them into a global command-and-control network," the report said, noting that the botnet originated in China.
The Reaper botnet was behind the 2015 compromise by the MSS of some 60 million health records of the U.S. health care provider Anthem.
"Such attacks pose a direct threat to sensitive U.S. IoT data even when no Chinese corporate entity is involved in its collection, processing, transmission, or storage," the report said.
One major effort by Beijing to control the technology behind the Internet of Things has been lobbying international organizations to adopt Chinese hardware and software standards.
Those Beijing-friendly technical standards then will be exploited by China in gathering large data sets that will benefit Chinese companies under government control.
China also is gaining access to massive amounts of data on Americans through authorized end-user agreements for Chinese-made products.
"China’s access to U.S. IoT data will only grow as Chinese IoT companies leverage their advantages in production and cost to gain market share in the United States," the report said.
The data will be used with China's growing ability to develop artificial intelligence that can be applied for intelligence or military operations or handed over to Chinese companies for economic gain.
The report concluded that the Chinese drive to control the Internet of Things threatens U.S. national security and economic interests
The report urges the U.S. government to address the threat posed by Chinese efforts to control the Internet of Things.
"The seriousness of the challenge from Chinese IoT policies will only increase in the years to come as the United States and China continue to engage in what amounts to a struggle for no less than the future of the internet," the report said. "The outcome of this struggle will ultimately rest upon the U.S. willingness to understand Chinese IoT development policies, and to develop sound policies of our own."
The 212-page report, "China’s Internet of Things," was produced for the commission by the contractor SOS International LLC.