Smartphones made by ZTE and Huawei have been banned from sale at US military bases around the world, following concerns that they could pose a security threat.
As the Wall Street Journal reports, the Pentagon has imposed the ban after rising concerns that the Chinese manufacturers could be pressured by the authorities in Beijing to plant code that could spy on servicemen, or even remotely disable communications.
In a statement, Pentagon spokesperson Army Major Dave Eastburn made clear that the Pentagon views Huawei and ZTE devices with suspicion:
“Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission. In light of this information, it was not prudent for the department’s exchanges to continue selling them.”
The concern about technology manufactured by Chinese companies is certainly nothing new. Back in 2010, for instance, I wrote an article on the Sophos Naked Security blog, citing ZTE and Huawei, about a ban India had imposed on importing Chinese networking equipment over fears that it may have been implanted with information-stealing spyware.
And a 2012 US congressional report warned of the “long term security risks” associated with doing business with ZTE or Huawei.
With so much technology manufactured in China, it’s certainly a challenge knowing what America is supposed to do if Chinese products cannot be trusted.
Maybe it’s only a matter of time before Beijing responds in a tit-for-tat fashion warning Chinese firms not to buy products from Cisco and Intel because of their US government links.
As an aside, in the last week we have seen another smartphone manufacturer making the headlines. As we discuss on the latest “Smashing Security” podcast, the FTC has rapped the knuckles of Florida-based BLU, which had placed its trust in a third party, Shanghai ADUPS Technology Co Ltd, to manage tedious, boring stuff like rolling out security updates to handsets.
Little did BLU smartphone owners know that ADUPS was grabbing a huge amount of data and sending it to a Chinese server.
How much data?
“…the full content of consumers’ text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on BLU devices.”
Other customers of ADUPS include ZTE and Huawei.
Check out this episode of the “Smashing Security” podcast to hear this case discussed in more detail.
Smashing Security #076: 'Spying phones, hacked ski lifts, and World Password Day'
So, I think it’s important to remember that the mobile security threat is not limited to the type of smartphone you purchase, in which country it was manufactured, or what operating system it runs.
You also need to consider the third-party apps that you install onto a device, or that come pre-installed.
Can you feel confident that the app you have installed isn’t secretly sharing your location with a server based in China? Or that personal information you enter into an app is being securely encrypted, transmitted in a safe fashion, and stored securely?
Earlier this year, concerns were raised when it was discovered that Strava was exposing soldiers’ exercise routes, and there were calls for the military to review its policies on the use of fitness tracking apps.
Clearly armies around the world need to think very carefully about what technology they allow their soldiers to carry around with them.