If TikTok is spyware, then what about Chinese IoT?

An image of security icons for a network encircling a digital blue earth.
(Image credit: Shutterstock)

The tech cold war between Washington and Beijing went up a notch late last month. At the end of February, United States federal agencies were given 30 days to delete TikTok from all government mobile devices. Citing espionage fears, other western governments are pursuing similar bans.

This decision intends to safeguard digital infrastructure and data from bad actors. If this is the case, then connected devices are next in the crosshairs. China is the world’s biggest supplier of devices and parts powering the Internet of Things (IoT). From devices inside local networks to companion apps, the threat vector is huge.

Looking ahead, let’s look at why the private sector must also consider its cybersecurity stance beyond TikTok.

The TikTok problem

To be clear, there are legitimate issues surrounding TikTok. There are growing concerns the app and its parent company, ByteDance, share sensitive user data with the Chinese government. This is because local laws allow the government to secretly request data from corporations and citizens for “intelligence gathering”.

Other countries are also moving to ban the app. Canada declared about the same time a ban on government devices using TikTok. Meanwhile, the European Union's executive branch announced its own temporary ban on the app on employee phones. Meanwhile, India made this decision a few years ago. In 2020, India banned 60 Chinese apps, including TikTok, claiming they were transmitting user data back to China.

The prohibition opens up a digital can of worms. If governments fear data snooping from the social media giant, then the focus must turn to anything else running Chinese software. And the country’s track record with connected devices isn’t great – Chinese devices often count questionable government links, listen in on users and share data with servers back in the country.

Carsten Rhod Gregersen

Carsten Rhod Gregersen is the CEO and Founder of Nabto.

The dangers of connected devices

Chinese IoT is arguably more dangerous than TikTok. These connected devices have data-transmitting sensors and communicate over WiFi. Theoretically, with full permissions inside a local network, the device has unparalleled access. It can do all sorts of things from monitoring traffic to flooding the network with information (a distributed denial-of-service attack) to targeting other connected devices. This is a concerning possibility considering the suspected links between the central government and major device makers like Huawei.

Further, cheap devices with low cybersecurity thresholds are imminently hackable, serving as a potential gateway behind your firewall. Case in point: state-owned surveillance camera manufacturer Hikvision. Not patching or changing default passwords left tens of thousands of devices vulnerable to hackers last year. Then, once on the inside, the attacker can exploit the entirety of the victim’s network.

Much like TikTok, governments are already raising a red flag and taking preemptive security steps against connected devices from China. In November, for example, the US banned Hikvision and several prominent Chinese brands to “protect the nation’s communications network.” The UK followed suit, with MPs pointing out that the cameras can record sensitive personal information like facial recognition, behavioral analysis and gender identification.

The public sector views this tech as a dire threat to data privacy, security and trusted collaboration. It begs the question – if it’s not good enough for the government, why is it good enough for your business?

What businesses must do

Without safeguards, connected devices can open backdoors into your business. It’s time for the private sector to move in step with the public sector and shut down such dangers. The good news is this is possible in the following three ways.

First, partition devices on your business network between trusted and non-trusted categories. The idea is to establish a distinct grouping for devices with low-security protocols. Then limit their credentials and visibility. Therefore, in an attack, the compromised device is quarantined from the larger network.

Additionally, select products from trustworthy regions. Although the price is higher, reputable brands from reputable parts of the world deliver higher standards. For instance, European devices adhere to the General Data Protection Regulation (GDPR), which mandates data collection, storage, analysis and sharing. Further, the EU is drafting the Cyber Resilience Act, which introduces mandatory cybersecurity regulations for products with digital components throughout their lifespan – a world first. These measures help guarantee the safety and security of your devices.

Finally, set up peer-to-peer connections. These connections create direct, encrypted infrastructure between a peer and a client. Once established, devices communicate in a manner which helps prevent access from third parties.

The answer is not to do away with this technology. Connected devices still deliver valuable and actionable insights into your business. Rather, it’s up to us as leaders to know what we’re getting into, understand the pitfalls and onboard devices securely. Consider where the device comes from and how it handles your data. Take note of the warning signs and start protecting yourself and your customers today.

We've featured the best secure smartphones.

Carsten Rhod Gregersen is the CEO and Founder of Nabto. He is a regarded industry commentator with more than two decades of experience with connected devices.