Workers in a call center in Norwich, Norfolk, United Kingdom

Workers in a call center in Norwich, Norfolk, United Kingdom Getty Images

Science & Tech

Common Office Desk Phone Could Be Leaking Info to Chinese Government, Report Alleges

Phones by Yealink have been observed sending encrypted messages to Chinese servers three times a day.

Patrick Tucker

|
Patrick Tucker
By Patrick Tucker
Science & Technology Editor, Defense One

A major Chinese phone maker could be putting U.S. consumers, companies, and even national security data at risk, and a U.S. senator wants to know what the Commerce Department is going to do about it.

In a Sept. 28 letter obtained by Defense One, Sen. Chris Van Hollen, D-Md., described a report that “raises serious concerns about the security of audio-visual equipment produced and sold into the U.S. by Chinese firms such as Yealink.” 

Yealink doesn’t have the name recognition of the controversial Chinese telecom giant Huawei, but its phones are widely installed across the United States, including in government agencies. In September, Yealink and Verizon announced plans to sell “the nation’s first 4G/LTE cellular desk phone.”

In the letter, Van Hollen asked Commerce Secretary Gina Raimondo whether her agency is aware of the report by Chain Security, a Virginia-based company that analyzes electronics for security. He asked whether she considers its analysis credible, and if so, what she wants Commerce to do about it.

Many of the security issues raised in the report are similar to those that the U.S. government has had for years about Huawei. In essence, there are a number of big—but possibly unintentional—security flaws that an adversary could use to steal data. But with the Yealink T54W phone in particular, there are also some concerning features that are clearly built in on purpose. 

The report pointed to the Yealink software that connects each phone to the local network. Called the device management platform, or DMP, it allows users to make calls from their PCs and network administrators to manage the phones. But it also allows Yealink to secretly record those phone calls and even track what websites the users are visiting.

​​“We observed that if the phone is being managed by the device management platform, and if the user’s PC is connected to the phone in order to access a local area network, it's collecting information about what you're surfing” on your computer, said Chain Security CEO Jeff Stern. “The method of using the desktop IP phone such as the Yealink phone as an Ethernet switch to connect the PC to the local area network is a common business practice. The administrator on that platform can also initiate a call recording without the user's knowledge…What they do is they issue a command to the phone to record the calls.”

Stern said that “this feature is intended for use by an enterprise customer's employee or representative. However, every system has a Superuser Administrator, or SYSADMIN. In these types of systems, the SYSADMIN typically has access to everything. Some modern systems, especially after Snowden, deny this capability to the SYSADMIN. But we need to assume that this is not the case here and that the Yealink DMP SYSADMIN is in China.”

Chain Security’s report notes that Yealink’s service agreement requires users to accept China’s laws, while “a related set of service terms allows the active monitoring of users when required by the ‘national interest’ (this means the national interest of China).” 

Stern also noted that the phone also doesn’t use digital certificates to prevent unauthorized changes to its software. That makes it far easier for attackers to compromise the data on the phone and potentially even the entire network it’s connected to, without attribution to Yealink. “Without some sort of monitor watching what's going on on the phone you wouldn't know this firmware is on there and it can do anything you want in terms of surveilling your network and the subnet. The scenario we worry about with a device like this is that it will surveil your network and then exfiltrate…essentially your network architecture or your network implementation.” 

The lack of a firmware signature requirement isn’t exactly unheard of. Stern called it an “old mistake.” But he said, “There's no reason that old mistakes like this should continue to be there. Like, this is bad.”

Defense One asked a Verizon spokesperson whether the company was selling phones with the Yealink DMP and without digital certificates. The spokesperson initially said the company had customized the DMP to address issues related to security and firmware upgrades.

That response left Stern with more questions. “Who is doing the firmware customization? Does [Verizon] have a license to modify the source code of the firmware? Does [Verizon] plan to do penetration testing on the firmware before releasing it to their users? Does [Verizon] do source code security analysis on all firmware that it receives from Yealink?” 

But after this article was published, a second Verizon spokesperson said that the company’s original statement was incorrect. Verizon “does NOT use the DMP referred to in the article. Access to [the Yealink] DMP is completely blocked in Verizon’s custom firmware. Verizon has no exposure from DMP.” 

The second spokesperson also said, “Every One Talk desk phone uses Cybertrust certificates which are validated for all device boot up and secure firmware upgrade activities.”

But Verizon is far from the only distributor of Yealink phones. And Stern found a variety of issues beside the DMP and firmware certificate.

Stern also found that the phone exchanges encrypted messages with a Chinese-based cloud server, Alibaba Cloud, multiple times a day. You cannot program the phone not to do that. To stop it, you can set your organization’s network router to prohibit the exchange—but only if you know the phone is doing it in the first place.

Yealink phones also contain a specialized microprocessor unit from a Chinese chip maker called Rockchip. Of course, Chinese chips are in all sorts of devices and security experts can test most of them for bugs. But this one hasn’t gone through that same testing because, says Stern, Rockchip designed it specifically for Yealink. “This one is clearly a specialized product, based on the model number developed for Yealink and there's no documented vulnerabilities to mitigate against. Except there are vulnerabilities, right? Because everything has vulnerabilities. It's just no one is reporting on it because it’s a specialized chip,” he said. 

That doesn’t mean that something is wrong with the chip, exactly, but it hasn’t received the same sort of scrutiny that other, more widely distributed components do receive. 

One telecom industry expert who is familiar with the report, but did not help write it and has no affiliation with Chain Security, described the firm as reputable. The expert didn’t endorse or dispute any of the report’s findings but said that the language in Yealink’s service agreement alone was enough to warrant a review by the government. “The fact that you [meaning Yealink] are bound by Chinese law, that is something the government needs to know.”

If the Commerce Department investigates the report’s concerns and finds them valid, Yealink might find themselves on a path similar to that of Huawei, placed on a list of untrustworthy technologies that government customers are not allowed to purchase. The industry expert said there was no set process or timeline for such determinations to occur. 

Stern said he believed that Yealink phones were in government offices, since the government market for IP phones is roughly $300 million, by his analysis, and Yealink is one of the top ten providers. A web search shows Yealink manuals uploaded for reference to the websites of many local, state, and federal agencies.

Van Hollen’s office didn’t provide any additional detail on why they had sent the letter to the Commerce Department. A Van Hollen spokesperson said that “the letter really speaks for itself — the Senator is simply seeking more information.” 

On Dec. 28, the Commerce Department responded to Van Hollen in a separate letter obtained by Defense One. “We take these matters seriously,” wrote Wynn W. Coggins, Acting Chief Financial Officer and Assistant Secretary for Administration. “The Department of Commerce shares your concerns about the security of the Information and Communications Technology and Services (ICTS) supply chain and the threats to that supply chain posed by our foreign adversaries and is actively working to address those concerns.” 

Yealink did not respond to a request for comment on this story.

This story has been updated to reflect additional statements from Verizon.

NEXT STORY: 2021 Top Ten: Tech

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.