For more than a decade, cybersecurity experts across the government and private sectors have sounded the alarm about the increasing risks posed by technology products manufactured in China.
The United States’ longstanding dependency on Chinese-made devices has been repeatedly exploited as part of a state-backed effort by China’s ruling communist regime to undermine the strategic interests and national security of the United States, from preinstalled malware on consumer devices to sabotage operations in critical infrastructure.
While not every Chinese-made device poses such a risk, the growing catalog of cyberattacks exploiting Chinese hardware underscores the need for vigilance when purchasing or using such products, and suggests the U.S. government may need to do more to curb its reliance on China for a broad array of devices.
Chinese Malware Preinstalled on US Government-Funded Phones
Sending Americans’ most sensitive personal information directly to China probably wasn’t what the Federal Communications Commission had in mind when it decided to subsidize affordable mobile phones for millions of low-income Americans. That’s exactly what happened, however.
Beginning in 2015, a wide range of budget Android phones manufactured by American company BLU in China were systematically preloaded with malware by suspected Chinese state-backed actors.
Those phones were found by cybersecurity company Kryptowire to have been preloaded with malicious software by the Shanghai Adups Technology Company, an opaque IT services company established in China in 2012, with which BLU had contracted to provide service updates for its devices.
The Adups malware operated at the most foundational level of the phones, including in the wireless update and settings apps, meaning that the malware could not be removed without rendering the phones unusable.
For years, Adups collected granular location data, contact lists, logs for calls and texts, and even the full contents of texts from Americans’ phones. Some of the phones even allowed remote actors believed to be based in China to take screenshots or otherwise seize control of the devices.
To make matters worse, all that data were encrypted and sent back to a server in China, where Chinese Communist Party (CCP) law mandates that information is a national resource, effectively transferring Americans’ most personal data directly to the regime.
The malign activity was able to bypass detection for some time because the malware was embedded in the software of the phone and therefore automatically whitelisted by most malware detection tools, which were programmed to assume that a product’s rudimentary software and firmware would not be malicious.

It’s still unclear just how many Americans were caught up in the operation. Adups claimed on its website in 2016 to have a worldwide presence with more than 700 million active users, and that it also produced firmware integrated into mobile phones, semiconductors, wearable devices, cars, and televisions.
In 2017, the Federal Trade Commission reached a settlement with BLU, finding that the company had knowingly misled its customers about the extent of data that could be collected by Adups.
Mystery Routers Hidden in US Ports
The report revealed that giant ship-to-shore cranes, which are used to unload cargo throughout the United States’ largest ports, had been equipped with Chinese-manufactured modems with no known function.
Investigators warned that the technology embedded in the devices could allow unauthorized access to sensitive U.S. port operations and that some of the modems were also found to have active connections to the operational components of the cranes, suggesting they could be remotely controlled by a device no one previously knew existed.
All of the cranes in question were manufactured in China by Shanghai Zhenhua Heavy Industries, a subsidiary of the state-owned China Communications Construction Co.
U.S. lawmakers noted at the time that Zhenhua’s manufacturing facility was located adjacent to China’s most advanced ship-making facility, where the regime builds its aircraft carriers and houses advanced intelligence capabilities.

In a letter dated Feb. 29, 2024, addressed to the president and chairman of Zhenhua, the lawmakers demanded to know the purpose of the cellular modems discovered on crane components and in a U.S. seaport’s server room that houses firewall and networking equipment.
Exploitation of Chinese Routers, Cameras
Chinese state-sponsored cyber actors have also been found exploiting vulnerabilities in network devices such as home routers, storage devices, and security cameras. These devices, often manufactured in China, have been targeted to serve as additional access points for conducting network intrusions on other entities, effectively leveraging vulnerabilities inherent in certain Chinese-made devices to gain a foothold in American networks, according to the Cybersecurity and Infrastructure Security Agency.
In one such major incident in 2016, Dahua Technology, a leading Chinese manufacturer of surveillance equipment, was linked to a distributed denial-of-service (DDoS) attack. Then, in 2021, security researchers found a flaw in Dahua’s software that allowed hackers to bypass authentication protocols and seize control of the devices.
In the 2016 incident, more than a million devices were exploited and used to create two botnets, which were then used to target the website of a cybersecurity journalist in a DDoS and extortion campaign.
Chinese state-sponsored cyber actors have continued to extensively target these and similar vulnerabilities in Chinese-made security cameras and webcams in the years since.
In February of this year, the Department of Homeland Security distributed a bulletin warning that innumerable such cameras were still being used throughout U.S. infrastructure sites, including in the electrical grid and ports.
That bulletin warned that Chinese-manufactured devices were especially likely to be exploited in cyber attacks and that tens of thousands of the devices had already been used to that end.

In 2024, the bulletin warned that Chinese-manufactured security cameras used in the United States by an American oil and gas firm began communicating with a server in China believed to be linked to the CCP.
“[China]-manufactured, internet-connected cameras and devices could serve as additional vectors for cyber actors to gain and maintain stealthy, persistent access to US critical infrastructure,” the bulletin reads.
Likewise, many of these devices continue to pour into the United States despite their known risks due to a process known as “white-labeling,” according to the document.
White-labeling occurs when the products in question are imported after being packaged and sold by a different company, such as when a compromised security camera is preinstalled on a device manufactured by a different company.
Chinese Devices a Trojan Horse for Sabotage
The repeated exploitation of Chinese-made technology by malign actors, often with the backing of the CCP, underscores the growing cyber threat posed by the regime.
“[Chinese] state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” an advisory published by the agency reads.
That malware is devised “to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness.”
Those efforts to exploit vulnerabilities in devices such as routers and security cameras, and to weaken the United States in preparation for a potential wartime scenario, have been massively successful thus far in no small part due to the prevalence of Chinese-manufactured technology products in the United States.
The increasing reliance on Chinese-manufactured components in public and private systems is a major threat to the United States’ national security that will likely only be overcome by increasing domestic development of critical technologies and related infrastructure.