Does Australia Need A ‘Cyber Trust’ Label For Security Products?
Australian homes and businesses are facing a crisis, especially households or factories that have invested in high-risk Chinese products or have devices with Chinese-manufactured Quectel or Fibocom modules built in. Questions are now being asked as to whether Australia needs a “Cyber Trust Mark” label for devices sold at retailers as well as IoT devices sold to businesses.
What Australians are not realising is that they are increasingly buying Internet-connected “smart” devices that are vulnerable to hackers, experts claim.
Currently Officeworks is selling security cameras manufactured by Chinese company Hikvision, which owns the consumer brand EZVIZ. Hikvision products are banned in Australia, the USA, the UK, and several other countries.
Another questionable Chinese consumer brand is Anker-manufactured Eufy, whose security cameras are sold at Bunnings and JB Hi-Fi.
Because of new security risks, experts now claim that beefed-up security standards will be necessary to address the growing threats from criminals, hostile governments such as South Korea, Chinese hacking groups, Russian and East European hacking gangs, and state-sponsored hacking teams that have been identified as being responsible for major hack attacks on countries such as Australia, the USA, France and the UK.
Public fears about cybersecurity were stoked in Australia earlier this year with attacks on Optus, Telstra, and Medibank. This has seen Australian authorities move to set up security task forces, with the Federal Government currently recruiting people with hacking experience.
Closer to home, hackers have used Ring cameras and Eufy products to spy on kids and even lure them into creepy conversations.
Only this week a mother reported hearing a voice talking to her child in a cot at an NSW home early in the morning.
In the USA Mike Gallagher, the chairman of the House Select Committee on China, is among a growing group of policymakers focused on so-called “Internet of Things,” or IoT devices, which generally are understood as non-computer devices with a web connection.
Examples range from smart TVs, wearable fitness trackers, doorbell cameras, and thermostats to control systems for factories and power plants.
A key concern, according to the congressman, is the fast-growing use of Chinese-made mobile modules that allow smart devices to connect to the Internet. These devices are being widely sold in Australia.
The New York Post claimed that the comments sound like science fiction, but with widespread control of those modules, China could steal data or remotely shut down critical infrastructure in a conflict scenario, according to US lawmakers.
Hackers could crank up AC units en masse to cause power brownouts or take control of self-driving cars or even medical devices like pacemakers – as former Vice President Dick Cheney once feared.
In a statement to The Post, Gallagher said, “modules sourced from [People’s Republic of China] companies like Quectel pose a security risk in any technology, but especially in government hardware, critical infrastructure, and lifesaving first response systems.”
“Using these modules may create a backdoor for malign Chinese government actors to access and potentially cripple our devices,” Gallagher added. “It’s just common sense: critical infrastructure must not be dependent upon CCP technology.”
In August, Gallagher and the committee’s top Democrat, Rep. Raja Krishnamoorthi, asked FCC Chairwoman Jessica Rosenworcel to examine the use of Chinese-made modules.
The lawmakers’ letter said the Chinese Communist Party has “given extensive state support” to the industry and singled out two Chinese firms, Quectel and Fibocom, as major producers of modules widely used in products in Australia and the USA, ranging from smart gear used by State Governments and local councils to drones and even first responder body cameras.
The lawmakers cited Russia’s recent theft of $5 million in farm equipment from a John Deere dealership, only for the vehicles to be rendered useless after their modules were remotely disabled.
A Quectel spokesperson said the company’s “IoT modules do not pose any risk to national security or privacy” and noted that it has “proactively engaged with regulators, government agencies, and industry stakeholders to address any concerns they might have.”
Fibocom did not return a request for comment.
FCC Commissioner Nathan Simington, a Republican, said the threat of a state-sponsored attack on key infrastructure such as industrial installations, public utilities or law enforcement should be taken “totally seriously.”
“In a lot of ways, we’re lucky that a lot of the hacks so far have just been criminal activity,” Simington said. “At the end of the day, criminals are way less resourced than the Chinese NSA or the Russian NSA.”
For consumers, Simington is backing the FCC’s current push for a “US Cyber Trust Mark” label for smart devices that voluntarily adhere to “widely accepted cybersecurity standards,” including regular software updates over a disclosed period of time after the device is released.
In an August statement in support of the FCC’s labelling effort, Simington warned that “attacks on unpatched devices are becoming more frequent and more dangerous” and cited the risk of “botnets,” or networks of hijacked devices utilized in major cyberattacks.
“There are lots of people buying devices every day – we’re talking millions of units a year – they’re buying them on the expectation that those devices are secure,” Simington told The Post.
He indicated that if those expectations are violated, people are going to have some pretty legitimate questions about what exactly various Government departments were doing to minimise the risk from attacks.