Smart home thermostats. Smart home security cameras. Smart refrigerators. Smart TVs. Smart pet feeders. Smart breast pumps.
From rooftop to basement and the bedrooms in between, much of the technology making consumer products smart comes from a little-known Chinese firm, Tuya Inc. of Hangzhou.
Tuya says as of 2020, its services cover more than 1,100 categories, such as healthcare, agriculture and apartment management, and are sold in more than 220 countries and regions globally in over 116.5 million smart devices.
More than 5,000 brands have incorporated Tuya's technology in their products, including Dutch multinational Philips, and TCL, the Chinese electronics company that makes Roku TV, according to the company. Global retailers Amazon, Target and Walmart sell consumer products that use Tuya's technology.
Some cybersecurity experts worry about the lack of protection for the consumer data collected by Tuya tech in household items and in products used in health care and hospitality.
The experts are urging Washington to limit or ban Tuya from doing business in the United States, in part because a broad new Chinese law requires companies to turn over any and all collected data when the government requests it.
"If you think about this as a safety issue, you can't buy a toy with broken glass in it. You can't buy expired medicines," said Vince Crisler, CEO of Dark Cubed, a cybersecurity firm in Arlington, Virginia. "Could these devices be considered a safety issue and therefore there is a certain level of standards? I think that's absolutely a starting point where Congress could legislate."
In October 2020, Republican Senator Marco Rubio introduced the Adversarial Platform Prevention (APP) Act "which would establish a set of data protection and censorship related standards and restrictions that must be met before high-risk foreign software … is permitted to legally operate in the United States."
VOA Mandarin contacted Rubio's office for comment on Tuya but received no response.
Tuya technology provides the function known as "platform as a service" (PaaS), which enables things to be "smart" by providing them with an internet connection. The smart devices then create a large, interconnected network.
This interlocking chain is the so-called internet of things (IoT). While this allows devices to work with little human intervention and makes life easier, the connected devices generate "loads of data that can be used to make the devices useful but can also be mined for other purposes. All this new data, and the Internet-accessible nature of the devices, raises both privacy and security concerns," according to the website HowStuffWorks.
Backed by Tencent, the Chinese tech conglomerate with close ties to Beijing, Tuya is one of the leading enterprises in the sector less than a decade after its founding in 2014. It raised $915 million when it was listed on the New York Stock Exchange in March.
Cybersecurity experts see Tuya's data collection as similar to that of Chinese telecom giant Huawei and its 5G-related products because Tuya could "siphon the masses of data – including classified government data – created and shared on its networks, and make it available to the Chinese government," said an analysis published on the political website The Hill. "Tuya may well be funneling the information picked up on home security cameras and connected health devices – just to name two examples – back to Beijing."
The article, by two senior researchers from the Washington think tank American Enterprise Institute (AEI), suggests that the U.S. needs to limit Tuya's expansion in the American market.
Klon Kitchen, one of the authors and a cybersecurity expert, told VOA Mandarin via email that the central concern is that companies like Tuya must comply with China's new Data Security Law.
That law stipulates that Chinese enterprises and individuals must support, assist and cooperate with law enforcement on data concerning the national economy, national security and the public. The June 2021 law also forbids any company in China from providing any foreign law enforcement officials with data stored within China.
"This data might be collected, moved, and held in a 'secure' fashion … but it must still be given to the CCP (Chinese Communist Party) and therefore there is a persistent threat that must be addressed," Kitchen said. "Tuya doesn't have to be incompetent or malicious to be a threat, it only needs to be compliant with Chinese law."
Tuya has not responded to VOA Mandarin's request for comment. According to an editor's note that appears with The Hill analysis, "Regarding the potential for sharing data with the Beijing government, Tuya states that all user data on its platform is assigned to specific regional data centers, according to the users' locations, and that servers operate independently with no connection to China."
Scott Ford, CEO of the Kansas City-based tech start-up Pepper, told VOA Mandarin that the industry needs to regulate data flows.
"Let's say that a foreign platform has access to 10 million U.S. households or more; that's a growing risk here," he told VOA in an interview conducted via Zoom. "The ability to turn everybody's thermostat up at once and create a power grid issue, the ability to access video at any time ... and there's no regulatory environment, there's no protections for those types of things today."
Bob O'Donnell, president and chief analyst at the market research firm TECHnalysis Research of Foster City, California, told VOA Mandarin in an email that there should be concerns about Chinese companies with strong ties to the government.
"The truth is, the potential negative impact from a massive [Internet of Things]-related attack could be much worse than any 5G-related concerns," he said. "There are hundreds of millions of connected IoT devices in use today, some of which have personal information such as live video feeds or other data, that could be used for nefarious purposes."
In March, Dark Cubed studied 10 home smart devices sold in the U.S. market. The devices were priced from $20 to $100, and most of them had Chinese smart technologies embedded.
"Every IoT device we reviewed had a business connection to China and every product was observed communicating with infrastructure in China, without our permission," said the report.
Crisler of Dark Cubed told VOA Mandarin that the company found numerous security risks in smart-device apps developed by Tuya.
"There was a lot of potential for information leaks," Crisler said. "Tuya owns the entire chain ... and there's no insight into how they're using that data."
Last year, the U.S. passed the Cybersecurity Improvement Act, which covers cybersecurity for IoT devices owned or controlled by the federal government. And the Biden administration has continued an executive order signed by former President Donald Trump in 2019 to protect sensitive data from foreign adversaries.
"The United States must act to protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary," said EO 13873.
Kitchen said this is a start.
"Tuya is the overwhelming market leader and is quickly gaining a foothold in the U.S.," he said. "We must address the larger issues beyond Tuya, but we cannot wait for the perfect solution while allowing the CCP to dig deeper and deeper into American IoT infrastructure." (VOA/RN)
Keywords: China, Cybersecurity, Smart devices, Science and Technology
The government is expected to release a new cybersecurity strategy this year, Lt Gen Rajesh Pant, the National Cybersecurity Coordinator at the Prime Minister's Office, said at an event.
The coordinator, at an event organized by the Public Affairs Forum of India (PAFI), added that the strategy would holistically cover the entire ecosystem of cyberspace in India.
"The vision of this strategy is to ensure safe, secure, resilient, vibrant, and trusted cyberspace," he said.
The new strategy would serve as a guideline to tackle every aspect, whether it is governance or data as a national resource, or building indigenous capabilities or cyber audit, to name a few.
There are about 80-odd deliverables coming out of this new strategy, he added. The theme of the PAFI Dialogue was 'Cyber Security in the New Normal.'
"Pandemic has shot up the cyber-crimes in India by 500 percent and India is one of the top 3 attacked countries in the world as far as cyber-attacks are concerned," Pant said.
There are emerging threats from the proliferation of new technologies like drones and IoT devices. To ensure a safe, secure, and trusted cyberspace, the government has taken a series of initiatives.
"Cybercrimes are increasing. Attribution is the difficult part and now (cybercriminals) have started taking advantage of the dark web. Pandemic gave the perfect storm to the cybercriminals," he added. (IANS/KB)
Cybersecurity researchers have found an interesting piece of malware that, instead of stealing passwords or extorting the owner of a computer for ransom, blocks infected users' computers from visiting a large number of websites dedicated to software piracy. The malware's purpose, however, remains murky. Researchers at Sophos, a global leader in next-generation cybersecurity, have detailed a curious cyberattack campaign that targets users of pirated software with malware designed to block access to websites hosting pirated software.
The developers disguise the malware as cracked versions of popular online games such as Minecraft and Among Us, as well as productivity tools such as Microsoft Office, security software, and others. The disguised malware is distributed via the BitTorrent platform from an account hosted on "ThePirateBay" digital file-sharing website. "Links to the malware are also hosted on Discord. Once installed, the malware blocks the victim's access to a long list of websites, including many that distribute pirated software," the researchers said in a blog post.
The researchers were not able to discern a provenance for this malware. "But its motivation seemed pretty clear: It prevents people from visiting software piracy websites (if only temporarily), and sends the name of the pirated software the user was hoping to use to a website, which also delivers a secondary payload," they explained.
Andrew Brandt, principal threat researcher, Sophos, said: "Sometimes it is easy to see clearly what an adversary's end game is and why they have chosen a particular approach to achieve it. This is not one of those times." On the face of it, the adversary's targets and tools suggest this could be some kind of anti-piracy vigilante operation. "However, the attacker's vast potential target audience -- from gamers to business professionals -- makes the ultimate purpose of this operation a bit murky," Brandt cautioned. At least some of the malware, disguised as pirated copies of a wide variety of software packages, was hosted on the game chat service Discord.
Other copies, distributed through BitTorrent, were also named after popular games, productivity tools, and even security products, accompanied by additional files that make it appear to have originated with a well-known file-sharing account on ThePirateBay. In this malware case, the attackers use an age-old approach: modifying the HOSTS file on an infected device so that a long list of website hostnames resolves to "localhost", thereby blocking the user's access to them.
The malicious files are compiled for 64-bit Windows 10 and then signed with bogus digital certificates that wouldn't pass more than a very rudimentary check. "Once downloaded and installed by a user, the malware hunts for files named 7686789678967896789678 and 412412512512512. If it finds them it stops any further launch of the attack," said Sophos researchers. The malware also triggers a fake error message to appear when it runs, which asks people to re-install the software, they added. (IANS/JC)
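The HOSTS-file tampering and the two marker filenames described above can be checked for from the defender's side. The following script is an added example, not code from Sophos or from the article: it parses HOSTS-file text, reports every public hostname that has been pointed at a loopback or unspecified address (the "localhost" trick), and checks a directory listing for the marker filenames the write-up names. The sample HOSTS content and the directory listing in the usage call are constructed for the example; the hosts-file paths in the `__main__` block are the standard locations on Windows and Unix-like systems.

```python
"""Detect HOSTS-file sinkholing and the marker files named in the Sophos write-up.

Added example; the sample HOSTS text below is constructed and not taken from
an infected machine.
"""
import ipaddress
import os
import sys
from typing import Dict, List

# Names that legitimately map to loopback in a stock HOSTS file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Filenames the article says the malware looks for before launching.
MARKER_FILES = ("7686789678967896789678", "412412512512512")

# Constructed sample: two legitimate entries, three sinkholed names, one ordinary mapping.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file for the example
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         piracy-site-a.example
127.0.0.1       piracy-site-b.example cracks.example
192.0.2.10      intranet.example   # normal entry, not a sinkhole
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname in HOSTS-file text to the address(es) it is given."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line or an address with no names
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def is_sinkhole(addr: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal; HOSTS parsers would ignore it too
    return ip.is_loopback or ip.is_unspecified


def find_blocked_hosts(text: str) -> List[str]:
    """Return public hostnames the HOSTS file redirects to a sinkhole address."""
    blocked = [
        name for name, addrs in parse_hosts(text).items()
        if name not in LOCAL_NAMES and any(is_sinkhole(a) for a in addrs)
    ]
    return sorted(blocked)


def marker_files_present(filenames: List[str]) -> List[str]:
    """Return which of the known marker filenames appear in a directory listing."""
    present = set(filenames)
    return [m for m in MARKER_FILES if m in present]


def default_hosts_path() -> str:
    """Standard HOSTS-file location for the running platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Run against the constructed sample first so the output is reproducible.
    print("sample sinkholed hosts:", find_blocked_hosts(SAMPLE_HOSTS))
    print("sample markers:", marker_files_present(["notes.txt", "7686789678967896789678"]))
    # Then check the live machine; a long list here is the signal the article describes.
    path = default_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            live = find_blocked_hosts(fh.read())
        print(f"{path}: {len(live)} public hostname(s) sinkholed")
```

A stock HOSTS file yields an empty list from `find_blocked_hosts`; a handful of entries may be deliberate ad-blocking, so the useful signal is a sudden long list of sinkholed names combined with the other indicators the write-up gives (the fake re-install error and the marker files).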
Cyberattacks are increasing in frequency and severity, but nearly 80 percent of Indian organizations struggle to provide adequate education to their leaders and employees regarding cybersecurity, according to a survey released on Tuesday. Despite increasing cyberattacks, budgets on cybersecurity have remained stagnant and executive teams continue to underestimate the level of damage threats can do to organizations, revealed the survey by global cybersecurity firm Sophos.
The survey identified that in India, the executives assume that their organization will never get attacked. This was followed by the assumption that even though their organization may be compromised, there is nothing they can do to stop it.
“At a time when data breaches and sophisticated cyberattacks like ransomware are growing at an alarming rate, cybersecurity preparedness is paramount. While businesses are waking up to take note of such attacks and working to secure their organizations, it is vital for them to educate their leaders and employees about the seriousness of cyberattacks,” said Sunil Sharma, MD – sales, at Sophos India and SAARC, in a statement.
“It is high time that cybersecurity is seen as adding value to the overall business and not as a cost. Business leaders should understand that their stakeholders, including customers, will trust them more if they know they are dealing with an organization that follows best cybersecurity practices and that their data is safe,” he added.
The findings also showed 56 percent of Indian organizations weren’t running up-to-date cybersecurity protection at the time of the most significant attack they suffered in the past year. “Organisations need to be more vigilant, educating their employees and leaders about cyber hygiene along with having the right cybersecurity tools, people and processes in place to minimize the impact,” Sharma said. (IANS/JC)