The changes that COVID-19 has brought to this world are unprecedented, affecting every part of our lives, our businesses and our supply chains. We live in strange times when both webcams and toilet paper have become scarce on store shelves for exactly the same reason. The difference between the two is that if you buy the wrong kind of toilet paper, it’s very unlikely that you’ll be compromising your own personal or company security. But if you buy the wrong webcam, security camera, router, VOIP phone system, cell phone, WiFi adapter, or even smart lightbulb, you might be letting hackers into your company and putting your business at risk.
The sad news is that with the global COVID-19 pandemic, many of the name-brand IT components you want to buy are in very short supply. For example, due to the proliferation of people working from home, webcams are in great demand. Brand name webcams like Logitech, a best seller for many years, all but disappeared from Amazon for many months. As a result, lower priced no-name webcams flooded the market to fill the void. While some didn’t work at all, most worked poorly at best. But they all brought with them a certain level of risk.
What Are The Risks?
The risks of buying inexpensive Chinese IT components do not necessarily arise because the manufacturer is Chinese. Many of these issues are also present in products built in Taiwan, Korea, Japan, and Eastern Europe -- most often anywhere technology is advanced and labor is cheap. In fact, the biggest issues have to do with the company culture and security mindset, not the nationality of the brand name slapped on the front of the box.
And to be clear, even USA-based brands have some or all of their internal components built in overseas factories, including Apple, Dell, Netgear, Cisco and almost any other company you can think of. The reality of our global economy is that products come from all over the world, with a majority coming from China.
So what makes these inexpensive Chinese IT components so dangerous to your company?
Lack Of Security Updates
Programmers know that all software has bugs. That includes software written by the most reputable software companies (Microsoft, Oracle), hardware companies (Dell, HP), router/infrastructure companies (Cisco, Netgear), and even cloud software companies (Dropbox, Google Cloud, Amazon AWS, Microsoft Azure).
The hallmark of good software is not necessarily that version 1.0 is bug-free, but that the company behind the product has a culture built around discovering bugs and security issues, and patching its software at a rapid and regular pace.
Manufacturers of lower-priced IT components very often have a different culture, which is based on designing quickly, manufacturing cheaply, and selling rapidly. And so security updates for the “firmware” (code that is built into the components), or the drivers (that connect the components to other devices) are often overlooked. From their perspective, there’s no money in updates.
The result is that bugs -- which are often discovered by either cybersecurity investigators or the general public -- do not get fixed.
An example of this problem can be found in an article by Techradar about the security risks built into home routers. The online magazine reported on a study of home routers conducted by a German organization, Fraunhofer Institute for Communication (FKIE). The study found that of the 127 routers tested, “46 of the products it tested had not received any kind of security update within the past 12 months, with some vendors shipping firmware updates without fixing known vulnerabilities, and one set of products not seeing a firmware update for more than five years.” The list of routers tested included Netgear, ASUS, AVM, D-Link, Linksys, TP-Link and Zyxel.
Trojans and Back Doors
Another risk of buying components from unknown inexpensive Chinese IT vendors is that the companies may intentionally leave Trojans or back doors in their devices. An article published by TechTarget about the dangers of products from Huawei, a major Chinese IT manufacturer, refers to this phenomenon as “intentionally bad software.” The fear is that the manufacturer will intentionally leave undocumented methods for accessing the hardware, perhaps for its own convenience, but certainly without regard to the security implications.
National Security Issues?
The TechTarget article also mentions that certain business and political issues may be competing with customer loyalty and security. According to the article, China “requires that any successful company be intertwined with the Communist Party, which itself is integrated into the government and military infrastructure of the country.”
National Security is not likely a concern when you’re thinking about inexpensive Chinese IT components like webcams and WiFi adapters (though maybe it should be). But National Security is at issue with allowing Huawei to participate in the 5G infrastructure of European and American wireless communications networks. If the Chinese government were to have influence over the performance of infrastructure components during an episode of global cyber warfare, it could have disastrous effects for Western Civilization, the USA, and your organization.
And while National Security probably isn’t an issue with most companies, all companies would like to know that external bad actors do not have the ability to take down their networks or to pry into their company data. In other words, your cybersecurity plan begins long before designing firewall configurations, configuring end-point protection, or writing password policies. Cybersecurity begins with your buying decisions, including which vendors you can trust, and which models perform best for your specific situation.
How Digital Uppercut Can Help
Since 2006, Digital Uppercut has been helping companies with their IT and Cybersecurity planning and ongoing maintenance. If your company is having a difficult time sourcing the right products for your network expansion, or if you are concerned about the origins and security of your current equipment, let’s talk. We can help by reviewing your current infrastructure, determining your needs, and helping to specify and purchase the new equipment and software that is right for you and your organization. Whether you work with us or not, think very carefully before buying inexpensive Chinese IT components.