A Chinese-built desk phone used widely across U.S. offices, including government agencies, could be giving away consumer, corporate, and even national security information to the Chinese government, a report revealed this week.
The concerns about the desk phone, the Yealink T54W IP Business Phone, were first described in an August 2021 government report, later cited by Sen. Chris Van Hollen (D-MD) in a September 2021 letter to the Department of Commerce, and first reported by Defense One last week. According to the report, researchers found both common vulnerabilities that are present in many different office phone systems and vulnerabilities that are more specific to Yealink’s services and appeared to have been included more intentionally.
Chain Security authored the report on the Yealink phones and found that the phone and Yealink’s Device Management Platform (DMP) include features that allow Yealink administrators in China to turn on and access call-recording features from their end.
The Yealink DMP Service Agreement also explicitly requires users to accept the laws of the People’s Republic of China (PRC) and agree to arbitrate all legal disputes in China’s Xiamen province. A related set of service terms also states that Yealink may actively monitor its users when required by the “national interest” of the Chinese government.
The Chain Security report also found that, in its default settings, the Yealink phone is vulnerable to malicious infiltration by third-party groups. This means that hackers can access the phones. Chinese state-funded hackers could also theoretically access the phones while giving plausible deniability to the Chinese government as they surveil foreign communications.
The Yealink phone system also does not provide digital certificates that would notify users of potential unauthorized software changes. This makes it harder for users to recognize if their phone systems are being compromised.
In addition to the specific vulnerabilities of the phone system, Chain Security also noted Yealink has close, long-standing ties with the Chinese government. Yealink engineering executive Yang Gui is an Expert Committee Member for the China Ministry of Science and Technology (MOST). The Xiamen City and Party Committee has also given direct financing to the Chinese phone company.
In his Sept. 28 letter, Van Hollen, who serves on the Senate Foreign Relations Committee, asked Commerce Secretary Gina Raimondo if she was aware of the potential vulnerabilities on the Yealink phone system and what her department is doing about it. Van Hollen included the full Chain Security report in his letter.
It remains unclear what the Commerce Department has done since Van Hollen raised concerns about the Chinese phone systems.
Lawmakers have paid increased attention to data security risks posed by China in recent years. The U.S. has banned investments in Huawei and dozens of other Chinese technology companies, out of concern about surveillance features on their devices, as well as their ties to the Chinese government.