New Delhi: The smart washing machine at your house, the fridge that knows how to monitor temperature and order refills, the coffee machine at work that you can get going while on your way to office — the internet of things is transforming our lives. It is also developing into the most far-reaching and intrusive tool for intelligence gathering, taking spies into our bedrooms and living rooms. The chips embedded into those devices talk to you, but also talk to servers operated by the People’s Republic of China’s intelligence services.
In the US, the risks posed by China-made chips have led government offices to evict entire classes of wi-fi-enabled gadgets from their offices. Top Chinese companies have been barred from selling surveillance equipments.
But in India, key ministries, including Home and Defence, seem unprepared to deal with the looming challenge, an investigation by ThePrint has found.
In recent years, there has been an explosion in the adoption of advanced technologies like the Internet of Things (IoT) and smart products in India. While they seemingly make everyday life easier – they are fraught with risks, especially risks associated with hacks and data leaks to China.
This has consequences in both India’s civil and military domains.
An Israeli cyber firm Toka is reportedly selling technology that can alter digital realities. Essentially, products that can hack surveillance cameras and completely alter their feeds.
Chinese video and surveillance technology and hardware are being banned by the US due to vulnerabilities in their design that allow data to be extracted.
Such cyber technology developments are ominous for India. Both Israeli and Chinese technologies and hardware are central to the ubiquitous IoT, which comprises products like smart surveillance cameras, smart fridges, smart air conditioners, and smart lights that are found in residential and official spaces.
“IoT products are a network of physical objects that are embedded with electronics, software, sensors, and connectivity. They can collect and exchange data with one another to improve efficiency and productivity,” explained Vineet Kumar, founder of CyberPeace foundation.
Further, these technologies are remotely connected and operated via data sensors and wifi.
Also read: Indian troops on China border told to format smartphones, delete 42 apps
Threats to India
Four developments explain why these IoT products pose a threat to India.
Firstly, there has been rapid growth in IoT products in the country over the last decade. A recent report highlights that India’s IoT market grew by 264 per cent in the second quarter of 2022.
Secondly, this rise has coincided with an increase in cyber-attacks in India. Attacks on both India’s digital infrastructure and IoT products have multiplied significantly over the past few years. According to a recent Microsoft report, India is among the top-three nations most vulnerable to malware attacks on IoT products.
Thirdly, given their use in everyday life, IoT products could also pose a threat to India’s military ecosystem. While the armed forces have moved to ban software from China that could pose a threat, there remains a level of ambiguity regarding hardware and IoT.
Fourthly, there is a complicated China link that makes the problem more complex for India.
Two pathways of cyberattacks from China
Cyber and malware attacks originating specifically from China pose a grave threat to India, like the recent attack on the digital infrastructure of New Delhi’s most pivotal hospital – the All India Institute of Medical Sciences (AIIMS) – bringing the capital city’s healthcare nerve centre to a near standstill.
Last year, Chinese hackers had also attacked India’s power grids in the northern region of Ladakh.
“There are two main pathways for Chinese cyberattacks into India. One target is critical infrastructure like electricity grids and digital networks. The other emanates from hardware,” Sameer Patil, Senior Fellow at Observer Research Foundation, told ThePrint.
The hardware for most tech products including those that fall under the IoT category is manufactured in China, even if it may operate on western software. This Chinese hardware may have built-in vulnerabilities that create potential backdoors, making the products susceptible to hacking and allowing the exfiltration of data and information to China, explained Patil.
“Essentially, the data from these products can be taken from servers in China due to these backdoors,” he added.
Adding complexity, China is also a central fulcrum in India’s smart products market.
China’s control over IoT & smart products in India
With the IoT market rapidly expanding in India, data suggests that the sector will have a turnover of over $1.1 billion in 2023. A chunk of this increase in revenue for IoT will fall in the smart products category. Currently, smart products form the largest segment in the IoT market in India.
“In India, a majority of the smart devices like smart lights, smart cameras, and smart air conditioners are using data-transmitting sensors that are not manufactured in India,” Kanishk Gaur, a cybersecurity expert, explained.
The data-transmitting sensors connect to wifi networks and ensure the smart products function remotely.
“The data sensors are where China enters the picture. The majority of these sensors are not manufactured in India and are made in China – they almost have a monopoly in supply,” added Gaur.
Even for data storage, Chinese companies are at the forefront, another cybersecurity professional pointed out.
“The backend systems, servers, and software upgrade mechanisms for all data sensors operate from China. All the data from these smart products can then flow back to China through backdoors or listening channels, thus creating a vulnerability for India,” Gaur said.
The cybersecurity professional explained that “to offset Chinese dependence, India needs to invest in developing the capacity to manufacture data sensors indigenously. While indigenous production may take a while, partnerships with countries like Taiwan and South Korea can be undertaken to offset risks”.
Indigenous production is not necessarily capital-intensive but requires a significant thrust on Research & Development (R&D). Time for this is now, he added.
Given China’s centrality in the sector, and the implied vulnerabilities in IoT products, critical ecosystems like India’s armed forces could face threats too.
India’s defence forces & smart technology
To deter any vulnerabilities and hacking threats from smart technology that is China-dependent, the armed forces have omitted the use of smart devices in technical and operational areas. Only official laptops are allowed for use and not personal ones in official spaces, sources in the defence and security establishment said.
Further, any new software and networks that are incorporated are vetted thoroughly to prevent any vulnerabilities, the sources added.
In the military canteens, no dubious technology or smart products from undesired vendors and contractors are kept, said one source.
But there are no mandates for smart products in the personal homes of military personnel – a potential vulnerability.
“The ability to comprehensively vet smart products in military canteens is fraught with complications,” a defence expert said on the condition of anonymity.
Suppliers, spare parts, and components are part of the supply chain for any product. Being able to thoroughly assess the whole sequence for Chinese connections in a globalised production chain is nearly impossible, he added.
Further, as the threat from Chinese software and applications has been rising, the Indian Army has set out a list of applications that are banned for use by personnel, another source in the defence and security establishment explained.
Specifically, there are 89 apps that have been banned which could be used by foreign intelligence agencies or non-state actors to extract information.
To counter any hacking or extraction of data from China, apps like TikTok, WeChat, SHAREit, Zoom, PUBG, and all Tencent Gaming apps that have connections to China have also been banned from use. All dating apps are banned as well, the source said.
US bans Chinese video & communication tech
In the US, the Federal Communications Commission in November 2022 completely banned the purchase of communication equipment that can pose a threat to national security.
The ban specifically covered all video or telecommunications technologies that are manufactured in China by conglomerates like Huawei and ZTE – extending to smart technology and IoT products.
The ban also extended to other Chinese manufacturers like surveillance equipment-maker Dahua Technology, video surveillance company Hangzhou Hikvision Digital Technology, and telecommunications firm Hytera Communications.
While India hasn’t moved to ban Chinese surveillance and technology outrightly like the US, defence and cyber experts suggest New Delhi may need to pivot to this line of thinking, given the implications on national security.
Lastly, India’s cybersecurity policy and data protection policy have been in the works for years and have still not been made into law. Pushing the needle on these may also help offset vulnerabilities from China-manufactured smart technologies.
(This is an updated version of the copy.)
(Edited by Nida Fatima Siddiqui)
Also read: Indian Army asking officers to stay away from Facebook a knee-jerk, ineffective diktat