Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Probability that Chinese intelligence backdoors consumer electronics?
5 points by theoryofx 84 days ago | hide | past | favorite | 7 comments
It seems kind of inevitable that we will discover that Chinese intelligence agencies have been spying on millions of people's homes, businesses, and government offices.

Their government is hostile to most Western countries, to some degree or another, and have the ability to intercept and control the products of every Chinese manufacturer without any legal recourse.

It seems obvious, or at least very likely, that Chinese intelligence agencies backdoor consumer electronics (TVs, routers, switches, wifi APs, ESP32s, air sensors, and the rest).

Maybe they're risk averse and only enable spying on specific devices (government workers, specific targets, and the like)?

Technically any device that supporters auto-updating could be backdoored at any time, for example with targeted firmware delivered to specific devices.

Maybe the NSA is on this and spends a lot of time reverse engineering consumer electronics but sadly I tend to doubt it.

Are there any independent security researchers that spend their time looking into this potentially massive problem?




For anything important, the manufacturer is going to have a way of getting root so enough front-doors exist already, and how well does that company protect its key?

The bottom line is that if the answer to this question is important, assume yes, and for all threat actors.


Is the massive problem you see that the Chinese might be doing this or that the company that sold/gave you your device absolutely is?


The massive problem as I see is that Chinese intelligence has the incentive and capability to do this and yet no one seems to be doing anything about it.


>Maybe the NSA is on this and spends a lot of time reverse engineering consumer electronics but sadly I tend to doubt it.

It's more likely the CIA[0] is exploiting consumer electronics that the NSA -- the Joshua Shulte trial cast a lot of light on the tools folks deploy locally.

There's a LOT more of these exploits that need a human in the loop to deploy -- I'd be more worried about who you let near your electronics than where they were made.

I don't think anyone is deliberately inserting backdoors, but existing business pressures lead to rushed, sloppy code which due to the nature of the internet of things is difficult or impossible to patch.

While these devices may be manufactured in China, they are designed all over -- Korea, Taiwan, and of course, right here in the USA.

Keep in mind how hard it is to avoid "showing your hand" if you have access to information -- even if "The Chinese" (or "The NSA" or any other entity) had some godlike ability to spy, you need a human analyst to listen to the interception. Perhaps a second to translate it. And then someone needs to decide what to do with it. Multiple that by soooo many interesting people having interesting conversations...

I'd focus on things like using E2EE comms, MFA on your accounts, etc rather than some boogieman exploiting nation level tradecraft to own you in particular.

https://en.wikipedia.org/wiki/Joshua_Schulte#Leaks_of_classi...


"these exploits that need a human in the loop to deploy -- I'd be more worried about who you let near your electronics "

These devices are flashed in factories in China and receive firmware updates over the air from China. There's no human required.

"you need a human analyst to listen to the interception. Perhaps a second to translate it."

Have you missed out on this new "AI" thing everyone is talking about?


>These devices are flashed in factories in China and receive firmware updates over the air from China

The updates often come from US based FTP servers.

>Have you missed out on this new "AI" thing everyone is talking about?

Still need an intelligence officer to act on the data -- takes time.


"The updates often come from US based FTP servers."

Almost never FTP and it's not a significant difference if the Chinese company uploads it to S3 and the device downloads it from there.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: