How Chinese manufacturers’ interception of foreign IoT tech is a threat to our privacy

The Internet of Things (IoT) is ushering in the world of connected devices. Set to become an industry worth $8.9 trillion by 2020, it is, however, one of the rockiest industries for startups entering the field, according to industry insiders. In the “factory of the world,” getting your product manufactured can sometimes also get it stolen.

“Usually, once the [intellectual property] infringement has occurred, there is little that can be done because usually, the Chinese company has managed to get the IP without violating any law,” Dan Harris, Managing Partner at international law firm Harris Bricken, told TechNode.

IP infringement is a problem plaguing China for decades. The issue has recently become one of the main points of the US-China trade tensions. Because they involve many different components—external and internal product design, firmware, software, and sensors—protecting IoT products legally can be complex.

“The problem with IoT is that a product developer is more dependent on a factory to produce the hardware, and costs are a big consideration which requires cooperation because you don’t want to build your own factory,” said Beijing-based software developer Horatio Martin.

Western-style agreements just don’t work

The problem is not only that Chinese manufacturers illegally copying IoT products. Many foreign companies, especially startups, practically give away their IP. According to Harris, foreign IoT companies are “relinquishing their intellectual property to Chinese companies more often, more wantonly, and more destructively than companies in any other industry.”

“The most common mistake we see is foreign companies that turn over their IP to a Chinese company without sufficient protections in place,” said Harris. “This usually occurs when the foreign company wants the Chinese company to help develop a product or manufacture a product.”

Protecting IP rights in the IoT industry is complex but Harris says that the legal framework is better than most realize.

“The legal framework is fine. The two biggest problems are foreign companies not operating within the framework and Chinese courts that are reluctant to get tough on infringement,” said Harris.

He advises companies to sign a China-centric contract with their manufacturer before revealing any IP or trade secrets. As Harris points out on his China Law Blog, companies will sometimes sign agreements with manufacturers both in Chinese and in English but the Chinese one will differ greatly from the English version. Worst of all, Chinese courts will usually only accept the Chinese version.

Technical piracy

Legal protection is just one part of the story—some companies don’t even manage to protect their products on the technical level. Zhai Jing, a self-employed developer of IoT products, says that some IP owners are not even aware of the need to encrypt their software which can be cloned cheap and easy. One example is MCUs or microcontrollers, small computers often embedded in IoT devices.

“IoT devices are commonly produced with MCUs. There is a black market providing a service to crack and copy them,” Zhai told TechNode.

Trade secret theft, piracy, reverse engineering, code tampering, and selling devices on the gray market or outside of the official distribution channel—these are not only attacks on companies’ IP, it can also put end users at risk of data theft and privacy breach.

By now, most of us have heard that intelligent devices such as Amazon’s Alexa can be hacked and used to record our conversations. Other connected devices, such as webcams, security cameras, high-tech baby monitors, smart TVs and even smart refrigerators can be also used to monitor us. This is the price of our new interconnected world: smart devices are in danger of bugs, leaks, and hacks.

However, not many consumers are aware that some of these weaknesses can stem from the manufacturing floors of Shenzhen. While many shoppers are more than happy to buy a knockoff Prada bag, a poorly executed IoT product may carry more risks. And the problem is likely to get bigger as more of our appliances get smarter.

“If the experience of off-shore manufacturing has taught the industry anything, it is that the process of protecting IP should not start when the final product hits the streets,” Martin Warmington, MicrochipDirect global sales manager, wrote for Electronic Sourcing Magazine. “Counterfeiting, reverse engineering, and IP theft can occur on the production line or within an insecure supply chain, making security critical throughout production.”

How IoT can protect itself

To avoid this, foreign IoT companies need to choose the manufacturers wisely, both Zhai and Harris agreed. One way to protect against ripoffs is to not tell the factory what the product is used for or simply lie about its usage, said Zhai. Another is to avoid giving away all the production to one factory and spread out the supply chain.

“That sounds easy in theory but there are still problems that can occur,” said Nick Dimitrijevic, Business Development Manager at Berkeley Sourcing Group, a company that helps hardware startups and established businesses to find manufacturers in China. “If these factories come into contact they could still rip you off.”

Dimitrijevic agrees that legal protection is important. For startups, losing an IP can be a matter of life and death. But he also says that it that can be very expensive for startups to get legal protection and sometimes not effective. A lot can be done before getting IP protection.

“From my perspective, some companies are at times too careful because they do not make enough products for legal protection to be viable for them—they have to strike some kind of balance,” Dimitrijevic told TechNode. “On the other hand, there are manufacturers which systems have great protection. Those are the ones that work with big companies like Apple and Nike. You literally cannot put a flash drive into their system let alone take something out.”

One manufacturer TechNode talked to, who wished to stay anonymous, said that choosing the type of manufacturer can affect a company’s likelihood to be copied. Original Equipment Manufacturers (OEMs) are a type of manufacturer that usually focus on specific products and have R&D capabilities which mean copying a product will be easier for them. For Electronics Manufacturing Services (EMSs) such as Foxconn, copying might be harder.

Similarly, if an IoT company develops its firmware in cooperation with the manufacturer the risk of losing control over their products is greater. On the other hand, developing firmware independently is an effective way of securing the IP of an IoT product, Dimitrijevic explained.

IoT is far from the only industry affected by China’s poor IP protection but things are starting to change. In an earlier interview with TechNode Xiang Wang, China IP Practice Head at international law firm Orrick, said that improvements are coming from various levels: more patents filed by local companies, more IP-related lawsuits, as well as the country’s more important position globally as a key venue for patent litigation. The factory floors of China, however, remain a complex problem to solve.

“It’s not like China doesn’t want to regulate [IP theft], the problem is that there are hundreds of thousands of factories and you cannot control which factory makes what,” Dimitrijevic said. “The size of it all is too big prevent copying.”