ASIO alert on product manufacturing espionage

National intelligence chiefs have issued a warning on rampant commercial espionage by China. At an unusual public meeting of the "Five Eyes" intelligence-sharing group, the chiefs warned of the "most sustained, sophisticated and scaled theft of intellectual property (IP) and expertise in human history", making it the number one threat to innovation, with cyber attacks aimed at stealing IP occurring about every 12 hours.


What drew Genesys' attention was the example given by Australia's ASIO director-general Mike Burgess, who described the theft of hardware designs and firmware for an electronic product "similar to a motion detector", which is very typical of the kind of products we design on behalf of our clients.


Five people standing with national flags in the background
The national intelligence chiefs of Australia, the US, UK, Canada and NZ, publicly meeting in San Francisco USA. Source: FBI

According to an article published on ABC News and other media outlets, an Australian company with a globally successful product suddenly found its sales plummeting when an identical but cheaper and inferior-quality replica started being sold out of China. The branding must have been identical as well, because faulty products (due to cheap components) were being returned to the Australian company, which had not manufactured these copies.


The IP theft was traced to a person offering to share information at an international conference who persuaded a company employee to place a USB stick in a company laptop. When the laptop was connected back to the corporate network, malware was used to steal the product designs.


According to Burgess, the IP was taken by Chinese "intelligence services who passed the information to a state-owned enterprise that mass produced the goods and sold them on the market".


During product development, cybersecurity efforts are traditionally focused on making information gathered by products secure, particularly around compliance with government regulations on privacy. This is a complicated exercise in its own right with multiple standards that could be applicable, such as UL 2900-1 on Software Cybersecurity for Network-Connectable Products.


However, product developers should also pay close attention to ensuring that malicious actors are not able to gain access to the IP that underpins their business. IP does not just mean patents, which are ultimately published. IP also covers circuit schematics, PCB layout, firmware code, mechanical components, enclosure designs and more.


Genesys recently undertook a comprehensive cybersecurity audit of its working environment, engaging an external consultant to carry out an independent assessment of our security measures, including penetration testing and identification/closure of vulnerabilities. However, as the above example attests, the most secure IT systems in the world will not work if staff are not aware of social engineering techniques. Staff education and training are key.


We would encourage all product developers in Australia to include a budget for ensuring "external" cybersecurity of their business. This should include the company's own cybersecurity measures as well as an audit of any suppliers that hold critical IP on their behalf. Guidance is available from the Australian Cyber Security Centre run by the Australian Government.

