Smart home thermostats. Smart home security cameras. Smart refrigerators. Smart TVs. Smart pet feeders. Smart breast pumps.
From rooftop to basement and the bedrooms in between, much of the technology making consumer products smart comes from a little-known Chinese firm, Tuya Inc. of Hangzhou.
Tuya says that, as of 2020, its services cover more than 1,100 categories, such as healthcare, agriculture and apartment management, and are sold in more than 220 countries and regions globally in over 116.5 million smart devices.
More than 5,000 brands have incorporated Tuya’s technology in their products, including Dutch multinational Philips, and TCL, the Chinese electronics company that makes Roku TV, according to the company. Global retailers Amazon, Target and Walmart sell consumer products that use Tuya’s technology.
Some cybersecurity experts worry about the lack of protection for the consumer data collected by Tuya tech in household items and in products used in health care and hospitality.
The experts are urging Washington to limit or ban Tuya from doing business in the United States, in part because a broad new Chinese law requires companies to turn over any and all collected data when the government requests it.
“If you think about this as a safety issue, you can't buy a toy with broken glass in it. You can't buy expired medicines,” said Vince Crisler, CEO of Dark Cubed, a cybersecurity firm in Arlington, Virginia. “Could these devices be considered a safety issue and therefore there is a certain level of standards? I think that's absolutely a starting point where Congress could legislate.”
In October 2020, Republican Senator Marco Rubio introduced the Adversarial Platform Prevention (APP) Act “which would establish a set of data protection and censorship related standards and restrictions that must be met before high-risk foreign software … is permitted to legally operate in the United States.”
VOA Mandarin contacted Rubio’s office for comment on Tuya but received no response.
Tuya technology provides the function known as “platform as a service” (PaaS), which enables things to be “smart” by providing them with an internet connection. The smart devices then create a large, inter-connected network.
This interlocking chain is the so-called internet of things (IoT). While this allows devices to work with little human intervention and makes life easier, the connected devices generate “loads of data that can be used to make the devices useful but can also be mined for other purposes. All this new data, and the Internet-accessible nature of the devices, raises both privacy and security concerns,” according to the website HowStuffWorks.
Backed by Tencent, the Chinese tech conglomerate with close ties to Beijing, Tuya is one of the leading enterprises in the sector less than a decade after its founding in 2014. It raised $915 million when it was listed on the New York Stock Exchange in March.
Cybersecurity experts see Tuya’s data collection as similar to that of Chinese telecom giant Huawei and its 5G-related products because Tuya could “siphon the masses of data – including classified government data – created and shared on its networks, and make it available to the Chinese government,” said an analysis published on the political website, The Hill. “Tuya may well be funneling the information picked up on home security cameras and connected health devices – just to name two examples – back to Beijing.”
The article, by two senior researchers from the Washington think tank American Enterprise Institute (AEI), suggests that the U.S. needs to limit Tuya’s expansion in the American market.
Klon Kitchen, one of the authors and a cybersecurity expert, told VOA Mandarin via email that the central concern is that companies like Tuya must comply with China’s new Data Security Law.
That law stipulates that Chinese enterprises and individuals must support, assist and cooperate with law enforcement on data concerning the national economy, national security and the public. The June 2021 law also forbids any company in China from providing any foreign law enforcement officials with data stored within China.
“This data might be collected, moved, and held in a ‘secure’ fashion … but it must still be given to the CCP (Chinese Communist Party) and therefore there is a persistent threat that must be addressed,” Kitchen said. “Tuya doesn’t have to be incompetent or malicious to be a threat, it only needs to be compliant with Chinese law.”
Tuya has not responded to VOA Mandarin’s request for comment. According to an editor’s note that appears with The Hill analysis, “Regarding the potential for sharing data with the Beijing government, Tuya states that all user data on its platform is assigned to specific regional data centers, according to the users’ locations, and that servers operate independently with no connection to China.”
Scott Ford, CEO of the Kansas City-based tech start-up Pepper, told VOA Mandarin that the industry needs to regulate data flows.
“Let's say that a foreign platform has access to 10 million U.S. households or more; that's a growing risk here,” he told VOA in an interview conducted via Zoom. “The ability to turn everybody's thermostat up at once and create a power grid issue, the ability to access video at any time ... and there's no regulatory environment, there's no protections for those types of things today.”
Bob O’Donnell, president and chief analyst at the market research firm TECHnalysis Research of Foster City, California, told VOA Mandarin in an email that there should be concerns about Chinese companies with strong ties to the government.
“The truth is, the potential negative impact from a massive [Internet of Things]-related attack could be much worse than any 5G-related concerns,” he said. “There are hundreds of millions of connected IoT devices in use today, some of which have personal information such as live video feeds or other data, that could be used for nefarious purposes.”
In March, Dark Cubed studied 10 home smart devices sold in the U.S. market. Priced from $20 to $100, Chinese smart technologies were embedded in most of the items.
“Every IoT device we reviewed had a business connection to China and every product was observed communicating with infrastructure in China, without our permission,” said the report.
Crisler of Dark Cubed told VOA Mandarin that the company found numerous security risks in smart-device apps developed by Tuya.
“There was a lot of potential for information leaks,” Crisler said. “Tuya owns the entire chain ... and there's no insight into how they're using that data.”
Last year, the U.S. passed the Cybersecurity Improvement Act, which covers cybersecurity for IoT devices owned or controlled by the federal government. And the Biden administration has continued an executive order signed by former President Donald Trump in 2019 to protect sensitive data from foreign adversaries.
“The United States must act to protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary,” said EO 13873.
Kitchen said this is a start.
“Tuya is the overwhelming market leader and is quickly gaining a foothold in the U.S.,” he said. “We must address the larger issues beyond Tuya, but we cannot wait for the perfect solution while allowing the CCP to dig deeper and deeper into American IoT infrastructure.”
Lin Yang of VOA’s Mandarin Service contributed to this report.