Corruptible Connections: CCP Ties and Smart Device Dangers

By:

Age: 15 hours

The founder of Xiaomi, Lei Jun, now serves as a deputy to the National People’s Congress. (Source: Lintao Zhang/Getty Images)

Executive Summary:

  • Smart home device manufacturers in the People’s Republic of China (PRC) benefit from efforts by Beijing to export data infrastructure and governance standards along with “Internet of Things” (IoT) devices.
  • Manufacturers like Xiaomi, TCL, and Skyworth maintain strong links with the PRC government via internal Party-aligned structures, leadership by Party members, and participation in bidding for contracts from state-owned enterprises and military procurement.
  • PRC companies have shipped products overseas that have been assessed as having serious cybersecurity risks: a U.S. government agency found TCL smart TVs allowed unauthorized access to the devices’ data and media files, while users discovered Skyworth Group smart TVs were sending back data about other devices in users’ homes back to a Beijing-based company’s servers.

On September 8, the 2025 World Smart Industry Expo concluded in Chongqing. A sprawling event hosting over 600 companies from around the world, the venue comprised 130,000 square meters of indoor exhibition space, in addition to a large outdoor area for live demonstrations of drone hardware and other tech. It was a chance for the People’s Republic of China (PRC) to flex its growing technological and industrial muscles to a global audience (World Internet Congress, September 9).

Coverage of the expo in state media noted that “smart home” (智能居家) technologies were one of five main dedicated sections, along with autonomous networked electric vehicles (智能网联新能源汽车), digitized urban management systems (数字城市), low-altitude autonomous commercial drones (低空经济), and autonomous robots (智能机器) (Xinhua, September 9).

“Smart home” technologies, which include networked consumer-grade appliances under the umbrella of the “Internet of Things” (IoT), are rapidly becoming available in homes across the world. Beijing has spent years ensuring that these products are designed and manufactured in the PRC and then exported alongside data infrastructure and governance standards. Centrally directed efforts since 2009 to control end-product manufacturing, component supply chains, and technical standards point to ambitions to make dominance of the global IoT industry a national priority (China Brief, July 25, August 7).

Within the PRC, legislative requirements to share data via the 2021 “Data Security Law” (数据安全法) mean that, in an authoritarian system that lacks legal protections from government overreach, seemingly innocuous appliances present significant security risks to consumers (Xinhua, June 6, 2021). Such devices range from home security systems to kitchen appliances to smart TVs.

The State Advances in Top IoT Firms 

The United States imports millions of smart home devices from the PRC every year, including those manufactured by PRC companies or foreign manufacturers operating in the country. The largest Chinese smart home device manufacturers, as with similar firms across all sectors in the PRC, have extensive ties to the Chinese Communist Party (CCP). According to the 1993 “Company Law” (公司法), all companies with more than three employees who are CCP members, are required to form CCP cells, branches, or committees composed of company employees (Xinhua, December 29, 2023). As of 2021, companies with 50 or more employees are also required to create Party cells, regardless of the number of Party members employed (MERICS, August 20). This is also the case for foreign companies operating in the country. Since 2021, all 500 of the largest firms in the PRC have such internal party organizations (CNA, September 6, 2024). Much of this renewed pressure has been driven by a newly created ministerial-level body, the Society Work Department (SWD; 社会工作部) (MERICS, August 20; SWD, accessed September 17).

A typical PRC-based smart home device manufacturer is Beijing-based consumer electronics giant Xiaomi (小米). One of the world’s largest manufacturers of smart home devices under its subsidiary Mijia (米家), Xiaomi produces millions of products, including smart TVs, smartphones, electric vehicles, and software. In 2021, the U.S. Department of Defense (DoD) designated the company as a Communist Chinese Military Company (CCMC) due to its military ties, though the designation was later removed following a lawsuit (Reuters, May 26, 2021). Founded by entrepreneur and inventor Lei Jun (雷军), who now serves as a deputy to the National People’s Congress (NPC), Xiaomi established an internal CCP committee in 2015. This year, Lei even presented suggestions for national policy changes in areas like AI governance and electric vehicle regulations to the NPC (People’s Daily, March 9).

An article on the website of the Society Work Department from March 2025 highlights Xiaomi as an exemplar for Party-building within non-state-owned enterprises (非公有制企业). According to the article, the Xiaomi Party Group “promotes the integration of Party building into the entire production and operational process” (推动党建融入生产经营全过程). It notes that Party members constitute 25 percent of its workforce (over 10,000 people), and that Xiaomi’s Party members typically are “young and smart” (年轻、高知), have an average age of 32, and work in technology, product management, or research and development (R&D)—something that holds true across the technology sector. A core aim of those selected to work in the company’s Party organizations is to promote “the resonance and mutual integration of Party-building work and business development” (推动党建工作与企业发展同频共振、互融互促). Among its institutional innovations is the development of a “smart Party-building system” (智慧党建系统) to assist its members. Most relevant to interactive smart devices, the article praises the work of Party members involved in acoustic phonetics R&D within the company’s AI lab. The employees were awarded a “National Pioneering Worker” (全国工人先锋号) award for their work on improving technologies that can perform human-like interactions (SWD, March 18).

Xiaomi’s trajectory over the past decade toward embedding the Party throughout its entire organization does not appear to be exceptional for smart device manufacturing companies. Many other large manufacturers of smart home and IoT devices share even deeper ties to the CCP and PRC government. TCL Technology Group Corp (TCL科技), headquartered in Guangzhou, is a huge—and growing—manufacturer of Smart TVs. In its latest quarterly report, it states that it has grown its global market share in TVs and commercial displays by 4 percent in the last year to 24 percent (TCL, September 13). It is a partially state-owned, and publicly traded, company whose founder and current board chair, Li Dongsheng (李东生), is a Party member (Party Member’s Net, December 12, 2020). This latter detail is omitted from Li’s extensive bio on the company’s English-language website, though it notes that he has received a number of prestigious awards from Party and state bodies over the last four decades (TCL, accessed September 18). But such affiliations are likely of interest to both policymakers and those in industry, as the company has declared a plan to “build a world-leading smart ecosystem” (打造全球领先的智能物联生态系统), in part by shaping industry-wide standards (TCL, September 9, 2021). Reports in the United States have also alleged that the company has received sizable subsidies from central and provincial governments (The National Interest, March 27, 2020).

The prevalence of Party members throughout world-leading manufacturers of smart home devices is principally a concern due to the requirement for members to pursue CCP goals. These goals, as defined by Party leaders, can be inimical to the interests of the United States and its allies and partners (China Brief, September 5). But legal requirements for government cooperation, thanks to the 2021 Data Security Law (数据安全法), provide an additional source of potential risks for those concerned with data security. PRC companies that generate or handle data are required by law to implement security measures such as informing PRC authorities of data breaches or vulnerabilities (Article 29), while simultaneously being obligated to cooperate with PRC authorities by providing data access “for the purpose of safeguarding national security and investigating crimes” (关为了维护国家安全和侦查犯罪的需要) (Article 35) (China Brief, July 16, 2021, September 10, 2024).

Technical Vulnerabilities Warrant Concern

Industry-leading firms in the PRC may pose risks in association with their links to the CCP, but these are not necessarily the firms that pose the biggest risks at the technical level. According to an anonymous source working on IoT cybersecurity regulation and certification within the European Union, lesser-known IoT device companies are the most risky for average users. Larger manufacturers with established reputations and large user bases typically have stronger security features, such as random or user-defined passwords, secure storage, and frequent updates. But some smaller manufacturers are more likely to ship devices with weak security features and leave potential exploits unpatched for longer—sometimes never resolving them at all. The rationale for this relatively lax approach to security, according to the source, is usually a simple profit motive. If demand for a device manufactured by a smaller company only amounts to several thousand units, especially outside of their home market, the company may make the calculation that an exploitable security feature, even if identified, is simply not worth resolving (Author interview, September 15).

Weak device security can be exploited by hackers, often using weak default credentials to gain access to devices by taking advantage of poor encryption. The best way to avoid this is to simply change default passwords on devices to a new, personal, secure password. A typical goal of hackers is to hijack smart home devices (which usually have much lower computing power than a laptop or desktop) and forcibly recruit these devices into a botnet: a swarm of many devices “enslaved” to carry out tasks provided by the person controlling the swarm (also known as a botnet “herder”). The “herder” uses a small fraction of the computing power of each device to carry out Distributed Denial of Service (DDoS) attacks, contacting a target with requests from each device in the swarm to overwhelm it. Botnets can also be used for cryptocurrency mining, again by using a small amount of computing power from each of thousands or even millions of devices to solve blockchain equations to verify cryptocurrency transactions, rewarding the “miner” with a small sum of cryptocurrency.

More disturbingly, once a malicious actor has access to a device linked to a home network, it becomes possible to spread malware from that device onto other networked devices. Even if “quarantined” in less sensitive areas of the home, devices connected to the internet by wifi or ethernet cable still can spread malware to other devices on the same network. This could include personal computers, televisions, or home security systems equipped with cameras and microphones. IoT devices equipped with cameras with weak or no credentials can be found by searching resources like ShoDan.io, a search engine that allows users to search for webcams, microphones, routers, and device types connected to the internet (ShoDan.io, accessed September 17). The security risks associated with unauthorized access to cameras and microphones without the knowledge or permission of their owners are many and varied. They include eavesdropping, command injection (triggering smart speakers to place orders, unlock doors, or open garages via malicious skills), as well as biometric and behavioral profiling.

In recent years, expert assessments have found that some devices manufactured by PRC firms have contained security risks. In 2020, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) found that TCL has shipped products with serious vulnerabilities. At least two TCL-manufactured smart TVs allowed unauthorized access to the device’s data and media files. According to the NIST’s report, any user or device connected to the adjacent network could “arbitrarily browse and download sensitive files” (NIST, November 10, 2020).

Similarly, in 2021, an anonymous poster on the Chinese online forum V2EX said that their smart TV was collecting information and sending it a PRC data analytics company headquartered in Beijing (v2ex, April 22, 2021). The following week, Skyworth Group (創維), the Shenzhen-based maker of the TV, made a statement in response. The company claimed that it had terminated its partnership with the firm responsible for the violations, Gozen Data (勾正数据) (Skyworth, April 27, 2021). It is unclear if any of the models Skyworth sells in the United States were affected, but as the original poster noted, their smart TV was scanning all devices connected to the same wifi network every 10 minutes, sending various information back to a domain owned by Gozen, “gz-data.com” (tom’s guide, May 5, 2021).

Skyworth’s customers extend beyond those overseas. A subsidiary, Skyworth Qunxin Security (創維群欣安防), focuses on security products like CCTV systems and cameras. It has previously been awarded contracts by state-owned enterprises like the Bank of China, and there is historic evidence of Skyworth bidding on contracts with the People’s Liberation Army (PLA). Its current contracts are unknown, but the company was banned from military procurement processes by the PLA in 2024 for “false bidding violations” (虚假投标违规行为) (CPS, September 3, 2008; Sina Finance, December 31, 2024).

In the United States, consumers remain at risk in part due to a lack of any comprehensive program for IoT verification or certification. Individual states like California and Oregon have some privacy and cybersecurity laws, but these are quite basic by global standards (California DOJ; Oregon DOJ, accessed September 18). For instance, EU standards under the 2014 Radio Equipment Directive (RED) cover IoT devices with explicit requirements protecting personal data, privacy, and preventing fraud in place for internet-connected consumer devices (EUR-lex, December 28, 2024). The United States nevertheless contains requirements for what devices can be purchased and used via guidance from federal agencies. The Federal Communications Commission (FCC), for example, is in the process of standing up a new, voluntary labeling program for consumers to understand the security of their smart home and other IoT devices. This program, U.S. Cyber Trust Mark, is expected to come into effect by the end of 2025. Like current EU certification guidelines, specific privacy and security parameters must be met to obtain the U.S. Cyber Trust Mark label.

Products manufactured outside the United States are eligible to apply for the Cyber Trust Mark, but those manufactured by certain entities are not. Proscribed entities largely overlap with the FCC’s Covered List, the U.S. Department of Commerce’s Entity List, and the DoD’s List of Chinese Military Companies (DoD, October 18, 2022; FCC; U.S. Department of Commerce, accessed September 18). Given this, it is conceivable that the deep connections between PRC tech and AI companies and the PRC government could provide justification for an outright ban on many PRC-based manufacturers that currently export smart home and IoT devices to the United States. There are no current plans for such a course of action, which is unlikely to happen without a significant worsening of bilateral relations, but the regulatory powers exist to do so.

Conclusion

The high level of control exerted by government on businesses in the PRC means that IoT devices manufactured in the country may constitute hazards. End users currently have options to mitigate the risk of misuse and exploitation by third parties. Given links to the PRC government and obligations under PRC Data sharing laws, many Chinese manufacturers could prove to be insecure. That said, U.S. Cyber Trust Mark certification and labeling should roll out within the end of the year and provide a simple way for consumers to verify trusted device manufacturers. In the meantime, limiting the use of IoT devices in sensitive areas, including one’s own home, could be the best defense of all.