Americans returning to their offices following the surge of the COVID-19 Omicron variant may want to think twice about what they say — Beijing just might be listening in through the phone on their desk.

As senior officials in the United States government, we worked to mitigate the possibility of the Chinese military and intelligence services obtaining access to U.S. or allied telecommunications networks through the back door via companies like Huawei and ZTE. What if, however, the U.S. is letting the Chinese gain access through the front door of a different company?

A recent report by Virginia-based Chain Security outlines several technical issues with the Chinese internet protocol (IP) phone maker, Yealink. Yealink’s desk phones are currently being sold broadly to U.S. businesses and the U.S. government, and according to a Defense One story citing Chain Security CEO Jeff Stern, the company is a top ten desk IP phone provider to government agencies. Concerningly, the Chain Security report found:

· Yealink phones exchanged encrypted messages with Chinese-based cloud server, Alibaba Cloud, multiple times per day.

· Yealink’s device management platform allows Yealink to secretly record user’s phone calls and even track what websites are being visited if a user’s computer is connected to the phone for internet access.

· Like many electronic devices, Yealink’s devices allow for a Superuser Administrator (SYSADMIN) for the stated purpose of executing administrative functions. Yealink’s SYSADMIN is located in China.

· Under law, all Chinese companies are beholden to the Chinese military and intelligence services. Yealink would be compelled to oblige to any Chinese government request seeking the communications of Yealink’s users, including American citizens.

· Yealink’s phones contain specialized semiconductors from Chinese chip maker Rockchip, creating another potential point for China to compromise as we have written in a recent report published by the Center for the Study of the Presidency and Congress.

· Yealink company leadership has concerning ties to the Chinese Government and Communist Party leadership.

These findings raise several important security concerns. For example, merely having one compromised phone can in turn, compromise the entirety of a sensitive conference call conversation among multiple parties. What, if any, sensitive U.S. government conversations are at risk for espionage by China due to Yealink products?

In our view, the report demands further investigation and scrutiny by the United States Department of Commerce (as called for by Senator Chris Van Hollen), the Department of Defense (DOD), the Department of Homeland Security (DHS), the Federal Communications Commission (FCC), and outside think tank technology and telecommunications experts. In addition, the video devices sold by Yealink into the U.S. should be investigated for potential security threats as well.

As the U.S. looks to address this threat, potential remedies could include:

· Adding Yealink to the Commerce Department’s trade blacklist called “The Entity List.”

· An awareness campaign to be shared with U.S. businesses and government agencies that brings the potential threat to their attention.

· Adding Yealink to the list of covered entities for the FCC’s purposes. This could be done via a specific determination made by a national security agency such as DoD or DHS.

Either way, this year, policymakers in Washington should take a closer look at Yealink and the national security risks the use of its phones pose, especially as Yealink may be helping facilitate a closer look at American citizens by our primary geopolitical foe in the world: the Communist Chinese Government.