A recent report that shows China could spy on Americans via smart coffee makers is very concerning, since Beijing is waging what is known as unrestricted hybrid warfare, according to data security expert Rex Lee.

Evidence that coffee makers manufactured by China-based firm Kalerm are insecure was uncovered by American researcher Christopher Balding. According to his report (pdf), these internet-connected machines collect information, such as payment data, time, and location, from users in China.

“While we cannot say this company is collecting data on non-Chinese users, all evidence indicates their machines can and do collect data on users outside of Mainland China and store the data in China,” the report warned. “The data is collected at the point of operation from software embedded in the coffee maker.”

According to Kalerm’s website, its coffee makers are sold in 45 countries and regions, including the United States, Canada, the United Kingdom, and Australia. Some of its models are promoted as Internet of Things (IoT) devices, capable of accepting Chinese online payment platforms such as Alipay and WeChat Pay, while the machines can be remotely controlled and monitored using a mobile app.

Intrusive apps and IoT devices are technology making up China’s unrestricted hybrid warfare, Lee said during a recent interview with EpochTV’s “China Insider.” Lee is a former adviser to the U.S. Department of Homeland Security, the National Security Agency (NSA), and the House and Senate Judiciary Committees.

Related CoverageChinese Coffee Machines Could Be Spying on You; Victims in Restaurant Beating Silent in China

China aims to use unrestricted hybrid warfare operations to achieve the objectives of war without actual war. In other words, Lee said China wants to “subdue the enemy without fighting.”

Under the strategy, the Chinese Communist Party (CCP) uses intrusive apps, products, and services to “surveil and data mine the end-user,” Lee said.

The strategy is indiscriminate, Lee continued, saying that it targets everyone, including teens and children.

In the case of problematic coffee makers, Lee said the problem did not lie with the devices, but rather the mobile app used to connect to the machines.

“So you buy a smart coffeemaker, it’s not just smart and sitting there with a camera and a microphone in there. It has to be activated through an app,” Lee said.

“You can actually unplug it [the smart coffee maker], throw it away,” Lee continued. “But if the app is still active on your smartphone, your tablet PC, or your Smart TV, they’re going to be able to surveil and data mine you through the microphone and camera associated with that host device where the app is being hosted.”

An intrusive app “can effectively be able to attach itself to the contact app and collect all of the end-user’s contact information, calendar information,” Lee explained. “It can attach itself to the accelerometer on the device, giving the ability for the app developer to track the end user, whether they’re sitting, walking, riding a bike, or in a car.”

Consequently, the problem is not limited to one particular manufacturer of smart coffee makers. Rather, devices manufactured by companies that share the same app developer would warrant security and privacy concerns, Lee added.

In China, local laws grant CCP officials sweeping authority to collect data. For example, the country’s Cybersecurity Law, which went into effect in 2017, requires that all companies operating in China store their data within China’s borders.

“When you’re talking about apps and platforms developed by companies in adversarial countries, such as China and Russia, then there becomes even a greater privacy and cybersecurity threat associated with using those products and services,” Lee said.

Read MoreHow Chinese Data Trove on 2 Million People Serves Beijing’s Unrestricted WarfareCommunist China’s Silent War Against America

China has for years devoted its attention to the development of its IoT industry. According to China’s state-run media, the sector grew to more than 2.4 trillion yuan (about $375 billion) by the end of 2020, citing data from the country’s Ministry of Industry and Information Technology.

U.S. officials have long taken notice of the threat posed by Chinese IoT devices. In 2018, the U.S.–China Economic and Security Review Commission published a report warning U.S. companies and consumers.

“China is also actively researching IoT vulnerabilities, both for security purposes and almost certainly to collect intelligence, conduct network reconnaissance for cyberattacks, and enhance its domestic surveillance powers,” the report said.

More recently, Reps. Jay Obernolte (R-Calif.) and Sara Jacobs (D-Calif.) introduced new legislation in March, seeking to subject companies selling IoT devices to regular federal review in order to protect American consumers.

“Companies that make the devices can have access to the activity each device monitors, which can result in nefarious use of that data when those companies are connected to China or other known malicious actors,” according to a press release announcing the new bill.

Lee offered a solution to the concerns surrounding IoT devices.

“We can control the distribution of these apps and platforms if Google, Apple, and Microsoft are willing to take a hit in the wallet” for the sake of national security and the security of their end users, Lee said.

“They can stop distributing the surveillance and data-mining apps and platforms,” Lee said.