Chinese Cellular IoT Radio Modules Pose An Alarming US National Security Risk
What Is The IoT And Who Are the Players?
Internet of Things (IoT) is a term bandied about quite often, though it is sometimes unclear what it refers to exactly. In short, IoT is the name given to any device that can receive, process, and/or send data to other devices or systems via the Internet or other Internet-attached communication networks. This could include smart home devices, vehicles, critical infrastructure, or any other internet-connected device, thus making its reach and scope very broad. Despite this broad spectrum, there is specific concern over cellular connectivity modules that provide the actual connectivity capabilities to IoT devices.
The Concern Over IoT Security
This month, the United States House of Representatives’ Select Committee On The Chinese Communist Party penned a letter to the Federal Communications Commission’s (FCC’s) chairwoman, Jessica Rosenworcel, on the security risks of cellular connectivity modules produced by Chinese companies, under the influence of the People’s Republic of China (PRC) or the CCP. This letter highlighted that the CCP has provided “extensive state support to its cellular IoT industry, led by Quectel and Fibocom.” As part of this state-level support, companies must comply with the Party’s demands, such as requests for data, regardless of where that data is held or maintained.
Given this concern, the Committee has effectively requested that the FCC respond to the threat posed by the People’s Republic of China and its IoT industry. It is still somewhat unclear exactly what that ‘threat’ is, however, so we must first look at that.
Examining The Threat Of Chinese IoT Cellular Modules
"Recent events demonstrate the power of these small modules. Last year, Russia stole $5 million worth of farm equipment from a John Deere dealership in Ukraine and attempted to bring it back to Russia. Luckily, that equipment was embedded with Western-made connectivity modules. Because the modules can be controlled remotely and the vehicles require internet connectivity to operate, remotely shutting down the module allows the module provider to shut the vehicle down. When Russia moved the stolen John Deere vehicles across the border into Russia, the modules were disabled—shutting down the equipment and effectively turning the vehicles into bricks."
While bricking vehicles is certainly a concern, it is most definitely not the only one by most accounts. Just like shutting off cars, a threat actor or state-sponsored group might be able to shut off critical life support devices connected to patients in hospitals around the United States, for example. In a wartime situation, scenarios where China could potentially cripple power grids, water systems, and other critical infrastructure, bringing the United States to its knees, are not far-fetched.
Furthermore, there is no real defense for this if companies are building these modules into every IoT device imaginable, with minimal care or caution. We spoke with IoT module industry contacts, who elaborated that it is entirely feasible for these modules to send or receive specific data requests or actions without the host knowing. This is irrespective of whether these communications are in-band (on traditional cellular networks) or out-of-band (on unlicensed frequency spectrum, which can be or has been used for back-channel communications with devices). Moreover, these IoT devices could be tracked without the host’s knowledge, making them an easy target if need be.
Closing out this cacophony of concerns, those backchannel communications could be used to update the devices’ firmware and immediately make them insecure, thereby allowing for a whole host of other security problems.
This Security Risk Is Not New
Even before this happened, in 2019, the FCC raised the alarm about both Huawei and ZTE in the telecommunications sector, explaining that both companies “pose a threat to national security.” While this is not necessarily aimed at the cellular modules in IoT devices, it is certainly related as part of the ongoing, and perhaps escalating, security face-off with China.
Securing The Future Of The IoT - Where Do We Go Now?
At the end of the day, international trade and competition are positive aspects of the global economy, but not when they come at the cost of national security. The United States’ global security profile could be significantly weakened if these Chinese-made IoT modules continue to be built into products in the US, as they could prove to be ticking time bombs unless there is more transparency and less overreach from the CCP. As such, there needs to be some level of response not only from the FCC but from Congress as well, as this very real threat posed by Chinese communication technologies may not be all that far from coming to fruition.