Chinese Cellular IoT Radio Modules Pose An Alarming US National Security Risk

Over the past year, as tensions have intensified with China over the South China Sea and Taiwan, the United States has begun to focus on Chinese Communist Party (CCP) influenced businesses and organizations operating or providing services in the US. Perhaps the most prevalent example of this is TikTok, and the concern that the social media platform is not only a propaganda tool for the CCP, but also a backdoor into the lives and devices of US citizens. However, the TikTok app affects a somewhat narrow subset of people here in the US, whereas Chinese-made Internet-Of-Things (IoT) cellular modules could reach out and touch exponentially more US citizens.

What Is The IoT And Who Are the Players?

Internet of Things (IoT) is a term bandied about quite often, though it is sometimes unclear what it refers to exactly. In short, IoT is the name given to any device that can receive, process, and/or send data to other devices or systems via the Internet or other Internet-attached communication networks. This could include smart home devices, vehicles, critical infrastructure, or any other internet-connected device, thus making its reach and scope very broad. Despite this broad spectrum, there is specific concern over cellular connectivity modules that provide the actual connectivity capabilities to IoT devices.
In the connectivity module space, there are many players, including those you may have heard of, like Huawei, who encountered issues with telecom equipment, and some you may not have heard of like, Quectel and Fibocom. Regardless of whether you are familiar with these companies, all of them provide products like 4G LTE and 5G modules to international companies, which then further distribute these products on-board devices and applications of their own, such as smart city infrastructure, drones, body cameras worn by first responders, and even critical infrastructure like public utilities. This manufacturing and supply chain dynamic has thereby allowed these connectivity modules to fly under the radar of national security concerns as just another component or subsystem of a random product or device. As such, these modules might just prove to be one of the largest security concerns the US has ever faced as a nation.

The Concern Over IoT Security

As the demand for IoT devices outpaces production capabilities, companies are more willing to implement modules that fit a specific design spec, despite any potential concerns. This is especially true if these Chinese-manufactured parts are able to undercut the pricing of their Western counterparts. Thus, Chinese-manufactured connectivity modules from the aforementioned companies might make it to production in the United States, connecting homes, vehicles, and other smart devices to the Internet while hiding dark secrets.

This month, the United States House of Representatives’ Select Committee On The Chinese Communist Party penned a letter to the Federal Communications Commission’s (FCC’s) chairwoman, Jessica Rosenworcel, on the security risks of cellular connectivity modules produced by Chinese companies, under the influence of the People’s Republic of China (PRC) or the CCP. This letter highlighted that the CCP has provided “extensive state support to its cellular IoT industry, led by Quectel and Fibocom.” As part of this state-level support, companies must comply with the Party’s demands, such as requests for data, regardless of where that data is held or maintained.

Given this concern, the Committee has effectively requested that the FCC respond to the threat posed by the People’s Republic of China and its IoT industry. Though, it is still somewhat unclear exactly what that ‘threat’ is, so we must first look at that.

Examining The Threat Of Chinese IoT Cellular Modules

While the letter from the committee primarily outlined concerns about data access by the CCP, it also details other forms of access to any IoT device. Namely, it alludes to the possibility of shutting down IoT devices altogether, with an anecdote about stolen John Deere tractors that were disabled using Western-made modules:

"Recent events demonstrate the power of these small modules. Last year, Russia stole $5 million worth of farm equipment from a John Deere dealership in Ukraine and attempted to bring it back to Russia.1 Luckily, that equipment was embedded with Western-made connectivity modules. Because the modules can be controlled remotely and the vehicles require internet connectivity to operate, remotely shutting down the module allows the module provider to shut the vehicle down. When Russia moved the stolen John Deere vehicles across the border into Russia, the modules were disabled—shutting down the equipment and effectively turning the vehicles into bricks."

While bricking vehicles is certainly a concern, it is most definitely not the only one by most accounts. Just like shutting off cars, a threat actor or state-sponsored group might be able to shut off critical life support devices connected to patients in hospitals around the United States, for example. In a wartime situation, scenarios where China could potentially cripple power grids, water systems, and other critical infrastructure, bringing the United States to its knees, are not far-fetched.

Furthermore, there is no real defense for this if companies are building these modules into every IoT device imaginable, with minimal care or caution. We spoke with IoT module industry contacts, who elaborated that it is entirely feasible for these modules to send or receive specific data requests or actions without the host knowing. This is irrespective of whether these communications are in-band (on traditional cellular networks), or out-of-band (on unlicensed frequency spectrum, which can be or has been used for back-channel communications with devices. Moreover, these IoT devices could be tracked without the host’s knowledge, making them an easy target if need be.

Closing out this cacophony of concerns, those backchannel communications could be used to update the devices’ firmware and immediately make them insecure, thereby allowing for a whole host of other security problems.

This Security Risk Is Not New

Though much of this is quite concerning, it is not necessarily a newly discovered problem in the security world. In March of 2023, Sen. Mark R. Warner [D-VA] and John Thune [R-SD] introduced the RESTRICT Act, a bill that was railed against as being too vague and overreaching. While that may or may not be true, the bill mentions the need to evaluate the hardware within many different devices, including vehicles, drones, and other things listed in the aforementioned Committee letter.

Even before this happened, in 2019, the FCC raised the alarm about both Huawei and ZTE in the telecommunications sector, explaining that both companies “pose a threat to national security.” While this is not necessarily aimed at the cellular modules in IoT devices, it is certainly related as part of the ongoing, and perhaps escalating, security face-off with China.

Securing The Future Of The IoT - Where Do We Go Now?

At the end of the day, international trade and competition are all positive aspects of the global economy, but not when it comes at the cost of national security. The United States’ global security profile could be significantly weakened if these Chinese-made IoT modules are continually implemented in products state-side in the US, as they could prove to be ticking timebombs, unless there was more transparency and less overreach from the CCP.

As such, there needs to be some level of response not only from the FCC but Congress as well, as this very real threat posed by Chinese communication technologies may not be all that far from coming to fruition.