Chinese Counter-Devices Raise Concerns Amidst Growing IoT Security Fears
In a concerning turn of events, Russian agents who attempted to pilfer $5 million worth of John Deere tractors in Ukraine last year found their efforts thwarted when skilled remote operators harnessed the capabilities of American-made Internet of Things (IoT) devices to render the vehicles inoperable. However, Representatives Mike Gallagher (R-Wisc.) and Raja Krishnamoorthi (D-Calif.) have sounded the alarm, expressing apprehensions about digital technology firms linked to the People's Republic of China (PRC) and/or the Chinese Communist Party (CCP). The legislators fear that these entities might have conceived and potentially integrated counter devices into a multitude of products, potentially overriding U.S. IoT remote controls.
Addressing their concerns, Gallagher and Krishnamoorthi, respectively the Chairman and Ranking Minority Member of the House Select Committee on the CCP, articulated their worries in a public letter to Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel, released on August 8. The congressmen highlighted the ubiquitous use of connectivity modules in various U.S. devices, encompassing consumer smart gadgets, electric vehicles, and FCC-regulated telecom networks.
"Connectivity modules are used in a wide variety of devices throughout the U.S., from consumer ‘smart devices,’ to electric cars, to U.S. telecom networks regulated by the [Federal Communications Commission] FCC," Mr. Gallagher and Mr. Krishnamoorthi told FCC Chairwoman Jessica Rosenworcel in a letter made public August 8.
"Serving as the link between the device and the internet, these modules have the capacity both to brick the device and to access the data flowing from the device to the web server that runs each device. As a result, if the CCP can control the module, it may be able to effectively exfiltrate data or shut down the IoT device. This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data," the letter said.
The scope of concern goes beyond everyday items; Gallagher and Krishnamoorthi expressed worries about the possible presence of Chinese counter-devices in U.S. military equipment, electric vehicles, an array of agricultural machinery, and even life-saving medical devices, in addition to the FCC's regulatory purview.
A particularly disconcerting aspect is the potential for these counter-devices to not only override IoT remote controls but also to clandestinely copy operational data from IoT-enabled products. Such a prospect ignites significant national security apprehensions, underscoring the urgency to address this issue.
The congressmen's letter also delved into regulatory considerations. They queried whether requiring certification for modules utilized in communication equipment might serve as an effective mechanism to counteract PRC cellular IoT modules infiltrating U.S. networks. Furthermore, the lawmakers inquired whether the FCC sought additional statutory authority to combat the menace posed by PRC cellular IoT modules.
These concerns stem from prior cautionary advisories. Officials have raised alarms about the potential danger of "kill switches" being surreptitiously embedded within U.S. military and infrastructure systems by means of subsystems sourced from Chinese entities. In 2019, then-Secretary of Defense Mark Esper underscored the necessity of safeguarding the integrity of networks, particularly in the face of Chinese technological influence.
The role of Huawei, a prominent Chinese telecommunications corporation, looms large in this narrative. Despite having furnished the U.S. government with cellular phones and communication components worth hundreds of millions of dollars, Huawei and another Chinese tech company, ZTE, faced a ban from further sales in the U.S. by the FCC in 2022.
As the U.S. grapples with the intricate interplay of digital technology, national security, and economic considerations, the vigilant oversight of IoT devices and potential counter-devices becomes paramount. The steps taken by policymakers and regulators in the coming months could significantly shape the trajectory of IoT security and the evolving landscape of technological vulnerabilities.