Earlier this month, the British government discovered something strange inside one of its diplomatic cars. According to a report from the i newspaper, a geo-locating SIM card was found ‘inside a sealed part’ of the vehicle during a routine sweep of its diplomatic fleet, placed there by the vehicle’s manufacturer in China. While it wasn’t immediately clear whether the component had been broadcasting the car’s movements to the Chinese security services, the idea that such surveillance could be conducted by any third party with remote access to the component held dire implications for the operational security of every UK politician or civil servant being driven around in a government vehicle.
“It would be fascinating to know why the security authorities took that up,” says Charles Parton, referring to the leak to the i – though he has an inkling. Earlier this week, the former British diplomat in China turned national security analyst published a report identifying the spread of Chinese-made cellular IoT modules as one of the most serious cybersecurity challenges facing Western nations today. Typically small enough to balance atop a fingernail, these components are instrumental in allowing IoT devices to connect with each other and with mainline internet networks. What’s more, nearly half of the global market share for the production of IoT cellular modules is in the hands of three Chinese companies – an enormous risk to Western governments and industry, argues Parton.
China’s IoT ambitions
When Tech Monitor caught up with Parton earlier this week, the analyst was busy promoting the report to policymakers on Capitol Hill. The press coverage was, so far, a little disappointing. “It’s concentrating very much on what happens in the home,” says Parton, “which is probably the least important of the two aspects”.
The other, he says, is the security implications for organisations public and private, both of which deploy IoT systems at scale in a variety of sensitive applications. Cellular IoT modules effectively act as the neurons within these networks, equipped with the miniature circuit board and broadcasting equipment necessary to allow individual devices to connect with each other or to the wider internet. They can also be used as a backdoor by third parties to access data generated by the device itself, or as a bridge back to the device’s wider IoT network – necessary for manufacturers to roll out updates remotely or to facilitate off-site processing, but also a boon for your common-variety cybercriminal or hostile nation-state equipped with the relevant credentials to access the module.
That’s precisely why Parton finds it so troubling that the majority of these components are made in China. The right of the Chinese state – or rather, he insists, the Chinese Communist Party (CCP) – to access the data generated by these modules is, he explains, codified in its National Intelligence Law. What’s more, there are plenty of cases outside of IoT where Beijing has been interested in collecting such data, from its hacking of US government personnel files in 2015, to the targeting of several governments across Southeast Asia using a compromised digital certificate late last year. The UK government, meanwhile, has intervened not only to ban the acquisition of new Hikvision cameras to monitor sensitive sites but also to block smart city partnerships between local councils and Chinese technology firms. China’s heavy financial commitment to its IoT sector through various subsidy and grant schemes has additionally allowed it to undercut its international competitors on price, helping to create, Parton argues, new dependencies in the West on Chinese production capabilities and technical expertise.
The implications for Western powers, argues Parton, start with industrial espionage and end with the hoovering up of intelligence vital to Chinese security services. AG525R-GL modules from Quectel, for example, can be found inside Model S Plaid and Model X Plaid Tesla vehicles – a useful tidbit, perhaps, for a third party looking to monitor the location history of a specific car by hacking the module. When asked to comment on the claims outlined in Parton’s report, a spokesperson from China’s embassy in the UK referred Tech Monitor to a previous statement that its government had ‘no need and no interest’ in seeking such data from British vehicles (Tesla did not respond to requests for comment). ‘We urge Tech Monitor to avoid publishing such an absurd and groundless report,’ the spokesperson added, ‘for your own reputation.’
The report also claims that negotiations are ongoing between Quectel and Axon for the manufacturer to supply the latter with modules for its world-famous police body cameras, Quectel having apparently already begun delivering components to a Vietnamese subsidiary (neither Quectel nor Axon responded to requests for comment). The risks from installing such components are obvious, argues Parton. “If you know exactly what the bobby on the beat in Brixton is doing, you’re probably not going to be a great threat to our society,” he says. “But if you get all the data from [body] cameras in the White House or Number 10, or in… more sensitive areas of operation, then you do start getting information which could be a threat to our society.”
Not all of the problems with IoT devices made in China are attributable to malign intent, argues Carsten Rhod Gregersen, the founder of IoT communications provider Nabto. China’s IoT sector has had to fend off a series of allegations in recent years of poor cybersecurity hygiene. Ultimately, Gregersen believes, this can be traced back to a culture of prioritising profits over user protections in the sector. “The whole mindset is cost efficiency, cost efficiency, cost efficiency,” he says.
This observation was shared by another source Tech Monitor spoke to in the European IoT sector, who wished to remain anonymous. They had seen “alarming examples” of China-based IoT manufacturers ignoring basic cybersecurity hygiene in the production process, including routinely leaving default access to the device open to anyone. Eventually, their company stopped partnering with all but the largest and most mature Chinese IoT device manufacturers, simply because the material risk to their business in doing otherwise was so high. After a breach, they said, the public “might just see our name and not understand that the people building the solution on top just ignored all our advice.”
Western companies are not wholly free from blame, says Gregersen. Many choose to source components – and carry out manufacturing – in China, largely because it remains an incredibly cost-effective place to do so. Many major Western technology firms also freely hoover up vast amounts of data about individual consumers and businesses, a fact brought home to Gregersen personally when he realised how much information was being broadcast back to the US by his new Tesla.
Parton himself has little patience for comparisons between US and Chinese tech companies. While the analyst concedes his discomfort about the sheer amount of data being sent back from his devices to companies in Silicon Valley, “I’d rather it be in their hands,” he says, given the CCP’s extensive legal oversight of data generated by Chinese companies and the close association of the latter with the former’s ongoing human rights abuses against Uyghurs in Xinjiang (several Chinese multinationals, including Huawei and Hikvision, have denied this claim).
Nevertheless, there are signs that China-based IoT providers are acting on concerns from Western regulators about the cybersecurity of their products. At CES 2023 earlier this month, for example, Tuya made hay in the South China Morning Post about joining Apple and Google in signing up to the new Matter communications standard for IoT devices. “Finally we can get [the IoT] community to agree that we should put security as one of the top priorities,” said its chief operating officer, Alex Yang Yi.
Parton is sceptical that such actions will reassure Western regulators, or that they’re proof IoT providers in China are acting in the interests of US or European consumers. Nor does he believe individual firms could realistically challenge an order from the CCP to share sensitive data collected from cellular IoT modules. “If you’re a Chinese company,” he says, “you really have no choice but to align yourself with the aims, wishes and ambitions of the Chinese Communist Party.”
Might Western regulators act soon, then, to blunt China’s influence in the IoT sector? Parton hopes so, but for now, he’s fighting an uphill battle to convince policymakers there’s a threat in the first place. “When I mention the term ‘cellular IoT modules’ to… almost all government officials,” he says, “you can detect the blank look that says, ‘No, I don’t know about this’.”
There’s also the fact that there’s little public evidence to suggest the Chinese state is actually taking advantage of Chinese-made IoT products in the way that Parton suggests. “It’s quite difficult to give concrete examples of data egress and losses and damage to us of things that have actually happened,” concedes the analyst – in part, Parton argues, because up until now nobody has been looking (though Western spy agencies have been fairly open about the likelihood of such activity). It is certainly plausible for China to conduct espionage in this way, Ross Anderson, a professor in security engineering at the University of Cambridge, told Tech Monitor, though he doubted the utility of such an approach during a more serious cyber-offensive. “Bear in mind that nation-state actors have got zero-days against most stuff of interest, so they can do targeted attacks in multiple ways,” says Anderson.
There’s also the chance that the next decade may see China’s influence within the IoT sector diminish. For his part, Gregersen has had multiple conversations with other Western IoT providers nervous about their Chinese counterparts’ poor cybersecurity hygiene. “They’re starting to get worried,” he says, with some firms considering moving their manufacturing operations to emerging markets with less controversial reputations, such as India.
There is also growing momentum internationally to tighten IoT governance as it relates to privacy. Gregersen points to the upcoming EU Cyber Resilience Act, which promises to tighten cybersecurity requirements for all IoT manufacturers, foreign and domestic (similar UK legislation, meanwhile, has already come into force). It’s a shift in priorities that Chinese device and component manufacturers are almost certain to adapt to, says Gregersen: “They’re going to move, and they’re going to move fast.”
Parton politely disagrees. Only a complete ban on the purchase of new cellular IoT modules made in China, he says, can begin to end the cybersecurity crisis that he believes the US and its allies have invited upon themselves. Such components, he argues, are cheap, hard to track and vulnerable to malign updates, with many nations lacking the cybersecurity expertise needed to enforce rigid standards that would prevent the wholesale exfiltration of sensitive data. As far as governments are concerned, the only long-term solution as Parton sees it is for the US and each of its allies to devise a list of trusted suppliers of IoT products. He also hopes the debate around cybersecurity in this area will move on from vaguely frivolous suspicions that Beijing could be spying on smart fridges.
“Let’s try and move away from, ‘Is China spying on my kitchen?’,” says Parton. This debate, rather, “is about the dependencies as a nation that we create. And it’s about the egress of enormous amounts of information – which would be made into quite dangerous tools for use against us by a hostile state”.