Securing The IoT From The Threat China Poses To US Infrastructure
Sep 02, 2023
JIUJIANG, CHINA: An engineer inspects servers at a data center run by China Telecom. (Photo credit: ... [+] Feature China/Future Publishing via Getty Images)
The ban on Chinese-manufactured telecommunications and video surveillance equipment, was enacted to secure network infrastructure and monitoring systems here in the US. These bills date back to the US Secure and Trusted Communications Networks Act of 2019, the 2019 Supply Chain Order, and more recently the bipartisan Secure Equipment Act of 2021. These bans even included the “rip and replace” of telecom and networking equipment, with US government subsidies to assist communications and other companies to cover the cost of such an effort.
Now it seems the FCC is setting its sights on securing an even more pervasive network of systems and devices, known as the IoT, or the Internet of Things. However, this time the initiative could impact literally millions of devices and systems already deployed here in the US, from fire and police communications systems, to the automotive industry and critical infrastructure, like public utilities and modern smart city communication networks.
Just imagine if a Chinese state-sponsored threat actor could shut down the entire power grid in a major US city via a backdoor into the communications system of one of these devices. Alarmingly, the threat of this state-of-emergency level of disaster is well within the realm of possibility, and it has raised the antenna of FCC and the Honorable Jessica Rosenworcel, Chairwoman of the FCC.
Why The FCC Is Stepping In To Secure The US IoT
In an August 7th letter to Congress, Rosenworcel details the threat that cellular radio modules manufactured by the People’s Republic of China (PRC), or the Chinese Communist Party (CCP), pose on IoT devices, from cars, trucks and tractors, to medical equipment, other smart devices and more. In closing, Rosenworcel’s letter states “Tackling PRC cellular IoT modules is a natural next step for the FCC, in consultation with appropriate national security agencies. For one, Quectel and Fibocom supply companies whose equipment is already on the FCC’s Covered List. The equipment on this list poses a national security threat to the U.S. and may not receive authorization for importation or sale in the U.S. Similar scrutiny should be considered for any PRC cellular IoT modules in this equipment.”
Fibocom Wireless Radio Module, Made In China
The move seems logical but exactly how these threats could be carried out is where it may get downright scary from the perspective of many US citizens. These radio modules typically consist of either a 4G LTE or 5G modem, along with dedicated controllers and firmware that allow the device to function as a communications link for the host system (IoT camera, car, police equipment, medical or utilities equipment, etc.) to the outside world, through data transfer over the internet. The obvious initial threat is that data communicated over these radios could be exfiltrated and sent back to the manufacturer and country of origin, in this case the PRC or CCP. However, what’s much more alarming is the control these radio modules can have over the host systems they are deployed in.
In her letter to Congress, Rosenworcel details an incident John Deer had with a fleet of tractors. Russia stole about $5 million in farm equipment from a John Deer dealership in Ukraine, in an attempt to bring it back to Russia. Fortunately, the equipment was outfitted with Western-made modules and eventually the module manufacturer was able to brick the tractors and equipment as it crossed the Russian border.
Securing The IoT: The Problem And The Solution
Smart city concept in New York, USA with network communications and internet of things. Credit: ... [+] Getty Images
In discussion with my industry sources, I learned that in fact these modules can indeed be controlled remotely by the module manufacturer, typically for maintenance and security firmware updates, etc. However, the possibility does exist to not only snoop data being communicated over the radio, but also the manufacturer could fairly easily shut down the entire host system, operating on its own and completely out of band. Considering these risks against the backdrop of the install base of these modules, in everything from police body cams, to medical equipment, to your own car and even your local power grid, the security attack surface is both alarming and abundantly present all around us.
The solution here is obvious. The US should immediately investigate banning the import and deployment of Chinese-made cellular radio modules for any devices being sold, shipped and deployed in the US. There are plenty of US alternatives from names like Telit, Sierra Wireless, and U-blox, and all we’d need to do is switch productions lines exclusively to these manufacturers moving forward. In terms of what has already been deployed in the field, the US will probably need to subsidize some retrofitting of systems and devices that can be updated, or issue another rip-and-replace initiative to secure systems already in the market.
Security experts sometimes joke that the best way to secure a device is to just disconnect it from the internet completely. While that’s obviously not possible or practical with respect to the IoT and critical infrastructure systems in the US, securing our connectivity with known, US-made suppliers of these modules is without question a step in the right direction of our collective national security concerns.Why The FCC Is Stepping In To Secure The US IoTSecuring The IoT: The Problem And The Solution