When police, firefighters and other first responders across the U.S. rush to emergencies, they rely on special devices to avoid overwhelmed public networks.
Chinese spies could be listening in.
Chinese-made components in devices certified for use on the federally managed FirstNet public safety network are designed to be able to send information back to servers in China and it’s not clear how effective the security measures to prevent that are, according to engineers and industry sources with knowledge of the equipment who spoke to Newsweek. The components, or cellular connectivity modules, are generally used to connect objects, whether cars or medical equipment, to the internet.
The growing ubiquity of Chinese cellular connectivity modules in these and other devices in the so-called Internet of Things has prompted concerns in Congress, including a letter from the House Select Committee on Strategic Competition between the U.S. and the Chinese Communist Party urging regulators to address the potential security risk. It also promises to open a new front in the increasingly complicated tussle over technology between Washington and Beijing.
“Using these modules may create a backdoor for malign Chinese government actors to access and potentially cripple first-response devices,” Select Committee Chairman Rep. Mike Gallagher (R-WI) told Newsweek.
“It’s just common sense: American critical infrastructure must not be dependent upon CCP [Chinese Communist Party] technology,” Gallagher said. The letter is also signed by select committee ranking member Rep. Raja Krishnamoorthi (D-IL).
Officials from the FirstNet Authority, the federal agency that manages the emergency network, told Newsweek that Chinese modules are used in devices certified for their system, but said their testing and other measures keep them secure. Security experts and former officials said they were much less confident.
The House committee’s letter sent on Monday urges the Federal Communications Commission (FCC) to use the same tools Congress gave it to keep Chinese firms, such as Huawei, out of the 5G infrastructure in the United States. While the measures against those companies drew wide attention—and denials of any harmful activities from the Chinese firms—the concerns over Chinese-made modules in sensitive equipment made by lesser-known companies such as Quectel have been little reported.
Both the U.S. and China see it as vital to dominate emerging technologies. U.S. administrations have sought to restrict China’s imports of cutting-edge technology such as high-performance microchips, and to keep Chinese-made networking equipment out of the newly built 5G backbone in the U.S. China has rejected any suggestion that its companies are a threat to the U.S., but it has also applied its own sanctions on some U.S. firms.
The Internet of Things—”machines talking to machines on the internet”—is a fast-growing technology that extends far beyond secure communications. It is in so-called smart consumer goods such as refrigerators, light bulbs and garage doors, as well as automobiles, medical equipment and aircraft maintenance systems, to name just a few. A smart refrigerator, for instance, would track its contents, send text or email messages to remind you of expiration dates, and order a delivery when you’re low on eggs.
Data from the cellular modules represents a potential “goldmine” for Chinese intelligence, which could analyze information collected from millions of connected devices for insights into what is happening in the U.S. at times of national crisis—or at any other time—according to engineers, former diplomats and intelligence officials.
In addition to questions over the U.S. reliance on Chinese technology in areas such as policing and disaster response, there are also concerns over risks to key infrastructure such as energy and transportation. Chinese Communist Party leaders have repeatedly said they are pursuing global economic, military, scientific and technological preeminence by 2049 while U.S. intelligence services have labeled China as the greatest threat to the country.
Disabling Every Police Bodycam With the Click of a Mouse?
Western experts are especially alarmed because China’s sweeping national security laws compel its technology companies to share any data they have anywhere in the world if requested by the country’s intelligence services, said retired British diplomat Charles Parton, who spent more than two decades working on or in China and is now a fellow at the Royal United Services Institute.
“All the data goes back to China. Data of that kind, at this scale, it’s a goldmine for Chinese intelligence agencies to exploit if Chinese companies dominate the supply of these modules,” Parton said. “Imagine knowing the location, minute by minute, of every police bodycam in the United States or the U.K.”
The sensitive devices the Chinese-made modules are in could even be sabotaged en masse to help destabilize the U.S. in the event of a war, either by switching them off or — more subtly—degrading their performance, experts say.
“Imagine being able to power down every police bodycam in the U.S., disable them with the click of a mouse. China would never need to fight America; they could just turn it off. That is perfectly possible,” said Parton, who researched and wrote a white paper on the vulnerabilities created by Western reliance on these modules.
FirstNet officials and sources close to device manufacturers said that the way Chinese modules are built into FirstNet-certified devices locks them down, and that no data is sent to China.
“Ensuring the security of the FirstNet network is paramount to the success and safety of our public safety users,” FirstNet Authority Communications Director Ryan Oremland told Newsweek in written responses to questions. He said there was “a robust process,” including extensive testing, to ensure “the highest levels of security are maintained on the network and any equipment or devices that are used on the network.”
AT&T, which runs the FirstNet Network under contract from the federal government, audited Chinese-made modules in 2018, the company’s head of FirstNet operations, Scott Agnew, told Newsweek by email, “to ensure they can operate safely and securely on the FirstNet network.”
Before being allowed on the network, devices undergo a battery of more than 3,500 tests, he added, “including examining firmware and data transports.”
Manufacturers of devices used on FirstNet that were approached by Newsweek declined to comment on the risk of data transmission to China.
Security experts and former officials said they did not trust the view of some in the industry that the modules have been engineered into devices in a way that prevents transmission of data. They said the basic capabilities of the modules and the lack of transparency of the companies that manufacture them in China made it impossible to trust them.
Cellular modules are small, matchbox-to-cigarette-pack-sized components, a kind of stripped-down mobile phone. They enable the device which they’re inside, to connect to the mobile phone network and become part of the Internet of Things (IoT). Consumers benefit from the ease that IoT connectivity provides, and companies benefit from the data they can get from the devices—both to improve their products and to sell additional services.
Financial Support from the Chinese State
In 2022, there were 202 million cellular IoT connections in the U.S. and 2.8 billion worldwide, according to Satyajit Sinha, principal analyst at IoT Analytics, a Hamburg, Germany-based company. Those numbers are set to more than double—to 450 million and 5.8 billion respectively—over five years. Two-thirds—4 billion—of those cellular connections will be in China, Sinha said.
The top two cellular module manufacturers in the world in 2022—Quectel and Fibocom—were in China, according to IoT Analytics.
Their close ties to the Chinese Communist Party are clear from the significant state support they receive in the form of financial subsidies, grants, and tax breaks, according to an extensive review by Newsweek of Chinese-language company reports, official documents and state media accounts.
Communist Party leaders make no secret about the role technology will play in their publicly declared goal of global preeminence. IoT was identified as an “emerging strategic industry” as early as 2009. By 2012, the powerful Ministry of Industry and Information Technology—which works closely with the Ministry of State Security—was calling the technology “strategic high ground.” China’s 13th and 14th Five Year plans, running from 2016 to 2025, identified IoT technology as part of the “information flow” along the Belt and Road Initiative, China’s vast push to build a hold on global infrastructure.
Dominating emerging technology markets such as IoT isn’t only an economic goal, say security experts and former officials. China’s leaders believe it is also the key to a new world order that will enable the Communist Party to further consolidate control at home and extend it around the world, according to Liza Tobin, a former national security official who has worked on China issues at the CIA, the Pentagon and the White House. They “understand that the nation which controls the technology…controls the world, and gets to write the rules of the road for the digital economy, and for the information that flows over those networks,” she said.
The ambition to “build a science and technology superpower” was highlighted in Chinese leader Xi Jinping‘s latest book, published in May, and titled On Technology, Self-reliance and Self-improvement.
In 2022, Quectel, which Beijing has designated a “national champion” in IoT technology, reported annual operating revenue of just under $2 billion and owned 38.5 percent of the global market for modules by volume, according to Counterpoint Research. That makes it the backbone of China’s burgeoning dominance in the sector.
Altogether, the dozen or so Chinese manufacturers had 77 percent of the global market by volume last year, although that includes the huge Chinese domestic market. Outside China, Chinese companies expanded to capture 53 percent of all sales by volume last year, Counterpoint’s senior research analyst, Soumen Mandal, told Newsweek.
Contributing to this success has been a variety of direct and indirect financial support from the Chinese state, including export tax rebates, other exemptions and offsets designed to support high-tech businesses, and a preferential tax rate 10 percentage points lower than the regular company tax of 25 percent. Subsidies also come from local governments. Official media reported in May that the ground-breaking ceremony for Quectel’s $175 million new HQ in a state-sponsored special high-tech commercial and R&D zone in Shanghai was attended by senior local and municipal party officials, indicating government backing of the project and the company.
A Newsweek analysis of Chinese-language company reports, official documents and state media accounts shows that Quectel receives hundreds of millions of dollars in direct and indirect support.
But Newsweek was unable to quantify the exact value of state support for Quectel and other module manufacturers. A 2022 report by the Center for Strategic and International Studies found that most estimates of state support to industry in China “understate” subsidies to private sector companies “including ‘national champions’ in high-tech sectors.”
‘A Very Different Ballgame’
Two executives at Western IoT companies told Newsweek that the impact of the subsidies on their marketplace was obvious: Chinese module manufacturers undercut their Western competitors’ prices by 15 or 20 percent while paying their top sales staff four or five times what they would earn at one of those competitors.
One executive noted that Quectel reported a gross margin of 19 percent in 2022, less than half of most Western competitors. The 6,000 personnel that Quectel says it has working in research and development also gives it an edge over Western peers.
For Chinese technology companies, the strategic imperatives of the state were more important than profits, said Tobin.
“It’s a very different ballgame,” she said.
Quectel did not respond to Newsweek’s emailed questions on data transmission, its links to the state, subsidies and financial performance, but in its 2022 annual report, the company acknowledged government backing for its technology.
“Our country has established various policies to speed up the development of intelligentization for different industries,” the report states, using a term that can encompass digital transformation, big data and artificial intelligence. The report says the applications of Quectel modules in IoT technology “are as many as the countless stars in the sky.”
In a recent white paper, Quectel highlighted the benefits of IoT technology from aiding vaccine distribution to feeding the world.
In becoming the dominant global players in IoT modules, Chinese companies would be following the path of other technology companies that became hard to catch once they established an edge—from Microsoft in personal computer software to Huawei in 5G infrastructure.
Meaningless Security Tests?
They’re also in more than 130 devices certified by the FirstNet Authority for use on their dedicated first-responder network.
The problem, say experts, is that the firmware, which controls the modules, can be updated over-the-air by the manufacturer, changing its capabilities, for instance, to upgrade it or fix security flaws.
“If you can update the firmware, you can change the capabilities at any moment,” said Jack Wilmer, former chief information security officer at the Department of Defense.
Over-the-air updates are a powerful security tool, used by companies such as Apple to push fixes for newly discovered vulnerabilities out to hundreds of millions of iPhone users. But a malicious manufacturer, or one acting at the behest of a competitor state such as China, could use that capability to open backdoors in the module, and try to steal data, he said.
“You can test a component, to see if it’s secure,” Wilmer told Newsweek. “But if it can be updated over-the-air, that test is meaningless the minute it’s updated.”
Firmware updates could also be used to “brick” the modules, meaning render them permanently inoperable.
According to the letter sent by the House Committee on Monday, that happened when Russia stole $5 million worth of farm equipment from Ukraine. The John Deere vehicles were made inoperable as the Western-made modules inside were disabled remotely.
Industry sources told Newsweek that many FirstNet-certified device manufacturers hosted the firmware updates for their Chinese-made cellular modules on a U.S.-based portal and were able to check them for any malicious code.
But it is not just the updates that are a problem. Testing also might not find capabilities hidden in the module, said David Klein, an IoT specialist and security analyst for Baltimore, Maryland-based Independent Security Evaluators.
“Maybe it isn’t compromised in a way that it’s always sending traffic,” which would be visible during testing, he said. But the manufacturer could easily build a backdoor in the module, “so that when needed, they can ask it for data. That is a little bit tougher to discover than something that is constantly transmitting.”
Technical issues like that require manufacturers to exercise caution when considering the use of Chinese-made technology such as cellular modules, Eric Goldstein, Cybersecurity and Infrastructure Security Agency (CISA) executive assistant director for cybersecurity told Newsweek via email.
CISA, an agency of the Department of Homeland Security, urges “all organizations to understand and consider the cybersecurity and supply chain risks associated with devices made in China or subject to PRC [People’s Republic of China] data security laws,” he said.
The complexity of the technology and the lack of transparency about the manufacturers make it impossible to trust Chinese-made modules, John Cohen, former acting undersecretary of intelligence at the Department of Homeland Security, told Newsweek.
“You have to assume that data communicated via any IT, computer or communications technology made by a Chinese company can be accessed by Chinese intelligence,” Cohen said.
“Chinese plans to grow their presence in these new technology markets and eventually dominate them aren’t just part of their economic strategy. They know they can access the data these devices produce and they are also a major part of Beijing’s intelligence collection strategies,” said Cohen, now a senior expert at the Argonne National Laboratory as well as an adjunct professor at Georgetown University’s Center for Security Studies.
Cohen said state and local governments were a priority for Chinese intelligence, but that they had more limited capabilities than the federal government to detect any misuse of the modules and were given only limited federal help.
Addressing the risks posed by Chinese-made technologies is a complex problem for policymakers because U.S. businesses have spent decades outsourcing production to China, according to Tobin, who is now at the Special Competitive Studies Project, a think tank set up by former Google CEO Eric Schmidt to focus on the U.S. technological contest with China.
“We forgot it was important to make things,” she said. It was a pattern that had been repeated too many times, she added, giving the examples of Huawei and ZTE in 5G, or DJI, another Chinese tech company, in consumer drones, as well as the markets for solar panels and electric vehicle batteries.
Western competitors do not have the production capacity to make a total ban on Chinese module imports a realistic option, she said, but policymakers needed to consider how to best protect security interests and keep Chinese technology out of vital industries. “Not on Air Force One, not in our electricity grid, not in our water systems,” she said.
“Our critical infrastructure shouldn’t be dependent on a strategic rival,” Tobin said. “This is a country that we’re preparing to go to war with, if we have to.”
Shaun Waterman can be reached at firstname.lastname@example.org. Follow him on Twitter @WatermanReports.
Didi Kirsten Tatlow can be reached at email@example.com. Follow her on Twitter @dktatlow