The writer is director of Penumbra Analysis, a consultancy specializing in geopolitical risk and emerging technologies.
The UK’s decision to ban Huawei from its 5G telecom networks has brought debate over the security threat posed by Chinese equipment into the mainstream. There are growing concerns about the West’s exposure to potentially risky technology: only last month British MPs and colleagues called on the government to stop the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, already blacklisted by Washington. However, there is one threat that has remained under the radar: the small components made by Chinese companies in devices connected by the Internet of Things.
IoT products, equipped with data transfer sensors and connected via Wi-Fi networks, have evolved from niche industrial applications to being ubiquitous in homes, offices and some vehicles. They are also a crucial part of our national infrastructure. This is the technology that turns our lights on automatically when it gets dark, or powers household surveillance cameras that can perform facial and object recognition. But the same data collected and used by IoT devices, for example on the movements of individuals, could easily be used by a hostile state like China to influence, pressure or threaten an adversary, company or individual.
All these connected functions are made possible by small cellular IoT modules. Unlike semiconductors or 5G base stations, they are rarely marketed as complete products, which somewhat explains why the risk seems to have gone unnoticed in London and Washington.
In a clear parallel with the market dominance of telecom providers such as Huawei and ZTE, three Chinese manufacturers hold more than 50 percent of the global market for mobile IoT modules. Quectel, Fibocom and China Mobile are jointly supplying modules to a number of Chinese companies, including Huawei, Hikvision and DJI, which have been linked to the oppression of Uyghurs in Xinjiang (although the three companies have disputed these links). While the products of the latter three companies are already being investigated or actively restricted in the US, UK or Europe, the same underlying mobile IoT modules are also being used by Western manufacturers, including Tesla, Intel, Dell and Parrot.
This is worrying because we are increasingly coming into contact with IoT devices: the smart plug of your coffee machine switches on just before you wake up in the morning, and the power consumption is collected and quantified by your smart meter. The lighting and heating systems in your office adapt to the presence of employees or changes in the weather. Taken separately, these are relatively innocuous episodes of your day. But collectively, and over a longer period of time, this data gives a rich and deep impression of your lifestyle that could prove highly lucrative for a private company, or a powerful tool for the Chinese government looking to shape the behavior of its overseas diaspora, blackmail espionage targets, or exert influence.
Some IoT devices are increasingly being shown to be insecure, not by design per se, but by poor manufacturing. Recently, CISA, the US cybersecurity agency, warned of critical vulnerabilities in China-made GPS-enabled IoT devices in cars and motorcycles. They were found to contain hard-coded administrator passwords and other flaws that would allow Chinese suppliers not only to remotely monitor the location of these devices, but also potentially cut off fuel supplies while vehicles were in motion. We in the West are starting to rely on technology that is at best not up to our high cybersecurity standards and at worst is intentionally designed with “bug doors” that allow manufacturers to access it if they want to.
When Chinese companies are challenged because of poor coding or product quality, their response is often conciliatory. Commitments are made on improvements and investment in training to ensure the issues are resolved. But, as reports from the Huawei Cyber Security Evaluation Center in the UK show, these changes are often slow to get started and rarely resolve the underlying issues.
Individuals should inform themselves about how their data may be used, where it is stored and processed and who has access to it. Governments in the US, UK and Europe must take action. The use of these devices and the data they can collect poses a clear risk to national and economic security – and threatens to undermine the commitment to human rights and privacy that we hold dear.