Chinese technology companies are supplying components used in a wide range of industrial and domestic smart devices that could expose businesses and governments to electronic spying by the Chinese state.
China’s development of cellular internet of things (IoT) modules, which are widely used in smart devices in agriculture, manufacturing, transport and CCTV, poses a serious but largely unrecognised risk, according to a study published today.
The study by Charlie Parton, a leading expert on China with 37 years in the diplomatic service, warns that in the long term, reliance on Chinese made modules in the IoT, poses a greater risk than China’s 5G technology, which was supplied by Huawei – until it was banned in December 2020.
Parton told Computer Weekly that the UK and other countries should ban equipment from companies which ae not trusted suppliers, but said that removing existing IoT devices was not probably practical.
“I would say that the UK, along with other free and open countries, should institute a ban on companies which are not trusted suppliers,” he said.
“I don’t advocate “rip and replace”, which would be impractical, given the number of cellular IoT modules already installed, except in the case of the most sensitive defence and security equipment and processes,” he added.
“Less sensitive areas could be subject to a time limit, after which equipment containing modules from these companies would disqualify a product or company from supplying to government and public users,” he said.
Parton argues that the threats are real. For example, in January, government officials discovered a Chinese cellular IoT module, used as a tracking device in a car used by senior ministers, that had been hidden in parts from Chinese suppliers, according to a report in the i newspaper.
Growth of Chinese IoT suppliers
China’s two dominant IoT module suppliers, Quectel and Fibocom Wireless, supply IoT modules to a range of Chinese technology companies. They include surveillance camera manufacturer HikVision; HiSilicon, which designs silicon chips; DJI, a drone manufacturer; and telecoms equipment supplier ZTE – each of which are subject to export controls in the US.
Fibocom has expanded into Canada and the US, through acquisitions, and has won contracts to supply PC manufacturers such as Lenovo, Dell and HP, which use Fibocom modules in their computers.
Qualtec is targeting the US and Latin America and is trying to break into the overseas automotive market.
Like other Chinese companies, Quectel and Fibocom are bound by China’s national security laws, which require them to comply with requests from the Chinese state.
The report warns that the Chinese Communist Party (CCP) could use IoT modules to harvest data for intelligence purposes.
This could include using IoT modules embedded in supply chains and logistics systems used by defence manufacturers to build up a picture of how many spare parts and weapons systems have been delivered and to where.
Data from IoT modules could also be used to identify individuals who might be susceptible to recruitment by Chinese intelligence agencies.
By combining data from a wide range of sources, it would be possible to identify key government workers and their potential vulnerabilities.
China’s industrial policy aims to ensure Chinese companies dominate new technologies and industries.
What Parton calls “venture communism” encourages Chinese companies to buy out foreign firms, particularly startups which are not protected by the UK’s National Security Investment Act, to grow, obtain technology and intellectual property, or to reduce competition.
He argues that China could access data from IoT modules in logistics, manufacturing and transport systems to monitor industrial supply chains.
That data would provide insights into productivity, the quantity of supplies used by companies and their efficiency.
A malicious actor could use the information to “tune” their bids for infrastructure projects or bids for competitors, says Parton, or to gain other strategic advantages over their competitors.
Privacy risks to individuals
The Chinese Communist Party could also compromise the privacy of the public by gathering data from Chinese-made IoT modules used in, for example, wearable devices such as smartwatches, smart kitchen devices, door cameras, and electricity and gas meters.
By collecting data generated as people interact with IoT devices, particularly electronic payments and travel information, it is possible to work out who has been meeting with whom and where.
Combined with machine learning, it will be possible to predict where a person might be or how they might act at a certain time.
“Such a capability is a threat not just to individual liberty and freedom of choice, but to security through the increased risk of effective blackmail campaigns,” the report says.
Technology from Chinese suppliers underpins the development of smart cities, which provide city authorities with better ways to manage their transport and infrastructure.
However, it is built on the back of work commissioned by the Chinese Communist Party to police minority populations such as the Uighurs, who have been subjected to internment camps in China.
The National Cyber Security Centre, a branch of GCHQ, warned councils in 2019 that smart city technology suppliers may come under pressure to exfiltrate data from the intelligence services in their countries.
Bournemouth County Council dropped plans for a smart city project with Chinese supplier Alibaba following government intervention, while Milton Keynes cancelled a smart city project with Huawei, the Financial Times reported.
According to the report, three Chinese companies have over half of the international market, including the large Chinese domestic market, for cellular IoT modules.
Because China regards the internet of things as a strategic technology, these companies benefit from access to subsidies, preferential pricing, and a domestic market that excludes international competition.
If Chinese companies continue to increase global market share and to edge out foreign competitors, other companies will become dependent on China for cellular IoT modules.
“Given the immense importance of these modules to modern industry and life, this would make other countries highly vulnerable to a threat to withhold supplies,” said the report published by the Washington-based consultancy OODA.
Countries need to take action
Parton argues that western countries need to take action to preserve their IoT manufacturers in the face of Chinese competition, having already taken action over 5G and semiconductors.
“The longer the delay in limiting Chinese cellular IoT modules, the more difficult and expensive it becomes to replace them. The window of opportunity is closing, but it is still open,” he says.