
Chinese technology in the ‘Internet of Things’ poses a new threat to the west

The writer is director of Penumbra Analysis, a consultancy specialising in geopolitical risk and emerging technologies

The UK’s move to ban Huawei from its 5G telecoms networks has brought the debate about the security threat from Chinese equipment into the mainstream. There are increasing concerns about western exposure to potentially risky technology: only last month, British MPs and peers called on the government to crack down on the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, which have already been blacklisted by Washington. However, there is one threat that has gone under the radar: the tiny components made by Chinese companies in devices connected by the Internet of Things.

IoT products, which are fitted with data-transmitting sensors and connected over WiFi networks, have evolved from niche industrial applications to being ubiquitous in homes, offices and some vehicles. They are also a critical component of our national infrastructure. This is the technology that will automatically turn our lights on when it gets dark, or power domestic surveillance cameras capable of facial and object recognition. But the same data collected and used by IoT devices — on individuals’ movements, for instance — could easily be used by a hostile state such as China to influence, pressure or threaten an adversary, company or individual.

All these connected functions are enabled by tiny cellular IoT modules. Unlike semiconductors or 5G base stations, they are rarely marketed as complete products, which goes some way to explaining why the risk appears to have been lost on London and Washington.

In a clear parallel with the market domination of telecoms suppliers such as Huawei and ZTE, three Chinese manufacturers hold over 50 per cent of the global market share of cellular IoT modules. Between them, Quectel, Fibocom and China Mobile provide modules to a number of Chinese companies including Huawei, Hikvision and DJI, which have been linked to the repression of Uyghurs in Xinjiang (although the three companies have disputed these ties). While the products of these latter three companies are already under scrutiny or actively restricted in the US, UK or Europe, the same underlying cellular IoT modules are also used by western producers including Tesla, Intel, Dell and Parrot.

This is of concern because we are interacting with IoT devices increasingly regularly: the smart plug on your coffee machine comes on just before you wake up in the morning, and the power usage is collected and quantified by your smart meter. The lighting and heating systems in your office adapt to the presence of workers or changes in the weather. Taken separately, these are relatively innocuous episodes in your day. But collectively, and over a longer period of time, this data provides a rich and deep impression of your lifestyle that could be highly lucrative to a private company, or a powerful tool for the Chinese government seeking to shape the behaviour of its overseas diaspora, blackmail espionage targets, or to exert influence.

Some IoT devices are increasingly being shown to be insecure, not necessarily by design, but by dint of poor manufacture. Recently, CISA, the US cyber security agency, warned of critical vulnerabilities in Chinese-made GPS-enabled IoT devices in cars and motorcycles. They were found to contain hard-coded admin passwords and other flaws that would not only allow Chinese suppliers to monitor the location of these devices remotely, but to potentially cut off the fuel supply while vehicles were in motion. We in the west are beginning to rely on technology that at best fails to live up to our high cyber security standards and at worst has been intentionally designed with “bug doors” through which manufacturers can gain access if they want to.

When challenged over poor coding or product quality, the response from Chinese companies is often conciliatory. Promises are made of improvements and investment in training to ensure that the problems are fixed. But, as reports from the UK’s Huawei Cyber Security Evaluation Centre show, these changes are often slow in coming and rarely solve the underlying issues.

Individuals should educate themselves about how their data can be used, where it is stored and processed and who has access to it. Governments in the US, UK and Europe should take action. The use of these devices and the data they can collect poses a clear risk to national and economic security — and threatens to undermine the commitment to human rights and privacy that we hold dear.


Source: Economy - ft.com
