Lawmakers press FCC for action on Chinese-made cellular modules
Leaders of the House’s panel on China have asked the Federal Communications Commission (FCC) to help combat the threat posed by Chinese-manufactured cellular connectivity modules embedded in Internet of Things (IoT) devices.
The lawmakers cited an incident last year to illustrate the ease with which the modules can be intercepted and shut down from afar. Russian troops stole $5 million worth of John Deere tractors from Ukraine only to have the Illinois-based manufacturer reportedly disable them once they crossed the Russian border by attacking the Western-made connectivity modules, the lawmakers told FCC Chair Jessica Rosenworcel in a letter sent this week.
“Because the modules can be controlled remotely and the vehicles require internet connectivity to operate, remotely shutting down the module allows the module provider to shut the vehicle down,” Reps. Mike Gallagher (R-WI) and Raja Krishnamoorthi (D-IL) wrote. The lawmakers lead the Select Committee on the Chinese Communist Party.
Disabling the modules effectively turned the John Deere vehicles into “bricks,” they noted.
Gallager and Krishnamoorthi asked Rosenworcel for the FCC’s plans for confronting the threat, saying connectivity modules are used in many devices popular in the U.S., ranging from consumer products to telecommunications hardware regulated by the FCC.
In addition to disabling devices, cellular connectivity modules can “access the data flowing from the device to the web server that runs each device,” the letter said.
The committee leaders said they worry that if the Chinese Communist Party (CCP) can control the modules it can not only shut down devices without warning but also exfiltrate data.
“This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data,” the letter said, noting that the CCP is aware of the IoT modules’ capabilities and has pumped resources into its cellular IoT industry.
Read more: NSA chief: Chinese cyber spies continue to improve — but haven't surpassed US
Companies that manufacture cellular modules in China include Quectel and Fibocom. The technology is used by top international companies to power smart cities, drones, and even U.S. first responder body cameras.
As with all Chinese companies, Quectel and Fibocom are forced to provide the CCP with information, including for data stored abroad. More worrying, the letter said, is that both companies appear to be “closely integrated” with the PRC military and state security.
Fibocom’s website even cautions users that the platform “shall comply with … the laws of the People’s Republic of China,” which the lawmakers’ letter said “implies that Americans using a device with a Fibocom module can be surveilled pursuant to PRC law.”
Gallager and Krishnamoorthi praised Rosenworcel for leading the FCC in countering the influence of CCP-controlled technology in American telecom networks by adding equipment and services made by Chinese companies such as Huawei, ZTE and Hikvision to the agency’s “Covered List,” which prohibits targeted firms from receiving equipment authorizations from the commission.
The letter points out that in contrast to Huawei, many American firms still compete with Quectel and Fibocom, meaning that limiting their access to the U.S. market will not hurt companies’ ability to acquire the technology they need.
The congressmen asked Rosenworcel to provide information about whether it keeps tabs on the presence of Quectel, Fibocom, and other PRC-provided cellular IoT modules in the U.S. and whether the FCC shares their concerns on the issue.
The letter also notes that the FCC is reportedly considering whether to require measures to address “individual component parts” and questions if Rosenworcel is considering whether to use the Covered List to go after PRC cellular IoT modules being used in the U.S.
Finally, the congressmen’s letter asks Rosenworcel if she needs or would like more statutory authority to combat the threat.
The FCC recently announced it will oversee an IoT labeling effort to help consumers assess which smart products are safest from a cybersecurity standpoint.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.