US homes and infrastructure are increasingly outfitted with Internet-connected “smart” devices that are vulnerable to hackers — and lawmakers claim beefed-up security standards will be necessary to address growing threats from criminals and hostile governments alike.
Public fears about cybersecurity were stoked by ransomware attacks on the Colonial Pipeline and meat producer JBS in 2021, as well as federal warnings of foreign attacks on the US power grid. Closer to home, hackers have used Ring cameras to spy on kids and even lure them into creepy conversations.
Rep. Mike Gallagher (R-Wis.), chairman of the House Select Committee on China, is among a growing group of policymakers focused on so-called “Internet of Things,” or IoT devices, which generally are understood as non-computer devices with a web connection.
Examples range from smart TVs, wearable fitness trackers, doorbell cameras, and thermostats to control systems for factories and power plants. A key cause for worry, according to the congressman, is the fast-growing use of Chinese-made cellular modules that allow smart devices to connect to the Internet.
It sounds like science fiction, but with widespread control of those modules, China could steal US data or remotely shut down critical infrastructure in a conflict scenario, according to concerned lawmakers. Hackers could crank up AC units en masse to cause power brownouts, or take control of self-driving cars or even medical devices like pacemakers – as former Vice President Dick Cheney once feared.
In a statement to The Post, Gallagher said “modules sourced from [People’s Republic of China] companies like Quectel pose a security risk in any US technology, but especially in government hardware, critical infrastructure, and life-saving first response systems.
“Using these modules may create a backdoor for malign Chinese government actors to access and potentially cripple our devices,” Gallagher added. “It’s just common sense: American critical infrastructure must not be dependent upon CCP technology.”
In August, Gallagher and the committee’s top Democrat, Rep. Raja Krishnamoorthi, asked FCC Chairwoman Jessica Rosenworcel to examine the use of Chinese-made cellular modules.
The lawmakers’ letter said the Chinese Communist Party has “given extensive state support” to the industry and singled out two Chinese firms, Quectel and Fibocom, as major producers of modules widely used in US products ranging from smart cities and drones to US first responder body cameras.
The lawmakers cited Russia’s recent theft of $5 million in farm equipment from a John Deere dealership in Ukraine – only for the vehicles to be rendered useless after their modules were remotely disabled.
Last month, Rosenworcel followed up on the lawmakers’ request by asking the Justice Department, the FBI and other federal agencies to consider whether the use of components made by Quectel and Fibocom poses a national security threat.
A Quectel spokesperson said the company’s “IoT modules do not pose any risk to national security or privacy” and noted that it has “proactively engaged with regulators, government agencies, and industry stakeholders to address any concerns they might have.”
“Quectel is an independent public company and makes its own business decisions,” the spokesperson said. “It is neither owned nor controlled by the Chinese government. Quectel does not and has not shared, transferred, or publicly disclosed data with the Chinese government. The Chinese government has never requested any data from Quectel.”
Fibocom did not immediately return a request for comment.
FCC Commissioner Nathan Simington, a Republican, said the threat of a state-sponsored attack on key infrastructure such as industrial installations, public utilities or law enforcement should be taken “totally seriously.”
Any company or operator potentially at risk should be “engaged with its regulators on an ongoing basis and should develop more of an accountability plan,” he added.
“In a lot of ways, we’re lucky that a lot of the hacks so far have just been criminal activity,” Simington said. “At the end of the day, criminals are way less resourced than the Chinese NSA or the Russian NSA.”
For consumers, Simington is backing the FCC’s current push for a “US Cyber Trust Mark” label for smart devices that voluntarily adhere to “widely accepted cybersecurity standards,” including regular software updates over a disclosed period of time after the device is released.
In an August statement in support of the FCC’s labeling effort, Simington warned that “attacks on unpatched devices are becoming more frequent and more dangerous” and cited the risk of “botnets,” or networks of hijacked devices utilized in major cyberattacks.
Simington — who last month took the unique step of soliciting feedback on the popular “Hacker News” forum — said the label set to debut next year isn’t a solution, but rather a first step to help businesses without creating a costly, plodding bureaucracy.
“There are lots of Americans buying devices every day – we’re talking millions of units a year – they’re buying them on the expectation that those devices are secure,” Simington told The Post.
“If those expectations are violated, the American people are going to have some pretty legitimate questions about what exactly we were doing in DC all that time.”