US FCC chair says China’s IoT cellular components makers Quectel, Fibocom may pose national security risks

The FCC chairwoman has written to the FBI, the Justice Department, the National Security Agency, the Defence Department and other agencies on the matter
US lawmakers are concerned that if China ‘may be able to effectively exfiltrate data or shut down’ IoT devices using Chinese cellular modules

US-China tech war

Reuters

Published: 11:30am, 7 Sep 2023

Why you can trust SCMP

Federal Communications Commission chairwoman Jessica Rosenworcel asked US government agencies to consider declaring that Chinese companies including Quectel and Fibocom Wireless pose unacceptable national security risks, according to letters seen by Reuters.

The Republican chair of the House of Representatives China Select Committee, Mike Gallagher, and the top Democrat on the panel Raja Krishnamoorthi, asked the FCC last month to consider adding to its so-called Covered List the two companies that produce cellular modules that enable Internet of Things (IoT) devices to connect to the internet.

Federal funds cannot be used to purchase equipment from companies on the list, and the FCC will not authorise new equipment from companies deemed national security threats.

Rosenworcel wrote the FBI, the Justice Department, the National Security Agency, the Defence Department and other agencies on September 1, forwarding the request from the lawmakers.

She said in the previously unreported letters the FCC welcomes the opportunity to collaborate “in addressing this threat, including consideration of the inclusion of this equipment from Quectel and Fibocom on the Covered List.”

Jessica Rosenworcel speaks during an oversight hearing to examine the FCC in Washington in June 2020. Photo: AFP via Getty Images

A US spokesperson for Quectel said once modules are delivered “Quectel customers own the data, and we have no access to any of the data collected”.

Remote device management “is achievable solely through the (original equipment manufacturer) device management platform”, the spokesperson added, noting the company had recently retained security firm Finite State to audit and test the security of its modules.

Fibocom did not immediately respond to a request for comment.

Rosenworcel told the lawmakers in a separate letter Tuesday “the issues you raise with respect to connectivity modules merit continued attention. To this end, the commission is examining additional steps it should take to protect US networks”.

She added the FCC can update the Covered List “only at the direction of national security authorities”.

The FCC previously placed 10 Chinese entities and one Russian company on the Covered List including Huawei Technologies, ZTE, Hytera Communications Corp, Hangzhou Hikvision Digital Technology and Zhejiang Dahua Technology.

The FCC previously placed Huawei Technologies on the US Covered List. Photo: Reuters

The lawmakers warned that US medical equipment, vehicles and farm equipment using Chinese cellular modules could be accessed and controlled remotely from China.

Noting they are typically controlled remotely and are the necessary link between the device and the internet, the lawmakers said that if China “can control the module, it may be able to effectively exfiltrate data or shut down the IoT device”.

The FCC has taken other steps to bar Chinese telecoms companies from US networks. Last year, the FCC voted to revoke China Unicom’s US unit, Pacific Networks and ComNet’s authorisation to operate in the United States, citing national security concerns.

Rosenworcel said the list “provides all companies making purchasing decisions clear signals about the security of products in the marketplace”.

The Chinese embassy in Washington did not immediately comment on Wednesday, but last year it said the FCC “abused state power and maliciously attacked Chinese telecoms operators again without factual basis”.