Is the IoT module debate about security, competition or xenophobia?

Earlier this month, two US lawmakers raised concerns about the Chinese companies supplying cellular IoT modules into the US market.

"Serving as the link between the device and the Internet, these modules have the capacity both to brick the device and to access the data flowing from the device to the web server that runs each device," wrote Mike Gallagher and Raja Krishnamoorthi, of the House of Representatives China Select Committee. "As a result, if the CCP [Chinese Communist Party] can control the module, it may be able to effectively exfiltrate data or shut down the IoT device. This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data."

Gallagher, the Republican chair of the committee, and the panel's top Democrat, Krishnamoorthi, voiced their concerns in a letter to FCC Chairwoman Jessica Rosenworcel. "Is the FCC ... able to track the presence of Quectel, Fibocom and other cellular IoT modules provided by PRC [People's Republic of China]-based companies in the US? Can the FCC provide further information about these modules in US networks?"

According to Reuters, the FCC said it would investigate the matter.

Undoubtedly that investigation will look at the security situation surrounding those modules. But it might also be worth looking at the wider trade struggle between the US and China, and how that struggle affects policies, competitive positioning and politics on both sides of the Pacific Ocean.

Here we go again

If this all sounds familiar, it is. These kinds of security concerns are how US lawmakers ultimately managed to block Huawei and ZTE from the US market, partly via an FCC ruling designating the Chinese vendors as "national security threats."

And it's the same argument that's now motivating US allies to block the Chinese companies from international markets stretching from India to Germany.

Of course, security sits at the heart of that debate. But it's also about the geopolitical jostling between the US and China.

For lawmakers and executives in the US, the situation is clear: The Chinese government is helping Chinese vendors dominate industries with impossibly cheap products. And it's potentially doing so to create backdoors allowing Chinese spies into US communications networks. The US is wary of China's rise as a global superpower.

But for Chinese vendors like Huawei and ZTE, it looks more like the US using its clout to stymie global competition. As Reuters noted, the Chinese Embassy in Washington last year said the FCC "abused state power and maliciously attacked Chinese telecom operators again without factual basis." The Chinese vendors generally argue that their products don't pose a threat.

An uneven expansion

Regardless, the ban against Huawei and ZTE has opened the doors to other, similar concerns. For example, there's now a concerted push against Chinese drone makers like DJI.

Similarly, Huawei's smartphones have largely been blocked from US networks over security concerns.

But those same security concerns apparently haven't stretched onto other Chinese smartphone vendors like TCL and OnePlus, which continue to sell phones in the US market. Nor do they cover Apple iPhones, many of which are manufactured in China.

Regardless, fears over Chinese espionage are now shifting into the market for cellular Internet of Things (IoT) modules. (It's worth noting that analysts like Tantra Analyst's Prakash Sangam have been discussing this topic for years).

According to Counterpoint Research, more than 40 percent of the cellular IoT modules shipped into the US are from leading Chinese brands such as Quectel, Fibocom and Simcom.

In response to questions from Light Reading, Counterpoint analyst Neil Shah wrote that such modules sit in everything from cellular laptops to security cameras, point-of-sale terminals, smoke detectors and connected cars. For example, Tesla uses Quectel modules in its electric cars. The modules typically connect to 4G networks via NB-IoT and LTE-M technologies. But in the future, they may also support newer IoT technologies, including RedCap on 5G.

"So far there is no clear evidence of any security risks as these modules are certified by US carriers in their labs and most of them sport either Qualcomm or MediaTek chipsets," Shah wrote.

Qualcomm is based in San Diego, while MediaTek is headquartered in Taiwan. And operators like AT&T, Verizon and T-Mobile generally test and certify the devices connecting to their networks, including cellular IoT devices.

Into the IoT market

As noted by Counterpoint's Shah, the cellular IoT market is in a state of upheaval. Telit Cinterion is the company that recently stepped out from the merger of Thales' IoT business and Telit. Telit Cinterion, headquartered in California, is now the largest non-Chinese IoT module provider globally.

But Telit Cinterion isn't the only new face in the market. Semtech, based in California, recently bought Canada's Sierra Wireless. And Tokyo's Renesas Electronics recently said it would acquire Sequans Communications, based in Paris.

This consolidation is partly driven by competition from Chinese heavyweights like Quectel and Fibocom. Executives in the industry complain that the Chinese government is helping Chinese module vendors sell equipment at irrationally low prices. Newsweek recently reported on some of the ties between Quectel and the Chinese government.

According to executives in the industry, who asked to remain anonymous, it's the same strategy employed by Huawei and ZTE roughly a decade ago when they worked to break into the US market. The companies offered equipment at prices far below those of their competitors. And now, the US wireless network operators that bought that low-cost Chinese equipment are removing it – under the auspices of the FCC.

Heightening all these concerns is that modules from the likes of Quectel and Fibocom connect to some very important equipment. According to Counterpoint, the top application globally for cellular IoT modules is to connect the smart meters inside electrical grids.

The concerns

Thus, it's no surprise that Chinese-made modules are causing concerns. "Quectel provides modules to leading international firms. They are used in smart cities, drones and US first responder body cameras. Fibocom, meanwhile, targets individual collaborations with major tech players," Gallagher and Krishnamoorthi wrote in their letter to the FCC. "PRC law requires companies to comply with the Party's commands, including requests for data whether it is stored in the PRC or elsewhere. In addition, observers have expressed concerns that both companies are closely integrated into the PRC military and state security. Fibocom even states on its website that people using Fibocom's Platform 'shall comply with…the laws of the People's Republic of China,' which implies that Americans using a device with a Fibocom module can be surveilled pursuant to PRC law."

Newsweek, in its article on the topic, quoted security experts in the US voicing concerns about the capabilities of Chinese-supplied IoT modules.

"If you can update the firmware, you can change the capabilities at any moment," Jack Wilmer, former chief information security officer at the Department of Defense, told the publication.

"Our critical infrastructure shouldn't be dependent on a strategic rival," added Liza Tobin, a former national security official. "This is a country that we're preparing to go to war with, if we have to."

But the companies selling such gadgets – including AT&T and FirstNet – argued that they thoroughly vet such devices. AT&T's Scott Agnew told Newsweek that the company conducts thousands of tests "including examining firmware and data transports."

The other side

Semtech, Telit Cinterion and Renesas have plenty to gain from stoking fears of their Chinese rivals. A savvy strategy would involve blocking the market's low-cost leaders in a market where price is king.

Companies like Nokia, Ericsson, Adtran and Ciena have already benefited by selling equipment into the gap created by security concerns over Huawei and ZTE.

Nowhere is this clearer than in rural parts of the US, where Nokia, Ericsson and Mavenir have been winning contracts with smaller US wireless network operators like Union Wireless and Viaero Wireless. The FCC requires such companies to remove equipment from Huawei and ZTE and replace it with "trusted" equipment.

Further, it's politically expedient in the US to be viewed as "tough on China." Trump fostered the sentiment, but President Biden has certainly worked to maintain an anti-China position.

Indeed, pushing against China might be one of the only political activities where both Republicans and Democrats cooperate.

There are plenty of reasons for US lawmakers to take that stance. China has a long history of technological theft, and in recent years it has reportedly engaged in a substantial amount of cyberattacks. Further, Chinese President Xi Jinping appears keen to increase the CCP's oversight over China's economy rather than relaxing regulations in a way that would favor capitalism.

Ultimately, it's unclear whether a US political move against Chinese IoT module makers like Quectel and Fibocom will succeed. It's also not clear what kind of actions regulators could take against the companies. Already the FCC has debuted an IoT "trust mark," but that's intended for consumer markets, not IoT modules.

Millions of Chinese-built IoT modules are currently connected to US wireless networks, and removing them would seem financially improbable.

But those were some of the same concerns raised before the FCC's "rip and replace" program, which seeks to remove Huawei and ZTE equipment from US communications networks. That program went into effect in 2020, and the FCC has begun making payments to operators in the program.

However, the "rip and replace" program remains underfunded to the tune of around $3 billion. And that financial shortfall is forcing some companies in the program to make some tough decisions.

The trials and tribulations surrounding the FCC's "rip and replace" program may stand as a warning to the opponents of Chinese vendors like Quectel and Fibocom. Government interventions aren't always smooth or effective.

Related posts:

— Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano