A House committee is scrutinizing LiDAR and IoT cyber risks from China

A House of Representatives panel focused on national security issues between the U.S. and Beijing is putting Chinese-made light sensing modules and internet of things components in its crosshairs amid concerns the equipment is laying groundwork for enhanced intelligence-gathering and cyberattacks on critical infrastructure.

The Select Committee on the Chinese Communist Party is seeing growing Chinese market dominance in light detection and ranging technologies — known as LiDAR — and has assessed that the dynamic poses security risks to several U.S. critical infrastructure sectors, according to a committee aide with direct knowledge of the matter.

In parallel, IoT devices — which include everyday household appliances that connect to the internet — are a more immediate national security concern because billions of devices in the U.S. have a Chinese-made IoT module installed that may be accessible to Chinese cyber operatives, said the aide, who spoke on the condition of anonymity to be candid about the committee’s thinking.

A potential cyberattack could involve a coordinated digital offensive that would overwhelm areas of the U.S. power grid by remotely turning on troves of IoT devices at the same time, they said, citing past research on cyberattacks that aim to manipulate electronics’ wattage output.

Details on efforts to curtail use of the tech components were not immediately available, though the committee may choose to draft legislation that would restrict their acquisition. An amendment that prohibits the Department of Defense from procuring LiDAR hardware made by foreign adversaries has already been slotted into a must-pass defense policy package due by year's end.

Chinese-made LiDAR modules give Beijing an added leg-up in intelligence gathering, said Nathan Picarsic, a senior fellow at the Foundation for Defense of Democracies focusing on China’s military strategy.

The technology — designed to map out terrain by rapidly bouncing light off of objects to image their shape and dimensions — is already used in autonomous vehicles, geographic information systems and various other distance measuring applications.

“It’s a much more rich feed of information. And it gives you a much richer target set and attack surface,” Picarsic said.

National security officials are already grappling with a pervasive Chinese hacking collective dubbed Volt Typhoon that’s said to be burrowing into troves of U.S. critical infrastructure in preparation for potential U.S. military conflict with China. Light ranging technology likely helps with those efforts further, he added.

“[LiDAR systems] are connected into the broader network of whatever the thing they’re working with is, which means that there’s the intelligence piece where they’re collecting and transmitting information, but it also can be a backdoor to execute vulnerabilities,” he said.

Cybersecurity experts in December detected a slew of new attack vectors where a hacker could disrupt the sensory systems of autonomous vehicles, which rely heavily on LiDAR to operate. Transportation Secretary Pete Buttigieg last year said he has national security concerns about China-linked AV technology and that the U.S. needs to better understand its AV tech suppliers.

Chinese firm Hesai predominates much of the LiDAR sensor market. There’s concern the company’s influence within much of the supply chain will stop the U.S. from standing up a domestic LiDAR competitor in the next few years and force American customers to shop for potentially exploitable equipment, said the House aide.

The Department of Defense in February listed Hesai and several other firms on a roster that accused the companies of working on behalf of Beijing’s military, following bipartisan concerns from the House China panel on why the company was not placed on any restriction lists. Hesai responded by filing a lawsuit against the U.S. last month in federal district court on grounds that the accusations were false. 

China’s national security laws and its state-centered economy enable its government to compel tech companies to act on behalf of intelligence interests, though no recent public evidence has specifically linked Hesai to such activities.

Though China’s prevalence in the LiDAR market presents targeted security concerns, IoT security risks span a much larger attack surface because they are used in both common consumer household appliances and several critical infrastructure sectors, said Nick Nilan, a former Verizon public sector executive who managed the telecom giant’s IoT portfolio.

Mapping out the entire U.S. IoT asset inventory would be a gargantuan undertaking, spanning smart meters, monitoring devices and building management systems, said Nilan, now CRO at Fortress Information Security, a firm focused on supply chain and critical infrastructure cybersecurity.

Most IoT devices have a connection back to China, he said, citing a company analysis released in January that showed hundreds of pieces of power grid software had code contributions from foreign adversaries, including China. 

Such software is over two times more likely to have known exploitable vulnerabilities in it, he added. “Whether that’s just bad coding or whether that’s malicious is really not certain, but it certainly is impactful,” Nilan said.

Moreover, China has penetrated multiple layers of the IoT supply chain. Even if all cyber risks are mitigated, China could cease supplying the U.S. with IoT components at any time of its choosing, he said. The nation pulled a related move last year in response to U.S. curtailment on advanced semiconductor sales to China by restricting exports of its critical minerals needed for chip hardware.

China-backed IoT players include Da Jiang Innovations drones that are used frequently in power plant inspections, as well as Contemporary Amperex Technology, or CATL, a battery manufacturer, said Nilan. Notably, many utilities are installing CATL batteries into their grids, based on confidential assessments conducted with Fortress customers, he said.

DJI, arguably the world’s largest drone manufacturer, was called out by former NSA cybersecurity directorate leader Rob Joyce in an op-ed published last week, saying China uses its industry dominance in the space to its intelligence-gathering advantage. The Federal Communications Commission, which did not respond to a request for comment for this story, may soon be forced to fully ban DJI if a bill under consideration in Congress makes it to the president’s desk. 

The agency has previously put Chinese firms Quectel and Fibocom in its crosshairs, asking officials to assess if the FCC should add the companies to its list of technologies that pose national security risks because they produce cellular modules for IoT devices.

The Cybersecurity and Infrastructure Security Agency declined to comment on the House committee’s activity. It published a whitepaper early this year saying Chinese-made unmanned aerial vehicle systems pose a risk to critical infrastructure, arguing they can enable covert data transfers and compromise security controls.