Quectel response to FCC about IoT module security
The facts about IoT modules and how they are utilized in device design and deployed in the market – Quectel refutes concerns being raised about the security of its modules.
Vancouver, Canada, 7th September 2023 – Quectel Wireless Solutions, a global IoT solutions provider, today commented on the recent letter and response being published by the FCC and the Select Committee of the US Congress questioning if Quectel’s IoT modules represent a potential security risk.
“We welcome the opportunity to work with the FCC and other U.S. government entities to demonstrate our compliance and best practice device security approach,” says Norbert Muhrer, President and CSO, Quectel Wireless Solutions. “We are committed to contributing to the advancement of a smarter world by delivering best-in-class and secure products. This commitment is evidenced by our extensive device OEM customer base and our constant focus on providing our customers with the best and most secure modules in the industry.”
The Select Committee to the US Congress’ letter to the FCC had several misconceptions about how Quectel modules work. Quectel’s clarification regarding the statements made in the letter is as follows.
Committee letter: “Connectivity modules are typically controlled remotely and are the necessary link between the device and the internet.”
Quectel’s U.S. customers or their customers’ third-party suppliers/service providers handle device and data management exclusively. Firmware updates are managed and controlled by the device original equipment manufacturer (OEM), not Quectel.
Committee letter: “Serving as the link between the device and the internet, these modules have the capacity both to brick the device and to access the data flowing from the device to the web server that runs each device”
The control of Quectel modules resides with the microcontroller unit (MCU) or central processing unit (CPU) embedded within the customer’s device. Quectel itself does not possess any control; instead, this authority rests solely with the OEM – the entity responsible for developing the device. Remote management of the device is achievable solely through the OEM’s device management platform. A notable instance of this, referred to in the letter, is the widely covered case involving John Deere agricultural equipment, where typically only the OEM can disable the equipment by accessing and shutting down its own MCUs controlling the machine.
Committee letter: “As a result, if the CCP can control the module, it may be able to effectively exfiltrate data or shut down the IoT device.”
Once Quectel modules leave the factory and are delivered to its customers, Quectel customers own the data, and Quectel has no access to any of the data collected. The ownership, control, storage, and modification of the data generated by IoT devices within the market firmly rest with the OEM device makers and its customers. Even in the rare cases outside of the U.S. where Quectel resells the connectivity service of a wireless carrier, Quectel does not have access to the device data.
Committee letter: “This raises particularly grave concerns in the context of critical infrastructure and any type of sensitive data.”
Applications that require high security, such as critical infrastructure, typically use private access point names (APNs) and other methods which strictly control and monitor network access. This can be used to control and monitor any data flowing to and from the device. Critical infrastructure is meticulously fashioned with a multi-tiered security approach defined and implemented solely by the device OEM, not Quectel.
The cellular industry is heavily regulated and requires intensive testing and accreditation. Carrier and regulatory certifications are executed by trusted third-party labs and carrier labs, assuring that the module complies with strict technical requirements. The Quectel modules have obtained certifications from the FCC, PCS Type Certification Review Board (PTCRB) and major carriers throughout the world, which underlines Quectel’s commitment to meeting rigorous industry standards.
In addition to cellular modules, Quectel also provides Wi-Fi, Bluetooth and GNSS modules and antennas. As a GSMA member, Quectel and its carrier partners comply with all cellular industry regulations and applicable standards to ensure that end customer data is securely transmitted between customer device and mobile network operator. Quectel does not have access to ANY of the device data.
Quectel is committed to delivering high-quality, best-in-class, secure modules and goes above and beyond industry standard practices by conducting independent third-party cyber security audits. More recently, Quectel also retained the security firm Finite State, which is auditing and penetration testing the security of its modules through rigorous security testing, improved software supply chain visibility, and comprehensive software risk management. Quectel is also participating in the formulation of new industry security certification standards, such as the CTIA Cybersecurity Certification Working Group, and pursuing additional cyber security certifications from various U.S. entities as new standards are formulated and adopted.
Qualcomm manufactures the chipsets and software platforms that are at the core of the Quectel modules. “Our Qualcomm partnership underlines the importance we place on working with well-trusted and secure partners from across the ecosystem to deliver high-quality solutions globally,” Mr. Muhrer continues. “Quectel’s impact on the global IoT industry is profound. We supplied millions of cellular modules to support the distribution of Covid-19 vaccines for leading U.S. and global organizations including Pfizer, Johnson & Johnson, and other leading suppliers of vaccines. This underscores our commitment to playing a pivotal role in critical global initiatives.”
For more information, please visit: quectel.com, LinkedIn, Facebook, and X (formerly known as Twitter).
Media contact: media@quectel.com