Image Source: Getty
According to recent reports, the Indian government has put the Internet of Things (IoT) modules manufactured by Chinese companies under scrutiny. These modules, part of the telecom network, enable wireless communication between IoT devices within the network. They can potentially be used for surveillance and espionage. With growing concerns over data vulnerabilities and potential foreign access, the Indian government is now acting against these devices, which had previously avoided scrutiny related to Chinese hardware.
As India advances its digital transformation, IoT devices have become a foundation of innovation in sectors such as healthcare, agriculture, smart cities, and industrial automation.
This scrutiny of IoT devices mirrors earlier government restrictions on Chinese apps and telecom equipment but its implications go beyond the telecom network. As India advances its digital transformation, IoT devices have become a foundation of innovation in sectors such as healthcare, agriculture, smart cities, and industrial automation. Yet even as they enhance efficiency and drive progress, these modules also introduce significant risks, particularly regarding cybersecurity and privacy breaches, highlighting the need to safeguard digital infrastructure. Therefore, the government’s latest move impacts critical IoT applications, including smart metres, Point-of-Sale payment systems, and telematics.
Vulnerabilities of IoT devices
The risk posed by IoT devices is not new. Anecdotal evidence from the authors and cybersecurity researchers has noted several vulnerabilities involving consumer IoT devices and services, including some in India.
One of the most notable examples of IoT vulnerability is that of a security flaw in IoT doorbells widely used for home security. Research has pointed out that several widely commercially available devices are riddled with vulnerabilities. A proof-of-concept demonstrated how attackers could gain complete control over the device. As a result, the compromised doorbell could not only be weaponised as part of a botnet but also leveraged for unauthorised access and surveillance. This could enable snooping activities, undermining the privacy and security of individuals and organisations alike. Likewise, in July 2023, the Computer Emergency Response Team-India (CERT-In) detected a vulnerability in the IoT doorbell products sold by Qubo. According to CERT-In, successfully exploiting this vulnerability could allow a local attacker to perform unauthorised activities on the targeted device.
One of the most notable examples of IoT vulnerability is that of a security flaw in IoT doorbells widely used for home security.
In a more alarming incident in November 2023, a critical security vulnerability was identified in the telematics systems used by several prominent Indian automobile manufacturers. This breach led to the compromise of over 600 internet-connected vehicles. Researchers demonstrated their ability to track the real-time location of each compromised vehicle and, more alarmingly, highlighted a proof-of-concept for remotely controlling the connected vehicle. This exploit targeted vulnerabilities within the vehicles’ internal communications networks, highlighting the risks associated with IoT deployments that have not been secured.
As a final case study, in May 2024, a major security vulnerability was discovered in a prominent Indian parking solutions company that serves over 8 million users and manages more than 6 million registered vehicles. The flaw, identified by a cybersecurity researcher and confirmed by the company (as noted by the CERT-In), allowed unauthorised access to sensitive user data in real time. The exposed information included names, mobile numbers, email addresses, license plate numbers, parking locations, and FASTag details. This serious privacy breach created significant security risks, as malicious actors could potentially exploit the vulnerability to track individuals' movements and monitor their activities remotely.
Digital infrastructure and geopolitics
The implications of IoT vulnerabilities extend beyond conventional cybersecurity concerns, taking centre stage in national security and geopolitics. As nations increasingly integrate IoT devices into critical national infrastructure such as healthcare systems, port sectors and strategic defence networks, these vulnerabilities present credible threats to a country’s security and stability. A compromised IoT infrastructure can lead to disruptions in essential services, economic instability, and breaches of classified military systems. Several examples from around the world demonstrate that this threat is plausible and credible. For instance, in 2024, Ukraine’s SSU Cyber Units uncovered Russian threat actors exploiting IoT devices to gather intelligence, which was then used to coordinate Russian air strikes.
The Chinese tech companies’ dominance in the supply chain for a variety of light-sensing modules and critical IoT components, including those used in autonomous vehicles, drones, and batteries, creates significant cybersecurity vulnerabilities.
As the recent case of the IoT modules in the Indian telecom sector shows, this threat particularly extends to Chinese hardware. The Chinese tech companies’ dominance in the supply chain for a variety of light-sensing modules and critical IoT components, including those used in autonomous vehicles, drones, and batteries, creates significant cybersecurity vulnerabilities. In the United States (US), the military establishment and sections of the US Congress have raised concerns that the Shanghai-based company Shanghai Zhenhua Heavy Industries’ cranes installed at US port facilities, which are essential for cargo handling, could potentially be leveraged for espionage or the disruption of critical supply chains. Similarly, the popular Chinese network equipment brand TP-Link is facing potential scrutiny and a potential ban due to cybersecurity concerns after a recent Microsoft report revealed that compromised TP-Link devices were exploited in ransomware operations, raising alarms about the company’s involvement in enabling cyber threats. Previously, in the United Kingdom (UK), vulnerabilities have been detected in Chinese company Hikvision’s IP cameras, enabling them to capture video or audio and subsequently transfer this data to servers located in China.
These incidents underscore how foreign-manufactured equipment poses risks to national security by providing avenues for data collection, surveillance, or cyber vulnerabilities, thereby necessitating stricter oversight and diversified sourcing strategies.
Mitigating IoT-related threats
To counter the threat posed by Chinese and generally foreign-manufactured IoT devices, the Indian government must adopt a comprehensive strategy to enhance national security and safeguard critical infrastructure. While the government is actively addressing this issue, particularly in the telecom sector, a more comprehensive approach is necessary, encompassing other critical sectors.
A key measure would be exploring the establishment of a national task force for IoT devices, comprising experts from cybersecurity, intelligence, telecommunications, and industry. This task force could lead efforts to formulate and enforce regulations, conduct security audits, and monitor the integration of IoT devices in India’s critical national infrastructure. It would also focus on identifying high-risk devices, analysing their supply chains, and collaborating with international allies to exchange intelligence and best practices.
Indian IoT companies should be mandated to provide a Software Bill of Materials and a Bill of Materials for each device they manufacture.
The government could also introduce stringent restrictions on using Chinese-manufactured IoT devices in sensitive areas such as defence installations, power grids, transportation networks, and public utilities. In parallel, Indian IoT companies should be mandated to provide a Software Bill of Materials and a Bill of Materials for each device they manufacture. These documents would enhance transparency, enabling authorities and consumers to understand the components and software dependencies of IoT products. The Standardisation Testing and Quality Certification Directorate, under the Ministry of Electronics and Information Technology, could be pressed into mandating that IoT devices deployed in critical sectors adhere to stringent cybersecurity norms and undergo rigorous testing and certification.
India is slowly ramping up its hi-tech manufacturing capabilities under the Production Linked Incentive scheme. The government can extend this measure to incentivise domestic production of secure IoT alternatives. Public awareness initiatives could also educate businesses and consumers about the risks associated with unverified IoT devices, fostering a security-first mindset. Combined, these measures would strengthen India’s resilience against potential cybersecurity threats linked to foreign IoT technologies.
Sameer Patil is the Director of the Centre for Security, Strategy and Technology at the Observer Research Foundation.
Ayyappan Rajesh is a cybersecurity professional specialising in wireless security and cyber-physical systems.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.