
LABScon25 Replay | Please Connect to the Foreign Entity to Enhance Your User Experience

This article summarizes a LABScon 25 presentation by Joe FitzPatrick on the systemic risks introduced by foreign-manufactured networked devices in critical infrastructure and consumer markets. It highlights issues such as undocumented cellular radios, mandatory product activation, and the ineffectiveness of import bans, advocating instead for hardware bills of materials and right-to-repair legislation.

Confidence: low | Analyzed: 2026-05-07 | Google

Authors: Joe FitzPatrick, SentinelLABS

Source: SentinelOne

Detection / Hunter | Google

What Happened

A recent cybersecurity presentation highlighted the hidden dangers in everyday electronics and infrastructure equipment made overseas, like solar inverters, drones, and 3D printers. Many of these devices secretly connect to foreign networks or require online activation to work, affecting small businesses and critical infrastructure. This matters because current import bans fail to stop these risky components from entering the supply chain. To fix this, experts recommend laws that guarantee devices can work offline, require clear lists of all internal components, and protect consumer privacy.

Key Takeaways

  • Foreign-manufactured networked devices are deeply embedded in US infrastructure and small businesses due to affordability and functionality.
  • Undocumented cellular radios and mandatory product activation ('phoning home') introduce significant, often unmanaged, security risks.
  • Import bans are largely ineffective due to hardware relabeling and the use of FCC-certified modular components.
  • Recommended solutions include right-to-repair legislation with offline use guarantees, hardware/firmware bills of materials, and comprehensive privacy laws.

Affected Systems

  • IoT Devices
  • Solar Inverters
  • Drones
  • 3D Printers
  • Critical Infrastructure

Attack Chain

The presentation describes a systemic supply chain risk rather than a specific tactical attack chain. Foreign-manufactured hardware, such as solar inverters or consumer electronics, is imported and integrated into domestic infrastructure. These devices often contain undocumented cellular radios or require mandatory online activation, establishing unauthorized outbound connections to foreign entities. This connectivity bypasses traditional perimeter security, allowing potential remote access or data exfiltration by the manufacturer or third parties.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article, as it discusses strategic hardware supply chain risks.

Detection Engineering Assessment

  • EDR Visibility: None — EDR agents cannot be installed on embedded IoT hardware, solar inverters, or proprietary drone firmware.
  • Network Visibility: Medium — Network monitoring can detect unauthorized outbound connections over corporate networks, but out-of-band cellular radios bypass these controls entirely.
  • Detection Difficulty: Hard — Undocumented cellular radios communicate out-of-band, making them invisible to standard enterprise network monitoring.

Required Log Sources

  • Firewall Logs
  • DNS Logs
  • NetFlow/Zeek

Hunting Hypotheses

  • Hypothesis: Identify IoT devices and infrastructure equipment making unexpected outbound connections to foreign IP space or unregistered domains.
    Telemetry: Firewall and DNS logs
    ATT&CK Stage: Command and Control
    FP Risk: High
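The hunt above, as an added example that is not code from the presentation or from SentinelLABS: it runs over a constructed firewall log and flags IoT-VLAN sources reaching public destinations that are neither internal nor on a documented allowlist. The IoT VLAN (10.50.0.0/24), the allowed vendor host and every log line are assumptions made for the example.

```python
"""Hunt for IoT-VLAN devices making unexpected outbound connections.
Added example, not from the talk or SentinelLABS; the VLAN, allowlist and
log lines are constructed. Out-of-band cellular radios never cross this
firewall, so this hunt only covers the corporate-network path."""
import ipaddress
from collections import defaultdict

IOT_VLAN = ipaddress.ip_network("10.50.0.0/24")  # assumed IoT/OT segment
INTERNAL = [ipaddress.ip_network(n) for n in  # RFC 1918 ranges
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("198.51.100.10")}  # assumed vendor host

# Constructed firewall log: "<timestamp> <action> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FIREWALL_LOG = """\
2025-09-20T03:14:01Z ALLOW 10.50.0.23 10.50.0.1 123
2025-09-20T03:14:05Z ALLOW 10.50.0.23 198.51.100.10 443
2025-09-20T03:14:09Z ALLOW 10.50.0.23 203.0.113.45 443
2025-09-20T03:14:12Z ALLOW 10.20.0.8 203.0.113.45 443
2025-09-20T03:15:30Z ALLOW 10.50.0.41 203.0.113.45 8883
2025-09-20T03:16:02Z DENY 10.50.0.41 192.0.2.77 443
2025-09-20T03:17:11Z ALLOW 10.50.0.41 10.50.0.250 5353
"""

def is_internal(ip):
    # Explicit RFC 1918 check; ipaddress.is_private also covers TEST-NET space.
    return any(ip in net for net in INTERNAL)

def parse_line(line):
    ts, action, src, dst, dport = line.split()
    return ts, action, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def hunt_unexpected_outbound(log_text, iot_vlan=IOT_VLAN, allowed=ALLOWED_EXTERNAL):
    """Map each IoT-VLAN source to its (dst, port, action) hits that are neither
    internal nor allowlisted. DENY lines are kept: a blocked attempt still
    shows the device tried to phone home."""
    findings = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        _ts, action, src, dst, dport = parse_line(line)
        if src not in iot_vlan or is_internal(dst) or dst in allowed:
            continue
        findings[str(src)].add((str(dst), dport, action))
    return dict(findings)

def rank_destinations(findings):
    """Count distinct IoT devices per external host; a host shared by many
    devices is the first pivot to check against the vendor's documentation."""
    counts = defaultdict(int)
    for hits in findings.values():
        for dst in {h[0] for h in hits}:
            counts[dst] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

Feed real firewall exports through `hunt_unexpected_outbound` after adapting `parse_line` to the export's column layout; expect a high false-positive rate until the allowlist reflects each device's documented endpoints.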

Control Gaps

  • Out-of-band cellular communication
  • Lack of Hardware Bill of Materials (HBOM)
  • Inability to inspect proprietary firmware

Key Behavioral Indicators

  • Unexpected outbound network traffic from IoT VLANs
  • Devices refusing to operate without internet connectivity

Recommendations

Immediate Mitigation

  • Isolate IoT and infrastructure devices on dedicated, restricted VLANs.
  • Block outbound internet access for devices that do not strictly require it for core functionality.

Infrastructure Hardening

  • Implement strict network segmentation for all operational technology (OT) and IoT devices.
  • Conduct physical inspections of critical infrastructure hardware for undocumented cellular modems or antennas.

User Protection

  • Require offline functionality guarantees during the procurement process for new hardware.

Security Awareness

  • Educate procurement teams on the risks of mandatory product activation and foreign-manufactured hardware dependencies.
  • Advocate for Hardware and Firmware Bills of Materials (HBOM/SBOM) from vendors.

MITRE ATT&CK Mapping

  • T1195 - Supply Chain Compromise
  • T1200 - Hardware Additions