Made in China—Hacked Everywhere? What Organizations Need to Know Now
None of this is fiction. These are real incidents revealed over the past year, and taken together, they paint a sobering picture: global supply chains have become deeply entangled with remote-access capabilities, hidden communication paths, and opaque firmware, especially in products manufactured in China.
For CISOs, cybersecurity leaders, and risk managers, this is no longer an abstract policy debate. These are operational risks, already inside your environment, often connected to critical systems you depend on every day.
“When a device can update its firmware over the air, that means someone out there has remote access to it,” said Matt Durrin, Director of Training at LMG Security. “Could that be abused? Yeah–absolutely.”
This article breaks down what’s happening, why it matters, and how your organization can protect itself—without grinding procurement to a halt.
The Remote-Controlled Bus That Sparked a Global Conversation
In November 2025, researchers from Oslo quietly conducted one of the most striking security tests of the year: they drove a Chinese-made Yutong electric bus into an underground mine to isolate it from all external signals and analyze its behavior. Their findings? The bus contained a Romanian SIM card that allowed the manufacturer to remotely shut off its power—an alleged “safety feature,” but one that could be misused to disable public transportation fleets.
That discovery triggered investigations in Denmark and the UK, where lawmakers have raised concerns about “dual-use kill switches” in foreign-made transit systems. Over-the-air (OTA) updates aren’t inherently bad—they’re crucial for security patches. But when OTA channels are opaque, undocumented, or controlled by entities in countries with compulsory data-access and cybersecurity laws, organizations must reassess the risk.
As Sherri Davidoff noted in the “Made in China” Cyberside Chats episode, “We need to be able to do remote updates… but we also don’t want China to remotely shut down our infrastructure.” It’s a balance every modern organization must strike: enabling legitimate maintenance and innovation without opening the door to unchecked or opaque external control.
Hidden Modems in Port Cranes: A Case Study in Supply Chain Blind Spots
A bipartisan U.S. congressional report revealed that ZPMC—the Chinese manufacturer responsible for ~80% of U.S. ship-to-shore cranes—had embedded unauthorized cellular modems in some cranes. These modems were not requested by port authorities, not documented in purchase contracts, and not part of maintenance specifications.
Why does this matter? Because a remote-access path into the mechanical systems that load and unload cargo isn’t just a cybersecurity risk—it’s a national economic risk. A coordinated disruption at major ports could halt shipping, trigger shortages, and cripple logistics.
The manufacturer claimed it used the modems to monitor equipment health across its global fleet. But as Matt pointed out in the Cyberside Chats “Made in China” episode, that monitoring means “there is now a cellular transmitter on the device that can potentially disable it… You could bring shipping to a halt.”
It’s a stark reminder that your vendors’ convenience can become your vulnerability.
Solar Inverters, Power Grids, and One Software Update Away from Disaster
Solar inverters—essential hardware that converts DC power from solar panels into AC power—represent another growing concern. In late 2025, EU lawmakers warned that Chinese-made inverters (led by Huawei in market share) could be exploited to destabilize national grids. They weren’t speaking hypothetically.
Europe had already experienced a major blackout across Spain and Portugal earlier this year, caused not by an attack but by a small grid glitch that cascaded out of control. If benign faults can trigger massive outages, what could an intentional exploit accomplish? On top of this, U.S. officials announced in May that “rogue communication devices” had been discovered in some Chinese-manufactured solar power inverters.
LMG’s commentary in the Cyberside Chats episode was blunt: “The power grid is not as resilient as we want it to be… Even a small issue can have these really big ripple effects.”
Solar farms rely heavily on remote management platforms. Without tight controls on who can update firmware, access APIs, or issue commands, the grid becomes dangerously exposed.
Medical Devices With Backdoors—and Thousands Deployed in U.S. Hospitals
In February 2025, the FDA and CISA issued a rare joint advisory about a widely used Chinese-made patient monitor (the Contec CMS8000). They confirmed the device contained a backdoor that allowed:
- Download and execution of unverified remote files
- Overwriting of system files, preventing hospitals from validating software
- Connections to an unexplained third-party IP address
Hospitals often lack the budget to rip and replace devices across hundreds of beds. As Sherri reminded the audience, “We have such a decentralized procurement system… often you have to just move forward with what you have.”
For hospitals, segmentation, strict outbound filtering, and continuous monitoring are essential stopgap measures.
Caught in the Cyber Crossfire
China has long accused the U.S. of embedding backdoors in global technology products, citing Snowden-era revelations about alleged NSA interception of foreign hardware. These claims fuel Chinese regulators’ scrutiny of U.S. chips and networking gear.
Either way, organizations get caught in the cyber crossfire. Nation-states treat supply chains as strategic assets, and attackers may target foreign-made technology simply because it’s there—not because they’re after you.
That leaves your systems vulnerable to conflicts that have nothing to do with your mission. The solution: visibility, transparency, and tight control—not blind trust in where a device was made.
What Organizations Can Do—Starting Now
You don’t need to rip out every device sourced from China (or any other country). You do need to understand your exposure and systematically reduce it.
During the Cyberside Chats live episode, LMG offered several practical steps—here they are distilled into five core actions:
1. Require an Access Bill of Materials (ABOM) from every vendor.
Most organizations don’t know who can access their devices—or how.
An ABOM lists all remote access paths, cloud services, SIMs/radios, update servers, and key holders. It’s the fastest way to discover hidden or undocumented connectivity.
2. Treat hardware procurement like software supply chain risk.
Ask the same questions you’d ask of a SaaS provider:
Where is the data stored? Who can access the device? How is firmware signed and updated? Are subcontractors involved?
LMG has a good primer on this approach—check out “9 Tips to Streamline Your Vendor Risk Management Program.”
3. Create a simple, enforceable smart-device procurement policy.
Keep it short:
- No undisclosed radios, SIMs, or cloud connections
- No unmanaged remote access
- No EOL firmware in new purchases
- Mandatory security review for any “smart” device
4. Segment first, replace later.
You can mitigate most risks quickly by:
- Isolating high-risk devices
- Blocking unexpected outbound traffic
- Turning off vendor remote access
- Requiring approval for OTA updates
As one listener asked, “How do we spot unexpected data exposure?” Sherri’s answer was simple: “Turn on Wireshark and watch where the packets go.”
5. Strengthen TPRM for vendors that ship connected equipment.
Extend your third-party risk assessments to include:
- Firmware integrity practices
- Hosting jurisdictions
- Remote access mechanisms
- Logging and incident reporting
This framework scales from small organizations to large enterprises.
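Steps 1 and 4 fit together in practice: the ABOM tells you which destinations a device is supposed to talk to, and watching where the packets go tells you which ones it actually talks to. The following added example (not LMG's tooling) turns that into a repeatable check: every ABOM entry, the device address and the flow records are constructed, and it generalizes the "watch where the packets go" advice into an allowlist comparison that flags any outbound destination the vendor never disclosed.

```python
"""Flag outbound connections from a connected device that are not covered
by its Access Bill of Materials (ABOM).  Added example, not LMG's own code:
the ABOM entries, device IP and flow records below are all constructed."""
import ipaddress
from collections import defaultdict

# Constructed ABOM: every remote access path the vendor disclosed for the
# device.  Any outbound destination not covered here is "unexpected".
ABOM = {
    "update_servers": ["203.0.113.10"],      # documented OTA update host
    "cloud_services": ["198.51.100.0/24"],   # documented vendor telemetry range
    "local_management": ["10.20.0.0/16"],    # our own OT management network
}

DEVICE_IP = "10.20.5.41"  # constructed: the monitored device (e.g. an inverter)

# Constructed flow records "src,dst,dst_port,proto,bytes", as you might export
# from Wireshark or a flow collector.  Two rows go to an undisclosed host.
FLOWS = """\
10.20.5.41,203.0.113.10,443,tcp,18234
10.20.5.41,198.51.100.7,8883,tcp,921
10.20.5.41,10.20.0.5,22,tcp,4401
10.20.5.41,192.0.2.77,443,tcp,66120
10.20.5.41,192.0.2.77,443,tcp,58811
10.20.0.5,10.20.5.41,22,tcp,3000
"""

def _allowed_networks():
    """Flatten the ABOM into ip_network objects (single hosts become /32)."""
    nets = []
    for paths in ABOM.values():
        nets.extend(ipaddress.ip_network(p, strict=False) for p in paths)
    return nets

def unexpected_outbound(flow_text, device_ip=DEVICE_IP):
    """Return {dst: (flow_count, total_bytes)} for flows the device initiated
    whose destination is covered by no ABOM entry."""
    allowed = _allowed_networks()
    hits = defaultdict(lambda: [0, 0])
    for line in flow_text.splitlines():
        src, dst, _port, _proto, nbytes = line.split(",")
        if src != device_ip:  # inbound flows are not what the ABOM governs
            continue
        if any(ipaddress.ip_address(dst) in net for net in allowed):
            continue
        hits[dst][0] += 1
        hits[dst][1] += int(nbytes)
    return {dst: tuple(v) for dst, v in hits.items()}

if __name__ == "__main__":
    for dst, (count, total) in unexpected_outbound(FLOWS).items():
        print(f"UNDOCUMENTED destination {dst}: {count} flows, {total} bytes")
```

Each flagged destination is a question for the vendor: either it belongs in the ABOM, or it is exactly the kind of undocumented connectivity the procurement policy in step 3 forbids.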
Conclusion: Don’t Wait for Hidden Access to Become a Breach
Whether it’s a bus, a crane, a medical device, or an energy system, if it’s connected, it’s part of your attack surface. Chinese-made products illustrate the risks vividly, but the lesson is universal: organizations need visibility, guardrails, and accountability in every layer of their supply chain.
If your team needs support evaluating connected devices, developing procurement controls, or strengthening third-party risk management, contact our LMG Security team. We help with IoT/OT security assessments, vendor risk reviews, hands-on testing, and more. Take control of your remote access points before attackers do.