Chinese IoT ‘kill switches’ could disable Britain’s critical systems and infrastructure, MPs warn
"When one country controls the overwhelming supply of a technology, that is by its nature a structural risk."
Internet-of-things components made in China could contain hidden “kill switches” capable of disabling British energy systems, transport networks, medical devices and other critical infrastructure.
That was the warning made during a Commons debate on the Cyber Security and Resilience Bill, where parliamentarians urged ministers to widen the proposed legislation beyond conventional cyberattacks and ransomware to cover the risk posed by communications modules hidden inside connected machines.
The MPs focused on the dangers posed by cellular IoT modules, or CIMs, which are small components that allow devices to connect to mobile networks. These modules, often smaller than a postage stamp, are used in cars, buses, smart meters, traffic lights, CCTV cameras, industrial machinery, the energy grid and many other critical systems.
Graeme Downie, Labour MP for Dunfermline and Dollar, said: “[These devices] are the connective tissue of our modern digital economy, and we all rely on them every day. Despite their importance, however, very little is known publicly about what they do and the potential harm that they could cause.”
He warned that more than 70% of global cellular IoT modules were manufactured in China, creating what he described as a “strategic vulnerability” for the UK.
“When one country controls the overwhelming supply of a critical technology, that is by its nature a structural risk,” Downie added.
He argued that a hostile manufacturer, or one subject to foreign state pressure, could use firmware updates to insert a backdoor, push malicious code, or disable systems remotely.
“That could mean vehicles being turned off, cranes and industrial machinery being halted mid-operation, or financial terminals suddenly going offline,” he said.
He added that failures could also affect “NHS refrigeration, affecting drugs and blood supply”.
“[An attack] might not happen overnight or be something we immediately see,” Downie warned. “It could be hidden for a number of weeks or months in different technologies and across different parts of our economy, and it would be incredibly difficult—nigh on impossible—to prove exactly what had happened and who had done it, and to tie it to any one state actor with certainty.”
Vulnerabilities at the heart of British industry
Sir Iain Duncan Smith, the former Conservative leader, warned that imported IoT devices could contain kill switches that would allow adversaries to “devastate” British industries, naming energy as a sector facing a particular risk.
He said: “There was lots of talk under the previous Administration about Downing Street cars being searched for IOTs. We know about the huge imports from bad actors, such as China and other countries—that is really what we should be worried about.”
Dame Chi Onwurah, Labour MP for Newcastle upon Tyne Central and West, said the risk was not limited to obvious hostile action.
READ MORE: China’s Red Menshen “sleeper cell” spies caught hiding deep inside global telecoms networks
She warned that companies could simply stop providing software updates, leaving devices unsupported, more vulnerable to hackers and more likely to fail.
Onwurah said cellular IoT modules embedded in cars could transmit location and route information, as well as video of drivers or passengers. She warned that the implications of such systems being “switched off or turned to hostile uses” were obvious.
“Chinese attempts to corner the global market in CIMs could have significant national security implications,” Onwurah advised.
Early signs of a growing systemic private risk
There have already been a number of high-profile incidents involving remote disablement technology.
For example, when Russia invaded Ukraine in 2022 it tried to steal more than two dozen John Deere tractors and ship them to Chechnya. To stop this, the US manufacturer remotely disabled the vehicles, rendering them useless.
MPs also cited concerns raised in Norway about remote access capabilities in Chinese-made buses, a particularly sensitive issue given claims that around 500 Chinese buses have been ordered or are already operating on the streets of London.
READ MORE: China's secret surveillance tool has a strange limitation
The United States has moved faster than the UK on connected vehicle security. In January 2025, the Department of Commerce finalised rules restricting Chinese and Russian software and hardware in connected vehicles, citing the risk that foreign adversaries could exploit sensitive data or interfere with vehicles.
Those rules are now forcing automakers to rethink supply chains, with prominent manufacturers seeking US government licences for China-built models affected by the restrictions.
Meanwhile, China has tightened its grip on global IoT supply chains, rolling out new supply-chain security rules and expanding export controls on technologies critical to next-generation connected devices.
Beyond the internet of things
The debate also expanded into a broader sovereignty argument. Onwurah warned that the UK public sector was heavily dependent on Amazon Web Services and Microsoft Azure, which together account for a dominant share of the public cloud market.
She argued that Britain’s reliance on a small number of US-owned providers created a systemic risk, especially where public services and government data were locked into long-term contracts.
That issue is separate from Chinese IoT modules but part of the same larger concern: modern states increasingly rely on digital systems they do not fully control or even understand.
READ MORE: El Niño is a "systemic shock" that could wreck semiconductor supply chains, the WEF warns
The Government’s challenge is that many of the most serious cyber risks no longer look like traditional security problems, lurking in buses, fridges and cars rather than enterprise systems.
That is why the phrase “kill switch” has suddenly become politically useful. It captures the fear that Britain’s physical economy could be disabled through digital dependencies that were built cheaply, imported quietly and never properly audited.
It should be noted that no MP presented evidence that China had used such a kill switch against UK infrastructure. Nor is every remote update system sinister. Modern vehicles, medical devices and industrial machines need remote diagnostics and security patches to operate safely.
But the warning from Parliament was clear: if Britain does not know where these modules are, who made them, what data they transmit, how they are updated and who can ultimately control them, then the country may already have accepted a level of strategic risk it cannot measure or mitigate.
As Downie put it, most threats are “theoretical until they are not”.
