In this LABScon 25 presentation, Joe FitzPatrick explores how networked devices manufactured overseas have quietly become indispensable to everything from small-business prototyping labs to roadside infrastructure. He argues that the safeguards meant to manage the risks these devices introduce are, in practice, largely ineffective.
Starting with recent reports of undocumented cellular radios found in solar inverters used in U.S. highway infrastructure, Joe notes that adding that kind of connectivity to a device with an exposed serial port takes minutes and can be done by anyone: the manufacturer, the installer, or someone who came along later.
From there he covers the familiar mechanisms by which banned hardware finds its way into supply chains anyway, through relabeling and FCC-certified modular components, before turning to mandatory product activation in consumer devices like drones and 3D printers, and what it actually takes to use them without phoning home.
The deeper problem is that small businesses and infrastructure operators are genuinely dependent on imported hardware because it works and it’s affordable. A significant amount of it runs on devices that connect to foreign entities by default, and there’s no clean domestic alternative.
Joe concludes that import bans don’t fix problems that exist equally in domestic products, and that trade policy is the wrong tool for what is fundamentally a consumer safety problem. His preferred alternatives are right to repair with offline use guarantees, hardware and firmware bills of materials, and comprehensive privacy legislation.
This talk is essential viewing for security practitioners concerned about hardware supply chain risks, the unexpected connectivity of critical infrastructure, or the US’s deep dependence on foreign-manufactured consumer electronics.
About the Author
Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
LABScon 2026 | Call For Papers
Submission Deadline: June 19, 2026
LABScon is a unique venue for original research to be shared among peers. The benefit of an invite-only audience of researchers is that there’s no need for long preambles or introductions – speakers are encouraged to dive right into their technical findings.
- Original content only.
- Talks are 20 minutes long + 5 minutes for Q&A.
- Workshops are 90 minutes long.
- LABScon is primarily a threat intelligence and vulnerability research conference but we keep an open-mind.
About LABScon
This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.
Keep up with all the latest on LABScon here.
Facts Only
* Undocumented cellular radios were found in solar inverters used in U.S. highway infrastructure.
* Adding connectivity to a device with an exposed serial port can be done quickly by multiple parties (manufacturer, installer, later actors).
* Banned hardware enters supply chains through relabeling and FCC-certified modular components.
* Mandatory product activation is used in consumer devices such as drones and 3D printers.
* Small businesses and infrastructure operators are dependent on imported hardware because it is functional and affordable.
* Import bans do not fix problems existing in domestic products.
* Trade policy is presented as the wrong tool for consumer safety problems.
* Preferred alternatives include right to repair with offline use guarantees, hardware/firmware bills of materials, and comprehensive privacy legislation.
Executive Summary
Full Take
The narrative shifts the focus from immediate regulatory bans to the structural reality of hardware supply chains and systemic dependency. The central assertion—that import bans fail to solve consumer safety issues—challenges the simplistic application of trade policy as a solution to technical and security risks. This framing subtly redefines the problem: it is not simply illegal importation, but the embedded vulnerability inherent in relying on foreign-manufactured components and default connectivity protocols. The argument moves from a specific, visible threat (hardware in infrastructure) to a systemic problem of consumer sovereignty and operational dependency.
This position leverages the established fear of foreign supply chain risks to validate a broader call for legislative action that prioritizes physical and digital sovereignty over economic policy. The proposed alternatives—right to repair, open bills of materials, and privacy legislation—are not merely technical fixes; they represent a demand for operational control over the devices upon which safety and privacy depend. The underlying assumption is that true safety is achieved not through external sanctions, but through localized control, transparency, and the ability to manage embedded software and hardware autonomously.
Patterns detected: ARC-0043 Motte-and-Bailey, ARC-0024 Ambiguity
Sentinel — Human
This text reads like a professionally written summary of a technical presentation, grounded in specific domain expertise, and exhibits the logical flow and idiosyncratic emphasis typical of human academic or industry communication.