A user on X recently posted something that's been bouncing around security circles for years, but with a new edge: he'd used Claude to help reverse-engineer some consumer electronics and found that a power inverter from a large U.S. company was routinely communicating with servers in China. The Bluetooth chip was Chinese. The app was a rebranded OEM package. And the network scans showed traffic flowing overseas with nothing obvious preventing remote control.
Using Claude to reverse-engineer some devices I have, and one thing is clear:
— Benjamin De Kraker (@BenjaminDEKR) May 13, 2026
A huge number of things -- common electronics from Amazon etc -- "phone home" to China in the background.
Will post some longer thoughts on this, but assume Beijing can control anything that has…
The post, from @BenjaminDEKR, spelled out the implication bluntly: "Assume Beijing can control anything that has Bluetooth and an app."
This is not paranoia. It tracks with what security researchers have been documenting for years and what U.S. energy officials confirmed in May 2025 when they revealed that undocumented communication devices, including hidden cellular radios, had been found embedded in Chinese-manufactured solar inverters deployed across American infrastructure. These components were not listed in product documentation. They could bypass utility firewalls. One anonymous source told Reuters that the discovery meant "there is a built-in way to physically destroy the grid."
The Legal Framework Nobody Talks About
What makes Chinese-manufactured IoT hardware different from, say, a German router with a vulnerability? China's 2017 National Intelligence Law requires all organizations and citizens to "support, assist, and cooperate with national intelligence efforts." The law's scope is deliberately ambiguous. According to a Canadian Security Intelligence Service analysis, Chinese companies operating abroad remain subject to these obligations. A U.S. Department of Homeland Security advisory warned that under this framework, Chinese firms "are required to secretly share data with the PRC government or other entities upon request."
That's the legal architecture sitting behind your smart plug.
We've Already Seen the Kill Switch Work
In November 2024, users of solar inverters manufactured by Chinese company Deye woke up to find their systems bricked. Screens displayed messages like "This inverter is not allowed use at: USA." Reports came from Arizona, Puerto Rico, Canada, and beyond. The inverters had been remotely deactivated.
Deye later claimed this was an automatic authorization check, not a deliberate shutdown. But the mechanism existed, and it worked. The company demonstrated, accidentally or not, that it could turn off power equipment across multiple countries simultaneously. Sol-Ark, the U.S. distributor that white-labels Deye hardware, offered affected customers discounted replacements through the end of 2024. The utility grid wasn't affected because the bricked units were primarily behind-the-meter residential systems. But the capability was proven.
The Botnet Problem
Beyond intentional backdoors, there's the sheer vulnerability of cheap IoT devices. In September 2024, the FBI announced it had disrupted a botnet called Raptor Train, operated by the Chinese state-sponsored group Flax Typhoon. The botnet had compromised over 260,000 devices worldwide, including cameras, video recorders, and network storage units. About half were located in the United States. A joint advisory from CISA, the FBI, and allied agencies noted that many infected devices were still within their support window. The problem wasn't just end-of-life hardware.
Forescout researchers found 46 vulnerabilities in solar equipment from major manufacturers including Sungrow and Growatt. Eighty percent were classified as high or critical severity.
What This Actually Means
The scenario @BenjaminDEKR outlined is worth restating: imagine tensions between superpowers escalate, and a significant portion of American power inverters go offline simultaneously. Or surge. The grid isn't designed to handle coordinated disruption at that scale. Large transformers take months to replace.
This isn't theoretical infrastructure fiction. It's the logical endpoint of a system where cost optimization has pushed manufacturing to China, app development to the lowest bidder, and security to somewhere around the bottom of the priority list.
Florida Power & Light has already begun sourcing non-Chinese inverters. The Senate introduced legislation in February 2025 to ban Homeland Security from buying batteries from six Chinese companies by 2027. But the installed base of potentially compromised equipment is enormous, and consumers have no practical way to audit the devices they've already purchased.
The broader issue isn't that Chinese companies are uniquely malicious. Every connected device is a potential vector. The problem is that when the legal framework of the manufacturing country explicitly authorizes intelligence cooperation, and when we've seen remote kill switches actually deployed, the risk calculation changes. The cheap inverter from Amazon might work fine for years. It might also be waiting for instructions.
