PRC Smart Television Risks and Ecosystem ‘Enmeshment’
John Costello

Executive Summary:
Ecosystem enmeshment is transforming a bounded device-level risk into an open-ended one: smart television manufacturers in the People’s Republic of China (PRC) are leveraging scale in commodity hardware to build durable control points across adjacent product categories, companion platforms, interoperability standards, and upstream component supply chains.
Chinese smart television manufacturers retain privileged control over firmware, middleware, and over-the-air update pipelines, capabilities that could be leveraged for intelligence collection, behavioral modification, or network exploitation if engineers operating under PRC jurisdiction are directed or co-opted by state intelligence services.
Supply chain opacity—through joint ventures, original design manufacturing, and brand licensing—systematically obscures the identity of the firm exercising lifecycle authority over devices sold to U.S. consumers. This undermines every regulatory instrument that depends on identifying who controls what.
The United States has no centralized federal authority establishing baseline cybersecurity or provenance requirements for consumer connected devices; existing tools govern transactions and specific entities, not the conditions under which firms sell into the domestic market. As enmeshment deepens, risks are compounding, while the window for early, lower-cost action narrows.
Editor’s Note: This is the final installment in a five-part series exploring security risks associated with connected devices manufactured in the People’s Republic of China. The previous four articles can be read here, here, here, and here.
In early February, the Chinese Communist Party (CCP) Central Committee and the State Council jointly released their first policy opinion of the year. Referred to commonly as “Document Number One” (一号文件), this document traditionally focuses on agriculture, rural areas, and farmers—a reminder of the Party’s rural roots and supposed commitment to the masses (Xinhua, February 4). This year’s was no different. But in a sign of the Party’s growing push to diffuse advanced technology throughout the economy, the document’s fourth section (out of 27) focused on “enhancing the effectiveness of agricultural science and technology innovation” (提升农业科技创新效能). For the first time, this section included a mention of the Internet of Things (IoT; 物联网) as a key part of pursuing new quality productive forces in the agricultural sector.
The inclusion of the Internet of Things in such an important policy document indicates the increasing prominence the Party is affording the technology as part of its desire to integrate digital interconnectivity into all aspects of society. This desire is not just confined to the Party’s domestic ambitions, either. As recent Party media has noted, CCP General Secretary Xi Jinping has spoken about leveraging IoT as part of plans to “cultivate an independent, controllable, and continuously evolving platform ecosystem” (培育自主可控、持续进化的平台生态) overseas (People’s Daily, February 12).
From a cybersecurity standpoint, the prospect of a global, connected, platform ecosystem that the government of the People’s Republic of China (PRC) can control is concerning. But in many ways, it is already being realized. Smart televisions manufactured in the PRC provide a useful lens for understanding the potential scale of the problem. The technical architecture of these TVs, which includes the device stack, service models, data flows, and lifecycle control points, coupled with their increasing ecosystem enmeshment within the United States, creates a compounding set of risks that the U.S. governance system is not currently configured to confront.
The Compounding Risk
The risk posed by PRC-connected smart televisions is not a fixed quantity to be measured once and managed thereafter. It is a function of three interacting variables: original equipment manufacturer (OEM) leverage over firmware and update authority; the legibility of the supply chain to regulators and consumers; and the expansion of a bounded consumer product into an integrated ecosystem. These variables are mutually reinforcing. As the installed base grows, control over lifecycle updates persists, and branding detaches from technical authority. As a result, the television assumes the characteristics of infrastructure, at which point the risk is no longer discrete, but compounding.
OEM Leverage: Capability Beyond Data Collection
Public debate centers on data collection, which is the visible surface of cybersecurity risk. But the more consequential issue is capability: what a manufacturer could do with its privileged position in firmware, middleware, and update authority if directed, pressured, or quietly co-opted by PRC state intelligence. This is the capability prong of the intent–access–capability framework introduced in Part 4, and it is where the service model distinctions outlined there become operationally significant (China Brief, February 20).
If the engineers who design and maintain firmware operate in PRC jurisdictions, they exist within a legal and political environment shaped by the 2017 National Intelligence Law (国家情报法) and the 2021 Data Security Law (数据安全法). Formal statutory obligation is only part of the picture. The informal capacity of the state to apply pressure, monitoring, and consequences without judicial process is more powerful. An engineer in Shenzhen or Qingdao does not need to be served with a court order to be co-opted. The organizational and political environment is itself the enforcement mechanism. [1] Every major PRC manufacturer examined in this series maintains its primary firmware and middleware engineering operations in the PRC mainland. U.S. offices exist—Hisense in Alpharetta, Georgia; TCL in Irvine, California; and Skyworth in Cypress, California—but none publicly discloses how many of its U.S. employees work on firmware, middleware, or telemetry code versus marketing, business development, and hardware sourcing. Where lifecycle software control resides inside the PRC system, structural exposure remains intact regardless of marketing footprint in the United States.
The manifestation of such exposure would not resemble a dramatic, easily discoverable backdoor. A more plausible construct is an intentional vulnerability embedded to appear as ordinary software error—a “bugdoor.” [2] Firmware complexity provides natural camouflage. On a proprietary operating system like Hisense’s VIDAA, the OEM controls the entire validation chain from bootloader through application layer, and there is no external audit layer. On a Google-certified Android TV build, the vendor partition is approved at certification time but not continuously monitored, and the depth of what Google actually inspects in an OEM’s proprietary middleware is deal-specific and opaque. Attribution would be uncertain by design.
The decisive access point is the over-the-air (OTA) firmware update pipeline. The OEM generally controls signing authority, build systems, server infrastructure, rollout staging, and rollback policy. On Android TV, the OEM signs and hosts updates within Android’s OTA mechanisms using OEM-controlled keys. Platform constraints limit arbitrary device takeover, but the capacity to modify behavior silently, post-sale, and at scale has few parallels in conventional intelligence collection. The critical unknowns—key custody, hosting location, update granularity, and rollback protections—are themselves risk multipliers. The less that is publicly documented about the update pipeline, the harder it is for external observers to assess whether it has been tampered with.
Capability does not require demonstrated exploitation to matter. It requires a structural position—and that position exists. Moreover, as the installed base expands, the leverage embedded in that pipeline expands with it.
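The “critical unknowns” named above (key custody, update granularity, rollback protections) correspond to concrete checks on the receiving side of an OTA pipeline. The following Go program is an added illustration, not code from any manufacturer or platform discussed in this article: it models a device that pins a public key, signs a manifest covering a monotonic version counter and a payload hash, and refuses updates that fail signature verification, that attempt a version rollback, or whose payload does not match the signed manifest. The manifest layout, the use of Ed25519, and the seeds and image bytes are all constructed for the example. The point for a defender is that each of these checks only constrains an attacker who lacks the signing key; where the OEM holds the key, none of them constrains the OEM, which is exactly why key custody and rollback policy matter for risk assessment.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one OTA image: a monotonic version
// counter (for anti-rollback) and the SHA-256 of the payload (for integrity).
// Signing the manifest rather than the raw image lets the device verify a
// small blob before it commits to downloading or flashing anything.
type Manifest struct {
	Version     uint32
	PayloadHash [32]byte
}

// bytes serialises the manifest deterministically; this is what gets signed.
func (m Manifest) bytes() []byte {
	buf := make([]byte, 4+len(m.PayloadHash))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.PayloadHash[:])
	return buf
}

// Update is what the OTA server delivers: manifest, detached signature, image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

// Device models the verifying side. PinnedKey stands in for a key baked into
// the bootloader; InstalledVersion stands in for a counter kept in
// tamper-resistant storage so that an older signed image cannot be replayed.
type Device struct {
	PinnedKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrPayloadHash  = errors.New("payload hash does not match signed manifest")
)

// Apply enforces the three checks in order: authenticity of the manifest,
// anti-rollback, then payload integrity. Only a fully verified update
// advances the stored version counter.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.PinnedKey, u.Manifest.bytes(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(u.Payload) != u.Manifest.PayloadHash {
		return ErrPayloadHash
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// Sign is the build-server side: whoever holds priv can produce an update
// the device will accept, which is the leverage the article describes.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	m := Manifest{Version: version, PayloadHash: sha256.Sum256(payload)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Payload: payload}
}

// RunScenario exercises the verifier with constructed inputs and returns the
// outcome of each attempt in a fixed order: genuine v8, rollback to v6,
// tampered v9 payload, and a v10 image signed by an unpinned key.
func RunScenario() []error {
	// Constructed seeds for the example only; a real device pins a key it never sees the private half of.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	dev := &Device{PinnedKey: priv.Public().(ed25519.PublicKey), InstalledVersion: 7}

	genuine := Sign(priv, 8, []byte("constructed firmware image v8"))
	old := Sign(priv, 6, []byte("constructed firmware image v6"))
	tampered := Sign(priv, 9, []byte("constructed firmware image v9"))
	tampered.Payload = []byte("constructed firmware image v9 with altered bytes")
	forged := Sign(otherPriv, 10, []byte("constructed image signed by an unpinned key"))

	return []error{dev.Apply(genuine), dev.Apply(old), dev.Apply(tampered), dev.Apply(forged)}
}

func main() {
	labels := []string{"genuine v8", "rollback to v6", "tampered payload v9", "forged signature v10"}
	for i, err := range RunScenario() {
		fmt.Printf("%-22s -> %v\n", labels[i], err)
	}
}
```

Run it with `go run .`; the first attempt succeeds and the remaining three are rejected with the named errors. Note what the example cannot show: whether the signing key lives in an HSM or on an engineer’s workstation, who can trigger a build, and whether the rollback counter is actually tamper-resistant are all properties of the OEM’s pipeline, not of the verification code, and they are the properties the article identifies as publicly undocumented.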
Supply Chain Opacity: Who Controls What You Buy
Technical leverage deepens when the identity of the firm exercising it becomes obscured. Although firms do not disclose the distribution of their work divisions, it is common across the industry for firmware authority, update control, and engineering to remain in PRC jurisdictions, while branding and retail presence appear Western-facing. Nothing at the point of sale indicates this to the buyer.
The pattern is well established. In January 2026, Sony and TCL announced plans to form a 51/49 joint venture to operate Sony’s home entertainment business, covering the end-to-end chain from product development and design through manufacturing, sales, logistics, and customer service, with operations targeted for April 2027 (Sony Corporation; The Verge, January 20). Sony will retain its brand and proprietary image processing technology, but the device itself—hardware, firmware integration, and update pipeline—will be managed by the TCL-controlled entity. Senator Jim Banks (R-IN) raised national security concerns over the arrangement in February 2026. But as of this article’s publication, no CFIUS review has been announced (U.S. Senate, February 2). In a separate example, Hisense acquired Sharp’s North American TV operations in 2015 for $23.7 million, controlling the full device stack on Sharp-branded televisions for approximately four years before Sharp reclaimed the brand (EE Times, July 31, 2015). And as noted previously, the firm TongFang (同方), which is part-owned by the enterprise responsible for the PRC’s civilian and military nuclear programs, manufactures televisions sold under the Westinghouse and Element brand names in the United States (CNBC, January 4, 2017; Consumer Reports, March 19, 2022; China Brief, February 20). Most recently, Skyworth has signed a deal with Panasonic to sell TVs to the North American and European markets (Sina, February 27). No consumer-facing indication of the device’s provenance exists for any of these arrangements.
This is a governance-blinding problem. Any regulatory instrument, such as labeling, entity-list enforcement, or ICTS review, that depends on identifying the firm responsible for firmware, update authority, or data routing is structurally undermined when brand identity is decoupled from technical control. The less legible control becomes, the harder it is to assess the scope of lifecycle authority embedded within the market.
From Device to Ecosystem
For now, platform partnerships with Google, Amazon, and Roku impose partial constraints on PRC manufacturers that mitigate some of the risks. Certification processes, app store governance, and operating system-level architecture limit unilateral OEM modification of certain layers of the stack. Automatic content recognition (ACR) data collection, while extensive, flows in most cases through U.S.-based advertising intermediaries rather than directly to PRC servers. At the regulatory level, attention is arriving, if belatedly, through consumer protection enforcement. As a result, the risk today is serious but not yet unconstrained. But the trajectory is integrative.
The growing expansion of PRC technology firms into the U.S. ecosystem could best be termed “ecosystem enmeshment.” This phenomenon is a structural outcome of the intersection between PRC industrial-scale manufacturing policy and platform-mediated technology markets. The PRC’s focus on cornering the market in consumer devices and IoT is far reaching. Scale in ostensibly commodity devices creates an installed base and a set of lifecycle control points—updates, apps, certifications, and service layers—that function as market infrastructure. Once embedded, that infrastructure lowers the barriers to entry into adjacent product categories and service layers, allowing low-margin penetration to translate into higher-leverage positions over time.
What begins as price competitiveness in commodity hardware becomes leverage over ecosystem architecture. Although enmeshment is not a coordinated conspiracy, it is the predictable byproduct of state-backed industrial scale combined with the economics of IoT and smart-device markets. Its cumulative effect is to create dependence as a byproduct of interoperability and convenience. Vendors with dominance in foundational consumer devices thus gain expanding influence across adjacent sectors, deeper into the stack, and across an increasing share of household and commercial environments.
This trend is visible in the smart TV sector, where devices are increasingly sold as part of an integrated smart home or app ecosystem. This transforms them from discrete data collection devices into something qualitatively different. Persistent behavioral monitoring infrastructure, when embedded in the household, becomes capable of capturing not just viewing preferences but security states, appliance usage patterns, environmental conditions, movement through the home, and network traffic across connected devices that sit under the same control layer or within reach of a potential lateral move.
Chinese manufacturers are actively pursuing this expansion strategy. TCL now offers robot vacuums, air purifiers, smart locks, and security cameras, all managed through the TCL Home app and controllable via the television as a household hub (TCL, accessed February 27). [3] Hisense’s ConnectLife platform, meanwhile, integrates kitchen, laundry, air conditioning, and living room appliances under a unified control layer. At the technology trade show CES 2026, the company branded its strategy as a “full-scenario smart home ecosystem” (全场景智慧家庭生态) and announced expanded support for Google Home and Matter integration (LEDinside, January 8; Hisense, December 18, 2025). The deepening of stack position runs in parallel: Hisense has invested approximately $240 million to acquire a controlling stake in the Qingdao-based LED chipmaker Changelight to secure its display component supply chain (Yicai Global, February 1, 2023). Firms are also pursuing diversification beyond consumer electronics. Hisense’s TransTech subsidiary provides AI-powered urban governance and traffic management systems; and both TCL and Hisense are entering automotive displays and semiconductor manufacturing (Hisense USA, December 18, 2024; OFweek, June 28, 2023). With expanding footprints across multiple sectors, these technology firms are compounding the governance challenge.
This challenge is further exacerbated by the ongoing disaggregation of responsibility for provenance. OEM licensing agreements, ODM arrangements, and white-label partnerships embed PRC-engineered software stacks in devices sold under other brands, attracting little public scrutiny even as the aggregate footprint expands. Companion apps aggregate data from across the ecosystem into single collection points. For instance, Hisense’s ConnectLife app collects location, personal information, and usage data. TCL’s Connect app does the same (Google Play, accessed February 27, [1], [2]). An adjacent challenge is that interoperability standards and cross-device coordination layers raise the cost of switching away from an ecosystem once a household is inside it. PRC state media have reported approvingly on this trajectory: Xinhua’s coverage of CES 2025 emphasized Hisense’s AI-powered innovations across display, smart home, and automotive domains (Xinhua, January 8, 2025). Its coverage of this year’s event similarly highlighted PRC manufacturers demonstrating cross-device coordination and AI-driven automation across product categories (Xinhua English, January 10). The growth is largely silent, and it is accelerating.
The U.S. Response to Device Risk
Because this ecosystem expansion advances dynamically—through integrated platforms, interoperability standards, and white-label arrangements rather than discrete, legible transactions—it largely bypasses a U.S. regulatory apparatus designed to govern static products and identifiable firms. The tools available are oriented to discrete firms, identifiable transactions, and static product categories. Enmeshment, meanwhile, operates across categories, through iterative post-sale integration, and partially below the visibility threshold of any existing disclosure regime.
The Governance Void
The United States has no centralized federal authority establishing baseline cybersecurity requirements for consumer connected devices. Cybersecurity, consumer privacy, and digital device governance have never been designated as areas principally regulated by federal agencies—outside sector-specific cases such as healthcare, financial services, and telecommunications, they are left to the states. Every comprehensive federal privacy bill introduced to date has stalled in Congress (IAPP, accessed February 27). The statutes that are powerful in trade and commerce touch on the domestic device market only adjacently: CFIUS governs foreign acquisitions, the Entity List restricts exports, and the Federal Communications Commission’s Covered List addresses telecommunications infrastructure. None sets market requirements for a set of firms offering a class of devices to U.S. consumers, and none addresses the embedded firmware and middleware risks at the device level. They govern transactions, not products. By late 2025, the Entity List had swelled to over 1,000 Chinese firms (Reuters, September 29, 2025). But no firm has been listed for the aggregate risk its consumer devices pose to the domestic digital ecosystem. The narrower tools that can directly address the domestic supply chain—the ICTS authorities under Executive Order 13873, federal procurement prohibitions such as NDAA Section 889, and CISA Binding Operational Directives—set requirements on when and how specific transactions or agencies may act, but they do not impose baseline conditions on firms or products as a condition of market access.
Consumer labeling has been the most frequently proposed market-shaping alternative. But while it might help to reduce supply chain opacity, it is the least effective at changing consumer behavior, as a 2025 study on the FCC’s new Cyber Trust Mark has shown (ACM, April 2025). [4] This finding is consistent with the underlying economics: device security compromise is about national-level data aggregation and infrastructure vulnerability, not individually threatening events. Consumers discount abstract, impersonal risk because the cost of compromise falls on third parties—a negative externality in which neither the purchaser nor the manufacturer bears the consequences (Lawfare, April 7, 2025). Civil enforcement actions can change the interpretation of existing law, as the FTC’s 2017 settlement with Vizio and the Texas Attorney General’s 2026 agreement with Samsung show (FTC, February 6, 2017; FOX 7 Austin, February 26). But they do not create new law—they merely bind the parties to the agreement, and cannot manifest authority that does not already exist within a statute’s bounds. Federal agencies require a legal predicate to compel disclosure of data practices or firmware provenance, and the complexity of the modern device stack outpaces any static disclosure regime.
A national security risk determination does not require demonstrated exploitation to be legally or practically useful. But absent the institutional capacity to identify the risk in the first place, even that authority goes unexercised. In this vacuum, governance defaults to prohibition by exception. Specific firms or product categories are restricted once risk reaches national-security salience. The Kaspersky prohibition (June 2024), the ICTS final rule on connected vehicles (Federal Register, December 6, 2024), and the Huawei and ZTE equipment bans each address a specific firm or product category through targeted restriction rather than through baseline requirements applied to the broader class of devices or suppliers at issue. The structural vulnerability in this approach is that a problematic firm or device class can continue its penetration of the U.S. market relatively unchecked until its scale, impact, or visibility is sufficient to warrant national security attention—if it ever does. This model is reactive. It addresses visible manifestations of scale rather than the structural conditions that produced them.
Ecosystem enmeshment is antithetical to this approach: it offers few direct, targeted areas where risks and ecosystems are bounded enough to make prohibition enforceable and meaningful. As a result, the PRC’s strategy of low-cost manufacturing, which leads to indispensability in commodity ICT devices and components, is translating into greater market power and deeper embedding in U.S. homes and infrastructure. This makes dependence on PRC-origin technology stacks unavoidable, difficult to identify, and costly to reverse. The logic is explicit in Chinese policy commentary, which emphasizes deep market integration and raising the cost of restriction to the restrictor (CCTV News App, October 16, 2024; Economic Herald, January 2, 2025). Targeted bans do not address such sweeping forces.
The Closing Window
Enmeshment alters the cost curve of intervention. When lifecycle authority is concentrated in a small installed base, regulatory action can operate at the level of firms or product lines. Once that authority is distributed across millions of devices, companion applications, interoperability standards, and adjacent product categories, disentanglement becomes a systemic challenge rather than a discrete one.
The telecommunications precedent illustrates the point. The FCC identified tens of thousands of pieces of Huawei and ZTE equipment across thousands of carrier locations in the United States, and Congress appropriated $1.9 billion for a reimbursement program (SDxCentral, February 11, 2022). But even with a finite and identifiable inventory of network equipment, removal proved underfunded and slow. The Commission has estimated that almost $5 billion is needed, and roughly 40 percent of recipients have reported they cannot complete replacement without additional funding (Reuters, May 2, 2024). While that case involved thousands of nodes, the consumer IoT ecosystem involves tens of millions—embedded in private homes, coupled to cross-device platforms, and integrated through shared applications. There is no equivalent of a rip-and-replace program for distributed household infrastructure. [5]
Enmeshment will make intervention harder over time, as identifying the scope of U.S. dependence on PRC-origin technology and addressing instances where that dependence proves unacceptable becomes increasingly difficult. As PRC vendors expand from televisions into smart-home devices, companion apps, and cross-device platforms, they deepen their footholds across an ever more diverse set of applications and market segments. All the while, U.S. regulatory tools remain oriented toward discrete transactions and firm-specific prohibitions, with no mechanism for continuous visibility into firmware provenance or update-chain control across an evolving ecosystem. The longer integration proceeds, the more expensive correction becomes. Early action can operate at the level of market-entry conditions and transparency requirements. But late action requires prohibitions and large-scale unwinding. This kind of intervention, as seen in the telecom and social media cases, is disruptive and politically fraught. Once an ecosystem becomes infrastructural, policy no longer shapes its development—it reacts to consequences. The smart television ecosystem is at that inflection point now.
Conclusion
The combination of PRC state policy, organizational control through CCP institutional ties, and the technical capability assessed across the fourth and fifth parts of this series creates a system of risk, not a collection of isolated incidents. That system is compounding: OEM leverage deepens as installed bases grow, supply chain opacity thickens as joint ventures and ODM arrangements proliferate, and ecosystem enmeshment transforms a bounded device-level concern into an open-ended one.
The U.S. governance architecture, as presently configured, is structurally oriented to discover this problem late and address it expensively. But the window for governing the risk while it remains tractable has not yet closed. The smart television ecosystem is a live case study—and a preview of the challenge that will recur across every category of PRC-origin connected device entering American households. The way forward does not necessarily require total risk transparency or prescriptive regulation on the model of the EU’s Cyber Resilience Act. But the current U.S. disposition is one of structural inertia, in which the aggregate risks of the devices Americans use are being shaped by Chinese industrial policy and a market that is largely blind, indifferent, or confused by its own dependence on PRC-origin technologies.
The United States will either develop the institutional capacity to see and shape ecosystem enmeshment while the market is still forming, or it will continue to inherit successive cases as late-stage prohibition. These will each prove costlier to impose, easier to retaliate against, and further from the underlying problem than the last. That choice has not yet been foreclosed, but the window in which it remains a choice is narrowing.
This article originally appeared in China Brief.
John Costello is a Senior Analyst for Cyber and East Asia at Flashpoint. He is a Cybersecurity Fellow for New America and former Congressional Innovation Fellow for the majority staff in the U.S. House of Representatives Committee on Oversight and Government Reform. John is also a U.S. Navy veteran and former NSA Analyst, and he is fluent in Mandarin Chinese.
Notes
[1] For a detailed treatment of the organizational and political mechanisms through which PRC state intelligence leverages technology companies, see Parts 1–3 of this series (China Brief, July 25, 2025, August 7, 2025, September 19, 2025).
[2] The term “bugdoor” refers to an intentional vulnerability embedded in code and designed to be indistinguishable from an accidental software bug. Unlike a traditional backdoor, which is a discrete, identifiable access mechanism, a bugdoor exploits the inherent complexity and imperfection of software to provide deniable access.
[3] As an aside, recent revelations that an individual was able to simultaneously access thousands of robot vacuum cleaners manufactured by another PRC firm, DJI, are only the latest example of the potential cybersecurity risks such ecosystem-integrated devices pose. In the DJI case, the individual was able to remotely control the robovacs, look and listen through their live camera feeds, and even generate a complete 2D floor plan of device owners’ homes (The Verge, February 14).
[4] Caven, Peter, Ambarish Gurjar, Zitao Zhang, Xinyao Ma, and L. Jean Camp. “Usability, Efficacy, and Acceptability of the U.S. Cyber Trust Mark.” In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI ’25), Article 1096, 1–35. New York: Association for Computing Machinery, 2025. https://doi.org/10.1145/3706598.3713463.
[5] TikTok illustrates the same dynamic at the application layer: enforcement was repeatedly delayed through 2025, and the eventual resolution required a complex ownership and governance structure rather than a clean prohibition (Reuters, January 23).