Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

“All your base are belong to us” – A probe into Chinese-connected devices in US networks

Forescout Research - Vedere Labs | April 2, 2024

What does a classic internet meme of a poor English translation of a 1990s video game (Zero Wing) have to do with the potential for state-sponsored cyber-attacks? In the game, a starship captain receives a transmission from an ‘alien’ overlord: “All your base are belong to us.”

Unlike the game, the surprise of being overtaken by a threat actor is not a joke. But like becoming a meme, cyber-attacks have the potential to go viral.

Over the past five years, concerns have grown throughout the world about the use of Chinese-manufactured devices and software connected to the internet based on the potential for abuse via backdoors, supply chain implants and tampering to aid in espionage or disrupt critical infrastructure.

Today, these concerns are amplified by the variety and proliferation of these devices within networks – something we’re watching very closely. In 2019, Forescout researchers found more than 2,000 Chinese-manufactured cameras in US government networks ahead of an initial ban on those devices.

Since popular Chinese-made devices now go well beyond IP cameras and are deployed in many networks other than government agencies, we expanded our research to investigate the full scope of Chinese-manufactured devices in enterprise networks in the US today.

Key Findings: Despite Official Bans, US Networks See +40% YoY Growth in Chinese-Made Devices

  • Critical infrastructure organizations use high numbers of IoT devices
  • Despite being banned, IP cameras remain connected to networks
  • VoIP phones are present in the thousands
  • There are YoY increases/decreases in other countries too:
    • Singapore: +67%
    • Australia: +25%
    • Canada: -14%
    • Germany: -25%
  • Notable YoY growth by vertical:
    • Manufacturing: +105%
    • Healthcare: +47%
    • Financial Services: +40%
    • Government: +30%
    • Utilities/ Oil & Gas: +20%

Recent government actions on Chinese devices

At the end of February, the Biden administration signed an executive order to evaluate cybersecurity risks to US ports from the use of Chinese-manufactured shipping cranes. The following week, the Commerce Department announced an investigation into similar risks posed by data collected by Chinese-manufactured connected cars. These developments came after reports in early February that an energy utility was decommissioning Chinese-manufactured battery energy storage systems due to congressional concern over cybersecurity risks.

One notable development was the FCC ban in 2022 on the sale of equipment made by Huawei, ZTE, Hikvision, Dahua and Hytera in the US citing “unacceptable risks to national security.” This type of ban is not restricted to the United States:

Official government equipment bans, orders or not, our research shows Chinese-manufactured connected devices are expanding – especially in the US.

Identifying Chinese-manufactured devices

We first identified 5,070 unique vendors registered with a Chinese address on the database of Organizational Unique Identifiers (OUIs) of the IEEE registration authority. Those include known brands of consumer and enterprise electronics – such as Xiaomi (“Beijing Xiaomi Electronics Co., Ltd.”) and Hikvision (“Hangzhou Hikvision Digital Technology Co., Ltd”) – as well as manufacturers of wireless modules, SoCs and other components used by system integrators and third parties, such as Espressif and Hi-Flying.

Armed with this list of manufacturers, we searched the Forescout Device Cloud – a proprietary repository of connected enterprise device data containing information from over 19 million IT, OT, IoT and IoMT devices from Forescout customer networks – for devices with MAC addresses assigned by those vendors.

We used a few subsets of data on Device Cloud to allow for time and geographic comparisons:

  • US Feb. 2024: 7.5 million devices
  • US Feb 2023: 6.7 million devices

Compared with devices in the UK:

  • UK Feb. 2024: 500,000 devices
  • UK Feb. 2023: 250,000 devices

The who, what and where of Chinese-manufactured devices in the US

We saw close to 300,000 devices from 473 different Chinese manufacturers in US networks in February 2024 which is 3.8% of all devices. Interestingly, this represents a 41% growth from roughly 185,000 devices from February 2023 (2.7% of devices at that time). The number of Chinese-manufactured devices in the UK also grew from 10,000 in 2023 to 20,000 in 2024, but the percentage of devices remained at 4%.

This means that although the US and the UK have almost the same percentage of Chinese-manufactured devices in enterprise networks in 2024, the number in the US is growing faster both in absolute and relative terms. Figure 1 summarizes these data points.

Figure 1 – Total Chinese-manufactured devices in the US and UK in February 2023 and 2024

Globally, we see (Feb. 2024):

  • Australia has 4.5% of Chinese devices predominantly in government which grew from 3.2% in 2023 for a year-over-year increase of 37%.
  • Canada has 2.1% of Chinese devices predominantly in educational institutions which decreased from 2.5% in 2023 for a year-over-year decrease of 14%.
  • Germany has 5.4% of Chinese devices predominantly in manufacturing which decreased from 7.2% in 2023 for a year-over-year decrease of 25%.
  • Singapore has 9.5% of Chinese devices mostly in technology which grew from 5.6% in 2023 for a year-over-year increase of 67%.

Figure 2 shows what these devices are — with a majority (88%) in the IT category which is decreasing relative to the number of extended IoT (XIoT) devices (which is increasing). In 2023, IoT represented 6.5% of Chinese-manufactured devices in the US. Today, IoT is 9%. The UK has an even larger percentage of Chinese-manufactured IoT — with almost 20%.

Looking more closely into the specific function of these devices, we see:

  • Computers: 50% of devices
  • Mobile equipment, smartphones and tablets: 9%
  • IP cameras and surveillance equipment: 4%
  • VoIP and video conferencing: 2%
  • Networking equipment: 2%

Other types of devices that make the top ten list include physical access control systems, servers, medication dispensing systems, industrial control systems and smart TVs.

Figure 2 – Distribution of Chinese-manufactured devices per category and top 10 functions in the US and UK

Figure 3 shows who manufactures these devices. Most of them come from brands that are now known to the public. Some of the lesser-known brands, such as Wistron, Advantech and Inventec, design and manufacture equipment to be sold under other brand names which is known in the electronics industry as an original design manufacturer (ODM). Wistron and Advantech are both headquartered in Taiwan, but they have OUIs registered in China (“Wistron InfoComn (Kunshan) Co., Ltd.” and “Advantech Technology (CHINA) Co., Ltd.”) for devices manufactured there and those are the ones we count here.

Figure 3 – Top 10 Chinese device manufacturers in US and UK networks

Figure 4 shows where these devices are deployed. Critical infrastructure industries such as healthcare (33% of devices), manufacturing (32%) and government (9%) are among the top verticals using Chinese-manufactured devices in the US. Even more concerning is the year-on-year growth of Chinese-manufactured devices in some of these industries. Manufacturing organizations more than doubled the number of these devices between 2023 and 2024, while healthcare saw an increase of 47%, financial services grew 40%, and government expanded 30% where espionage and disruption concerns are the greatest.

Figure 4 – Top 10 Industries Using Chinese-Manufactured Devices in the US and UK

Figure 4 – Top 10 industries using Chinese-manufactured devices in the US and UK

A deep dive into government networks

Since government organizations are so critical and have been the focus of previous legislative and regulatory action in the US and abroad, we decided to drill down into the most popular specific devices seen in these networks. See Figure 5.

Figure 5 – Most popular Chinese-manufactured devices in US Government networks

The most popular devices (11.5% of all Chinese-manufactured devices in US government networks) are IP cameras and surveillance equipment produced by Honeywell Security China. Like other companies, Honeywell is not headquartered in China, but they have an OUI (“Honeywell Security (China) co., ltd.”) for devices manufactured there. Other popular cameras are from Hikvision and Dahua which have been banned by the FCC. Other popular devices in the government include Yealink VoIP phones, smartphones from several brands including OnePlus, Xiaomi and Huawei, and TPV smart TVs.

Other devices that caught our attention include smart whiteboards, video conferencing systems, smart TVs from several other brands, and robot vacuum cleaners.

Internet exposure of Chinese-manufactured devices

To have an idea of how many Chinese-manufactured devices in the United States are exposed directly to the Internet – which could open them up to remote attacks – we queried the Shodan search engine for products from five of the most popular Chinese manufacturers: Hikvision, Huawei, Xiaomi, TP-Link, Dahua, and ZTE. See Figure 6.

Out of a total of more than 375,000 devices, close to 300,000 (80%) are Hikvision IP cameras, close to 69,000 (18%) are Dahua IP cameras or network video recorders (NVRs), 4,800 (1.3%) are Huawei networking equipment, and 1,800 (0.5%) are TP-Link, Xiaomi or ZTE IoT devices.

Figure 6 – Chinese-manufactured devices exposed to the Internet throughout the United States

Looking at the organizations where these devices are deployed, we quickly identified 43 that are small energy, water or gas utilities throughout the country. Collectively, these 43 hosted 885 Chinese-manufactured devices exposed to the Internet. On average, each organization had 20. But the one with the most devices – a company providing electricity, natural gas, water and. wastewater to a county in Georgia – had 97. Almost all exposed devices in these organizations were Hikvision and Dahua IP cameras with a few examples of Huawei, TP-Link and Xiaomi IoT equipment.

The status quo is unsustainable

Even after five-plus years of discussion and action to contain the explosion of Chinese-manufactured devices in US networks, the volume continues to grow faster than in other countries.

IoT devices show the highest growth. Though cameras and smartphones are among the most popular, devices used for communications, physical access control and building automation, as well as networking equipment are also growing in popularity.

Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year.

One vertical of interest is the government where Hikvision and Dahua cameras, despite being banned, remain connected to networks. Other devices, including Yealink VoIP phones, are also present in the thousands.

Beyond the government, we see dozens of small utilities exposing hundreds of IP cameras directly to the Internet. But what is the actual risk of all those devices? The main concern is the possibility that the Chinese government allows them to access and tamper with the devices remotely. Plus, software vulnerabilities discovered in China give them enough time to exploit those on targeted organizations.

Despite lingering misconceptions, IP cameras and IoT devices are critical to securing networks. Here’s why:

  1. Vulnerabilities in IP cameras are one the most exploited devices.
    CVE-2021-36260 affecting Hikvision cameras was among the most exploited by Chinese APTs in 2022, according to CISA. Other IoT devices have also been targeted by Chinese APTs such as Volt Typhoon to form botnets that conceal hacking of critical infrastructure.
     
  2. IP cameras are often placed on highly sensitive networks where they can serve as an initial access point.
    In the recent hack of the Aliquippa, Pennsylvania water authority, the network hosting PLCs also included “several security cameras”. Reports of Chinese attacks to the Indian power grid also include the use of IP cameras and NVRs for command and control. Vedere Labs showed how IP cameras can be used to carry out ransomware, cryptominer and physical attacks in our R4IoT research.
     
  3. IoT devices are used in espionage.
    Chinese APTs have been long known for espionage and many XIoT devices provide ample opportunity for that. Recent reports about Russian IP cameras in Ukraine sending traffic to Russian servers for years make us wonder if the same could happen with Chinese cameras in the US. Similarly, our past research into smart TV and video conferencing vulnerabilities showed how easy it is for attackers to use those to exfiltrate sensitive information.

Organizations must pay attention to every asset on their network, be it IT, IoT, IoMT or OT, because they all can present cyber risks. Devices that carry additional risk due to where they were manufactured must be inspected even more closely.

Demo Request Forescout Platform Top of Page