Forescout research finds surge in Chinese-manufactured devices on US networks, including critical infrastructure

Researchers from Forescout Vedere Labs revealed that U.S. networks have experienced a significant 40 percent year-on-year increase in Chinese-made devices, despite official bans. Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year. One vertical of interest is the government where Hikvision and Dahua cameras, despite being banned, remain connected to networks. Other devices, including Yealink VoIP phones, are also present in the thousands.

The data also showed growth in other countries, with Singapore seeing a 67 percent increase and Australia experiencing a 25 percent rise. In contrast, Canada reported a 14 percent decrease, while Germany noted a 25 percent decline. 

“The main concern is the possibility that the Chinese government allows them to access and tamper with the devices remotely,” Forescout Vedere Labs said in a Tuesday blog post. “Plus, software vulnerabilities discovered in China give them enough time to exploit those on targeted organizations.”

Forescout Vedere Labs, the research arm of Forescout Technologies, has revealed a sector-wise breakdown showing a notable 105 percent increase in the manufacturing sector and a 47 percent rise in healthcare. Financial services reported a 40 percent increase, government sectors saw a 30 percent rise, and the utilities/oil and gas sector registered a 20 percent increase. 

When it comes to where these devices are deployed, the researchers detailed that critical infrastructure industries such as healthcare (33 percent of devices), manufacturing (32 percent), and government (9 percent) are among the top verticals using Chinese-manufactured devices in the U.S. 

The researchers added that they “saw close to 300,000 devices from 473 different Chinese manufacturers in US networks in February 2024 which is 3.8 percent of all devices. Interestingly, this represents a 41 percent growth from roughly 185,000 devices from February 2023 (2.7 percent of devices at that time). The number of Chinese-manufactured devices in the UK also grew from 10,000 in 2023 to 20,000 in 2024, but the percentage of devices remained at 4 percent.”

Furthermore, it added, “This means that although the US and the UK have almost the same percentage of Chinese-manufactured devices in enterprise networks in 2024, the number in the US is growing faster both in absolute and relative terms.”

Globally, in February this year, Forescout researchers observed that Australia has 4.5 percent of Chinese devices predominantly in government which grew from 3.2 percent in 2023 for a year-over-year increase of 37 percent. Canada has 2.1 percent of Chinese devices predominantly in educational institutions which decreased from 2.5 percent in 2023 for a year-over-year decrease of 14 percent.

Additionally, Germany has 5.4 percent of Chinese devices predominantly in manufacturing which decreased from 7.2 percent in 2023 for a year-over-year decrease of 25 percent. Singapore has 9.5 percent of Chinese devices mostly in technology which grew from 5.6 percent in 2023 for a year-over-year increase of 67 percent.

The data further identified that these “devices are — with a majority (88 percent) in the IT category which is decreasing relative to the number of extended IoT (XIoT) devices (which is increasing). In 2023, IoT represented 6.5 percent of Chinese-manufactured devices in the US. Today, IoT is 9 percent. The UK has an even larger percentage of Chinese-manufactured IoT — with almost 20 percent.”

Forescout initially identified 5,070 unique vendors registered with a Chinese address on the database of Organizational Unique Identifiers (OUIs) of the IEEE registration authority. “Those include known brands of consumer and enterprise electronics – such as Xiaomi (Beijing Xiaomi Electronics Co., Ltd.) and Hikvision (Hangzhou Hikvision Digital Technology Co., Ltd) – as well as manufacturers of wireless modules, SoCs and other components used by system integrators and third parties, such as Espressif and Hi-Flying.”

Armed with this list of manufacturers, “we searched the Forescout Device Cloud – a proprietary repository of connected enterprise device data containing information from over 19 million IT, OT, IoT, and IoMT devices from Forescout customer networks – for devices with MAC addresses assigned by those vendors,” the researchers added.

Addressing device manufacturers, Forescout disclosed that “Most of them come from brands that are now known to the public. Some of the lesser-known brands, such as Wistron, Advantech, and Inventec, design and manufacture equipment to be sold under other brand names which is known in the electronics industry as an original design manufacturer (ODM).” 

Besides, “Wistron and Advantech are both headquartered in Taiwan, but they have OUIs registered in China (‘Wistron InfoComm (Kunshan) Co., Ltd.’ and ‘Advantech Technology (CHINA) Co., Ltd.’) for devices manufactured there and those are the ones we count here,” the post added.
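The OUI-based method described above (select registrants with a Chinese address, then match device MAC addresses against their prefixes) can be applied to an organization's own asset inventory. The following Python code is an added example, not Forescout's tooling: the registry rows, prefixes, addresses, hostnames and MACs are constructed placeholders in the column layout of the IEEE MA-L CSV, and the country check assumes the country code is a standalone token near the end of the address.

```python
import csv
import io
import re

# Constructed sample in the column layout of the IEEE MA-L registry CSV.
# Prefixes and addresses are placeholders, not real assignments.
SAMPLE_OUI_CSV = """Registry,Assignment,Organization Name,Organization Address
MA-L,00AA01,"Hangzhou Hikvision Digital Technology Co., Ltd",Example Road 1 Hangzhou Zhejiang CN 310000
MA-L,00AA02,"Advantech Technology (CHINA) Co., Ltd.",Example Road 2 Kunshan Jiangsu CN 215300
MA-L,00AA03,Example Networks Inc.,1 Example Way Springfield IL US 62701
"""

# Constructed inventory export: (hostname, MAC) in mixed notations.
SAMPLE_INVENTORY = [
    ("cam-lobby", "00:aa:01:12:34:56"),
    ("cam-dock", "00-AA-01-AB-CD-EF"),
    ("hmi-line3", "00aa.0200.0001"),
    ("sw-core", "00:AA:03:00:00:01"),
    ("phone-guest", "02:AA:01:11:22:33"),  # locally administered (randomized)
    ("broken", "not-a-mac"),
]

def load_prefixes(csv_text, country="CN"):
    """Map 24-bit prefix -> organization for registrants whose address has `country`."""
    prefixes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: the country code is a standalone token near the end of the address.
        tail = row["Organization Address"].split()[-3:]
        if row["Registry"] == "MA-L" and country in tail:
            prefixes[row["Assignment"].upper()] = row["Organization Name"]
    return prefixes

def normalize_mac(mac):
    """Return 12 uppercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def match_inventory(inventory, prefixes):
    """Return (matches, skipped): matches are (host, org); skipped have no usable OUI."""
    matches, skipped = [], []
    for host, mac in inventory:
        digits = normalize_mac(mac)
        # Bit 0x02 of the first octet marks a locally administered address: no vendor meaning.
        if digits is None or int(digits[:2], 16) & 0x02:
            skipped.append(host)
        elif digits[:6] in prefixes:
            matches.append((host, prefixes[digits[:6]]))
    return matches, skipped
```

The `skipped` list matters as much as the matches: devices using randomized MAC addresses cannot be attributed to a manufacturer this way and need another identification signal.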

Given the critical nature of government organizations and their history of legislative and regulatory scrutiny in the U.S. and globally, the Forescout researchers chose to delve deeper into the most commonly used devices within these networks. 

“The most popular devices (11.5 percent of all Chinese-manufactured devices in US government networks) are IP cameras and surveillance equipment produced by Honeywell Security China,” the post identified. “Like other companies, Honeywell is not headquartered in China, but they have an OUI (‘Honeywell Security (China) Co., Ltd.’) for devices manufactured there. Other popular cameras are from Hikvision and Dahua which have been banned by the FCC. Other popular devices in the government include Yealink VoIP phones, smartphones from several brands including OnePlus, Xiaomi, and Huawei, and TPV smart TVs.”

It added that “other devices that caught our attention include smart whiteboards, video conferencing systems, smart TVs from several other brands, and robot vacuum cleaners.”

The researchers also queried the Shodan search engine for products from five of the ‘most popular’ Chinese manufacturers – Hikvision, Huawei, Xiaomi, TP-Link, Dahua, and ZTE. “Out of a total of more than 375,000 devices, close to 300,000 (80 percent) are Hikvision IP cameras, close to 69,000 (18 percent) are Dahua IP cameras or network video recorders (NVRs), 4,800 (1.3 percent) are Huawei networking equipment, and 1,800 (0.5 percent) are TP-Link, Xiaomi or ZTE IoT devices,” they added.

Looking at the organizations where these devices are deployed, Forescout identified 43 that are small energy, water, or gas utilities throughout the country. “Collectively, these 43 hosted 885 Chinese-manufactured devices exposed to the Internet. On average, each organization had 20. But the one with the most devices – a company providing electricity, natural gas, water and wastewater to a county in Georgia – had 97. Almost all exposed devices in these organizations were Hikvision and Dahua IP cameras with a few examples of Huawei, TP-Link, and Xiaomi IoT equipment,” it added.

Forescout observed that despite lingering misconceptions, IP cameras and IoT devices are critical to securing networks. IP camera vulnerabilities are among the most exploited; CVE-2021-36260, which affects Hikvision cameras, was among the vulnerabilities most exploited by Chinese APTs in 2022, according to CISA. Other IoT devices have also been targeted by Chinese APTs such as Volt Typhoon to form botnets that conceal hacking of critical infrastructure.

It also identified that IP cameras are often placed on highly sensitive networks where they can serve as an initial access point. “In the recent hack of the Aliquippa, Pennsylvania water authority, the network hosting PLCs also included ‘several security cameras.’ Reports of Chinese attacks on the Indian power grid also include the use of IP cameras and NVRs for command and control.” 

Vedere Labs showed how IP cameras can be used to carry out ransomware, cryptominer, and physical attacks in its R4IoT research.

Lastly, Forescout detailed the use of IoT devices in espionage. “Chinese APTs have been long known for espionage and many XIoT devices provide ample opportunity for that. Recent reports about Russian IP cameras in Ukraine sending traffic to Russian servers for years make us wonder if the same could happen with Chinese cameras in the US. Similarly, our past research into smart TV and video conferencing vulnerabilities showed how easy it is for attackers to use those to exfiltrate sensitive information.”

In conclusion, the researchers called upon organizations to pay attention to every asset on their network, be it IT, IoT, IoMT, or OT, because they all can present cyber risks. Devices that carry additional risk due to where they were manufactured must be inspected even more closely.

Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning to increase awareness of potential threats associated with Chinese-manufactured Unmanned Aircraft Systems (UAS). They also provided recommendations for cybersecurity measures to help protect networks and sensitive data for critical infrastructure entities, as well as state, local, tribal, and territorial (SLTT) partners.
