Why Chinese-made IoT devices are growing in the US despite bans
Between 2023 and 2024, Chinese-made IoT devices in US networks grew by 40+%, as reported in our recent research. Why have banned Chinese-devices grown over the last year in the US and in other regions?
Elisa Costante and Rik Ferguson explore this question in detail.
In the wake of notable attacks in the EU and the US, securing critical infrastructure is top of mind for public and private sector officials. Chinese devices are not alone in known vulnerabilities, but they are in the spotlight because of politics, IoT product volume – and official government bans with lackluster adherence.
Exploring the reasons behind the growth in Chinese-made devices
First, Elisa Costante, VP of Research at Vedere Labs, believes procurement cycles are often behind official executive orders and government bans. Contracts are often awarded in advance based on pricing and bidding agreements already in place.
Secondly, white-labelled hardware and systems introduce another layer of complexity. An organization may buy custom hardware to match performance and hardware specifications laid out in request for proposals and bidding. Yet, within that hardware, the components may have banned Chinese devices without the buyer knowing it.
What can help? For starters, more detailed software and hardware bill of materials. Plus, better visibility and flagging between asset inventories and threat detection capabilities with the latest threat intelligence. And if your country bans products from specific countries, follow the guidance or regulation.
Vedere Labs is paying close attention to the risks posed by Chinese-connected devices. Here’s why:
- IoT devices are frequently targeted and used in espionage.
Chinese APTs have been long known for espionage and many XIoT devices provide ample opportunity for that. Recent reports about Russian IP cameras in Ukraine sending traffic to Russian servers for yearsmake us wonder if the same could happen with Chinese cameras in the US. Similarly, our past research into smart TV and video conferencing vulnerabilities showed how easy it is for attackers to use those to exfiltrate sensitive information. - IP cameras exist on highly sensitive networks and are often initial access points for attackers.
In the recent hack of the Aliquippa water authority (near Pittsburgh), the network hosting PLCs also included “several security cameras”. Reports of Chinese attacks to the Indian power gridalso include the use of IP cameras and NVRs for command and control. Vedere Labs showed how IP cameras can be used to carry out ransomware, cryptominer and physical attacks in our R4IoT research. - IP camera vulnerabilities linger and are one the most exploited device types.
CVE-2021-36260 affecting Hikvision cameras was among the most exploited by Chinese APTs in 2022, according to CISA. Other IoT devices have also been targeted by Chinese APTs such as Volt Typhoon to form botnets that conceal hacking of critical infrastructure.
Why Chinese-made devices are in the cybersecurity spotlight
In January 2024, the US government announced it had thwarted a major botnet-based attack from China. The focus of the attack? Embedding malware in water treatment plants, transportation systems and the electrical grid – or what experts call “pre-positioning.”
Pre-positioning is all about the set up within critical infrastructure – in water, power, transportation, and supply chain systems – to “enable disruption or destruction of critical services,” CISA writes in a recent fact sheet.
This attack is not isolated. CISA warns critical infrastructure leaders of the “urgent risk posed by Volt Typhoon and provides guidance on specific actions to prioritize the protection of their organization from this threat activity.”
Unfortunately, these kinds of attacks are not always thwarted.
Last November, a water treatment facility near Pittsburgh was hacked by what appears to be an anti-Israeli hacktivist group. Denmark’s energy sector was hit hard last May. Ukraine has also been a major target for several years.
Before a House Select Committee in January, Jen Easterly, Director of CISA, told Congress some hard truths about known problem areas:
“While the PRC (People’s Republic of China) is a sophisticated cyber adversary, many of its methods to break into our critical infrastructure are not. They don’t have to be. Why? Because we’ve made it easy for them. The truth is that, in many cases, the PRC is taking advantage of known product defects.”
Consequently, the US government is expanding additional oversight, bans and investigation into Chinese-made devices in new areas, including shipping cranes in US ports and vehicles made in China. Plus, Easterly is calling on technology manufacturers to create products with security by design.
Yet, government organizations themselves are not unscathed by Chinese-made devices in its networks. Our research finds Chinese devices in government networks grew by 30% year over year. And other key vertical industries grew even more, including manufacturing, healthcare and financial services.
For a deeper dive into all the data and its impact on OT security and critical infrastructure, read our latest research “A probe into Chinese-connected devices – ‘All your base are belong to us’”.