By Richard Orange, Regional Director of UK&I at Forescout
Connected devices continue to transform the way organisations operate in every industry. From healthcare and retail to manufacturing and financial services, Internet of Things (IoT) devices are omnipresent and positively impact the bottom line of many organisations. But an increase in connected devices also means an increase in the potential attack surface for bad actors who are constantly on the lookout for vulnerabilities to exploit.
This threat is very real. Almost half of UK businesses reported a cyber security breach or attack between March 2019 and March 2020, the Department for Digital, Culture, Media & Sport has revealed. Organisations often focus their cyber security efforts on protecting well-known connected devices like laptops, mobile devices or tablets. But cyber defences are only ever as effective as their weakest link and all it takes is for one connected device to be compromised in order for bad actors to wreak havoc. The danger is particularly big around OT devices that are still running old operating systems, that are often not properly monitored and that were never intended to be connected to a network in the first place.
Some devices are much more susceptible to attacks than others. So, after analysing over 8 million connected devices, here are the 10 types of IoT devices that pose the biggest cyber security risk to organisations today:
- Physical Access Control Solutions
These devices are used to open or close door locks in the presence of authorised badges. In our research, they were often found configured with open ports (including Telnet port 23), connected to other risky devices and containing serious reported vulnerabilities.
- HVAC Systems
These devices were also found configured with critical open ports (including Telnet), connected to other risky devices and containing a couple of critical vulnerabilities that allow a complete takeover of a device (CVE-2015-2867 and CVE-2015-2868).
- Network Cameras
These IP cameras have dozens of serious vulnerabilities associated with them (e.g., CVE-2018-10660), they are usually configured with critical ports such as SSH port 22 and FTP port 21 enabled, and they are connected to risky devices.
The PLCs identified have serious vulnerabilities associated with them (e.g., CVE-2018-16561) and their potential impact is very high, since PLCs control critical industrial processes. (The infamous Stuxnet malware, for instance, targeted S7 systems used for uranium enrichment.) Still, these devices are ranked lower than the first three since, in our sample, they have fewer ports open and reduced connectivity.
- Radiotherapy Systems
There are no vulnerabilities reported for these devices, but they were found configured with many critical ports open (including Telnet) and connectivity to other risky medical devices. The impact of exploitation of these devices is inherently high.
- Out-of-Band Controllers
This refers to an out-of-band controller for servers that are integrated into the main board, which provides an interface to manage and monitor server hardware. It contains its own processor, memory, network connection and access to the system bus. Relevant vulnerabilities have been found in these devices, such as CVE 2015-7272, which can be exploited via SSH (port 22 was open in all of these devices found in our dataset) to achieve a denial-of-service attack and CVE-2019-13131, which can be exploited via SNMP (port 161 was open in most iDRAC devices found in our dataset) to achieve remote code execution.
- Radiology Workstations
This workstation is commonly connected to many peripheral systems in healthcare delivery organisations, such as Radiology Information Systems, PACS, Electronic Health Records systems and so on. As in the case of radiotherapy systems, there are no reported vulnerabilities. However, these devices were found configured with many critical ports open and connectivity to risky devices. The exploitation impact is also very high since it is a workstation where common attacker tools can be easily adapted to achieve persistence or to pivot within a healthcare network.
- Picture Archiving and Communication Systems (PACS)
PACS are medical imaging systems that provide storage, retrieval, management, distribution and presentation of medical images. Our research found vulnerabilities associated with these systems (e.g., CVE-2017-14008 and CVE-2018-14789). They have a similar risk profile to other medical devices in our research sample due to their place in the network and their use context.
- Wireless Access Points
These contain many critical vulnerabilities, including CVE-2017-3831 and CVE-2019-15261, and are often connected to multiple risky guest devices.
- Network Management Cards
These cards are used to remotely monitor and control individual UPS devices. Besides the presence of known vulnerabilities (e.g., CVE-2018-7820), high connectivity and open ports, these devices have the interesting capability of supporting the BACnet/IP and Modbus/TCP protocols, which again highlights the convergence of smart building technology with IT infrastructure.
What is abundantly clear from this list is that these devices are typically unmanaged. Only if organisations achieve full visibility and control of all the devices connected to their networks can they adequately address and manage these vulnerabilities. On top of that, network segmentation offers an additional layer of protection, limiting the access devices have and preventing bad actors from moving laterally within a network in case of a breach. With these solutions in place, organisations will be able to reduce the risk of cyber attacks and, importantly, continue to reap the full benefits IoT devices have to offer.