The extended Internet of Things (XIoT) now covers a full range of business devices, from convenience items to mission-critical applications. Though this integration into business environments is now widespread, a new report from security firm Phosphorous finds that XIoT devices are not being properly taken care of and are rife with security risks.
Among other issues, organizations do not have a location inventory for the majority of their XIoT devices, and most of them have some sort of high-risk or critical vulnerability present. And nearly all of them, a whopping 99%, do not have passwords that are secure enough to meet industry standards.
Certain XIoT devices more commonly neglected, left vulnerable than others
At many businesses, XIoT devices are now integrated into everything from security and access control systems to industrial machines that present the possibility of real-world damage should they go haywire. There is thus an equally broad range of security risks, but Phosphorous’s five-year study finds that these are not yet being taken seriously.
To illustrate the scale of the problem, the study finds that there are now more XIoT devices in use than there are people in the world (multiple times over, at about 50 billion devices total as of a 2020 count). The average organization has three to five XIoT devices per employee. And passwords are the biggest individual security risk, with an estimated 99% not meeting industry best practices and 50% simply set to whatever the default password is that the device ships with.
Even if organizations keep on top of their password strength requirements, XIoT devices are laden with additional security risks. Another major issue is that 68% have a known vulnerability with a CVSS score of at least 8; 18% are carrying a vulnerability of at least 9.
This is admittedly a broad field, as just about any smart device with some internet connectivity could be counted among XIoT devices. And some are obviously not as risky as others in terms of what they could potentially provide access to. In some cases, organizations seem to be underestimating the security risks that certain XIoT devices create. For example, the study notes that it did not find one door control system in the wild that was not using its default password. This could allow an attacker to lock employees in, create business interruptions or open doors for a physical incursion. If the system is internet-connected and interfaces with other components of the company network, it could also create an opening for privilege escalation.
There are also certain other categories of device that are very commonly left with a default or weak password, presumably out of assumption that an attacker cannot do much with them or that they cannot be reached from the outside. These include UPS power devices, A/V equipment, the VoIP phone handsets that sit at desks, and VoIP servers that control exchange systems via use of open source software.
As Casey Ellis (Founder and CTO at Bugcrowd) notes, this is a longtime industry trend that is still far from being fully shaken: “xIoT as a consumer category went from being nascent, to hyped, to ubiquitous over a very short space of time. Speed, or more specifically haste, is the natural enemy of security, resulting in generally more “lax by default” design and development considerations when it comes to cybersecurity and user protection.”
Security risks often embedded by design in devices
The security risks in XIoT devices often stem from the fact that the device simply cannot be fully secured, as a matter of fundamental design. Sometimes this is simple cost-cutting or oversight by manufacturers, but in other cases it may be a matter of intent.
The potential intent of assorted Chinese hardware manufacturers (such as Huawei and ZTE) led to a 2018 ban on use of their equipment by federal agencies. These devices remain widely in use in private organizations, however, and sometimes banned devices slip through dragnets via the process of “white labeling” (or banned manufacturers handing off their assembled hardware to another firm to be given a fresh coat of paint and a new name).
Organizations also often do not have visibility into the code that XIoT devices run on. When these devices draw on third-party firmware libraries, several possible security risks emerge. One is simply that the vendor will abandon support for the device, no longer issuing security patches to address emerging vulnerabilities. Another is that the code may be maintained by open source developers, who have the capability to insert malicious elements or even abandon or spike the project unexpectedly.
A simple problem that has dogged XIoT devices from the very beginning also remains; the manufacturers are often not tech outfits and thus are not familiar with security by design elements, and/or do not have the budget in place to add them and still come in at their desired price points in competitive markets. And while smart devices largely now ship with some sort of password system, they often limit the length and complexity of possible passwords, or do not prompt the user to change the stock password it ships with.
At the IT staff end in organizations, XIoT devices have become an unruly mess that are often put into place quickly and without proper documentation or testing. 80% of surveyed organizations say they could not necessarily name or find the majority of the devices they have in place, and about 50% say that their inventory counts are way off; unsurprising considering that Fortune 100 companies now have hundreds of thousands to millions of these devices on premises. And 26% of devices in the wild have reached end of life and are no longer officially supported, leaving it to IT staff to locate and deal with them manually (if it even remains possible to update or secure them) to mitigate security risks. More are rapidly approaching end of life, with the average firmware age sitting at six years (and expected life cycles generally shorter than that).
Phosphorus is in the business of providing a monitoring platform for XIoT devices, so naturally that is what is focused on in the report’s conclusion. But security experts add that there are more elements to consider than a “magic bullet” contracted solution. As Bud Broomhead, CEO at Viakoo, observes: “The issues identified by Phosphorus are genuine, but the solution to these issues is not as simple as they are making it out to be. For example, knowing through service assurance that IoT devices are functioning properly is also a component of hardening and securing devices. There must also be a focus on providing a path to zero trust on IoT devices through comprehensive certificate management … More focus is needed on adding unique IoT and IoT application data to discovery solutions and configuration management database solutions, so that records of historical operations can be used in hardening and securing IoT systems. Many enterprise IoT devices are tightly-coupled to their applications, which is another layer of complexity to securing them. Understanding the differences with loosely-coupled and tightly-coupled IoT devices is required to secure them in a way that enables the entire IoT workflow to be restored after firmware, password, and certificate updates.”
And Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, sees this as a call for XIoT certification: “Whether it’s OT, ICS, IIoT or IoT, the broader xIoT space benefits from application of the same standard security practices used in IT. Those best practices include regular firmware/software upgrades, frequent patching and vulnerability remediation, as well as implementing strong encryption and secure authentication. Ideally, there should be a security framework or certification under which xIoT vendors would have to certify their products as secure. This type of certification would give consumers and businesses a level of assurance that the xIoT products they are utilizing are, in fact, secure.”
Source: CPO Magazine
