IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Attackers

Summary:
The number of vulnerable Internet of Things (IoT) devices has surged by 136% over the past year, according to Forescout's report, "The Riskiest Connected Devices in 2024." This study, which analyzed data from nearly 19 million devices, revealed that the proportion of IoT devices with vulnerabilities increased from 14% in 2023 to 33% in 2024. The most vulnerable device types include wireless access points, routers, printers, VoIP devices, and IP cameras. Rik Ferguson, VP of Security Intelligence at Forescout, noted that threat actors primarily target IoT devices connected to enterprise systems, such as IP cameras and building management systems, rather than consumer smart products. These endpoints provide significant opportunities for attackers to infiltrate and exit organizational systems undetected. Underground forums offer tutorials on compromising these devices for lateral movement, data exfiltration, and command and control, often making them invisible to enterprise security measures.

The report also highlighted the significant risks associated with the Internet of Medical Things (IoMT), with 5% of these devices found to have vulnerabilities. The riskiest IoMT devices include medical information systems, electrocardiographs, DICOM workstations, PACS, and medication dispensing systems. Documented cases have shown that ransomware attacks on dispensing systems can delay patient treatment. Compared with Forescout's 2023 report, IoMT has now surpassed operational technology (OT) in device riskiness.

Network equipment emerged as the riskiest IT device category, with IT devices accounting for 58% of vulnerabilities in this year's report, down from 78% in 2023. Network infrastructure devices, including routers and wireless access points, were identified as the most vulnerable, surpassing endpoints. Ferguson observed a shift in attacker focus towards unmanaged devices like wireless access points and routers. Hypervisors have also been notable entry points for major compromises, with ransomware specifically targeting these devices.

In OT environments, the five riskiest device types were uninterruptible power supplies (UPS), distributed control systems, programmable logic controllers (PLC), robotics, and building management systems. The use of robots is increasing in industries such as electronics and automotive manufacturing, but many of these robots share the same security issues as other OT equipment, including outdated software and default credentials.

Security Officer Comments:
The industries with the highest average device risk scores were the technology, education, manufacturing, and financial sectors. Interestingly, healthcare, which was the riskiest industry in 2023, is now the least risky according to the latest report, a change attributed to significant investments in device security and to reduced exposure of services like Telnet and RDP. On a global scale, China had the highest average device risk score, followed by the Philippines, Thailand, Canada, and the US. The UK had the lowest risk score among the countries analyzed. Risk scores are based on device configuration, behavior, and function, with each device assigned a score between 1 and 10.

Suggested Corrections:
Forescout recommends the following mitigations to defend this expanded attack surface:

  • Organizations need new security approaches to identify and reduce risk. As the threat landscape continues to evolve and more organizations adopt cybersecurity only for traditional endpoints, threat actors are consistently moving to devices that offer easier initial access.
  • Modern risk and exposure management must encompass devices in every category to identify, prioritize and reduce risk across the whole organization. Solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack. For example, IoMT-only solutions will not effectively assess risk for IT devices. At the same time, IT-only solutions will miss the nuances of specialized devices.
  • Beyond risk assessment, risk mitigation should use automated controls that do not rely only on security agents but apply to the whole enterprise, not individual silos.

Link(s):
https://www.infosecurity-magazine.com/news/iot-vulnerabilities-entry-point/


PDF: https://www.forescout.com/resources/2024-riskiest-connected-devices/