Cyber criminals and cybersecurity professionals have been at war for many years; battles are hard fought, damages have been significant, and there is no quick end to what is clearly a prolonged conflict. One advantage that cyber criminals have on their side is the accumulated remediation deficit that has built up within organizations. There are over 170,000 known vulnerabilities that are tracked by NIST in the national vulnerability database; 58% of them with either critical or high severity. Thankfully, many of them can be remediated using traditional IT cybersecurity solutions for password, patch, and certificate management. But what about those IoT systems where traditional solutions don’t apply? Roughly half of known vulnerabilities can be exploited on IoT devices. That’s where the stage is set for significant damage from cyber criminals from distributed and unmanaged IoT systems.
The trend line is clear: a few years ago IoT cyber vulnerabilities caused minor inconveniences and happened rarely. The past year has seen water supplies tampered with, pipelines impacted, and ransomware delivered with vigor. Follow that trend line and it is leading to loss of life and serious consequences.
IoT devices are attractive targets for cyber criminals. They often are connected to a network 24/7, don’t have human interaction or supervision, were not designed with security in mind, and often contain enough memory and computational power to host and launch attacks from. IT teams typically don’t manage them – organizations like facilities, physical security, or manufacturing run them, leading to lack of IT skills to secure them. This is why, despite being on a segmented or firewalled network, these devices can often “punch through” to the corporate network.
Cyber criminals can use these security flaws to launch attacks that traditional IT systems are well protected from. A recent example (leveraging vulnerabilities in ThroughTek chipsets) is using IoT devices to launch “man-in-the-middle” attacks (MITM); these attacks have declined for traditional IT systems as effective solutions against them have been widely deployed, but for IoT systems this older threat profile still is a major concern (for more detail, check out Viakoo’s MITM webinar).
IoT devices inherently are hard to patch:
- Products are long lived, and many devices remain in operation well after their product development has ceased
- Processes to update them are often manual, and take significant human resources if performed at scale
- Traditional IT solutions relying on agents don’t apply to IoT systems which do not accept agents, and may have unique operating systems and communication protocols
According to a study published in October 2020 by Frank Ebbers of Goethe-Universität Frankfurt am Main, most IoT devices are running old and vulnerable firmware. 40% of devices in use had never had a firmware update, and an additional 10% the operators of the devices did not know what firmware was. Across different types of devices (printers, IP cameras, smart home, etc) all but a few were running firmware more than a year old; across all device types there was a 19 month difference between the latest firmware version and what the device was running.
More recently, Brian Kreb’s website “KrebsOnSecurity” reported on September 10, 2021 that they were hit by an IoT botnet named Meris, whose primary vehicle for attacks was MikroTik routers. In analyzing firmware versions, only 1.4% of devices were on the current version, with the majority on versions from more than a year ago.
So where does this put us? Every day more IoT devices are being network connected and operational, expanding the attack surface. The amount of effort to remediate vulnerabilities equally is increasing, creating a remediation deficit that makes IoT an even more attractive target for cyber criminals. No surprise that recent books (“2034”, “The President is Missing”, and others) highlight how IoT cyber vulnerabilities may literally cause the end of the world as we know it. The stakes cannot be higher.
Here are steps every operator of IoT devices can and should take to bring their remediation deficit under control:
- Know what devices you have and their vulnerabilities: many powerful discovery and threat assessment solutions exist that apply to IoT devices
- Use an automated firmware updating and patching solution: the scale of IoT devices prevents using manual methods to keep them up to date
- Use certificates to authenticate IoT devices: using 802.1x/TLS certificates prevents MITM attacks, encrypts device traffic, and helps move towards a Zero Trust environment for IoT
- Extend and enforce corporate governance policies to IoT devices: all network connected devices should be subject to security policies; if they are not, they should have a clear process to become exempted from them
- Incorporate IoT devices into organization-wide risk assessments and prioritization: as the attack surface of vulnerable IoT devices grows it becomes an imperative to incorporate IoT vulnerability remediation and repatriation into overall planning.
In summary, now is the time to take action in putting solution in place to remediate IoT vulnerabilities, and establishing governance that incorporates the risk from IoT vulnerabilities. Waiting can be deadly – it should not take loss of life, disruption of business, or company reputations being destroyed to take action. Viakoo is ready to help now with your IoT security journey and prevent more serious consequences.