Organisational use of Enterprise Connected Devices

Enterprise Connected Devices (ECDs) offer significant benefits for organizations; however, many devices currently available in the market have been identified as lacking essential security measures. Threat actors aim to exploit this gap by leveraging technical vulnerabilities and inadequate cybersecurity practices to compromise ECDs. This situation becomes especially concerning if manufacturers neglect to rectify these issues and users fail to implement necessary updates.

Most Internet of Things (IoT) devices possess limited processing and storage capabilities compared to traditional enterprise computing platforms. This limitation hampers the deployment of security applications that could safeguard them, such as antivirus solutions. While updates and patches are often provided for IoT devices, many older models were not designed with security in mind and lack the capacity to receive remote patch updates. Additionally, some organizations do not have adequate processes to track and manage the support status of their ECDs. Concurrently, the ease and lower cost with which criminals can obtain tools to execute high-volume, low-sophistication attacks increases the risk for poorly secured devices.
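The paragraph above notes that many organisations have no process for tracking the support status of their ECDs. The following is an added example, not code from the NCSC report, of the minimal check such a process needs: it reads a constructed CSV inventory export and a constructed table of current vendor firmware (the vendor, model and version strings are invented placeholders), and flags devices that are past end-of-support, running firmware older than the vendor's current release, or silent on the network for longer than a threshold.

```python
"""Flag Enterprise Connected Devices that are unsupported, behind on firmware,
or not recently seen. Added example with constructed data; the vendors, models,
versions and dates below are placeholders, not real products."""
import csv
import io
from datetime import date, timedelta

# Constructed inventory export (CSV) -- not real devices.
INVENTORY_CSV = """\
asset_id,vendor,model,firmware,end_of_support,last_seen
prn-001,ExampleVendor,PrintPro 500,4.2.1,2026-12-31,2021-03-01
prn-002,ExampleVendor,PrintPro 500,3.9.0,2026-12-31,2021-03-01
cam-014,ExampleCam,IPC-200,1.0.7,2019-06-30,2021-03-01
nvr-003,ExampleCam,NVR-8,2.1.0,2024-01-31,2020-11-15
"""

# Constructed vendor advisory data: current firmware per (vendor, model).
# In practice this is scraped from vendor security bulletins or an asset DB.
LATEST_FIRMWARE = {
    ("ExampleVendor", "PrintPro 500"): "4.2.1",
    ("ExampleCam", "IPC-200"): "1.0.7",
    ("ExampleCam", "NVR-8"): "2.3.0",
}


def version_key(version):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as
    strings ('10.0' must sort after '9.0'). Non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def assess_inventory(csv_text, today_iso, stale_days=30):
    """Return [(asset_id, [issue, ...]), ...] for every device with a problem.

    today_iso is passed in (ISO date string) rather than read from the clock so
    the check is reproducible in tests and reports."""
    today = date.fromisoformat(today_iso)
    stale_after = timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []

        # 1. Vendor no longer ships security fixes for this model.
        if date.fromisoformat(row["end_of_support"]) < today:
            issues.append("unsupported")

        # 2. Firmware is behind the vendor's current release (unpatched).
        latest = LATEST_FIRMWARE.get((row["vendor"], row["model"]))
        if latest and version_key(row["firmware"]) < version_key(latest):
            issues.append(f"outdated-firmware:{row['firmware']}<{latest}")

        # 3. Device has not checked in recently: unmanaged, moved, or removed
        #    without the inventory being updated.
        if today - date.fromisoformat(row["last_seen"]) > stale_after:
            issues.append("stale")

        if issues:
            findings.append((row["asset_id"], issues))
    return findings


if __name__ == "__main__":
    for asset, issues in assess_inventory(INVENTORY_CSV, "2021-03-02"):
        print(asset, ", ".join(issues))
```

Devices that are both unsupported and unreachable by remote update are the ones the text singles out; for those, "unsupported" is a replacement decision rather than a patching task, so the finding should feed a risk register, not just a patch queue.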

The potential attack surfaces within ECD systems and applications, where threats and vulnerabilities can emerge, include:

  • Devices – Devices are often the initial point of attack. Vulnerabilities may arise in any component of a device, including its firmware, storage, application software, physical interfaces, web interfaces, and network services. Attackers exploit insecure default configurations (such as default credentials), outdated components, and insecure update processes, among others. Some hardware vulnerabilities cannot be patched like software flaws and may require physical replacement of the device to remediate.
  • Communication Channels – Attacks may originate in the communication pathways connecting ECD components. Protocols used within ECD systems may have security flaws that jeopardise the entire system, and many ECD deployments remain vulnerable to well-known network threats such as denial of service attacks and spoofing.
  • Applications and Software – Vulnerabilities in the network services and associated software of ECDs can lead to system compromise. Network services may be exploited to steal user credentials or to deliver malicious firmware updates.

Case Study: Ripple20
In June 2020, researchers disclosed 19 zero-day vulnerabilities in the Treck embedded TCP/IP stack, a software library used by over 50 vendors in millions of devices, including critical healthcare equipment and infrastructure. Dubbed "Ripple20", the vulnerabilities showed how a single flawed component can ripple out across products from many industries.
The affected devices included printers, networking equipment, IP cameras, video conferencing systems, and building automation devices. By exploiting the library flaws, attackers could remotely execute code on a device and gain access to sensitive data. Because Ripple20 is a supply chain vulnerability in a third-party library rather than in a vendor's own code, it is difficult for organisations to identify every device that relies on the affected stack, and a device may remain exposed long after a fix exists if its vendor never ships it or its owner never applies it.

Supply Chain

ECDs introduce additional vulnerabilities in the supply chain. Typically, supply chain attacks take place prior to devices being integrated into organizational networks. However, as witnessed in the SolarWinds incident, compromised software updates can also be a significant threat vector for deployed devices. Supply chain attacks involving ECDs often entail the installation of compromised software on specific ECDs, such as routers or cameras. Additionally, an ECD supply chain attack can refer to modified hardware that alters a device’s functionality.

Supply chain attacks can have severe consequences since the compromised device or software may become a singular flaw impacting the security of multiple organizations.

In 2020, a series of Shodan searches sampled 37 specific models from 18 vendors (including printers, IP cameras, video conferencing systems, and networking tools) and revealed around 15,000 internet-connected instances of these vulnerable devices, potentially accessible to anyone on the internet.

*Shodan is a search engine designed for discovering internet-connected devices.

Bots

While threat actors continue to exploit compromised traditional computers, they are increasingly using IoT devices to build botnets. Most IoT botnets have been used for coordinated DDoS attacks, though some also have the capability to exfiltrate sensitive information, as demonstrated by the Torii botnet. As the number of ECDs expands rapidly, IoT botnets will continue to represent a distinct and substantial threat.

Case Study: Mirai-Inspired IoT Botnet
In 2020, documents leaked by a Russian hacking group, known as Digital Revolution, claimed to originate from a subcontractor working on cyber tool development for the FSB, Russia’s domestic intelligence agency. The documents outlined a project initiated in 2017 aimed at creating an IoT botnet inspired by the infamous Mirai botnet of 2016. Plans indicated that the primary targets would be security cameras and network video recorders. Each infected device within the botnet would be programmed to conduct password attacks on other devices, thereby sustaining and expanding the botnet’s reach. A sufficiently large botnet enables attackers to launch formidable DDoS attacks. Both state and non-state actors are likely to exploit vulnerabilities in IoT devices, including CCTV cameras, for malicious activities such as attack infrastructure development and DDoS assaults.
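The case study above describes the Mirai-style propagation pattern: each infected camera or recorder runs password attacks against other devices on the network. From a defender's side, the tell-tale signature is one source address attempting logins against many IoT hosts in a short window, sometimes followed by a success. The following is an added example of that detection logic, not code from the report or from any product; the syslog-style telnetd and sshd lines it runs over are constructed for the example, and the 60-second window and three-host threshold are assumptions to tune for a real estate.

```python
"""Detect Mirai-style credential spraying between IoT devices from
syslog-like authentication lines. Added example; the log lines below are
constructed, not captured from a real network."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format: ISO timestamp, target host, daemon, message).
# 10.0.5.12 behaves like an infected camera probing its neighbours;
# 10.0.1.40 is an operator mistyping a password once.
SAMPLE_LOG = """\
2020-03-02T10:00:01Z cam-07 telnetd: login failed for 'admin' from 10.0.5.12
2020-03-02T10:00:02Z cam-07 telnetd: login failed for 'root' from 10.0.5.12
2020-03-02T10:00:03Z nvr-01 telnetd: login failed for 'admin' from 10.0.5.12
2020-03-02T10:00:04Z nvr-01 telnetd: login failed for 'root' from 10.0.5.12
2020-03-02T10:00:05Z cam-08 sshd: Failed password for root from 10.0.5.12 port 51022 ssh2
2020-03-02T10:00:06Z cam-09 telnetd: login failed for 'support' from 10.0.5.12
2020-03-02T10:00:07Z cam-09 telnetd: login accepted for 'admin' from 10.0.5.12
2020-03-02T10:05:00Z cam-02 sshd: Failed password for ops from 10.0.1.40 port 40123 ssh2
2020-03-02T10:05:30Z cam-02 sshd: Accepted password for ops from 10.0.1.40 port 40124 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<daemon>telnetd|sshd)(?:\[\d+\])?:\s+(?P<msg>.*)$")
TELNET_RE = re.compile(
    r"login (?P<outcome>failed|accepted) for '(?P<user>[^']+)' from (?P<src>[\d.]+)")
SSH_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")


def parse_line(line):
    """Return a login event dict, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = TELNET_RE.search(m["msg"]) or SSH_RE.search(m["msg"])
    if not body:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "target": m["host"],          # device being logged into
        "src": body["src"],           # address attempting the login
        "user": body["user"],
        "success": body["outcome"].lower() == "accepted",
    }


def detect_spraying(log_text, window=timedelta(seconds=60), min_targets=3):
    """Flag sources that fail logins against >= min_targets distinct devices
    within `window`. A normal user fails against one host; a spreading bot
    fans out across many. Also report targets where the source later
    succeeded, since those are probably already recruited into the botnet."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["success"]]
        for i, first in enumerate(fails):
            # Sliding window starting at each failure; events are time-sorted.
            targets = {e["target"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                findings.append({
                    "src": src,
                    "targets": sorted(targets),
                    "usernames": sorted({e["user"] for e in fails}),
                    "compromised": sorted({e["target"] for e in evs if e["success"]}),
                })
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_spraying(SAMPLE_LOG):
        print(f"{f['src']} sprayed {f['targets']} as {f['usernames']}; "
              f"succeeded on {f['compromised'] or 'none'}")
```

Two practical points the example makes visible: the usernames tried (admin, root, support) are the default-credential list that Mirai-class malware carries, so a source cycling through them is a stronger signal than the failure count alone; and the "compromised" list gives the incident responder the device to isolate first, because it is now the one doing the scanning.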

Unpatched IoT Devices on Enterprise Networks

Over the years, the security of commonly used enterprise infrastructure devices—such as desktops and laptops—has improved significantly through the advancement of operating systems and endpoint security solutions. However, security measures for network devices like enterprise printers often receive little attention, which increases the potential for exploitation and compromise by malicious actors seeking to establish a durable presence within target organizations.
Cyber adversaries typically seek out any vulnerable ECD to gain unauthorized access to enterprise systems. The prevalence of unpatched devices poses a common risk; lacking the latest security updates leaves such devices exposed to previously recognized vulnerabilities. This can grant threat actors privileged access to corporate networks, potentially leading to data breaches, information exposure, manipulation of other assets, server access, malware deployment, or even physical disruption of operations.

Case Study: Enterprise Printer Vulnerabilities
In 2019, researchers conducted a six-month investigation to identify vulnerabilities associated with devices from six leading enterprise printer manufacturers. The research unearthed weaknesses that could open devices to DDoS attacks, but the more pressing concern is the capability of those devices to serve as entry points into corporate networks, facilitating remote code execution (RCE) and bypassing security protections. A major printer manufacturer has stated that cybercrime poses a $445 billion global crisis impacting printers, PCs, and other mission-critical IoT endpoints.

Personal Connected Devices on Enterprise Networks

Personal IoT devices that employees bring into office settings may be permitted to access some enterprise networks. Given the growing number of personal devices connected to enterprise infrastructures, these devices are increasingly targeted for unauthorized network access.

The deployment of ECDs within large organizations in the UK likely presents a different threat profile compared to personal consumer devices. Organizations typically possess greater knowledge, responsibility, and control over their networks and cybersecurity than the average consumer. In contrast, the Department for Digital, Culture, Media & Sport (DCMS) has undertaken extensive efforts to enhance the security of consumer connected products, successfully introducing legislation in Parliament to further this objective in 2021.

Illustrative representation of ECD vulnerabilities and risks

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/organisational-use-of-enterprise-connected-devices
