Enterprise Connected Devices (ECDs) offer significant advantages for organizations; however, many devices currently available lack essential security features. Cybercriminals are quick to exploit technical vulnerabilities and inadequate cybersecurity measures to infiltrate ECDs. This poses serious concerns, especially if manufacturers do not address these vulnerabilities and users neglect to apply necessary updates.
Most Internet of Things (IoT) devices have less processing power and storage capacity compared to traditional enterprise computing systems, making it challenging to deploy protective security applications like antivirus software. Moreover, while patches are available for various IoT devices, many legacy models were designed without security in mind and lack the capability to receive remote updates. Additionally, some organizations may not have the mechanisms in place to monitor and manage the support status of their ECDs. At the same time, it has become increasingly easy and affordable for cybercriminals to acquire tools that facilitate high-volume, low-sophistication attacks, effectively compromising large quantities of poorly secured devices.
The potential attack surface areas within ECD systems, where threats and vulnerabilities may arise, include:
- Devices – Devices often serve as the initial point of attack. Vulnerabilities may exist within their storage firmware, application software, physical and web interfaces, and network services. Attackers may exploit insecure default settings, outdated components, and vulnerable update mechanisms. In some cases, hardware vulnerabilities are irreparable and require complete device replacement to secure.
- Communication Channels – Attacks may originate from communication pathways connecting ECD components. The protocols used in various ECD systems can harbor security weaknesses that jeopardize the entire system. Many ECD configurations are also susceptible to commonplace network attacks, such as denial of service and spoofing incidents.
- Applications and Software – Vulnerabilities in the network services and software associated with ECDs may lead to compromised systems. For example, network services can be manipulated to steal user credentials or deploy malicious firmware updates.
Case Study: Ripple20
In June 2020, researchers announced a set of 19 zero-day vulnerabilities affecting millions of devices through the Treck embedded IP stack, utilized by over 50 vendors. These vulnerabilities, collectively referred to as “Ripple20,” pose a significant risk to a wide array of products across various sectors, including critical healthcare devices, data centers, and vital infrastructure. Ripple20 vulnerabilities affect integrated IoT devices such as printers, networking gear, IP cameras, video conferencing systems, and building automation devices. By leveraging flaws in the software library, attackers could remotely execute code and access sensitive data. The impact is magnified by the fact that Ripple20 is a supply chain vulnerability, complicating the tracking of devices utilizing this library.
Supply Chain
ECDs amplify vulnerabilities within supply chains. While supply chain attacks predominantly occur prior to devices being integrated into organizational networks, instances like the SolarWinds attack illustrate that compromised software updates can also act as vectors once devices are operational within a network. Often, supply chain threats involve maliciously altered software installed on specific ECDs, such as routers or cameras. A supply chain attack may also encompass hardware that has been illicitly modified to alter device functionality.
Supply chain assaults can have profound implications, as the compromised software or devices may create a single point of failure, jeopardizing the security of multiple entities.
A 2020 inquiry using Shodan* to search for 37 specific device models from 18 different vendors, including printers, IP cameras, video conferencing systems, and networking equipment, revealed approximately 15,000 internet-connected instances of these vulnerable devices, potentially exposed to exploitation by anyone online.
*Shodan is a search engine facilitating searches for internet-connected devices.
Bots
While malicious actors still exploit compromised traditional computers, their bot armies are increasingly composed of IoT devices. The majority of IoT botnets have been utilized for coordinated Distributed Denial of Service (DDoS) attacks, although there are instances where IoT botnets also exfiltrate sensitive information, such as the Torii botnet. Given the expanding number of ECDs, IoT botnets present an ongoing and unique challenge.
Case Study: Mirai-inspired IoT Botnet
In 2020, documents leaked by a Russian hacking group named Digital Revolution indicated a plan to replicate the infamous Mirai botnet from 2016, focusing on security cameras and network video recorders. The project, which started in 2017, aimed to morph each infected device into a tool for conducting password attacks on additional devices, thereby sustaining and enlarging the botnet. A sufficiently large botnet could empower attackers to launch formidable DDoS assaults. Both state actors and criminals are expected to exploit IoT vulnerabilities, including those found in surveillance systems, to establish botnets for malicious activities.
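The propagation pattern described in the two botnet sections above (an infected device trying credentials against many further devices on telnet/SSH ports) leaves a recognisable trace in ordinary firewall connection logs: one source in the IoT segment touching many distinct admin-port destinations in a short window. The detector below is an added example written for this page, not code from the NCSC report or from any botnet; the log format, the 10.50.0.0/16 "IoT VLAN" prefix, the port list and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag IoT-segment hosts that fan out to many admin-port targets (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample firewall log. Assumed line format:
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
# 10.50.3.14 scans six distinct hosts on telnet/SSH ports within seconds;
# the other sources show normal or sub-threshold behaviour.
SAMPLE_LOG = """\
2020-08-01T10:00:01 10.50.3.14 -> 10.50.3.20:23 DENY
2020-08-01T10:00:02 10.50.3.14 -> 10.50.3.21:23 DENY
2020-08-01T10:00:02 10.50.3.14 -> 10.50.3.22:2323 DENY
2020-08-01T10:00:03 10.50.3.14 -> 10.50.3.23:23 ALLOW
2020-08-01T10:00:05 10.50.3.14 -> 10.50.4.8:22 DENY
2020-08-01T10:00:09 10.50.3.14 -> 10.50.4.9:23 DENY
2020-08-01T10:00:09 10.50.3.14 -> 10.50.3.20:23 DENY
2020-08-01T10:00:04 10.50.7.2 -> 10.0.1.5:443 ALLOW
2020-08-01T10:00:14 10.50.7.2 -> 10.0.1.5:443 ALLOW
2020-08-01T10:00:06 10.50.3.30 -> 10.50.3.40:22 ALLOW
2020-08-01T10:00:07 10.50.3.30 -> 10.50.3.41:22 DENY
2020-08-01T10:00:08 10.10.1.1 -> 10.50.3.50:22 ALLOW
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # assumed IoT VLAN
ADMIN_PORTS = {22, 23, 2323}                           # SSH / telnet variants
WINDOW = timedelta(minutes=5)                          # assumed sliding window
MIN_DISTINCT_TARGETS = 5                               # assumed alert threshold


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, port) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, _action = m.groups()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), dst, int(port)


def find_propagators(lines, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Map source IP -> max distinct admin-port targets seen within one window.

    Only IoT-segment sources are considered, and only those reaching the
    threshold are returned. Both ALLOW and DENY events count: a blocked
    attempt is still evidence of the scanning behaviour.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, port = ev
        if src in IOT_SEGMENT and port in ADMIN_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> occurrences inside the window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[str(src)] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_propagators(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {n} distinct admin-port targets within {WINDOW}")
```

The threshold is deliberately a count of distinct destinations rather than raw connection attempts, so a device that legitimately polls one management server often is not flagged, while a device probing a handful of neighbours on telnet is. Tune the window and threshold to the segment's normal traffic before relying on the alert.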
Unpatched IoT Devices on Enterprise Networks
While the security of standard enterprise devices such as desktops and laptops has evolved over the years with advancements in operating systems and endpoint security measures, network devices like enterprise printers are often overlooked, presenting greater risks for exploitation by threat actors seeking to establish a foothold in target organizations. Cybercriminals continuously search for vulnerable ECDs to compromise enterprise systems. Using unpatched devices heightens this danger: lacking the latest security updates, these devices remain susceptible to known vulnerabilities, allowing cybercriminals to gain privileged access to corporate networks. Unpatched devices can lead to severe repercussions such as data breaches, unauthorized manipulation of assets, server access, malware deployment, or even operational disruptions.
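The management gap named earlier (no mechanism to track which ECDs are still supported or can still be updated) and the unpatched-device risk described in this section come down to the same inventory question: for each device, is it past vendor support, behind the latest firmware, updatable only by hand, or built on an embedded component named in a supply-chain advisory such as Ripple20? The triage script below is an added example for this page, not tooling from the NCSC report or any vendor. The inventory records are constructed, the field names and the reference date are assumptions, and "treck-tcpip" is a placeholder component label standing in for the Treck stack from the case study; affected version ranges are not modelled.

```python
"""Triage a constructed ECD inventory for unsupported and unpatched devices (added example)."""
from datetime import date

AS_OF = date(2021, 3, 1)   # assumed reference date for support checks

# Constructed inventory. 'components' is an SBOM-style list of embedded
# third-party software so advisories for shared libraries can be matched.
INVENTORY = [
    {"name": "print-3f-01", "kind": "printer", "firmware": "4.2.1", "latest": "4.3.0",
     "end_of_support": date(2023, 12, 31), "remote_update": True,
     "internet_exposed": False, "components": ["treck-tcpip"]},
    {"name": "cam-lobby-02", "kind": "ip-camera", "firmware": "1.0.9", "latest": "1.0.9",
     "end_of_support": date(2020, 6, 30), "remote_update": False,
     "internet_exposed": True, "components": []},
    {"name": "vc-room-a", "kind": "video-conferencing", "firmware": "2.10.0", "latest": "2.9.5",
     "end_of_support": date(2025, 1, 1), "remote_update": True,
     "internet_exposed": True, "components": []},
    {"name": "sw-core-01", "kind": "switch", "firmware": "15.2.3", "latest": "15.2.7",
     "end_of_support": date(2026, 1, 1), "remote_update": False,
     "internet_exposed": False, "components": []},
    {"name": "nvr-basement", "kind": "nvr", "firmware": "3.1", "latest": "3.1",
     "end_of_support": None, "remote_update": True,
     "internet_exposed": False, "components": []},
]

# Placeholder advisory list: component labels as they appear in the inventory.
VULNERABLE_COMPONENTS = {"treck-tcpip"}


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def classify(device, as_of=AS_OF):
    """Return the list of findings for one device, most fundamental first."""
    findings = []
    eos = device["end_of_support"]
    if eos is None:
        findings.append("support_status_unknown")   # the gap to close first
    elif as_of > eos:
        findings.append("unsupported")              # no more vendor patches
    if parse_version(device["firmware"]) < parse_version(device["latest"]):
        findings.append("outdated_firmware")
        if not device["remote_update"]:
            findings.append("requires_manual_update")   # legacy model, no remote path
    for comp in device["components"]:
        if comp in VULNERABLE_COMPONENTS:
            findings.append(f"vulnerable_component:{comp}")
    return findings


def triage(inventory, as_of=AS_OF):
    """Map device name -> {'priority', 'findings'} for devices with any finding.

    Internet-exposed devices with findings are 'high'; the rest are 'medium'.
    """
    report = {}
    for device in inventory:
        findings = classify(device, as_of)
        if not findings:
            continue
        priority = "high" if device["internet_exposed"] else "medium"
        report[device["name"]] = {"priority": priority, "findings": findings}
    return report


if __name__ == "__main__":
    order = {"high": 0, "medium": 1}
    for name, entry in sorted(triage(INVENTORY).items(),
                              key=lambda kv: order[kv[1]["priority"]]):
        print(f"{entry['priority']:6} {name:14} {', '.join(entry['findings'])}")
```

Two details matter in practice: versions are compared as integer tuples (a string comparison would rank 2.9.5 above 2.10.0 and miss a real update), and a device with no recorded end-of-support date is reported rather than silently treated as fine, because an unknown support status is exactly the monitoring gap that lets legacy devices linger on the network.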
Case Study: Enterprise Printer Vulnerabilities
In 2019, researchers conducted an extensive six-month study aimed at identifying vulnerabilities associated with devices manufactured by six leading enterprise printer companies. They discovered weaknesses that rendered these devices vulnerable to DDoS attacks, with severe implications arising from their potential use as access points to corporate networks, permitting remote code execution (RCE) and evasion of security measures. According to a prominent printer manufacturer, cybercrime represents a staggering $445 billion global issue affecting printers, PCs, and other critical IoT devices.
Personal Connected Devices on Enterprise Networks
Personal IoT devices brought into the workplace may be permitted to connect to certain enterprise networks. Given the growing number of personal devices accessing these networks, it is likely that these devices will be prime targets for obtaining entry into the enterprise environment.
Deployments of ECDs within large UK organizations will typically exhibit different threat profiles compared to personal consumer devices. Organizations are generally more informed, accountable, and capable of managing network security than the average consumer. To address this disparity, the Department for Digital, Culture, Media and Sport (DCMS) has undertaken significant efforts to enhance the security of consumer connected products, including the introduction of legislative support in Parliament in 2021.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/organisational-use-of-enterprise-connected-devices