Enterprise Connected Devices (ECDs) offer remarkable advantages for organizations; however, a significant portion of today’s devices are found to be lacking essential security features. Cybercriminals often exploit technical weaknesses and inadequate cybersecurity measures to breach ECDs. This situation is concerning if manufacturers fail to address these issues and users neglect to apply necessary updates.
Most Internet of Things (IoT) devices have limited processing and storage capabilities compared to conventional enterprise computing platforms. This limitation complicates the deployment of security applications, such as antivirus software, that could enhance their protection. Although patches are released for IoT devices, many older models were designed without security in mind and cannot receive remote updates. Moreover, several organizations do not have the means to track and manage whether an ECD is still adequately supported. At the same time, it has become increasingly easy and affordable for criminals to obtain tools that facilitate high-volume, low-sophistication attacks, which can effectively compromise large numbers of inadequately secured devices.
The vulnerability landscape of ECDs comprises various attack surfaces, including:
- Devices: ECDs can be the primary vectors for attacks. Vulnerabilities may exist in various components, such as storage, firmware, application software, physical interfaces, web interfaces, and network services. Attackers can take advantage of insecure default configurations, outdated components, and unreliable update mechanisms. Hardware vulnerabilities sometimes cannot be patched in the way software can, so resolving them requires physically replacing the device.
- Communication channels: Attacks can arise from the communication channels that connect different components of ECD systems. The protocols employed in various ECD systems can exhibit security flaws that may compromise the entire setup. Many ECD systems are also vulnerable to known network attacks like denial of service and spoofing.
- Applications and software: Weaknesses in network services and related software for ECDs can lead to system compromises. For instance, attackers can exploit network services to steal user credentials or deliver malicious firmware updates.
Case Study: Ripple20
In June 2020, researchers revealed 19 zero-day vulnerabilities that affected millions of devices utilizing the Treck embedded IP stack. This stack is employed by over 50 vendors and millions of devices, including ones critical to healthcare, data centers, and essential infrastructure. The collective vulnerabilities were dubbed “Ripple20” due to the extensive impact their exploitation could have across various industries.
Ripple20 impacts crucial IoT devices, including printers, networking equipment, IP cameras, video conferencing systems, and building automation devices. By leveraging these software library vulnerabilities, attackers could execute code remotely and access sensitive data. The risk posed by these vulnerabilities is heightened by the fact that Ripple20 constitutes a supply chain vulnerability, making it challenging to trace all devices utilizing this library.
Supply Chain Vulnerabilities
ECDs exacerbate existing supply chain vulnerabilities. Such attacks often occur before devices are integrated into organizational networks. However, as demonstrated by the SolarWinds incident, compromised software updates can also serve as an attack vector. Supply chain attacks on ECDs often involve the installation of compromised software in various devices, such as routers and cameras. They may also involve manipulated hardware that alters a device’s functionality.
Supply chain attacks significantly threaten security, as compromised software or devices can create a single point of failure affecting multiple organizations.
In 2020, a series of searches on Shodan* for 37 specific device models from 18 vendors uncovered around 15,000 internet-connected instances of these vulnerable devices, which could be at risk from any internet user.
*Shodan is a search engine designed for finding internet-connected devices.
Bots and IoT Threats
While cybercriminals continue to exploit traditional computers, their bot armies are increasingly formed from IoT devices. Most IoT botnets have been deployed in coordinated DDoS attacks, but there are also botnets capable of exfiltrating sensitive information, such as the Torii botnet. With the rapidly growing number of ECDs, IoT botnets present a unique and escalating threat.
Case Study: Mirai-inspired IoT Botnet
In 2020, a Russian hacking group known as Digital Revolution leaked documents purportedly obtained from a subcontractor working on cyber tools for the FSB, Russia’s domestic security agency. The leaked documents indicated that a project had begun in 2017 to develop an IoT botnet inspired by the notorious Mirai botnet. The documents revealed plans targeting security cameras and network video recorders, with each compromised device programmed to execute password attacks on other devices to ensure the botnet’s growth and sustainability. A large enough botnet can enable attackers to mount powerful DDoS assaults. Both state and non-state actors are likely to exploit IoT vulnerabilities, including those found in CCTV cameras, for malicious purposes such as creating attack infrastructure and launching DDoS attacks.
Risks of Unpatched IoT Devices on Enterprise Networks
The security of common enterprise devices like desktops and laptops has progressed over time through incremental upgrades in operating systems and endpoint security. By contrast, the security of networked devices such as enterprise printers is often overlooked, creating greater potential for exploitation by threat actors seeking to establish a foothold within target organizations. Cybercriminals actively seek out vulnerable ECDs to compromise enterprise systems. Unpatched devices are a prevalent risk: lacking the latest updates, they may be susceptible to known vulnerabilities, allowing threat actors to gain unauthorized access to corporate networks. Ultimately, unpatched devices can lead to data breaches, exposed information, compromised assets, unauthorized access to servers and systems, malware deployment, or even physical disruptions to operations.
Case Study: Enterprise Printer Vulnerabilities
In 2019, a comprehensive six-month study was conducted to uncover vulnerabilities in, and exploits against, devices produced by six major enterprise printer manufacturers. Researchers identified weaknesses that could expose devices to DDoS attacks, but a more pressing concern was their potential as entry points into corporate networks, allowing for remote code execution (RCE) and circumvention of security measures. According to a leading printer manufacturer, cybercrime constitutes a $445 billion global crisis for printers, PCs, and other essential IoT endpoints.
Risks of Personal Devices in Enterprise Networks
Personal IoT devices introduced into workplace settings may be permitted access to certain enterprise networks. With the increasing number of personal devices connecting to these networks, they are likely to be targeted for unauthorized access.
The deployment of ECDs within large UK organizations may present a distinct threat profile compared to personal consumer devices. Organizations typically possess greater expertise, responsibility, and control over their networks and cybersecurity than an ordinary consumer. On the consumer front, the Department for Digital, Culture, Media, and Sport (DCMS) has been making considerable efforts to improve the security of consumer-connected products, and legislation was introduced in Parliament to support this aim in 2021.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/organisational-use-of-enterprise-connected-devices