Enterprise Connected Devices (ECDs) offer significant opportunities for organizations; however, a considerable number of devices in use today lack essential security measures. Malicious actors are likely to exploit technical vulnerabilities and inadequate cybersecurity practices to compromise these devices. The situation becomes critical when manufacturers fail to address security flaws and users neglect to apply the necessary updates.
Many Internet of Things (IoT) devices have lower processing and storage capacities than traditional enterprise computing systems, so implementing security applications such as antivirus programs on them is challenging. Although patches are offered for some IoT devices, many older ones were not designed with security in mind and cannot accept remote updates. Additionally, many organizations lack proper processes to monitor and manage device support. At the same time, it has become increasingly easy and economical for cybercriminals to obtain tools that facilitate large-scale, low-complexity attacks against numerous poorly secured devices.
Potential attack surfaces associated with ECD systems and applications, where threats and vulnerabilities may be found, include:
- Devices – Devices can serve as primary entry points for attacks. Vulnerabilities can exist in various parts of a device, including storage, firmware, application software, physical interfaces, web interfaces, and network services. Attackers may exploit insecure default settings, outdated components, and unreliable update mechanisms. In certain cases, hardware vulnerabilities cannot be patched in the way software issues can and require physical replacement of the affected component to mitigate.
- Communication Channels – Attacks may originate from the communication pathways linking ECD components. Protocols utilized in many ECD systems may harbor security issues affecting the broader system. Additionally, many ECD systems are susceptible to known network attacks, such as denial of service and spoofing.
- Applications and Software – Vulnerabilities in network services and associated software for ECDs can lead to system compromises. For instance, network services may be exploited to steal user credentials or deliver malicious firmware updates.
Case Study: Ripple20
In June 2020, researchers identified 19 zero-day vulnerabilities affecting millions of devices due to weaknesses in the Treck embedded IP stack. This stack is used by more than 50 vendors and millions of devices, including critical tools in healthcare, data centers, and essential infrastructure. The vulnerabilities, collectively termed “Ripple20,” highlight the extensive potential impact of a single set of flaws spread across numerous products in many industries.
The Ripple20 vulnerabilities affect critical IoT devices such as printers, networking equipment, IP cameras, video conferencing systems, and building automation devices. Exploiting these software library flaws could allow attackers to execute code remotely and access sensitive information. The challenge is amplified because Ripple20 is a supply chain vulnerability: identifying every device that embeds this library is difficult, so affected devices are hard to track and patch.
Supply Chain Risks
ECDs intensify supply chain vulnerability concerns. Supply chain attacks usually occur before devices are incorporated into an organization’s networks. Nonetheless, as demonstrated in the SolarWinds supply chain incident, compromised software updates to devices already on a network can also present significant threats. Typically, supply chain attacks on ECDs involve malicious software being installed on specific devices, such as routers or cameras. However, such attacks can also pertain to hardware that has been tampered with to alter a device’s function.
Figure 1: Analysis of vulnerable device models, illustrating proportions among various device types.
Supply chain attacks significantly impact security, as compromised software or devices may represent single points of failure for the security of multiple entities.
In 2020, a series of Shodan searches for 37 specific device models across 18 vendors (including printers, IP cameras, video conferencing systems, and networking equipment) showed around 15,000 internet-connected instances that could potentially be susceptible to compromise by anyone online.
*Shodan is a search engine designed to enable users to find internet-connected devices.
Bot Threats
While threat actors continue to exploit compromised traditional computers, their bot armies increasingly consist of IoT devices. Most IoT botnets have primarily been used for coordinated distributed denial of service (DDoS) attacks; however, some botnets, such as the Torii botnet, also possess capabilities to exfiltrate sensitive data. Given the growing number of ECDs, IoT botnets will continue to constitute a formidable challenge and a significant threat.
Case Study: Mirai-Inspired IoT Botnet
In 2020, a Russian cyber group known as Digital Revolution leaked documents purporting to be from a contractor for a company developing cyber tools for the FSB, Russia’s internal security agency. The documents indicated that the initiative, which began in 2017, aimed to create a Mirai-influenced IoT botnet targeting security cameras and network video recorders. Each infected device could be reprogrammed to conduct password attacks on other devices to sustain and expand the botnet. A sufficiently large botnet allows attackers to perform significant DDoS attacks. Both state and non-state actors are likely to exploit vulnerabilities in IoT devices, including CCTV systems, for malicious purposes such as infrastructure attacks and DDoS assaults.
Challenges of Unpatched IoT Devices on Enterprise Networks
While the security of common enterprise infrastructure devices such as desktops and laptops has progressed through incremental improvements in operating systems and endpoint security, network devices like enterprise printers are frequently neglected. This neglect presents a heightened opportunity for threat actors seeking a persistent foothold within target organizations.
Cyber actors actively search for vulnerable ECDs to compromise enterprise systems. Unpatched devices pose a prevalent risk: lacking the latest security patches, they remain susceptible to older vulnerabilities that can be exploited to gain unauthorized access to corporate networks. Ultimately, unpatched devices can lead to data breaches, disclosure of sensitive information, manipulation of other assets, server access, malware deployment, or even physical disruption of operations.
Case Study: Vulnerabilities in Enterprise Printers
In 2019, a six-month research initiative sought to uncover vulnerabilities and exploitation incidents associated with devices produced by six leading enterprise printer manufacturers. The study revealed vulnerabilities that could expose devices to DDoS attacks; more concerning, however, was the potential for these devices to serve as gateways into corporate networks, enabling remote code execution (RCE) and bypassing security layers. According to a prominent printer manufacturer, cybercrime represents a $445 billion global crisis encompassing printers, PCs, and other critical IoT endpoints.
Personal Connected Devices within Enterprise Networks
Personal IoT devices brought into corporate environments are often permitted to connect to enterprise networks. With the rising number of personal devices accessing enterprise networks, these endpoints are likely to be targeted to gain unauthorized entry to the corporate network.
Deployments of ECDs in major UK organizations likely present a different threat profile from personal consumer devices. Organizations usually possess greater knowledge, responsibility, and control over their networks and cybersecurity protocols than typical consumers. Meanwhile, the UK Department for Digital, Culture, Media and Sport (DCMS) has been actively working to enhance consumer connected product security and put forward legislation to further this objective in 2021.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/report/organisational-use-of-enterprise-connected-devices