A recent study by Forescout reveals which IoT devices pose particular risks. The data shows which devices, in which areas of the enterprise, carry the greatest risk of compromise, which helps security teams focus on the right areas for a given threat. Time is an important factor here and should not be underestimated: the most exposed and most critical entry points should be closed quickly, before cybercriminals use them to penetrate the network. But what are the ten biggest entry points?
To determine which device types carry the highest risk, it makes sense to first compute an individual risk score for each device from its open ports and services, its known vulnerabilities, and its connections to other devices. The following figure illustrates the ten riskiest device types in selected industries, highlighting those that IT security teams should take a closer look at. In the figure, device functions are grouped as follows:
- Smart building devices include HVAC systems, IP cameras, physical access control, emergency communications systems, and lighting.
- Healthcare devices include HL7 gateways, Picture Archiving and Communication System (PACS) archives, radiation therapy systems, radiology workstations, and sterilization.
- Network and VoIP devices include network management, firewalls, out-of-band controllers, routers or switches, VoIP servers, serial-to-IP converters, and wireless access points.
- Operational devices include UPS, PLCs, and robots.
- Other IoT devices include printers, video conferencing, pneumatic tube systems, point of sale (POS), and network-connected warehouses.
Most of these device types expose many open ports, have many connections, and carry known vulnerabilities. With the exception of network devices, they are predominantly unmanaged. Typical IT workstations are not included in the list because of their hardware and software fragmentation, but they remain among the most important entry points into the enterprise network. Attacks on workstations typically begin with phishing, malicious email, or infected websites, followed by lateral movement within the Active Directory domain.
Top 10 riskiest IoT devices.
In addition to analyzing the risk level of device groups and their distribution across industries, Forescout Research Labs measured the risk posed by specific device functions and types.
The figure shows the ten highest-risk device classes. They are far from the only classes security teams should monitor, but they are certainly among the most important. Note that all of these devices are typically unmanaged.
1. Physical access control solutions
These devices open or close door locks for holders of authorized credentials. The research found them frequently configured with open ports (including Telnet on port 23), connected to other risky devices, and affected by serious reported vulnerabilities.
2. HVAC systems
Heating, ventilation, and air conditioning (HVAC) devices were likewise found with critical open ports (including Telnet) and connections to other risky devices, and some contain critical vulnerabilities that could allow complete takeover of a device (CVE-2015-2867 and CVE-2015-2868).
3. Network cameras
The IP cameras examined carry dozens of serious vulnerabilities (for example, CVE-2018-10660) and are usually configured with critical ports open, such as SSH (port 22) and FTP (port 21).
4. Programmable logic controllers (PLCs)
The programmable logic controllers (PLCs) identified here have serious vulnerabilities (for example, CVE-2018-16561). Their potential impact is very high because PLCs control critical industrial processes; the infamous Stuxnet malware, for example, targeted Siemens S7 PLCs used in uranium enrichment. Nevertheless, PLCs rank below the first three classes because they had fewer open ports and lower connectivity in the sample.
5. Radiotherapy systems
No vulnerabilities have been reported for these devices, but they were found configured with many critical ports open (including Telnet) and connected to other risky medical devices. The impact of exploiting a radiotherapy system is inherently high, since these systems deliver radiation doses to patients.
6. Out-of-band controllers
These are the out-of-band management controllers integrated into server motherboards that provide an interface for managing and monitoring the server hardware. A controller has its own processor, memory, and network connection, plus access to the system bus, so it keeps running even when the host operating system is down or compromised. Relevant vulnerabilities were found in these devices, such as CVE-2015-7272, which can be exploited over SSH (port 22 was open on all of these devices in the dataset) to cause a denial of service, and CVE-2019-13131, which can be exploited over SNMP (port 161 was open on most iDRAC devices in the dataset) to achieve remote code execution.
7. Radiology workstations
These workstations are commonly connected to many peripheral systems in healthcare facilities, such as radiology information systems, PACS, and electronic medical records. As with radiotherapy systems, there are no reported vulnerabilities, but these devices were found configured with many critical ports open and connected to risky devices. The impact of exploitation is also very high: a workstation is an ordinary computer on which common attacker tooling can easily be adapted to gain persistence or to pivot within a healthcare network.
8. Picture archiving and communication systems (PACS)
PACS are medical imaging systems for storing, retrieving, managing, distributing, and presenting medical images. The research found vulnerabilities in these systems (for example, CVE-2017-14008 and CVE-2018-14789). Because of their position in the network and their application context, they have a risk profile similar to the other medical devices in the research sample.
9. Wireless access points
These contain many critical vulnerabilities, including CVE-2017-3831 and CVE-2019-15261, and are often connected to many risky guest devices.
10. Network management cards
These cards remotely monitor and control individual UPS devices and contain many critical vulnerabilities. Beyond known vulnerabilities (for example, CVE-2018-7820), high connectivity, and open ports, these devices notably support the BACnet/IP and Modbus/TCP protocols, neither of which was designed with authentication, again highlighting the convergence of smart building technology with IT infrastructure.
To address the risk posed by these vulnerabilities, organizations should first inventory every device on their network, then enforce risk mitigation controls and prioritize patching. The ten classes of typically unmanaged IoT devices highlighted here present a large attack surface. Segmenting, isolating, and controlling network access for vulnerable devices therefore helps mitigate risk. Automated alerts to the IT security department and the incident response team help separate the wheat from the chaff and identify genuine security incidents early.
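The per-device risk score mentioned at the start of the article and the inventory-then-prioritize-then-alert advice at its end can be made concrete with a small scoring script. The following Python is an added example written for this page; it is not Forescout's scoring model, and the weights, thresholds, device names, ports, CVSS values, and links in it are all assumed. It combines the three factors the article cites for every device class (exposed critical services, known vulnerabilities, and connectivity to other risky devices), ranks a constructed inventory, and turns the top entries into alerts that state why each device was flagged.

```python
"""Toy device-risk scoring over a constructed inventory (added example,
not Forescout's model: all weights, thresholds and sample data are assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Services the article repeatedly flags when exposed on unmanaged devices.
# Assumed weights: cleartext or unauthenticated protocols count more than SSH.
CRITICAL_PORT_WEIGHTS = {
    23: 3.0,     # Telnet: cleartext, frequently default credentials
    21: 2.0,     # FTP: cleartext
    161: 2.0,    # SNMP: often v1/v2c with a default community string
    502: 2.0,    # Modbus/TCP: no authentication in the protocol
    47808: 2.0,  # BACnet/IP: no authentication in the protocol
    22: 1.0,     # SSH: encrypted, but still a management surface
}
UNMANAGED_MULTIPLIER = 1.5   # assumed: no agent, no patch cycle, no EDR
NEIGHBOUR_FACTOR = 0.25      # assumed: share of a neighbour's risk that carries over
RISKY_NEIGHBOUR = 10.0       # assumed: intrinsic risk above which a link is reported


@dataclass(frozen=True)
class Device:
    name: str
    device_class: str
    managed: bool
    open_ports: frozenset   # ports seen open by a scan or a passive sensor
    cve_scores: tuple       # CVSS base scores of known, unpatched CVEs
    links: frozenset        # names of devices this one exchanges traffic with


def exposure_score(d: Device) -> float:
    """Sum of the weights of the critical services the device exposes."""
    return sum(CRITICAL_PORT_WEIGHTS.get(p, 0.0) for p in d.open_ports)


def vulnerability_score(d: Device) -> float:
    """Worst CVE dominates; each additional CVE adds a small increment."""
    if not d.cve_scores:
        return 0.0
    return max(d.cve_scores) + 0.5 * (len(d.cve_scores) - 1)


def intrinsic_risk(d: Device) -> float:
    """Risk of the device on its own, before looking at what it talks to."""
    base = exposure_score(d) + vulnerability_score(d)
    return base * (1.0 if d.managed else UNMANAGED_MULTIPLIER)


def risk_scores(inventory: Dict[str, Device]) -> Dict[str, float]:
    """Intrinsic risk plus a share of each neighbour's intrinsic risk."""
    intrinsic = {n: intrinsic_risk(d) for n, d in inventory.items()}
    scores = {}
    for n, d in inventory.items():
        # Links to devices missing from the inventory are ignored; an
        # incomplete inventory under-scores, which is itself a finding.
        neighbours = sum(intrinsic.get(m, 0.0) for m in d.links if m != n)
        scores[n] = intrinsic[n] + NEIGHBOUR_FACTOR * neighbours
    return scores


def ranked(inventory: Dict[str, Device]) -> List[Tuple[str, float]]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risk_scores(inventory).items(), key=lambda kv: (-kv[1], kv[0]))


def alerts(inventory: Dict[str, Device], threshold: float = 20.0) -> List[Tuple[str, float, str]]:
    """Devices at or above threshold, each with the concrete reasons an
    analyst needs: which ports, how many CVEs, which risky neighbours."""
    out = []
    for name, score in ranked(inventory):
        if score < threshold:
            continue
        d = inventory[name]
        reasons = []
        ports = sorted(p for p in d.open_ports if p in CRITICAL_PORT_WEIGHTS)
        if ports:
            reasons.append("exposed ports " + ",".join(map(str, ports)))
        if d.cve_scores:
            reasons.append(f"{len(d.cve_scores)} known CVE(s), max CVSS {max(d.cve_scores)}")
        if not d.managed:
            reasons.append("unmanaged")
        risky = sorted(m for m in d.links
                       if m in inventory and intrinsic_risk(inventory[m]) >= RISKY_NEIGHBOUR)
        if risky:
            reasons.append("talks to risky " + ",".join(risky))
        out.append((name, score, "; ".join(reasons)))
    return out


def _dev(name, cls, managed, ports, cves, links):
    return Device(name, cls, managed, frozenset(ports), tuple(cves), frozenset(links))


# Constructed sample inventory: names, ports, CVSS values and links are made up.
INVENTORY = {d.name: d for d in [
    _dev("door-ctrl-01", "physical access control", False, {23, 80}, [9.8], {"cam-lobby-02", "hvac-roof-01"}),
    _dev("hvac-roof-01", "hvac", False, {23, 80}, [9.8, 7.5], {"door-ctrl-01"}),
    _dev("cam-lobby-02", "ip camera", False, {21, 22, 554}, [9.8, 7.5, 5.3], {"door-ctrl-01"}),
    _dev("bmc-srv-07", "out-of-band controller", False, {22, 161, 443}, [9.8, 7.5], {"ups-nmc-01"}),
    _dev("ups-nmc-01", "ups network management card", False, {80, 161, 502, 47808}, [9.8], {"bmc-srv-07"}),
    _dev("ws-radiology-03", "radiology workstation", False, {23, 445}, [], {"pacs-01"}),
    _dev("pacs-01", "pacs", False, {80, 104}, [7.5, 6.5], {"ws-radiology-03"}),
    _dev("fw-core-01", "firewall", True, {22, 443}, [], set()),
]}

if __name__ == "__main__":
    for name, score, why in alerts(INVENTORY):
        print(f"{score:6.2f}  {name:16s}  {why}")
```

In this constructed data the door controller ends up on top not because of its own CVE count but because it sits between two other risky devices, which is the point of the connectivity term: the same Telnet-exposed controller in an isolated segment would score lower, and segmentation is what drives that term down without touching the device. The alert text deliberately names the ports and neighbours rather than just the number, because that is what an incident responder needs to decide between patching, blocking a port, or moving the device to another segment.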