ECDs bring great opportunities for organisations but a significant number of devices on the market today have been found to lack basic security measures. Threat actors will seek to take advantage of technical vulnerabilities and poor cyber security to compromise ECDs. This is problematic if manufacturers do not seek to fix the issue, and if users do not apply updates.
Most IoT devices possess fewer processing and storage capabilities than traditional enterprise computing platforms, which makes it difficult to run security applications that could help protect them, such as antivirus software. Additionally, whilst patches are made available for IoT devices, many older IoT devices were not built with security in mind and do not have the capacity to receive remote patches. Some organisations also lack processes to monitor and manage whether an ECD is still supported. At the same time, it has become steadily easier and cheaper for criminals to acquire tools that enable them to launch high-volume, low-sophistication attacks that are ideally suited to compromising large numbers of poorly secured devices.
ECD attack surface areas, that is, the parts of ECD systems and applications where threats and vulnerabilities may exist, include:
- Devices – devices can be the primary means by which attacks are initiated. Parts of a device where vulnerabilities may exist include its storage, firmware and application software, physical interface, web interface, and network services. Attackers can also take advantage of insecure default settings, outdated components, and insecure update mechanisms, among others. Unlike software vulnerabilities, vulnerabilities in hardware sometimes cannot be patched and would require a complete physical replacement to secure.
- Communication channels – attacks can originate from the communication channels that connect ECD components with one another. Protocols used in a range of ECD systems can have security issues that can affect the entire system. Many ECD systems are also susceptible to known network attacks such as denial of service and spoofing.
- Applications and software – vulnerabilities in network services and related software for ECDs can lead to compromised systems. Network services can, for example, be exploited to steal user credentials or push malicious firmware updates.
Case Study: Ripple20
In June 2020, researchers announced 19 zero-day vulnerabilities impacting millions of devices, affecting the Treck embedded IP stack. Treck is used by over 50 vendors and millions of devices, including mission-critical devices for healthcare, data centres, and critical infrastructure. This group of vulnerabilities has been named “Ripple20” to reflect the widespread impact the exploitation of these flaws could have on a wide range of products from various industries.
Ripple20 impacts critical IoT devices, including printers, networking equipment, IP cameras, video conferencing systems and building automation devices. By exploiting the software library flaws, attackers could remotely execute code and gain access to sensitive information. The impact of these vulnerabilities is exacerbated by the fact that Ripple20 is a supply chain vulnerability, meaning it is hard to track all the devices that make use of this library.
Supply chain
ECDs exacerbate supply chain vulnerabilities. Supply chain attacks typically occur before devices are deployed onto organisations’ networks. However, as seen in the SolarWinds supply chain attack, compromised software updates to devices deployed onto a network can also be a vector. Supply chain attacks on ECDs often involve compromised software being installed in a certain ECD, such as a router or a camera. However, an ECD supply chain attack can also refer to a piece of hardware that has been implanted or modified to change a device’s behaviour.

Figure 1: Shodan search results for vulnerable device models, split between printer, IP cameras and video conferencing, networking, and ICS.
Supply chain attacks have a significant impact since the compromised software or device can present a single point of failure for the security of several entities.
In 2020, a series of Shodan* searches for 37 specific device models from 18 vendors (including printers, IP cameras, video conferencing systems and networking equipment) revealed that there were around 15,000 internet-connected instances of these affected devices that could potentially be compromised by anybody on the internet.
*Shodan is a search engine that lets users search for internet-connected devices
Bots
While threat actors still make ready use of compromised traditional computers, their bot armies are now increasingly composed of IoT devices. The majority of IoT botnets have been used for coordinated DDoS attacks, although there are also IoT botnets that have the ability to exfiltrate sensitive information, as seen in the example of the Torii botnet. With the large, and rapidly increasing, number of ECDs, IoT botnets will continue to pose a unique challenge and noteworthy threat.
Case Study: Mirai-inspired IoT botnet
In 2020, a Russian hacking group, dubbed Digital Revolution, leaked documents claimed to have been taken from a subcontractor to a company building cyber tools for the FSB, the Russian domestic intelligence agency. According to the documents, the project began in 2017 and aimed to create an IoT botnet inspired by the notorious Mirai botnet of 2016. The plans showed that its main targets would be security cameras and network video recorders. Each infected device in the botnet would be reprogrammed to carry out password attacks on other devices in order to keep the botnet alive and growing. With a large enough botnet, attackers can launch powerful DDoS attacks. Both state and non-state actors are likely to exploit vulnerabilities in the IoT, including CCTV cameras, to form botnets for malicious ends, including attack infrastructure and DDoS attacks.
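The spreading behaviour described in this case study, an infected camera guessing passwords against neighbouring devices, leaves a trace in the authentication logs of the devices it targets. The detection logic below is an added illustration and not part of the original case study; it runs over constructed log lines in a simplified syslog-like format and assumes the organisation's cameras and NVRs sit in 10.20.0.0/24.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). A camera at 10.20.0.7 tries
# default-style credentials against its neighbours; a workstation makes one typo.
SAMPLE_LOG = """\
2020-05-01T10:00:01Z 10.20.0.11 sshd: Failed password for admin from 10.20.0.7
2020-05-01T10:00:02Z 10.20.0.11 sshd: Failed password for root from 10.20.0.7
2020-05-01T10:00:03Z 10.20.0.12 sshd: Failed password for admin from 10.20.0.7
2020-05-01T10:00:04Z 10.20.0.12 sshd: Failed password for support from 10.20.0.7
2020-05-01T10:00:05Z 10.20.0.13 sshd: Failed password for admin from 10.20.0.7
2020-05-01T10:00:06Z 10.20.0.14 sshd: Failed password for user from 10.20.0.7
2020-05-01T10:00:09Z 10.0.5.2 sshd: Failed password for alice from 10.0.5.40
2020-05-01T10:00:12Z 10.0.5.2 sshd: Accepted password for alice from 10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<target>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed address range holding the organisation's cameras and NVRs. A device
# there should be serving video, not authenticating to its neighbours.
ECD_RANGE = ipaddress.ip_network("10.20.0.0/24")

def find_spreading_devices(log_text, window=timedelta(minutes=5), min_targets=3):
    """Return {src_ip: (distinct_targets, distinct_usernames, failed_attempts)}
    for ECD sources whose failed logins hit >= min_targets hosts within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        src = ipaddress.ip_address(m["src"])
        if src not in ECD_RANGE:
            continue  # only failures originating from ECDs are of interest here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[str(src)].append((ts, m["target"], m["user"]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):  # sliding window from each event
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            targets = {e[1] for e in in_win}
            if len(targets) >= min_targets:
                users = {e[2] for e in in_win}
                alerts[src] = (len(targets), len(users), len(in_win))
                break
    return alerts
```

A single failed login from a device is normal; the signal is one ECD source failing against several distinct hosts with several usernames in a short window.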
Unpatched IoT devices on enterprise networks
The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating systems and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations.
Cyber actors will try to locate any vulnerable ECD to compromise enterprise systems. The use of unpatched devices is a common risk – since they lack the latest security updates, threat actors can use older known vulnerabilities to compromise such devices and gain privileged access to corporate networks. Ultimately, unpatched devices can then lead to data breaches or exposed information, manipulation of other assets, access to servers and systems, deployment of malware, or even physical disruption of operations.
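A practical answer to the tracking problem raised in the Ripple20 case study, and to the unpatched-device risk described above, is an inventory check that compares each device's running firmware with advisory data and records explicitly when no fix will ever come. This is an added example, not taken from the report; the inventory rows, vendor names, version numbers and advisory table are all constructed placeholders.

```python
# Constructed inventory rows, as an asset register might export them:
# (hostname, vendor, model, running firmware). All names are placeholders.
INVENTORY = [
    ("prn-01", "VendorA", "PrintPro 500", "3.2.1"),
    ("prn-02", "VendorA", "PrintPro 500", "3.4.0"),
    ("cam-07", "VendorB", "Cam X1", "1.0.9"),
    ("nvr-01", "VendorC", "NVR 8", "2.1.0"),
]

# Constructed advisory table keyed by (vendor, model): the first firmware that
# removes the vulnerable component, or None where the vendor has confirmed the
# product is affected but will not issue a fix. Real entries would come from
# vendor and stack-maintainer advisories; this is illustrative data only.
ADVISORIES = {
    ("VendorA", "PrintPro 500"): "3.4.0",
    ("VendorB", "Cam X1"): None,
}


def parse_version(text):
    """'3.10.2' -> (3, 10, 2), so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def classify(device, advisories):
    hostname, vendor, model, firmware = device
    if (vendor, model) not in advisories:
        return "unknown"      # no data: must be investigated, never assumed safe
    fixed = advisories[(vendor, model)]
    if fixed is None:
        return "unsupported"  # vulnerable with no fix coming: isolate or replace
    if parse_version(firmware) >= parse_version(fixed):
        return "patched"
    return "unpatched"        # a fix exists and has not been applied


def assess(inventory, advisories):
    """Group hostnames by exposure class so the riskiest devices surface first."""
    report = {"unsupported": [], "unpatched": [], "unknown": [], "patched": []}
    for device in inventory:
        report[classify(device, advisories)].append(device[0])
    return report


if __name__ == "__main__":
    for state, hosts in assess(INVENTORY, ADVISORIES).items():
        print(f"{state:12s} {', '.join(hosts) or '-'}")
```

Devices in the "unknown" class are the ones the supply chain problem hides: a product can embed the affected library without the asset register saying so, so absence from the advisory table is a work item, not a clean bill of health.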
Case Study: Enterprise printer vulnerabilities
In 2019, researchers conducted a six-month project to identify vulnerabilities and exploitations relating to devices made by six of the largest enterprise printer makers in the world. The researchers uncovered weaknesses that opened devices to DDoS attacks, but of much more concern is the potential for those devices to be used as entry points into corporate networks, with remote code execution (RCE) and the bypassing of security layers. According to a leading printer manufacturer, cyber crime represents a $445 billion global crisis for printers, PCs, and other mission-critical IoT endpoints.
Personal connected devices on enterprise networks
Personal IoT devices which are brought into the office environment may be allowed to connect to some enterprise networks. Due to the increased number of personal devices connected to enterprise networks, it is likely these devices will be targeted to gain access to the enterprise network.
Deployments of ECDs within large UK organisations are likely to present a different threat profile from personal consumer-use devices. Organisations often have more knowledge, responsibility and control for networks and cyber security, compared with a typical consumer. On the consumer side, DCMS has been conducting extensive work to improve the security of consumer connected products and brought legislation into Parliament to support this goal in 2021.