IoT: little understood risks

The study by Forescout Technologies, which specializes in the visibility and control of devices connected to the network, finds that physical access control systems and medical equipment are very vulnerable.

Some connected devices expose corporate networks. Entitled “ The Enterprise of Things Security Report ”, the Forescout study defines the risks inherent in the types of equipment and specific to each sector.

The most sensitive trio includes, in descending order in terms of risk, physical access control systems, HVAC (heating, ventilation, air conditioning), and surveillance cameras.

To conduct this study, Forescout collected data from 8 million connected devices worldwide, deployed in five main sectors: finance, public institutions, health, industry, and commerce.

It has implemented a methodology defining the risk for IoT devices according to 6 criteria including vulnerabilities, security events, or even potential impact.

According to this survey, the groups of equipment most at risk are those relating to Smart Buildings. Next come healthcare equipment, networking equipment, and VoIP phones.

Open Critical Ports
These Smart Building connected objects – among which are HVAC systems, physical access control solutions, IP cameras, emergency communication systems,s, and lighting – are present in all sectors studied and represent a risk for organizations. modern.

The recent discovery of Ripple 20 vulnerabilities reminds us that many devices can be at risk for organizations. Either the device will be hacked itself, with direct consequences on the service it provides, or the hackers will use it as a gateway to access the company’s network.

Apart from the health sector, connected objects from the Smart Building group still occupy one of the first two places of the most at-risk equipment. In the institutional sector and the commercial sector, they even make up the entirety of the podium!

In detail, the types of devices that present the highest level of risk are physical access control systems, in particular, due to many open critical ports and too much connectivity with risky devices, as well as the presence of known vulnerabilities.

HVAC (heating, ventilation, air conditioning) systems and surveillance cameras complete the podium.

Medical equipment is also among the connected objects most at risk, in the same way as network equipment. If compromised, this equipment could have significant consequences, especially medical equipment. Again, these devices too often have critical ports open that expose dangerous services on the network.

More worryingly, just over 30% of equipment managed under Windows in the industrial sector uses software versions that Microsoft no longer provides support for! This figure reached exceeds 35% in health.

Hundreds of forgotten IOTs
In the financial sector, nearly 30% of devices managed under Windows use operating systems that have not been updated to deal with identified threats such as BlueKeep.

On the other hand, the percentage of devices using Microsoft software versions (Windows 7, Vista, XP) that are no longer supported by the publisher remains below 1% in all the sectors studied.

The main network protocols are present in the different verticals. The study shows that nearly 10% of devices in the institutional sector have Telnet port 23 open by default, and nearly 12% have FTP ports 20 or 21 open by default.

In the financial services, healthcare, and institutional sectors, almost 20% of devices have the default SMB port 445 open and 12% have RDP port 3389.

“When we talk about connected equipment, most companies first think of phones and laptops, and forget the hundreds of other devices that are also connected to their networks”, explains Julien Tarnowski, Regional Director France and Luxemburg from Forescout.

Managing to secure so many and so different devices is a major challenge for IT managers. But solutions exist to automatically identify, manage and secure devices that connect to networks and are part of more global security policies.