Outdated software was prevalent across devices, researchers found in a study of enterprise connected device security for the Department for Science, Innovation and Technology (DSIT).
DSIT commissioned NCC Group to make a vulnerability assessment of some commonly-used enterprise connected devices, namely Internet Protocol (IP) cameras, Voice over Internet Protocol (VoIP) phones, Network Attached Storage (NAS) and meeting room panels (commonly found outside office rooms, showing their availability and often integrating with scheduling and booking systems). The researchers found one device’s bootloader over 15 years old. “Outdated software can often contain security vulnerabilities that can be exploited by attackers and so a robust and proactive software patching policy is essential,” the study stated.
Most devices did not use enough boot integrity protections or secure boot. “This means that the devices will not adequately check the filesystem for modifications or for tampering and in most cases an attacker with physical access to a device would be able to fully compromise a device and install a persistent backdoor.” Some manufacturers configured a device in ‘a default or insecure manner’.
Even more expensive, ‘high end’ devices had issues, such as the ‘high end’ IP camera that came with ‘severely outdated software’; and a ‘high end’ VoIP phone was deemed to be ‘extremely insecure’ and had device settings and credentials stored in plaintext. The researchers found many NAS devices (data storage servers) reachable from the internet, ‘but it was not possible to test these devices for default password use due to Computer Misuse Act 1990 legal restrictions’. The researchers did note that a physical hacker would only require brief physical access (plausibly while cleaning a desk, for example) and would leave no visible trace.
The report pointed out that mass-produced connected products ‘could conceivably be boxed and shelved in warehouses for months or even years before they are eventually purchased by customers – during a device’s shelf time, its software may become outdated while critical vulnerabilities may have been identified in the product, thus rendering it vulnerable ‘out of the box’.’ For consumers, the report recommended that ‘second-hand or refurbished devices should be avoided’, and devices ought to have their factory settings reset.
Comment
Sylvain Cortes, VP Strategy at the cyber firm Hackuity said: “The fact that outdated software and unpatched solutions are “prevalent across devices” is particularly worrying. Ultimately, the onus is on the manufacturers of devices to ensure their products are truly secure by design, but this still doesn’t seem to be a priority. One of the key issues is that many IoT devices, are still built with usability first and security as an afterthought. In particular, the report highlighted how privileges can be escalated which provides an open door for attackers not only to gain access but also to move laterally once they are inside.
“The report is a timely reminder that we have to make sure that, as the attacks surface expands, functionality is not sacrificed for the security of our systems, networks and sensitive data.”
DSIT meanwhile has brought out a ‘call for views on enterprise connected device security’, running until July 7.
