No less than 98 per cent of traffic sent by internet-of-things (IoT) devices is unencrypted, exposing huge quantities of personal and confidential data to potential attackers, fresh analysis has revealed.
What’s more, most networks mix IoT devices with more traditional IT assets like laptops, desktops and mobile devices, exposing those networks to malware from both ends: a vulnerable IoT device can infect PCs; and an unpatched laptop could give an attacker access to IoT devices - and vast quantities of saleable data.
Those are the big conclusions from a real-world test of 1.2 million IoT devices across thousands of physical locations in the United States, carried out by Palo Alto Networks.
The company also focused on the healthcare industry and found a truly alarming security situation: no less than 83 per cent of medical imaging devices run on unsupported operating systems, a massive 56 per cent jump from two years ago because of the end of support for Windows 7.
That leaves hospitals “vulnerable to attacks that can disrupt care or expose sensitive medical information,” the report notes. In addition, 72 per cent of healthcare VLANs mix IoT and traditional assets, so the potential for hackers to access personal health data is a ticking time bomb.
The researchers estimate that more than half - 57 per cent - of IoT devices are currently vulnerable to medium or high-severity attacks, making them an obvious target for hackers. “We found that, while the vulnerability of IoT devices makes them easy targets, they are most often used as a stepping stone for lateral movement to attack other systems on the network,” the report noted. “Furthermore, we found password-related attacks continue to be prevalent on IoT devices due to weak manufacturer-set passwords and poor password security practices.”
Hate to say everyone told you so...
In short, the poor IoT security that people have been warning about for years now risks compromising larger networks because they are being attached to the same network; and thanks to a failure to upgrade imaging equipment to newer operating systems, hackers also have an extra route in networks where they could gather vast amounts of data from unencrypted IoT devices. A double-whammy in other words.
There is a small amount of good news: California’s new IoT law (SB-327) that requires a different password for every device - rather than manufacturer defaults - came into effect at the start of the year and is expected to cut down on easy hacks.
While that is an improvement, as we previously noted the law only deals with the lowest hanging fruit and did not include things like secure software updates which are, over time, a greater security risk - as those running Windows 7 are likely to find out over the next few years. Even a law requiring manufacturers to periodically prompt users to upgrade their software could have a massively positive security impact.
Laws requiring encryption would also be a huge help. As would a data-minimization law that requires companies to only request and store data that is needed for the functioning of their products. As would some kind of compulsory two-factor authentication.
The fear is that lawmakers will take their focus off terrible IoT security now that they passed a law eliminating default passwords. As far as we are aware, that appears to be playing out with no new security legislation working its way through the corridors of power.
The report also has some interesting observations about specific security risks and OS use. “We’re witnessing a shift away from attackers’ primary motivation of running botnets to conduct DDoS attacks via IoT devices to malware spreading across the network via worm-like features, enabling attackers to run malicious code to conduct a large variety of new attacks,” the authors noted.
As for the operating systems that critical hospital equipment is using: 56 per cent are on now-unsupported Windows 7 and a vaguely terrifying 11 per cent are still using WinXP. Seven per cent are running unsupported Linux or Unix, and just two per cent are using supported Linux.
The report has several pieces of advice to limit exposure to IoT-related threats. First up, find out whether you have IoT devices on your network and if so, segment them across VLANs. Then patch, patch, patch - especially easy things like printers. And lastly, switch to active monitoring so you find out faster if something is going on.
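The two headline numbers above (share of IoT traffic sent in the clear, and share of VLANs mixing IoT with traditional IT assets) are things a network team can measure on its own flow logs. The script below is an added example, not code from Palo Alto Networks or the report; it runs over constructed flow records and assumes a port-based heuristic for "encrypted", which a real deployment would replace with protocol detection.

```python
from collections import defaultdict

# Assumption: destination ports taken as carrying encrypted transport.
# A port heuristic is only a first pass; real classification should
# inspect the protocol (e.g. confirm a TLS handshake) rather than trust the port.
ENCRYPTED_PORTS = {443, 8883, 22, 5061}

# Constructed sample flows, not taken from the report:
# (vlan, src_host, src_class, dst_host, dst_port)
SAMPLE_FLOWS = [
    (10, "cam-01", "iot", "cloud.example", 80),
    (10, "cam-01", "iot", "cloud.example", 443),
    (10, "thermostat-02", "iot", "broker.example", 1883),
    (10, "laptop-07", "it", "intranet.example", 443),
    (20, "mri-01", "iot", "pacs.example", 104),
    (20, "mri-01", "iot", "pacs.example", 80),
    (30, "desktop-03", "it", "fileserver.example", 445),
    (30, "desktop-04", "it", "intranet.example", 443),
]


def unencrypted_share(flows, cls="iot"):
    """Fraction of flows from devices of class `cls` that use a plaintext port."""
    of_class = [f for f in flows if f[2] == cls]
    if not of_class:
        return 0.0
    plain = [f for f in of_class if f[4] not in ENCRYPTED_PORTS]
    return len(plain) / len(of_class)


def mixed_vlans(flows):
    """VLAN ids that carry traffic from both IoT and traditional IT assets."""
    classes = defaultdict(set)
    for vlan, _src, src_class, _dst, _port in flows:
        classes[vlan].add(src_class)
    return sorted(v for v, c in classes.items() if {"iot", "it"} <= c)


def mixed_vlan_share(flows):
    """Fraction of all observed VLANs that are mixed (the report's 72 per cent metric)."""
    vlans = {f[0] for f in flows}
    return len(mixed_vlans(flows)) / len(vlans) if vlans else 0.0


if __name__ == "__main__":
    print(f"IoT flows on plaintext ports: {unencrypted_share(SAMPLE_FLOWS):.0%}")
    print(f"Mixed VLANs: {mixed_vlans(SAMPLE_FLOWS)} ({mixed_vlan_share(SAMPLE_FLOWS):.0%})")
```

Hosts in a VLAN flagged by `mixed_vlans` are the candidates for the segmentation step the report recommends.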