Phosphorus Labs on Tuesday reported that 99% of xIOT (extended-internet-of-things) device passwords are out of compliance with industry best practices.
The research, which marked Phosphorus Labs’ inaugural report since becoming a new division of Phosphorus, found that 68% of xIoT devices have high-risk or CVSS scores of between 8-10. The report also said that 80% of security teams can’t identify the majority of their xIoT devices.
“The purpose behind Phosphorus Labs is not to create yet another vulnerability research program,” said Brian Contos, chief security officer of Phosphorus. “xIoT vulnerabilities are a dime a dozen. While they often make a lot of noise in the news media, what’s more important from a security standpoint is that we learn how to prevent these attacks by hardening devices and reducing their attack surface. Vulnerabilities will come and go, but device-level security should be consistent.”
Bud Broomhead, chief executive officer at Viakoo, said the issues identified by Phosphorus are genuine, but the solutions to these issues are not so simple. For example, Broomhead said knowing through service assurance that IoT devices are functioning properly is also a component of hardening and securing devices.
“There must also be a focus on providing a path to zero-trust on IoT devices through comprehensive certificate management,” Broomhead said. “Discovering IoT devices and assessing their vulnerabilities is critically important, but also an already solved problem through leading vendors such as Armis, Forescout, Nozomi, and others. We need more focus on adding unique IoT and IoT application data to discovery solutions and configuration management database solutions, so that records of historical operations can be used in hardening and securing IoT systems.“
Craig Burland, chief information security officer at Inversion6, said these findings should alarm leaders from supply chain to engineering, from legal to IT. Burland said the percentage of vulnerable devices is the direct result of designing without security or lifecycle in mind. Burland said building anything in the information age demands that security requirements sit alongside functional requirements and are considered from the moment a product gets conceptualized.
“The volume of vulnerable devices speaks to consistently poor asset management,” Burland said. “This capability was critical when IT devices alone connected to the internet. Now that devices of all types connect to the internet, the inability to know and manage assets is an existential threat that organizations must now face.”
Patrick Tiquet, vice president, security and architecture at Keeper Security, said whether it’s OT, ICS, IIoT or IoT, the broader xIoT space benefits from application of the same standard security practices used in IT. Tiquet said those best practices include regular firmware/software upgrades, frequent patching and vulnerability remediation, as well as implementing strong encryption and secure authentication.
“Ideally, there should be a security framework or certification under which xIoT vendors would have to certify their products as secure,” Tiquet said. “This type of certification would give consumers and businesses a level of assurance that the xIoT products they are utilizing are, in fact, secure.”