Outdated and unsecured IoT devices are a serious risk for UK businesses

Businesses are running old, outdated IoT devices and aren't adhering to cybersecurity standards.

May 12, 2025 - 14:03

  • IoT in the enterprise is a major liability, the UK government claims
  • Most organizations are running old and outdated software
  • They are also not adhering to security standards

Internet of Things (IoT) devices in the enterprise are a major security liability. This is according to a new report from the cybersecurity professionals at NCC Group, produced on behalf of the UK government.

“The government is concerned about the security of these products as vulnerable devices can provide a route for hostile actors to attack the IT systems used by businesses,” the UK government said in an announcement for the report. “As part of the government’s work to address this issue and improve cyber resilience across the UK economy, the government commissioned NCC Group to conduct a vulnerability assessment of some commonly-used enterprise connected devices.”

The results have shown that UK businesses have plenty of reasons to be concerned. Apparently, NCC Group found a “number” of software and hardware vulnerabilities that could lead to remote code execution (RCE) attacks, granting threat actors full control of a device over the network.

Outdated software

One of the bigger problems was outdated software. The report states that unpatched solutions were “prevalent across devices”, also stating that one of the analyzed devices ran a 15-year-old bootloader.

The UK government also said that in “most cases”, an attacker with physical access to a device would be able to fully compromise it, installing a persistent backdoor to be used in future attacks. The majority of the tested devices ran all of their processes as the highly privileged “root” user, which means there is no granularity of access between processes and the consequences of a breach could be dire.

There is nothing particularly unique about these IoT devices, or the vulnerabilities they carried. The UK government said they were “generally insecure”, especially when it comes to the configuration of services, applications, or features. It also warned that adherence to the NCSC’s Device Security Principles and the ETSI EN 303 465 standard was “mixed”.
