Security traps: old and forgotten IoT devices in industrial use. Seven-year-old vulnerabilities are still current and unpatched. A comment from security expert Thomas Uhlemann, ESET.
The Internet of Things (IoT) has long been established in German industry. According to a survey by Statista, two thirds of all companies surveyed are already using Industry 4.0 applications. But operators do not seem to take the IT security of these devices very seriously: security expert Thomas Uhlemann cannot explain the fact that hackers succeed in exploiting security gaps that have been known for seven years and more. In fact, the ESET Top 10 vulnerabilities for IoT devices consist without exception of vulnerabilities from 2015-2012.
Unpatched: age-old vulnerabilities in IoT
“The Internet of Things offers companies unimagined new opportunities. But if you don't fix known weak points for years, you risk losing more than you would like,” says Uhlemann, Security Specialist at ESET Germany. “In addition, outdated IT veterans like Fritz!Fax are still in operation, presumably unpatched. In Germany alone, more than 3 million are actively used.”
But the protection of the devices also leaves a lot to be desired. Access to them requires nothing more than a combination of user name and password; there is no trace of modern multi-factor authentication. It becomes really questionable when you meet the who's who of the worst authentications here:
“Against the background of the current success of hacker attacks worldwide, Zero Trust Security must be the order of the day. Therefore, every weak point should be closed urgently, especially the one in the IoT devices,” recommends Thomas Uhlemann.
Special groups of errors
Basically, the expert sees four serious error groups that make the use of the Internet of Things so problematic:
- Security problems already in the design of the IoT devices
- Human errors in operation or installation
- Apps for operation that are questionable in terms of security and data protection law
- Unwanted or unnoticed data transfers from the device to the Internet
“Aside from potential security leaks, many industrial IoT devices become dangerous over time. Because their lifespan is designed for years or even decades - and unfortunately a lot happens in terms of safety. In this respect, every company has to think carefully about whether and how it connects these devices to the Internet in the active network,” says the IT expert. His favorite example is the widely used webcam. Although it is not used in large-scale production operations, it symbolizes devices with a long service life. Many are still broadcasting live video from the company onto the Internet, perhaps even forgotten. One click on the stream often takes you to the camera's admin interface. Even without logging in, an attacker learns valuable information, such as the public IP address or whether and in which network segment the camera is located.
Forgotten devices are a security risk
In short: forgotten or uninventoried devices pose a major security risk. This happens very often when projects are canceled or companies are sold. The equipment then fades into the background and only later becomes a ticking security bomb.
Companies should keep this in mind when dealing with IoT devices:
- Use inventory software
- Use network segments
- Use secure access
- Sensors, actuators and the like are just as important as servers and PCs
- Updates, updates, updates
- Security in the design
- Use additional protection software
The expert also describes in the security blog what other dangers lurk, what companies should be aware of and how they can help themselves.