IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Attackers


Internet of Things (IoT) devices containing vulnerabilities have surged by 136% compared to a year ago, according to Forescout’s The Riskiest Connected Devices in 2024 report.

The study, which analyzed data sourced directly from nearly 19 million devices, found that the proportion of IoT devices with vulnerabilities rose from 14% in 2023 to 33% in 2024.

The most vulnerable IoT device types were wireless access points, routers, printers, voice over Internet Protocol (VoIP) devices and IP cameras.

Around a third (33%) of IoT devices analyzed had vulnerabilities.

Rik Ferguson, VP Security Intelligence at Forescout, told Infosecurity that threat actors primarily target IoT devices connected to the enterprise stack, such as IP cameras and building management systems, ahead of consumer smart products.

These endpoints give attackers a large opportunity to enter and leave organizations' systems without being seen.

“There are tutorials shared in underground forums about how to compromise and use them for lateral movement, exfiltration and command and control, because they are invisible in most cases to the enterprise security stack,” noted Ferguson.

Internet of Medical Things (IoMT) devices were also highlighted as a significant risk by the researchers, with 5% of these devices found to contain vulnerabilities.

The riskiest devices observed in this category were medical information systems, electrocardiographs, digital imaging and communications in medicine (DICOM) workstations, picture archiving and communication systems (PACS) and medication dispensing systems.

The researchers noted there are documented cases of ransomware attacks affecting the availability of dispensing systems, which can cause delays in patient treatment.

IoMT has also moved above operational technology (OT) in the ranking of riskiest device categories, compared to Forescout's 2023 report.

Network Equipment the Riskiest IT Device Category

IT devices accounted for most device vulnerabilities (58%) in this year’s report, although this represents a significant fall from 78% in 2023.

Network infrastructure devices, including routers and wireless access points, were the riskiest type of IT device category, surpassing endpoints.

Ferguson observed that there has been a fall in some IT device categories and an increase in others, with attackers focusing on devices that are often unmanaged, such as wireless access points and routers.

He noted that hypervisors have been the entry points for major compromises in the past year, with ransomware created specifically to target these devices.

The five riskiest device types identified in OT environments were uninterruptible power supply (UPS), distributed control systems (DCS), programmable logic controllers (PLC), robotics and building management systems (BMS).

In total, 4% of OT devices were found to contain vulnerabilities.

The researchers noted that the use of robots is rapidly increasing in industries like electronics and automotive manufacturing where factories are becoming more connected.

Many of these robots have the same security issues as other OT equipment, including outdated software and default credentials.

Most Vulnerable Industries

The industries with the highest average device risk are technology (8.3), education (8.14), manufacturing (7.98) and financial services (7.95).

Interestingly, healthcare has gone from being the riskiest industry in 2023 to the least risky in Forescout's latest report, with a score of 7.25.

This is a result of healthcare’s significant investment in device security in the past year, according to the researchers.

Ferguson noted that healthcare has learned lessons from being targeted heavily by ransomware attacks in the past year, by closing up key entry points for attackers, in particular reducing the exposure of Telnet and RDP.

Risk scores are quantified based on configuration, behavior and function, with each device assigned a score between 1 and 10.

Source: Forescout

The country with the highest average device risk was China (7.32), followed by Philippines (6.97), Thailand (6.96), Canada (6.51) and the US (6.44).

The UK had the lowest risk score of the countries analyzed, at 6.
