Security Risks Found in Millions of XIoT Devices

Written by

A vast number of common vulnerabilities and exposures (CVEs), default passwords and other security risks have been found in millions of extended internet of things (XIoT) devices.

The claims come from security experts at Phosphorus, who recently published a report encapsulating five years of security research and device testing.

The research suggests some worrying findings based on the analysis of millions of XIoT devices deployed in corporate network environments across leading verticals.

Phosphorus has claimed that 99% of XIoT device passwords analyzed as part of its research were out of compliance with best practices, and 68% of XIoT devices had high-risk or critical vulnerabilities (CVSS scores of 8-10). Further, the company said that 80% of security teams could not correctly identify most of their XIoT devices.

“XIoT as a consumer category went from being nascent to hyped to ubiquitous over a very short space of time,” said Casey Ellis, founder and CTO at Bugcrowd. “Speed, or more specifically haste, is the natural enemy of security, resulting in generally more ‘lax by default’ design and development considerations when it comes to cybersecurity and user protection.”

To defend against these threats, the Phosphorus report suggests companies should harden devices and reduce their attack surface.

“The issues identified by Phosphorus are genuine, but the solution to these issues is not as simple as they are making it out to be,” commented Viakoo CEO Bud Broomhead.

“For example, knowing through service assurance that IoT devices are functioning properly is also a component of hardening and securing devices. There must also be a focus on providing a path to zero trust on IoT devices through comprehensive certificate management.”

The executive added that more focus is needed on adding unique IoT and IoT application data to discovery solutions and configuration management database solutions. This would enable the use of records of historical operations to harden and secure IoT systems.

“Many enterprise IoT devices are tightly-coupled to their applications, which is another layer of complexity to securing them,” Broomhead explained.

“Understanding the differences with loosely-coupled and tightly-coupled IoT devices is required to secure them in a way that enables the entire IoT workflow to be restored after firmware, password, and certificate updates.”

Patrick Tiquet, vice president of security and architecture at Keeper Security, goes one step further, saying that there should be a security framework or certification for XIoT vendors to certify their products as secure.

“This type of certification would give consumers and businesses a level of assurance that the XIoT products they are utilizing are, in fact, secure.”

The Phosphorus report comes months after Claroty published new data suggesting the number of vulnerability disclosures impacting XIoT devices increased by 57% in the first half of 2022 compared to the previous six months.

What’s hot on Infosecurity Magazine?