Outdated and unsecured IoT devices are a serious risk for UK businesses
Businesses are running old, outdated IoT

- IoT in the enterprise is a major liability, the UK government claims
- Most organizations are running old and outdated software
- They are also not adhering to security standards
Internet of Things (IoT) devices in the enterprise are a major security liability. This is according to a new report from the cybersecurity professionals NCC Group, produced on behalf of the UK government.
“The government is concerned about the security of these products as vulnerable devices can provide a route for hostile actors to attack the IT systems used by businesses,” the UK government said in an announcement for the report. “As part of the government’s work to address this issue and improve cyber resilience across the UK economy, the government commissioned NCC Group to conduct a vulnerability assessment of some commonly-used enterprise connected devices.”
The results show that UK businesses have plenty of reasons to be concerned. NCC Group found a “number” of software and hardware vulnerabilities that could lead to remote code execution (RCE) attacks, granting threat actors full control of a device over the network.
Outdated software
One of the bigger problems was outdated software. The report states that unpatched solutions were “prevalent across devices”, also stating that one of the analyzed devices ran a 15-year-old bootloader.
The UK government also said that in “most cases”, an attacker with physical access to a device would be able to fully compromise it, installing a persistent backdoor to be used in future attacks. The majority of the tested devices ran all of their processes as the highly privileged “root” user, which means there is no granular access control and the consequences of a breach could be dire.
There is nothing particularly unique about these IoT devices, or the vulnerabilities they carried. The UK government said they were “generally insecure”, especially when it comes to the configuration of services, applications, or features. It also warned that adherence to the NCSC’s Device Security Principles and the ETSI EN 303 645 standard was “mixed”.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.