
A new Government research paper has identified a number of potential cyber security weaknesses in internet of things (IoT) devices.
Published by the Department for Science, Innovation and Technology (DSIT), the report – based on a vulnerability assessment by NCC Group – examines weak points in ‘enterprise connected devices’ such as office printers, internet-connected telephones, building entry systems and room booking systems.
It says the Government is concerned about the security of the products as vulnerable devices can provide a route for hostile actors to attack IT systems.
DSIT highlighted a handful of key findings, including that outdated software is prevalent across devices, and that a number of serious remote code execution vulnerabilities have been discovered that could give an attacker full control of a device over the network.
Other key findings are that:
- in most cases an attacker with physical access to a device would be able to fully compromise it and install a persistent backdoor;
- there are issues related to insecure configurations of services, applications or features;
- and there has been mixed adherence to the National Cyber Security Council’s Device Security Principles and the ETSI EN 303 645 standard.
In response, the report provides a number of recommendations for users of the devices. These include: evaluating the reputation and track record of device manufacturers; ensuring the devices adhere to relevant industry standards and certifications; looking for features such as encryption, secure boot and hardware-based security; determining whether a device can be configured to meet the organisation’s security requirements; and ensuring the manufacturer provides regular firmware and software updates.
DSIT has also launched a call for evidence on the relevant issues to feed into the future publication of a code of practice and policy interventions that are under consideration.
Attractive target
In the document’s foreword, Minister for AI and Digital Government Feryal Clark says: “Enterprise connected devices remain a hugely attractive target for cyber criminals and our adversaries as many of these devices have limited security features built in, making them an easy target.”
She adds: “We must now act to ensure that connected devices used in a business context are also afforded better protection throughout their lifecycles.
“I am therefore pleased to announce this call for views on the cyber security of enterprise connected devices.”