Palo Alto Networks Unit 42 researchers say over half of all IoT hardware is vulnerable to medium- or high-severity exploits. Indeed, the team told ThreatPost that many organizations are sitting on a “ticking IoT time bomb”.
In the interview, Ryan Olson, vice president of Threat Intelligence for Unit 42, spoke about the dangers of unencrypted connected devices. He says the IoT market faces some major threats, including the potential exposure of confidential data and user information. “So 98 percent of IoT device traffic being unencrypted, meaning it’s in the clear, anyone can go and see it if they are able to access it on that network, sort of gives you an indication around how the software and how the protocols for these are being done.”
Obsolete legacy protocols are also an issue, leaving organizations open to attacks that would no longer work on newer systems. Olson says devices are not patched regularly, leaving them more open to attacks. “Either they’ve got software on them that there’s a vulnerability that exists which hasn’t been patched because the device maybe hasn’t been patched in a long time, or maybe there’s no patch available for it, or it has some sort of default password on it, which is widely known and it’s easy to identify that this device could be compromised.”
Non-Patch Solutions
According to Olson, while installing up-to-date patches can thwart attacks, patching is not the only answer for IoT. He highlights the fact that many devices have reached end-of-support but do not have to remain insecure. He suggests putting the device in an isolated VLAN, although that will mean it won’t be connected to other devices. “The last thing you want in a hospital is your device that’s connected, that’s maybe used for medical imaging, on the same network as a doctor who’s sitting down and opening phishing emails and maybe getting malware on his laptop. If you can isolate those devices, so they can’t talk to each other, you can greatly reduce the risks that that critical device is going to be impacted by some sort of malware.”