- Enterprise IoT is a major security liability, the United Kingdom government says
- Most organizations are running old and obsolete software
- They are not adhering to security standards either
Internet of Things (IoT) devices in the enterprise are a major security liability. That is according to a new report by cybersecurity professionals at NCC Group, produced on behalf of the United Kingdom government.
“The Government is concerned with the safety of these products, since vulnerable devices can provide a route for hostile actors to attack IT systems used by companies,” said the United Kingdom government in an announcement for the report. “As part of the government’s work to address this problem and improve cyber resilience across the United Kingdom economy, the Government commissioned the NCC Group to carry out a vulnerability evaluation of some commonly used business connected devices.”
The results show that United Kingdom companies have many reasons to worry. NCC Group found a “number” of software and hardware vulnerabilities that could lead to remote code execution (RCE) attacks, granting threat actors total control of a device over the network.
Obsolete software
One of the biggest problems was obsolete software. The report states that unpatched software was “frequent in all devices”, and that one of the devices analyzed was running a 15-year-old bootloader.
The United Kingdom government also said that in “most cases”, an attacker with physical access to a device could completely compromise it, installing a persistent backdoor to be used in future attacks. Most of the tested devices ran all their processes as the highly privileged “root” user, which means there is no privilege separation and the consequences of a breach could be serious.
There is nothing particularly unique about these IoT devices, or the vulnerabilities they carried. The United Kingdom government said they were “generally insecure”, especially when it comes to the configuration of services, applications or features. It also warned that adherence to the NCSC's device security principles and to the ETSI EN 303 465 standard was “mixed.”