ITEM: The Internet of Things has been famously insecure for at least seven years, chiefly because the vendors producing IoT devices didn’t take security seriously enough. New research released this week by Claroty suggests that while IoT security still hasn’t improved much, at least vendors are getting better at disclosing security problems – at least in the Extended Internet of Things (XIoT) space.
According to the latest State of XIoT Security Report from Team82 (Claroty’s research team), vulnerability disclosures impacting IoT devices increased by 57% in the first half of 2022 compared to the previous six months.
That number looks unsettling – not least because XIoT includes operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. In other words, these vulnerabilities are being found in XIoT devices running more mission-critical services than consumer webcams and wireless printers.
XIoT vendors taking more responsibility
The good news is that disclosures are happening – and vendors are stepping up efforts to disclose vulnerabilities themselves. The report found that over the same time period, vendor self-disclosures increased by 69%. In fact, the report says, vendor self-disclosures (29%) surpassed independent research outfits (19%) as the second most prolific vulnerability reporters. Although third-party security companies (45%) are more prolific in disclosing vulnerabilities, the rise of vendor self-disclosures is a sign that they’re taking security more seriously:
This indicates that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programs and dedicating more resources to examining the security and safety of their products than ever before.
This is a fairly big deal – the early days of IoT saw device vendors not only taking a lax approach to security, but also trying to keep vulnerabilities under wraps in the name of “security by obscurity”, or at least protecting the brand. The fact that vendors are being more proactive in disclosing vulnerabilities suggests a mindshift towards a more open security approach.
(That said, it could also be the result of new cybersecurity legislation in some places promising tougher penalties for vendors and companies that don’t disclose cyber attacks and related vulnerabilities in a timely fashion.)
Meanwhile, fully or partially remediated firmware vulnerabilities increased by 79%, which is notable given the relative challenges in patching firmware due to longer update cycles and infrequent maintenance windows, the report says:
This indicates researchers’ growing interest in safeguarding devices at lower levels of the Purdue Model, which are more directly connected to the process itself and thus a more attractive target for attackers.
Other findings of note
- Published firmware vulnerabilities were nearly on par with software vulnerabilities (46% and 48% respectively), a huge jump from the 2H 2021 report when there was almost a 2:1 disparity between software (62%) and firmware (37%).
- On average, XIoT vulnerabilities are being published and addressed at a rate of 125 per month, reaching a total of 747 in 1H 2022. The vast majority have CVSS scores of either critical (19%) or high severity (46%).
- The top mitigation step is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%) and ransomware, phishing, and spam protection (15%).
Full report is here.