- Enterprise IoT is a major liability, the British government claims
- Most organizations use old and obsolete software
- They do not adhere to security standards either
Enterprise Internet of Things (IoT) devices are a major security liability. That is according to a new report by a group of cybersecurity professionals, produced on behalf of the British government.
“The government is concerned about the security of these products, as vulnerable devices can provide a route for hostile actors to attack the IT systems used by companies,” the British government said in an announcement of the report. “As part of the government’s work to solve this problem and improve cyber resilience across the British economy, the government has instructed NCC Group to assess the vulnerability of certain commonly used enterprise connected devices.”
The results show that British companies have many reasons to worry. NCC Group found a “number” of software and hardware vulnerabilities that could lead to remote code execution (RCE) attacks, granting threat actors total control of a device on the network.
Obsolete software
One of the biggest problems was obsolete software. The report indicates that obsolete software was “widespread between devices”, and states that one of the devices analyzed ran a 15-year-old bootloader.
The British government also said that in “most cases”, an attacker with physical access to a device would be able to compromise it entirely, installing a persistent backdoor to be used in future attacks. The majority of the tested devices run all their processes as the highly privileged “root” user, which means that there is no access granularity and the consequences of a breach could be disastrous.
There is nothing particularly unique about these IoT devices, nor about the vulnerabilities they carried. The British government said that they were “generally unsatisfied”, especially with regard to the configuration of services, applications or features. It also warned that adherence to the NCSC device security principles and the ETSI EN 303,465 standard was “mixed”.