IoT Vulnerabilities Surge: Forescout’s 2024 Report Highlights Risks and Trends

3 mins read
IoT Vulnerabilities Surge: Forescout's 2024 Report Highlights Risks and Trends

The Forescout report reveals a concerning surge in IoT vulnerabilities, escalating by 136% within a year. With 33% of IoT devices now vulnerable, including critical infrastructure like wireless access points and IP cameras, the threat landscape is increasingly ominous. Rik Ferguson of Forescout emphasizes that threat actors target enterprise-connected IoT devices, exploiting them for unauthorized access and lateral movement. Alarmingly, Internet of Medical Things (IoMT) devices are also at risk, threatening patient care and medical systems.

Network infrastructure, notably routers and wireless access points, surpass endpoints in vulnerability. Operational technology faces risks from devices like uninterruptible power supplies and robotics. Despite previously being the most vulnerable sector, healthcare has seen improvements due to increased security investment, particularly against ransomware.

Globally, China leads in device risk, while the UK demonstrates comparatively lower risk. These findings underscore the critical need for organizations to fortify IoT security measures against evolving cyber threats, safeguarding not only their infrastructure but also critical services and public safety.

IoT Vulnerabilities Surge by 136%: Key Findings from Forescout’s 2024 Report

Internet of Things ( IoT ) devices containing vulnerabilities have surged by 136 % compared to a year ago, according to Forescout’s The Riskiest Connected Devices in 2024 report.The study, which analyzed data sourced directly from nearly 19 million devices, found that the proportion of IoT devices with vulnerabilities rose from 14 % in 2023 to 33 % in 2024.

The most vulnerable IoT device types were wireless access points, routers, printers, voice over Internet Protocol ( VoIP ) and IP cameras.

Around a third ( 33 % ) of IoT devices analyzed had vulnerabilities.

Forescout’s VP Security Intelligence Rik Ferguson stated to Infosecurity that threat actors generally target IoT devices connected to the enterprise stack, such as IP cameras and building management systems, away of consumer smart products.

These endpoints give attackers a great deal of the opportunity to hack into and break into an organization’s systems without being seen.

Because they are typically visible to the enterprise security stack, they are frequently tutorials shared in underground forums about how to compromise and use them for lateral movement, exfiltration, and command and control, according to Ferguson.

Internet of Medical Things ( IoMT ) were also highlighted as a significant risk by the researchers, with 5 % of these devices found to contain vulnerabilities.

The riskiest devices observed in this category were medical information systems, electrocardiographs, digital imaging and communications in medicine ( DICOM) workstations, picture archiving and communication systems ( PACS) and medication dispensing systems.

The researchers noted that there are documented instances of ransomware attacks that affect the functionality of dispensing facilities, which can cause persistent treatment delays.

IoMT has also moved above the operational technology ( OT ) in categories with the riskiest devices, compared to Forescout’s 2023 report.

Network equipment is the most susceptible category of IT equipment

IT devices accounted for most device vulnerabilities ( 58 % ) in this year’s report, although this represents a significant fall from 78 % in 2023.

Network infrastructure devices, including routers and wireless access points, were the riskiest type of IT device category, surpassing endpoints.

According to Ferguson, there have been fewer and fewer IT device categories as a result of attackers focusing on frequently uncontrolled resources like mobile access points and routers.

He noted that ransomware was developed specifically for these devices and that hypervisors have been the entry points for significant compromises in the previous year.

Uninterruptible power supplies ( UPS), distributed control systems (DCS), programmable logic controllers ( PLC ), robotics, and building management systems ( BMS ) were the five most dangerous device types identified in OT environments.

In total, 4 % of Twisted devices were found to contain vulnerabilities.

The researchers found that robot use is speedily increasing in sectors like mechanical manufacturing and electronics, where factories are becoming more connected.

Some of these robots have outdated software and default credentials, which are the same security issues as another OT equipment.

IoT and Cybersecurity: What's the Future?

Industry Device Risk Scores: Insights from Forescout’s Latest Report

The industries that have the highest average device risk are technology ( 8.3 ), education ( 8.14 ), manufacturing ( 7.98 ) and financial ( 7.95 ).

Ironically, healthcare has gone from being the riskiest industry in 2023, to the least riskiest in Forescout’s the latest report, with a score of 7.25.

This is a result of healthcare’s substantial investment in device security in the previous year, according to the researchers.

Ferguson noted that healthcare has learned from being seriously targeted by ransomware attacks in the last year by closing vital entry points for attackers, and in particular by reducing the exposure of Telnet and RDP.

Risk scores are quantified based on configuration, behavior and function, with each device assigned a score between 1 and 10.

The country with the highest average device risk was China ( 7.32 ), followed by Philippines ( 6.97 ), Thailand ( 6.96 ), Canada ( 6.51 ) and the US ( 6.44 ).

The UK received the lowest risk score of the nations analyzed, at 6 points.

Leo Portal

Leo is an expert in the field of smart city research and an overall tech-enthusiast with an emphasis on smart energy, IOT, smart homes and governance. After a master degree in international administration at the University of Gothenburg in Sweden, and a master in public management at Fudan University in China, he pursued research studies in the field of smart cities at the European University Institute. This led him to publish multiple articles on smart cities. Among them “Using Smart People to Build Smarter: How Smart Cities Attract and Retain Highly Skilled Workers to Drive Innovation (Belgium, Denmark, the Netherlands, Poland)” published in the Smart Cities and Regional Development Journal (SCRD) and “Establishing Participative Smart Cities: Theory and Practice”, also published in the SCRD Journal. He regularly audits and advises municipalities and regional governments on their smart city strategies. He is currently writing a chapter for Springer on smart mobility in French smart cities.

Leave a Reply

Your email address will not be published.

Revolutionizing RV Theft Recovery: Sigfox 0G Technology Offers Enhanced Security in the UK
Previous Story

Revolutionizing RV Theft Recovery: Sigfox 0G Technology Offers Enhanced Security in the UK

U.S. DOE Definition of Zero-Emission Buildings: A Blueprint for Decarbonization and Sustainability
Next Story

U.S. DOE Definition of Zero-Emission Buildings: A Blueprint for Decarbonization and Sustainability

Latest from Technology

Don't Miss