BitSight identifies thousands of global organisations using insecure webcams, other IoT devices

March 28, 2023

BitSight, a provider of cyber risk detection and management, has unveiled new research which found that one in 12 BitSight-tracked organisations with Internet-facing webcams or similar IoT devices are susceptible to video and audio compromise. These findings come shortly after the White House's release of its National Cybersecurity Strategy, which aims to improve the security of IoT devices.

Spanning 54 countries, the exposed organisations include multiple Fortune 1000 organisations and are concentrated in the education, technology, government and politics, and media and entertainment sectors. Of these sectors, education was found to be most at risk: nearly one in four BitSight-tracked education organisations using Internet-facing webcams or similar devices are susceptible to spying.

By utilising exposed devices, organisations put both cybersecurity and physical security at risk. If these devices are exploited, threat actors could eavesdrop on both private and professional conversations, allowing them to potentially exploit personal information and sensitive business information. Exposed webcams overlooking access-controlled doors and rooms could also provide bad actors with key information relating to physical security.

“This research shows that even everyday technologies, such as webcams, can leave organisations highly vulnerable if exposed,” says BitSight chief risk officer Derek Vadala. “Understanding how these devices can increase an organisation’s attack surface and taking the steps to deploy them in a manner that limits potential threats is critical.”

BitSight assembled a dataset of IP addresses owned by organisations with at least one open audio/video service, mapping them to BitSight’s inventory of organisations to determine rates of exposure. The exposed devices discovered by BitSight were found not to be protected by a firewall or VPN, despite recommended practices. Additionally, they were either misconfigured, possibly due to a user failing to set a password, or suffered from a software vulnerability.

BitSight urges organisations to identify and assess the security of any video- and audio-enabled devices deployed internally and by third-party business partners, and to engage in the following remediation efforts:

  • If the devices are not behind a firewall or VPN, then prioritise placing them behind one.
  • If the devices lack authentication to access video and/or audio feeds, then prioritise setting up access control measures to protect them.
  • If the devices suffer from a software vulnerability, the developer is the only route to remediation. In this case, BitSight recommends halting use of the exposed device and changing brands if the vendor is not able or willing to remediate.

For more information, the full study can be viewed here.
