Skyrocketing IoT bug disclosures put pressure on security teams
Rising numbers of documented security issues in Internet of Things (IoT) devices mean that businesses have a new patch-management issue brewing, cybersecurity experts say.
A combination of more connected products, greater scrutiny by researchers, and regulations requiring disclosure of vulnerabilities has resulted in a rising tide of disclosed bugs. Those found in products considered to be part of the Extended Internet of Things (XIoT), for example, jumped 57% in the first half of the year, compared with the prior six months, Claroty stated in a recent report.
Embedded IoT devices have meanwhile jumped to account for 15% of the XIoT vulnerabilities, up from 9% in the second half of 2021.
This rapidly expanding landscape of IoT devices and infrastructure means that companies need to ensure visibility, not only into their IoT devices, but all the systems that manage those devices, and be ready to quickly patch those devices, says Sharon Brizinov, director of research for Claroty.
“The networks [have become] much more diverse than ever before, and that goes hand-in-hand with the fact that more security researchers are looking for vulnerabilities than ever before,” he says. “So, more devices and more awareness and more security researchers investigating those devices means more vulnerabilities being disclosed.”
This trend is only set to continue, according to experts. Companies will need to keep track of their IoT assets and, because vulnerability remediation typically requires a software update, evaluate whether deployed devices can easily be updated.
Fewer vendors are trying to hide their security issues and are moving away from silent patching — a good development for security but one that contributes to the “noticeable increase” in the number of IoT vulnerabilities being publicly disclosed, says Deral Heiland, principal security researcher for IoT at Rapid7.
“If no data is made available to the public, then end users can’t be aware of a potentially serious risk caused by a vulnerability and may delay patching,” he notes. “So, vendors publishing in this way is a positive move.”
Growing Number of XIoT Issues
Overall, 747 vulnerabilities were disclosed in XIoT devices between the start of January and the end of June, a 57% jump from the prior six months, according to Claroty’s “State of XIoT Security: 1H 2022” report. The affected products came from 86 different vendors, and for the first time, proactive disclosure by vendors became the second most common way that information on vulnerabilities was published, after disclosure by third-party firms. Independent researchers and the Zero Day Initiative were the third and fourth most common sources of vulnerability information.
To read the complete article, visit Dark Reading.