Which devices on your network are most vulnerable?

Infosec teams know all about cyberattacks on servers and desktop computers, and the optimal protective practices are both well-known and well-developed. But things get a lot more complicated when it comes to less “visible” devices — such as routers, printers, medical equipment, and video surveillance cameras. Yet they too are often connected to the organization’s general network along with servers and workstations. The question of which of these devices should be the top infosec priority, and what risk factors are key in each case, is the subject of the “Riskiest Connected Devices in 2024” report.

Its authors analyzed more than 19 million devices: work computers, servers, IoT devices, and specialized medical equipment. For each individual device, a risk level was calculated based on known and exploitable vulnerabilities, open ports accessible from the internet, and malicious traffic sent from or to the device. Also factored in were the importance of the device to its respective organization, and the potential critical consequences of compromise. Here are the devices that researchers found to be most often vulnerable and high-risk.

Wireless access points, routers, and firewalls

The top two places in the list of the riskiest devices in office networks — by a comfortable margin, went to network devices. Routers are typically accessible from the internet, and many of them have open management ports and services that are easy for threat actors to exploit: SSH, Telnet, SMB, plus highly specialized proprietary management services. In recent years, attackers have learned to exploit vulnerabilities in this class of equipment — especially in its administration interfaces. Much the same holds for firewalls — especially since these two functions are often combined in a single device for SMBs. Access points have insecure settings even more often than routers do, but the threat is somewhat mitigated by the fact that compromising them requires being in close proximity to the device. The initial attack vector is usually a guest Wi-Fi network, or a dedicated network for mobile devices.

Printers

Although printer exploitation by hackers isn’t that common, such cases are nearly always high-profile. The risk factors associated with printers are as follows:

• They’re often connected directly to the office network and at the same time to the manufacturer’s central servers; that is — to the internet.
• They often operate in a standard configuration with default passwords, allowing a potential attacker to view, delete, and add print jobs, among other things, without having to exploit any vulnerabilities.
• They usually lack infosec tools, and often get added to firewall allowlists by network administrators to ensure accessibility from all computers in the organization.
• Software updates are slow to appear, and installation by users is even slower — so dangerous vulnerabilities in printer software can remain exploitable for years.
• The “printers” category includes not only network MFPs, but also highly specialized devices such as label and receipt printers. The latter are often directly connected to both POS terminals and privileged computers that process important financial information.
• Printers are a favorite target of hacktivists and ransomware groups because a hack that prints off thousands of copies of a threatening letter can’t fail to make an impression.

VoIP devices and IP surveillance cameras

Like printers, devices in these categories are rarely updated, are very often accessible from the internet, have no built-in information security tools, and are regularly used with default, insecure settings.

Besides the risks of device compromise and hackers’ lateral movement across the network that are common to all technology, unique risks here are posed by the prospect of attackers spying on protected assets and facilities, eavesdropping on VoIP calls, or using VoIP telephony for fraudulent purposes impersonating the attacked organization. Exploiting vulnerabilities isn’t even necessary; a misconfiguration or default password will suffice.

Automatic drug dispensers and infusion pumps

The No. 1 niche devices in the hit parade are automated drug dispensers and digital infusion pumps, the compromising of which could seriously disrupt hospitals and threaten lives. According to the researchers, high-risk cases occur when such devices aren’t protected from external connections: in late 2022, 183 publicly accessible management interfaces for such devices were discovered; and by late 2023, that number had grown to 225. For a critical incident affecting patient care to arise, deep compromise of the target device is often not necessary — a denial of service or disconnection from the telecommunications network would be quite enough. Real attacks on healthcare facilities by the ransomware group LockBit have provoked such situations. Another risk is the malicious altering of drug dosage, which is made possible by both numerous device vulnerabilities and insecure settings. In some institutions, even a patient can do the altering simply by connecting to the hospital’s Wi-Fi.

How to protect vulnerable equipment in your organization

• Disable all unnecessary services on the equipment and restrict access to necessary ones. Control panels and service portals should only be accessible from administrative computers on the internal subnet. This rule is critical for network hardware and any equipment accessible from the internet.
• Segment the network by creating a separation between the office, production, and administrative networks. Ensure that IoT devices and other isolated resources can’t be accessed from the internet or the office network available to all employees.
• Use strong and unique passwords for each administrator, with multi-factor authentication (MFA) where possible. Use unique passwords for each user, and be sure to apply MFA for access to critical resources and equipment.
• If the device lacks support for sufficiently strong authentication and MFA, you can isolate it in a separate subnet, and introduce MFA access control at the network equipment level.
• Prioritize rapid firmware and software updates for network equipment.
• Study the network and security settings of the equipment in detail. Change default settings if they aren’t secure enough. Disable built-in default accounts and password-less access.
• Study the router manual, if available, for ways to improve security (hardening); if not available, seek recommendations from reputable international organizations.
• When purchasing printers, multi-function peripherals (MFPs), and similar devices, explore the standard features for improving printer security. Some corporate models offer an encrypted secure print function; some are capable of updating their firmware automatically; and some are able to export events to a SIEM system for comprehensive infosec monitoring.
• Implement an all-in security system in your organization, including EDR, and comprehensive SIEM-based network monitoring.