A universe of devices and technology has fallen into our laps at a speed that organizations struggle to manage effectively. And that boom in devices shows no signs of stopping. In 2019, there were an estimated 9.9 billion Internet of Things (IoT) devices. By 2025, we expect 21.5 billion. As more information about IoT device vulnerabilities is published, the pressure on industry and government authorities to enhance security standards might be reaching a tipping point.
Last month’s passage of the IoT Cybersecurity Improvement Act of 2020 means all IoT devices used by government agencies will soon have to comply with strict NIST standards. While it’s a progressive step for the network security of the U.S. government, standards will not apply to the IoT market at-large. However, many are hopeful that this security update will trickle out to all IoT vendors and devices.
Forescout Research Labs last month released a 14-page white paper and a 47-page research report detailing 33 vulnerabilities affecting millions of Internet of Things (IoT), Operational Technology (OT), and IT devices. Dubbed AMNESIA:33, these newly identified vulnerabilities include four broadly used TCP/IP stacks and have left more than 150 vendors potentially compromised.
Forescout’s findings are the first published study under Project Memoria, an initiative to understand the flaws and threats rooted in TCP/IP stacks for organizations. Malicious actors familiar with the vulnerabilities can use a number of devices to gain access, move laterally within networks, and cause extensive damage. Because AMNESIA:33 affects an expansive code network with deeply embedded subsystems, the task of identifying and patching vulnerable devices for your organization is as daunting as it is essential.