IT systems – and this year networking equipment in particular – continue to pose the most security risk for organizations, but it is the vulnerable Internet of Things (IoT) devices that are quickly moving up the ladder, according to researchers with Forescout’s Verdere Labs researchers.

In this year’s Riskiest Connected Devices report released this week, the researchers found that among IT devices, networking gear – such as wireless access points and routers – proved for the first time to be more vulnerable than endpoints like computers, servers, and hypervisors.

In addition, these IT systems as a group still accounted for 58% of the vulnerabilities detected among the four groups Verdere Labs looked at – the other three being IoT, operational technology (OT), and Internet of Medical Things (IoMT) – it was a drop from 2023, when they came in at 78%.

Instead, IoT devices like network-attached storage (NAS) systems, voice-over-IP (VoIP) equipment, and IP cameras, and printers that surged by 136 – from 14% to 33% – with network video recorders (NVRs) joining the group.

IoT devices “are commonly exposed on the internet and have been historically targeted by attackers,” the researchers wrote in a blog post, noting the appearance of NVRs on the list. “NVRs sit alongside IP cameras on a network to store recorded video. Like IP cameras, they are commonly found online and have significant vulnerabilities that cybercriminal botnets and APTs have exploited.”

More Area to Protect

“The attack surface now encompasses IT, IoT and OT in almost every organization – with IoMT in healthcare,” they wrote in the report. “It is not enough to focus defenses on risky devices in a single category since attackers can leverage devices of different categories to carry out attacks. We have demonstrated this with a proof-of-concept attack (R4IoT) that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT).”

The R4IoT demonstration looked at what they expect will be the next generation of ransomware that will target IoT and OT systems, given the expansion in both number and types of these devices and their connectivity into corporate networks. The continued convergence of IoT and OT devices and the rise of software supply-chain attacks expand the attack surface of essentially every company.

In addition, the threat isn’t going away, with more than 1,100 ransomware kits that bad actors can use to extort organizations, they wrote, noting that according to the SANS Institute, the number of ransomware attacks in 2023 jumped year-over-year by 73%, to 4,611 total cases.

Vedere Labs reviewed data from almost 19 million devices between January 1 and April 30 to compile its 12-page report, looking at the devices through three lenses: configuration (number and severity of vulnerabilities plus the open ports), behavior (inbound and outbound malicious traffic and inbound internet traffic to the device), and function (the danger to the organization if it’s compromised). Each device is given a risk score and the researchers calculated average of each device.

Watch Out for the Robots

There were a few surprises – some good, some bad – beyond the increased risk of networking equipment and the spike in the IoT category, according to the researchers. One emerging threat is in the OT arena: industrial robots. Their use in industries like electronics and automotive manufacture in more highly connected and smart factories is rising quickly. They counted almost 4 million industrial robots around the world last year, with about 80% in five counties: the United States, China, Japan, South Korea, and Germany.

“There are also service robots deployed in a variety of other industries, such as logistics and the military,” the researchers wrote. “Despite popular use, many robots have the same security issues as other OT equipment, including: outdated software, default credentials and lax security postures. Attacks on robots range from production sabotage to physical damage and human safety.”

Improvements in Health Care Security

That said, health care is no longer the industry with the riskiest devices – that crown is now worn by the technology sector – thanks in part to organizations switching the remote management of devices from Telnet to the more secure SSH, which uses an encrypted format and a secure channel to send data. The sector saw the percentage of open ports drop from 10% in 2023 to 4% this year and the use of Remote Desk Protocol (RDP) from 15% to 6%.

Still, the IoMT devices used in health care facilities are still a risk, particularly for those systems dispensing medication. The researchers wrote that they’ve been known to vulnerable to almost 10 years and are listed in the report as the sixth-most vulnerable type of device. Hospitals and other facilities are likely to continue to be a growing focus of threat actors.

A Challenging Future

It’s only going to get more difficult for organizations, they warned. By 2028, there will be more than 25 billion IoT devices.

“They have significantly expanded the attack surface creating new challenges and vulnerabilities,” the researchers wrote. “The need for accurate, rapid information from systems across every industry is essential for business operations. From the electric power grid to electrocardiograms, connected devices monitor our health, report changes in conditions or trigger automated actions.

They outlined steps enterprises can take to reduce that attack surface, including upgrading, replacing, or isolating OT and IoMT devices that are running legacy operating systems known to have critical flaws, implementing automated device compliance verification, and ensuring that non-compliant devices don’t connect to the internet.

They also recommended improve security on the network, from using segmentation to isolating devices like IP camaras and dangerous open ports like Telnet.