BitSight, a leader in detecting and managing cyber risk, today unveiled new research which found that one in 12 BitSight-tracked organizations with Internet-facing webcams or similar IoT devices is susceptible to video and/or audio compromise. These findings come shortly after the White House released its National Cybersecurity Strategy, which aims to significantly improve the security of IoT devices.
Spanning 54 countries, exposed organizations include multiple Fortune 1000 organizations, and are concentrated in the education, technology, government and politics, and media and entertainment sectors. Of these sectors, education was found to be most at risk – nearly one in four BitSight-tracked education organizations using Internet-facing webcams and/or similar devices are susceptible to spying.
By operating exposed devices, organizations put both cybersecurity and physical security at risk. If these devices are exploited, threat actors could eavesdrop on both private and professional conversations, giving them access to personal information and sensitive business information. Exposed webcams overlooking access-controlled doors and rooms could also give bad actors key information about physical security controls, such as who enters a space and when.
"This research shows that even everyday technologies, such as webcams, can leave organizations highly vulnerable if exposed," said BitSight Chief Risk Officer Derek Vadala. "Understanding how these devices can increase an organization's attack surface and taking the steps to deploy them in a manner that limits potential threats is critical."
For this study, BitSight assembled a comprehensive dataset of IP addresses owned by organizations with at least one open audio/video service, mapping them to BitSight's inventory of organizations to determine rates of exposure. The exposed devices BitSight discovered were reachable directly from the Internet, without the protection of a firewall or VPN that best practice recommends. Additionally, they were either misconfigured – for example, a user never set a password, so the feed was served without authentication – or suffered from a software vulnerability.
BitSight urges organizations to identify and assess the security of any video- and/or audio-enabled devices deployed internally and by third-party business partners, and engage in the following remediation efforts:
If the devices are not behind a firewall or VPN, then prioritize doing so.
If the devices lack authentication to access video and/or audio feeds, then prioritize setting up access control measures to protect them.
If the devices suffer from a software vulnerability, only the vendor can fix the firmware. In this case, BitSight recommends halting use of the exposed device and changing brands if the vendor is not able or willing to remediate.
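As a concrete version of the second check above (does the feed require credentials?), the following Python script is an added example written for this page; it is not BitSight's tooling and not code from the original release. It assumes the device speaks RTSP on its standard port (554) and sends a single unauthenticated DESCRIBE request: a 200 OK carrying an SDP body with m=video or m=audio lines means anyone who can reach the port can request the stream, while a 401 with a WWW-Authenticate header means access control is in place. The sample replies and the 192.0.2.10 address are constructed for offline testing.

```python
"""Check whether an RTSP camera serves its media description without credentials.

Added example for this page (hypothetical helper, not BitSight's methodology).
Only point probe_rtsp() at devices you are authorised to test.
"""
import re
import socket
from urllib.parse import urlparse


def build_describe_request(url: str, cseq: int = 1) -> bytes:
    """Return a minimal RTSP DESCRIBE request with no Authorization header."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: exposure-check/0.1\r\n"
        "\r\n"
    ).encode()


def classify_rtsp_response(raw: bytes) -> dict:
    """Classify a raw RTSP reply to an unauthenticated DESCRIBE.

    verdict is one of:
      "open"          - 200 OK with an SDP body advertising video/audio media
      "auth-required" - 401, or any reply demanding a WWW-Authenticate scheme
      "not-rtsp"      - the status line is not RTSP at all (wrong service)
      "other"         - RTSP, but neither an open feed nor an auth challenge
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_match = re.match(r"RTSP/\d\.\d\s+(\d{3})", lines[0])
    status = int(status_match.group(1)) if status_match else None

    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    challenge = headers.get("www-authenticate", "")
    scheme = challenge.split(" ", 1)[0].lower() if challenge else None
    # SDP media lines (m=video / m=audio) tell us what an eavesdropper would get.
    media = sorted(set(re.findall(r"^m=(video|audio)\b", body, re.MULTILINE)))

    if status == 200 and media:
        verdict = "open"
    elif status == 401 or scheme:
        verdict = "auth-required"
    elif status is None:
        verdict = "not-rtsp"
    else:
        verdict = "other"
    return {"status": status, "auth_scheme": scheme, "media": media, "verdict": verdict}


def probe_rtsp(url: str, timeout: float = 3.0) -> dict:
    """Send one unauthenticated DESCRIBE to the host in `url` and classify the reply."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 554
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe_request(url))
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return classify_rtsp_response(b"".join(chunks))


# Constructed sample replies (not real captures) so the classifier runs offline.
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"o=- 0 0 IN IP4 192.0.2.10\r\n"
    b"s=Lobby camera\r\n"
    b"m=video 0 RTP/AVP 96\r\n"
    b"m=audio 0 RTP/AVP 0\r\n"
)
SAMPLE_AUTH = (
    b"RTSP/1.0 401 Unauthorized\r\n"
    b"CSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="abc123"\r\n'
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("open camera", SAMPLE_OPEN), ("protected camera", SAMPLE_AUTH)):
        print(label, classify_rtsp_response(sample))
```

A device that answers "open" here fails the second remediation check regardless of firmware version; a device that answers "auth-required" still fails the first check if the probe succeeded from outside the corporate network at all, since the port should not be reachable without a firewall or VPN in front of it.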
For more information, the full study can be viewed here.