Assessing the Technical Vulnerabilities of Unmanaged Devices

I read an article recently in Dark Reading that described the research done by the firm Risk Based Security that showed that at least 33% of all disclosed vulnerabilities are missing from the CVE and NVD databases. Why? Because these databases include only the vulnerabilities that security vendors and researchers directly report to them. All other software vulnerabilities are missing from the CVE and NVD databases. And many of those missing vulnerabilities are critical in severity.

Of course, this missing information means that, since most scanning tools use the CVE and NVD databases as their source of truth, enterprise security managers often have an incomplete picture of software vulnerabilities on their networks.

As interesting as this was, I say: Why stop the analysis here? Software vulnerabilities are just the tip of the iceberg. There are many kinds of technical vulnerabilities that have nothing to do with software CVEs but are caused by how the device has been designed and/or how you have (or have not) configured it when you (or someone) deployed it. For example:

• Data storage vulnerabilities. Is data being stored on the device? Is that data encrypted? Do vulnerabilities in the device’s operating system allow attackers to access the data?

• Cloud synchronization. Is data being sent from the device to a cloud service? Is that cloud service in a suspicious domain (e.g. Russia)?

• Application ambiguity. Does the device load applications from a repository that you don’t control, such as an app store?

• Authentication vulnerability. Does the device allow unauthenticated access, rendering it vulnerable to attacks such as DNS rebinding?

• External connectivity. Can the device be accessed via Wi-Fi, Bluetooth, or other peer-to-peer IoT protocols that are not monitored by your existing security tools?

As an example, several of the factors listed above apply to Smart TVs, and recently the FBI reminded consumers how vulnerable Smart TVs are to being attacked. The FBI bulletin did not go into details, but I would say that Smart TVs frequently suffer from four of the five vulnerabilities listed above. (I don’t think they store data, but wow, they sure transmit it.)

One story that Armis sales people love to tell to new customers is the time that Armis found a Smart TV that had been installed in a conference room. It had been infected with malware, and the malware was attempting to propagate to nearby devices via the TV’s built-in Wi-Fi hotspot and Bluetooth radio. Since Armis’ discovery of Blueborne in 2017, Bluetooth has been a known propagation vector, but most enterprise security tools don’t monitor Bluetooth and therefore can’t detect malicious Bluetooth activity. Armis can. Our customer was pleased.

Looking back at the list above, it is clear that this compromised Smart TV bore two technical vulnerabilities:

• Application ambiguity: The Smart TV got infected by a bad download of software from a service technician who periodically visited to “maintain” the device. This software was not under the direct control of the enterprise IT department, who was not even aware that the software was being periodically updated.

• External connectivity: The default-on capabilities of the Wi-Fi hotspot and the Bluetooth connectivity options built into the Smart TV allowed the malware to leverage these vectors for propagation.

One of the capabilities that Armis’ agentless device security platform enables is the ability to perform vulnerability assessments against all forms of devices including traditional IT, OT, enterprise IoT and consumer IoT. We have designed our platform in a way that can discover both software vulnerabilities (CVEs) and many other types of device vulnerabilities, including those listed above. In this way, we provide our customers with more complete information about vulnerabilities in their environment, not just the “tip of the iceberg” information that resides inside CVE and NVD databases. For more details on Armis’ capabilities, check out this solution brief.

What do you think? I’d love to hear from you. Contact me at [email protected]