Realtek is a well-regarded semiconductor chipset manufacturer based in Taiwan, with many of their chips used in IoT devices. Along with the physical chips themselves, Realtek also provides firmware and software development kits to enable the devices to perform their functions and integrate into a variety of systems. To IoT system manufacturers, Realtek is a one-stop-shop for the most demanding requirements of their devices. But to cyber criminals finding an exploitable IoT vulnerability in these chipsets is a path towards breaching hundreds of organizations and across many years. Here’s some background on the Realtek vulnerability, and more importantly how it serves as a reminder for organizations to incorporate IoT/OT devices into their overall security posture.
On January 24, 2023 Palo Alto Network’s Unit 42 research group reported that exploitation of a remote code execution vulnerability accounted for 40% of cyber attacks between August and October 2022, with over 134 million attempts to exploit it through the end of 2022. There are 66 different manufacturers shipping products with this vulnerability, with roughly 190 different devices impacted.
What’s the right way to respond to the specific issue with Realtek-based devices, and with IoT/OT vulnerability management in general? First start with developing long term strategies, not one time. This specific CVE will be a threat for a long time to come because many IoT devices exist in the supply chain for a long time (months or years) before they are deployed. Use an asset discovery solution (Viakoo integrates with all leading discovery solutions) to make sure all devices are visible and understood. Have automation to manage critical cyber hygiene functions (firmware, passwords, certificates) because of their scale and need to quickly update or rotate security on devices when disaster strikes. Organizations need to ensure when deploying new devices that they are immediately updated to the latest and most secure firmware versions. In short, assess and account for IoT/OT devices as part of an organization’s security posture just as you would for IT systems.
With 40% of total attacks for part of last year aimed at exploiting IoT devices, it is astounding that organizations would not consider IoT/OT devices as part of their security posture. IoT devices clearly have become a principal focus for threat actors, and with good reason. These devices are often managed outside of IT, are difficult to patch, and have all the necessary ingredients (compute, network, and storage) to make them ideal for planting and distributing malware.
In most organizations IoT devices exist at 5X to 20X the scale of IT systems, making them “higher value” targets than IT systems to cyber criminals. Another factor is that the lines of business that operate them often don’t have budget to replace devices that are end-of-life or unsupported by the manufacturer (if the old printer is still working, why replace it?), making IoT/OT devices on the network more likely to have exploitable vulnerabilities. Without the use of asset discovery solutions designed with IoT in mind, many of these devices at scale are invisible to the security team or even to the teams that manage them.
The widespread use of open source software in IoT devices and the lack of having software bills of material (SBOMs) makes IoT devices ideal for planting malware and launching DDoS attacks from these infected devices. A remote code execution vulnerability, as in the Realtek devices, can be leveraged for a number of cyber criminal activities.
Want to discuss further how to ensure all your IoT/OT devices are visible, operational, and secure? Click here to request a demo and have a personalized discussion with one of our IoT security experts.