Retailers are benefiting from connected devices, known as the Internet of Things (IoT); however, increased connectivity brings increased risk. Because retailers hold payment card details, they are an attractive target for cybercriminals. A successful cyberattack can be disastrous for a retailer's reputation, as customers feel betrayed if their payment details are compromised. Retailers must understand this risk and identify which devices are most vulnerable.

Forescout has released The Enterprise of Things Security Report, which identifies the 10 riskiest IoT device types in retail in 2020. Forescout Research Labs describes it as the most comprehensive study of its kind in the cybersecurity industry to date: it assessed the risk posture of more than eight million devices deployed across five verticals, including retail.

Forescout measured the risk a device poses to an organisation by aggregating its known vulnerabilities, their exploitability, the remediation effort, matching confidence, open ports, potential communications with other devices, business criticality and whether the device is managed.

The 10 riskiest IoT device types in retail are:
1. Physical access control
2. Heating, ventilation and air conditioning (HVAC) systems
3. IP camera
4. Programmable logic controller
5. Firewall
6. Out-of-band controller
7. Wireless access point
8. Video conferencing
9. Router or switch
10. Network attached storage

Smart building devices ranked as the riskiest retail device category, with physical access controls, HVAC systems and IP cameras occupying the top three places. Physical access controls open or close door locks when an authorised badge is presented, preventing unauthorised entry into shops or specific rooms. HVAC systems and IP cameras were found configured with critical open ports, connected to other risky devices, and carrying critical vulnerabilities.

Smart building devices give cybercriminals an easy way onto the building's network. From there, they can unlock premises and rooms to steal physical goods, or damage the data centre by tampering with locks and HVAC systems so that sensitive equipment overheats.

Networking and Voice over Internet Protocol (VoIP) devices are generally less risky than smart building devices because their impact is usually confined to information systems. However, networking equipment such as routers, switches and firewalls is often exposed to the internet, and consumer-grade routers are a preferred target because they are rarely updated and frequently ship with default credentials that are publicly documented.

Wireless access points link internal and external networks and are frequently used to host guest devices on corporate networks. While guest devices usually have no access to sensitive systems or information, they share a segment with many other guest devices, can be infected, and are much harder to monitor than managed devices.

For retailers in particular, point of sale (POS) devices can also present a risk as these are ideal access points for cybercriminals looking to steal payment information.

Retailers should aim to reduce their risk and increase their network’s overall resilience by:

– Increasing visibility: Retailers must be able to continuously discover, classify and assess devices without agents or active techniques that could disrupt business operations. This facilitates real-time risk management.
– Segmenting networks: Dynamic network segmentation across the extended enterprise reduces the attack surface and regulatory risk.
– Managing endpoints: Retailers need a single interface to manage every network-connected device and a unified asset inventory.
– Implementing policy-based controls: Retailers need countermeasures to mitigate threats, incidents and compliance gaps.
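The four steps above (visibility, segmentation, endpoint management, policy-based controls) can be exercised together against an asset inventory. The following is an added example, not Forescout's product, scoring model or code from the report: it takes a constructed inventory of retail devices, checks each one against a hypothetical segmentation policy (POS equipment alone on the cardholder data environment VLAN, building systems on their own VLAN), flags exposed cleartext management services and unmanaged devices, and ranks devices with a coarse score that uses the kinds of factors the report lists (vulnerabilities, open ports, management status, business criticality). Device names, VLAN names, port list and weights are all assumptions made for illustration.

```python
"""Audit a retail device inventory for segmentation and hygiene gaps.

Added example; not Forescout's product or risk-scoring method. Every device
record, VLAN name, port list and weight below is constructed for illustration.
"""
from dataclasses import dataclass

# Services that should not be reachable on an IoT device from the store network.
# Constructed list: cleartext management and legacy file-sharing / streaming ports.
RISKY_PORTS = {21: "ftp", 23: "telnet", 80: "http", 139: "netbios", 445: "smb", 554: "rtsp"}

# Hypothetical segmentation policy: each device class belongs on exactly these VLANs.
# The cardholder data environment ("cde") VLAN is reserved for POS equipment.
ALLOWED_VLANS = {
    "pos": {"cde"},
    "ip_camera": {"building"},
    "hvac": {"building"},
    "access_control": {"building"},
    "wireless_ap": {"infra"},
    "guest_client": {"guest"},
}


@dataclass
class Device:
    name: str
    kind: str
    vlan: str
    open_ports: set
    managed: bool            # enrolled in endpoint management / has an owner
    critical_vulns: int = 0  # count of known critical CVEs (assumed from a scanner)
    business_critical: bool = False


@dataclass
class Finding:
    device: str
    issue: str


def audit(devices):
    """Return one Finding per policy violation or hygiene gap across the inventory."""
    findings = []
    for d in devices:
        allowed = ALLOWED_VLANS.get(d.kind)
        if allowed is None:
            findings.append(Finding(d.name, f"unclassified device type {d.kind!r}"))
        elif d.vlan not in allowed:
            findings.append(Finding(d.name, f"{d.kind} on VLAN {d.vlan!r}, expected {sorted(allowed)}"))
        for port in sorted(d.open_ports & set(RISKY_PORTS)):
            findings.append(Finding(d.name, f"risky service {RISKY_PORTS[port]}/{port} exposed"))
        if not d.managed:
            findings.append(Finding(d.name, "unmanaged device (no agent, no inventory owner)"))
    return findings


def risk_score(d):
    """Coarse additive score over factors of the kind listed above. Weights are constructed."""
    score = 3 * d.critical_vulns
    score += 2 * len(d.open_ports & set(RISKY_PORTS))
    score += 2 if not d.managed else 0
    score += 2 if d.business_critical else 0
    if d.vlan not in ALLOWED_VLANS.get(d.kind, {d.vlan}):
        score += 4  # a misplaced device can reach segments it should never see
    return score


def rank(devices):
    """Highest-risk devices first; ties broken by name for stable output."""
    return sorted(devices, key=lambda d: (-risk_score(d), d.name))


# Constructed sample inventory (not data from the report).
SAMPLE_INVENTORY = [
    Device("pos-lane-01", "pos", "cde", {443}, True, 0, True),
    Device("cam-entrance", "ip_camera", "cde", {80, 554}, False, 2),
    Device("hvac-roof", "hvac", "building", {23, 80}, False, 1),
    Device("badge-stockroom", "access_control", "building", {443}, True, 0, True),
    Device("guest-laptop", "guest_client", "cde", {445}, False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[FINDING] {f.device}: {f.issue}")
    for d in rank(SAMPLE_INVENTORY):
        print(f"{risk_score(d):>3}  {d.name} ({d.kind}, vlan={d.vlan})")
```

On the sample data the camera sitting on the cardholder VLAN with RTSP and HTTP exposed and no owner ranks first, ahead of the HVAC controller with telnet open; the two managed, correctly segmented devices score lowest even though one of them (the badge reader) is business critical. That ordering is the point of combining the factors rather than reading any one of them alone.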

Cybersecurity used to be the sole responsibility of the IT team. However, the increasing number and diversity of connected devices in retail means every employee is a cybersecurity stakeholder. Every retailer must be aware of the risks presented by connected devices and take all possible steps to close the gaps and mitigate those risks.

Rohan Langdon is regional director for Australia and New Zealand at Forescout