Who Left the Door Open? Investigating the Causes of Exposed IoT Devices in an Academic Network
Main authors: | , , , , , , |
---|---|
Format: | Conference proceeding |
Language: | eng |
Summary: | Many studies have discovered internet-facing systems exposing services that are vulnerable to attack. These are often assumed to be misconfigured systems that are not meant to expose these services to the network, especially not in an enterprise network. In this study, we clarify the causes of the presence of IoT devices exposing Telnet and FTP in a university enterprise network. This also helps us to understand who is responsible. We scanned the network and found 185 IoT devices consisting of 30 device models exposing Telnet and 49 models exposing FTP. We sent out a security notification and a survey to device owners. The survey demonstrated that 2 out of 21 and 8 out of 41 owners intentionally enabled Telnet and FTP, respectively, on all their devices. After receiving the notification, 38 out of 47 owners said they were willing to take measures on at least one of their IoT devices. All except one of the devices of these willing owners were successfully remediated. When we investigated the manuals of the devices, we were able to confirm that there was no disclosure whatsoever of the exposed service in 15 out of 30 manuals for models with Telnet and 10 out of 49 manuals for models with FTP. We also confirmed, by combining a survey of the manufacturers with the device manuals, that 22 out of 30 and 29 out of 49 devices enabled Telnet and FTP by default, respectively. From the above results, we conclude that the presence of misconfigured devices was less driven by human errors of the owners and more by the choices of the manufacturers. The majority of owners were motivated to remediate the security risks once made aware of them. |
---|---|
ISSN: | 2375-1207 |
DOI: | 10.1109/SP54263.2024.00117 |