By Daniel dos Santos

As our world becomes increasingly interconnected, the security of Operational Technology (OT) and Internet of Things (IoT) devices is more critical than ever.

New findings from Forescout – Vedere Labs, the industry leader in device intelligence, and Finite State, an industry leader in software supply chain security, emphasize the critical state of software supply chains in OT and IoT routers, revealing widespread vulnerabilities. The findings focused on outdated software components in router firmware, across sectors from industrial operations to healthcare and critical infrastructure, highlighting associated cyber risks.

These findings are not just a wake-up call, but also show the need for immediate action to mitigate cyber risks today and in the future.

Unveiling vulnerabilities

The research revealed a troubling issue: the extensive use of outdated software components in routers, which are essential for device connectivity in various environments. Many of these routers depend on firmware built on outdated versions of the OpenWrt operating system – an open-source project for embedded operating systems primariy used for routing network traffic. The average open-source component in these routers was found to be over five years old, and using a version that lagged significantly behind the latest release.

Equally alarming was the widespread presence of known vulnerabilities, or “n-day” vulnerabilities, in the firmware images. On average, each firmware image contained 161 known vulnerabilities, with a significant number rated as high or critical. Despite the availability of newer, more secure versions of the software, these vulnerabilities persist in the latest firmware releases, leaving devices vulnerable to potential attacks.

dos Santos

The research also revealed significant security weaknesses in the routers’ binary protection mechanisms. Features like stack canaries, intended to prevent buffer overflow attacks, were found to be poorly implemented or not present at all. This lack of robust security features further compounds the risks associated with using outdated firmware.

Firmware risks

The presence of these vulnerabilities in widely used cellular routers is more than just a technical oversight, it represents a significant risk for organizations that rely on these devices for critical operations. Cellular routers are often deployed in environments where reliability and security are paramount, such as in industrial control systems, remote monitoring, and critical infrastructure management. When these routers are compromised, the consequences can be severe, leading to operational disruptions, data breaches, and even damage to essential infrastructure.

The persistence of known vulnerabilities in these devices raises an important question: why are these issues still present, despite being well-documented? The answer lies partly in the complexity of firmware updates and the challenges of maintaining compatibility with a wide range of hardware. Yet, this does not justify the lack of proactive measures taken to address these vulnerabilities. The research found that while some vendors do apply custom patches to issues, these patches often introduce new problems or fail to fully resolve existing ones, further complicating the security landscape.

Role of SBOMs

The findings from this research are a reminder that addressing firmware vulnerabilities in OT and IoT routers must be a top priority for both device manufacturers and the organizations that rely on them. We recommend the adoption of Software Bills of Materials (SBOMs) which provide a detailed inventory of the components within a device’s software. SBOMs enhance transparency and allow for more effective vulnerability managemen

Manufacturers must also improve their patch management processes and be more transparent with customers regarding product security. This includes issuing timely security advisories when vulnerabilities are identified. Additionally, sharing asset risk information, including details about the configuration, behavior and function of devices is essential. In doing this, manufacturers can help organizations better understand the risks associated with their devices and the appropriate mitigation actions. In turn, organizations should prioritize mitigating the vulnerabilities that pose the greatest threat to their operations first.

As the proliferation of OT and IoT devices continues across sectors, addressing firmware vulnerabilities will become ever more important. There is an urgent need to improve device security and create greater transparency in the software supply chain. By taking proactive measures today, including embracing SBOMs and prioritizing regular updates and patches, organizations can reduce cybersecurity risks and safeguard the future of our interconnected world.

Daniel dos Santos is Head of Research at Forescout Research – Vedere Labs

August 26th, 2024 | Uncategorized