Rough Around the Edges: The State of OT/IoT Routers in the Software Supply Chain

Introduction

Hello everyone and welcome to this discussion on the state of OT and IoT routers in the software supply chain. Today, we will delve into the research we've conducted on software bill of materials (SBOM) and vulnerability assessments focusing on devices critical to various industries.

The Journey into the Supply Chain

To begin our exploration, we can liken our journey into supply chain security to a cinematic adventure, much like that seen in the "Lord of the Rings." This includes navigating the complexities of the software development life cycle to enhance supply chain security. To do this, we utilized individual pieces of binary or source code to develop a detailed SBOM. This SBOM lists the various components included in the firmware, which can then be enriched by associating them with vulnerability data.

However, integrating vulnerability data with SBOM presents challenges, especially when accounting for both first-party and third-party components. In essence, the journey can be intricate - sometimes requiring uphill navigation or even detours through treacherous terrain.

Background of the Research

Our collaboration arose from a need for a deeper understanding of vulnerability research in the supply chain. Since 2020, our team has discovered over 200 vulnerabilities, with more than 100 related to supply chain issues. One significant initiative within this research is Project Memoria, where we analyzed TCP/IP stacks to identify common vulnerabilities resulting from the misinterpretation of technical standards.

Why Supply Chain Vulnerabilities are Unique

Supply chain vulnerabilities are complex as they often involve multiple suppliers and third-party components. For instance, vulnerabilities such as Log4J demonstrate how difficult it is to maintain visibility and control over various dependencies within a software supply chain, especially when products may rely on code and libraries from many developers.

Research Focus: The Devices

Our study specifically focused on gateway routers used in critical infrastructure settings. We found that over 100,000 of these routers, serving industries such as smart cities and energy distribution, were exposed on the internet, raising significant security concerns.

We also sought to determine how common it was to use open-source components within these IoT routers, as prior research had revealed that many vulnerabilities originated from open-source libraries.

Methodology and Results

Our analysis began with 290 firmware images, narrowing down our focus to 39 that were analytically manageable. We selected five vendors based on market presence and recent incidents. Among key findings, we discovered:

  1. Common Operating Systems: Four out of five routers analyzed utilized OpenWrt, an open-source operating system tailored for embedded systems.

  2. Component Decay: The average age of components in the firmware was notably high, often exceeding five years, resulting in outdated software that may harbor previously exploited vulnerabilities.

  3. Vulnerability Statistics: Our research indicated an alarming number of vulnerabilities across the devices, with an average of seven critical vulnerabilities per firmware.

  4. Lack of Memory Protections: Most routers lacked fundamental binary-level memory protections, although they did encourage changing default credentials during initial setup.

  5. Inconsistent Custom Patching: Manufacturers often provided their own patches for third-party components. However, these patches were inconsistent and sometimes introduced new vulnerabilities.
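The SBOM enrichment described in the introduction and the findings above (component decay, critical vulnerabilities per firmware, and the difficulty of matching vendor-patched components to vulnerability data) can be illustrated with a small, self-contained example. This is added here and is not the research team's or Finite State's tooling; the SBOM entries, release dates and vulnerability ids are constructed placeholders.

```python
from datetime import date

# Constructed analysis date and sample SBOM for one firmware image (illustrative only).
AS_OF = date(2024, 6, 1)
SBOM = [
    {"name": "openssl", "version": "1.0.2u", "released": date(2019, 12, 20), "vendor_patched": False},
    {"name": "busybox", "version": "1.30.1", "released": date(2019, 2, 14), "vendor_patched": True},
    {"name": "dnsmasq", "version": "2.80", "released": date(2018, 10, 18), "vendor_patched": False},
]

# Constructed vulnerability feed with placeholder ids (not real CVE numbers).
VULNS = [
    {"id": "VULN-PLACEHOLDER-1", "name": "openssl", "affected": {"1.0.2u"}, "severity": "CRITICAL"},
    {"id": "VULN-PLACEHOLDER-2", "name": "busybox", "affected": {"1.30.1"}, "severity": "HIGH"},
    {"id": "VULN-PLACEHOLDER-3", "name": "dnsmasq", "affected": {"2.80"}, "severity": "CRITICAL"},
]


def component_age_days(component, today):
    """Days since the upstream release of the version recorded in the SBOM."""
    return (today - component["released"]).days


def enrich(sbom, vulns):
    """Match SBOM entries to the feed by name and version string.

    A vendor-patched component keeps its upstream version string, so a version
    match may be a false positive (a silently backported fix) or may miss a bug
    the custom patch introduced. Such matches are flagged for manual validation
    instead of being reported as confirmed.
    """
    findings = []
    for comp in sbom:
        for v in vulns:
            if v["name"] == comp["name"] and comp["version"] in v["affected"]:
                status = "needs_validation" if comp["vendor_patched"] else "confirmed"
                findings.append({"component": comp["name"], "id": v["id"],
                                 "severity": v["severity"], "status": status})
    return findings


def summarize(sbom, vulns, today):
    """Per-firmware figures: mean component age in years and confirmed critical findings."""
    ages = [component_age_days(c, today) for c in sbom]
    findings = enrich(sbom, vulns)
    return {
        "avg_age_years": round(sum(ages) / len(ages) / 365.25, 2),
        "confirmed_critical": sum(1 for f in findings
                                  if f["status"] == "confirmed" and f["severity"] == "CRITICAL"),
        "needs_validation": sum(1 for f in findings if f["status"] == "needs_validation"),
    }


if __name__ == "__main__":
    print(summarize(SBOM, VULNS, AS_OF))
```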

Collaborative Analysis with Finite State

By partnering with Finite State, our analysis was streamlined, allowing the automated generation of detailed SBOMs, making it easier for researchers to focus on validating results and producing insights on device security.

Conclusion and Recommendations

To mitigate supply chain vulnerabilities, we recommend that manufacturers prioritize updating components and employing security measures, showcasing their commitment to strong security postures. Moreover, asset owners should establish comprehensive visibility into the devices in their environment by deploying security tools that enhance risk assessment while enabling threat detection and response.

Keywords

  • OT/IoT Routers
  • Software Bill of Materials (SBOM)
  • Supply Chain Vulnerabilities
  • Firmware Analysis
  • Open Source Components
  • Vulnerability Assessment
  • Critical Infrastructure

FAQ

Q1: What is the purpose of a Software Bill of Materials (SBOM)? A: An SBOM serves to itemize all components and dependencies within a software product, allowing organizations to assess security risks associated with each component.

Q2: Why are supply chain vulnerabilities significant? A: They pose risks due to dependencies on third-party components, which can be overlooked in security assessments, leading to unaddressed vulnerabilities in critical infrastructure.

Q3: How does using open-source software impact development? A: While open-source components can reduce development time, they also require vigilance in managing vulnerabilities, as dependencies may go unmonitored.

Q4: What challenges arise from custom patching? A: Custom patches may introduce new vulnerabilities or fail to accurately reflect version changes, complicating vulnerability management for security tools.

Q5: How can organizations enhance their security posture regarding OT/IoT devices? A: Organizations should regularly update devices, perform vulnerability assessments, and leverage automated security tools to track component health throughout the software life cycle.