Forescout and Finite State have released a report titled "Rough Around the Edges" that scrutinises the software supply chain in Operational Technology (OT) and Internet of Things (IoT) routers. The research finds that many of these routers, which connect industrial equipment and other devices to the Internet, still ship outdated software components that carry known vulnerabilities.
This report builds on earlier findings, notably the Sierra 21 research, which identified tens of thousands of exposed network devices running outdated firmware and susceptible to attack, with Australia ranking third globally in the number of exposed devices. Fewer than 10% of those devices were confirmed to be patched against vulnerabilities known since 2019.
The analysis examined firmware images from prominent OT/IoT router vendors, including Acksys, Digi, MDEX, Teltonika, and Unitronics. According to the report, the firmware images contained an average of 662 components, with 2,154 findings covering known vulnerabilities, weak security postures and potential new vulnerabilities. The report noted that the average open-source component was more than five years old and significantly behind the latest release.
Daniel dos Santos, Head of Research at Forescout Research Vedere Labs, said, "With the convergence of IoT and OT, threats targeting connected devices are increasing exponentially due to cybercriminal botnets, nation-state APTs and hacktivists. Following our Sierra 21 research, we aimed to understand the state of software components in OT/IoT network devices from other vendors and what threat actors might find if they closely examined this software supply chain."
The research highlighted several key issues:
OpenWrt Prevalence: Four of the five analysed firmware images run on operating systems derived from OpenWrt, the open-source Linux distribution for embedded devices. These vendor builds often pair a base OpenWrt release with individually chosen component versions, or replace components with in-house code, so the base OpenWrt version alone does not tell you what is actually shipped.
Outdated Components: The study identified an average of 161 known vulnerabilities per firmware image, 24 of them with critical severity scores. This is a serious concern given the critical roles these devices play across many sectors.
Security Features and Binary Protection: The research found wide variation in the use of binary hardening features such as RELRO (read-only relocations), stack canaries and NX (non-executable memory) across firmware images, indicating that these protections are not applied consistently.
Default Credentials: Default credentials are still present on the devices, but they are often generated uniquely per device or must be changed at initial setup, which improves their security in common usage scenarios.
Patching Practices: The analysis found that some vendors apply custom patches to known vulnerabilities without updating the component's version number, and that these patches sometimes introduce new issues. As a result, version strings no longer indicate which components are actually vulnerable, which complicates vulnerability matching.
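The RELRO, stack-canary and NX checks mentioned above can be made concrete. The script below is an added example, not code from the Forescout/Finite State report or from any vendor's firmware: check_elf() reads an ELF64 program header table and dynamic section the way checksec-style tools do, and build_elf() is a hypothetical helper that assembles a toy ELF image (constructed test data, not a real binary) so the checker can be run offline. The __stack_chk_fail lookup in the dynamic string table is a heuristic for an imported canary failure handler; statically linked binaries would need a symbol-table check instead.

```python
"""Checksec-style ELF64 hardening checker (added example, not code from the report).
check_elf() reads program headers and the dynamic section to report NX, RELRO and a
stack-canary heuristic. build_elf() is a hypothetical helper that assembles a toy
ET_DYN ELF64 (constructed test data, not a real firmware binary) for offline use.
"""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def check_elf(data: bytes) -> dict:
    """Return {'nx': bool, 'relro': 'none'|'partial'|'full', 'canary': bool}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def vaddr_to_off(va: int) -> int:
        # Dynamic-section pointers are virtual addresses; map them via PT_LOAD.
        for _, _, off, vaddr, _, filesz, _, _ in loads:
            if vaddr <= va < vaddr + filesz:
                return va - vaddr + off
        raise ValueError(f"vaddr {va:#x} not backed by any PT_LOAD segment")

    # NX: the stack is non-executable only if PT_GNU_STACK exists and lacks PF_X;
    # a missing PT_GNU_STACK is reported as no NX (the loader's legacy default).
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # Walk the dynamic section for BIND_NOW (full RELRO) and the string table.
    bind_now, strtab, strsz = False, None, None
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        off = vaddr_to_off(p[3])
        while True:
            tag, val = DYN.unpack_from(data, off)
            off += DYN.size
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            elif tag == DT_STRTAB:
                strtab = val
            elif tag == DT_STRSZ:
                strsz = val
    # RELRO: PT_GNU_RELRO alone is partial; with BIND_NOW the GOT is read-only too.
    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "full" if bind_now else "partial"

    # Canary (heuristic): a dynamically linked -fstack-protector binary imports
    # __stack_chk_fail, whose name lives in .dynstr. Static binaries need .symtab.
    canary = False
    if strtab is not None and strsz is not None:
        o = vaddr_to_off(strtab)
        canary = b"__stack_chk_fail\0" in data[o:o + strsz]
    return {"nx": nx, "relro": relro, "canary": canary}


def build_elf(nx: bool = True, relro: str = "full", canary: bool = True) -> bytes:
    """Hypothetical: toy ET_DYN ELF64, identity-mapped (vaddr == offset) under one
    RW PT_LOAD. Constructed test data only; it is not loadable or executable."""
    phnum = 4 if relro != "none" else 3
    dynstr = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if canary else b"")
    dynstr_off = EHDR.size + phnum * PHDR.size
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7  # 8-byte align Elf64_Dyn
    dyn = [(DT_STRTAB, dynstr_off), (DT_STRSZ, len(dynstr))]
    if relro == "full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))  # what -Wl,-z,now produces
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(*d) for d in dyn)
    total = dyn_off + len(dyn_bytes)
    phdrs = [
        PHDR.pack(PT_LOAD, 6, 0, 0, 0, total, total, 0x1000),
        PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8),
        PHDR.pack(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),  # 7 = RWX stack
    ]
    if relro != "none":
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                               len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 3, 0x3E, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    body = ehdr + b"".join(phdrs) + dynstr
    return body + b"\0" * (dyn_off - len(body)) + dyn_bytes


if __name__ == "__main__":
    for cfg in ({"nx": True, "relro": "full", "canary": True},
                {"nx": False, "relro": "none", "canary": False}):
        print(cfg, "->", check_elf(build_elf(**cfg)))
```

To use it on a real firmware image, unpack the root filesystem, run check_elf() over each ELF under /bin, /sbin, /usr and /lib, and tally how many binaries lack each protection; the spread between vendors is the "variation" the report describes. Expect false negatives on the canary check for binaries that are statically linked or stripped of their dynamic string table.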
Larry Pesce, Director of Product Research and Development at Finite State, commented: "These findings highlight the critical importance of addressing software supply chain risks. Our analysis identified an average of 161 known vulnerabilities per firmware image, including 24 with critical scores. By leveraging our platform's capabilities, organisations can gain deep insights into their software's vulnerabilities and outdated components, allowing them to proactively address risks and protect their products and customers from evolving cyber threats."
The report also found that component age, the number of known vulnerabilities and binary hardening moved together across vendors: firmware built from newer components generally had fewer known vulnerabilities and stronger binary protections.
Barry Mainz, CEO of Forescout, underscored the urgency of robust cybersecurity measures: "As we observe an unprecedented increase in both managed and unmanaged devices connecting to the Internet, extending into critical infrastructure sectors and beyond, the need for robust cybersecurity measures has never been more urgent. To effectively mitigate risks in an environment increasingly dominated by OT and IoT, we need a comprehensive asset inventory that identifies crucial details through both passive and active methods."