Groundbreaking Research by Forescout and Finite State Reveals the Alarming State of the Software Supply Chain in OT/IoT Routers

Singapore, August 15, 2024 – Forescout Technologies, Inc., a global leader in cybersecurity, in collaboration with Finite State, a prominent figure in software supply chain security, today unveiled a new report titled “Rough Around the Edges.” This report provides an in-depth analysis of the software supply chain within OT/IoT routers, which play a critical role in connecting essential devices to the internet across various settings. The research highlights that OT and IoT cellular routers, as well as those utilised in small offices and homes, are plagued by outdated software components associated with existing (“n-day”) vulnerabilities. The “Rough Around the Edges” report identified an average of 20 exploitable n-day vulnerabilities within the kernel of widely-used OT/IoT router firmware, revealing significant security gaps.
The report underscores that in the ASEAN region alone, there are 22 million exposed devices, marking a 21% increase over the past two years. Singapore tops the list with the highest exposure of OT/ICS devices, holding a risk level of 23.89%, followed by Vietnam (21.06%), Thailand (19.52%), Malaysia (18.56%), and Indonesia (14.76%).
Singapore also leads with the highest percentage of exposed IT devices, at 38.22%. However, the report notes that the countries with the most exposed devices do not necessarily suffer the highest levels of compromise. Interestingly, Singapore registers the highest number of NAS devices infected with ransomware and also hosts the most Command and Control (C2) infrastructure, while Thailand has the most hacked DVRs.
Regarding compromised or malicious IP addresses, Singapore ranks fourth in the ASEAN region with 11.79%, trailing behind Indonesia (18.28%), Thailand (20.86%), and Vietnam (31.89%).
Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs, said, “With the increasing convergence of IoT and OT, threats targeting connected devices are escalating at an exponential rate due to cybercriminal botnets, nation-state APTs, and hacktivists. Our recent Sierra:21 research uncovered tens of thousands of devices running outdated firmware that are exposed online, making them easy targets for hackers. Following this, we aimed to examine the state of software components in OT/IoT network devices from various vendors, seeking to understand what threat actors might discover if they scrutinised this software supply chain. Our objective wasn’t to find new vulnerabilities, but to assess what is already known (‘n-day’) yet remains unaddressed in the latest router firmware releases.”
The analysis conducted by Forescout Research and Finite State covered five firmware images from prominent OT/IoT router vendors: Acksys, Digi, MDEX, Teltonika, and Unitronics. The “Rough Around the Edges” report presents several key findings:
- Widespread Use of OpenWrt: Four of the five firmware images analysed utilise operating systems derived from OpenWrt, an open-source Linux-based OS for embedded devices. However, these images feature heavily modified versions of the base operating system, often mixing and matching component versions or developing in-house components.
- Outdated Software Components: The research uncovered an average of 662 components and 2,154 findings per firmware image, spanning known vulnerabilities, weak security postures, and potential new vulnerabilities. On average, the open-source components were five years and six months old, and four years and four months behind the latest releases. Even the most recent firmware images were found to be using outdated versions of critical components such as the kernel and OpenSSL.
- Prevalence of Known Vulnerabilities: Firmware images contained an average of 161 known vulnerabilities in their most common components: 68 with low or medium CVSS scores, 69 with high scores, and 24 with critical scores. Additionally, the firmware images had an average of 20 exploitable n-days affecting the kernel.
- Insufficient Security Features: On average, 41% of binaries in firmware images use RELRO, 31% use stack canaries, 65% use NX, 75% use PIE, 4% use RPath, and 35% contain debugging symbols. However, these averages can be misleading due to significant disparities between firmware images. Overall, the five firmware images examined showed deficiencies in binary protection mechanisms.
- Decrease in Default Credentials: While each firmware image came with default credentials, they were often uniquely generated, and users were required to change them during device configuration, reducing their exploitability under normal circumstances.
- Issues with Custom Patching: The analysis revealed instances of vendors applying their own patches to known vulnerabilities, which sometimes introduced new issues. Additionally, some vulnerabilities were patched without updating component versions, creating confusion for users trying to assess vulnerability status.
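The binary-protection figures in the findings above (RELRO, stack canaries, NX, PIE, RPATH, debugging symbols) are per-binary properties an auditor extracts from each ELF file unpacked from a firmware image. The following Python is an added example, not code from the report or from Forescout or Finite State: it reads ELF32/ELF64 headers directly without external tools and reports those six properties for one binary, using a constructed minimal ELF64 image as sample input; the canary check is a string heuristic and the PIE check tests ET_DYN, so shared objects also report true.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552      # ELF/GNU constants
DT_NULL, DT_RPATH, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, SHT_SYMTAB, PF_X, ET_DYN = 0x8, 0x1, 2, 0x1, 3

def audit_elf(data: bytes) -> dict:
    """Report the hardening properties of one ELF image (ELF32/ELF64, any byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    hf, phf, shf, dyf = (("16sHHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ", "qQ") if is64
                         else ("16sHHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII", "iI"))
    eh = struct.unpack_from(end + hf, data)
    phoff, shoff, phentsize, phnum, shentsize, shnum, shstrndx = eh[5], eh[6], eh[9], eh[10], eh[11], eh[12], eh[13]
    res = {"pie": eh[1] == ET_DYN, "nx": False, "relro": "none", "rpath": False,
           "canary": b"__stack_chk_fail" in data, "debug": False}   # canary: string heuristic
    dyn_off, dyn_size, bind_now = 0, 0, False
    for i in range(phnum):
        ph = struct.unpack_from(end + phf, data, phoff + i * phentsize)
        p_type, p_off, p_size, p_flags = (ph[0], ph[2], ph[5], ph[1]) if is64 else (ph[0], ph[1], ph[4], ph[6])  # field order differs
        if p_type == PT_GNU_STACK:
            res["nx"] = not (p_flags & PF_X)        # stack mapped non-executable
        elif p_type == PT_GNU_RELRO:
            res["relro"] = "partial"                # GOT made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_off, p_size
    for off in range(dyn_off, dyn_off + dyn_size, struct.calcsize(end + dyf)):
        tag, val = struct.unpack_from(end + dyf, data, off)
        if tag == DT_NULL:
            break
        res["rpath"] |= tag in (DT_RPATH, DT_RUNPATH)   # hard-coded library search path
        bind_now |= (tag == DT_FLAGS and bool(val & DF_BIND_NOW)) or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW))
    if res["relro"] == "partial" and bind_now:
        res["relro"] = "full"                       # RELRO + BIND_NOW: full RELRO
    if shnum and shstrndx < shnum:                  # section headers present: look for debug info
        shs = [struct.unpack_from(end + shf, data, shoff + i * shentsize) for i in range(shnum)]
        names = shs[shstrndx][4]                    # file offset of .shstrtab
        for sh in shs:
            name = data[names + sh[0]:].split(b"\0", 1)[0]
            res["debug"] |= sh[1] == SHT_SYMTAB or name.startswith(b".debug")
    return res

def sample_elf64() -> bytes:  # constructed minimal ELF64 (PIE, NX, full RELRO, RUNPATH) as sample input
    dyn = struct.pack("<qQqQqQ", DT_FLAGS, DF_BIND_NOW, DT_RUNPATH, 0, DT_NULL, 0)
    phs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16),
           struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1),
           struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 3 * 56, 0, 0, len(dyn), len(dyn), 8)]
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    return struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, 3, 64, 0, 0) + b"".join(phs) + dyn
```

Run `audit_elf(open(path, "rb").read())` over every ELF unpacked from a firmware image to reproduce the per-image percentages the report tabulates.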
Larry Pesce, Director of Product Research and Development at Finite State, remarked, “The ‘Rough Around the Edges’ report uncovers a concerning trend of outdated software components in OT/IoT routers, with many devices running modified versions of OpenWrt that include known vulnerabilities. These findings emphasise the critical need to address software supply chain risks. Our analysis identified an average of 161 known vulnerabilities per firmware image, including 24 with critical scores. By harnessing our platform’s capabilities, organisations can gain deep insights into their software’s vulnerabilities and outdated components, enabling them to proactively address risks and safeguard their products and customers from evolving cyber threats.”
The research highlighted a positive correlation between the age of components, the number of known vulnerabilities, and the binary hardening practices among vendors. As anticipated, firmware with newer components tended to exhibit fewer vulnerabilities and stronger binary protections.
Barry Mainz, CEO of Forescout, commented, “As we witness an unprecedented surge in both managed and unmanaged devices connecting to the Internet, extending into critical infrastructure sectors and beyond, the need for robust cybersecurity measures has never been more pressing. To effectively mitigate risks in a landscape increasingly dominated by Operational Technology (OT) and the Internet of Things (IoT), we require a comprehensive asset inventory that captures essential details through both passive and active methods. Integrating this data with Software Bills of Materials (SBOMs) allows us to deliver targeted risk information and implement security measures vital for protecting our digital infrastructure.”
