The Forescout Technologies-Finite State report, Rough Around the Edges, revealed that OT and IoT cellular routers, and others used in small offices and homes, have outdated software components that are linked to existing (“n-day”) vulnerabilities. The report also found that popular OT/IoT router firmware images had an average of 20 exploitable n-day vulnerabilities affecting the kernel, with widening security gaps.
Analysing the state of the software supply chain in OT/IoT routers, the report counted 22 million exposed devices in the ASEAN region alone – 21% more than two years ago. Singapore has the highest exposed OT/ICS, with a risk level of 23.89%, followed by Vietnam (21.06%), Thailand (19.52%), Malaysia (18.56%), and Indonesia (14.76%).
Singapore also has the highest percentage of exposed IT devices at 38.22%. However, the report notes that countries with the most exposed devices are not necessarily the most compromised. Notably, Singapore has the highest number of NAS devices infected with ransomware and the most hosted C2 infrastructure, while Thailand has the most hacked DVRs.
In terms of compromised/malicious IP addresses, Singapore ranks fourth in ASEAN at 11.79%, behind Indonesia (18.28%), Thailand (20.86%), and Vietnam (31.89%).
“With the convergence of IoT and OT, threats targeting connected devices are increasing exponentially due to cybercriminal botnets, nation-state APT’s and hacktivists,” said Daniel dos Santos, head of research at Forescout Research – Vedere Labs.
“Our recent Sierra:21 research found tens of thousands of devices with outdated firmware are exposed online, easily accessible to hackers. Our goal was to look at what is already known (“n-day”), but still present in the latest firmware releases of routers.”
Report findings:
- Most firmware is derived from OpenWrt, an open-source Linux-based OS for embedded devices. Four of the five firmware images analysed ran operating systems derived from OpenWrt, but those four use heavily modified versions of the base operating system, either mixing and matching individual component versions with a base version or developing their own in-house components.
- Software components are often outdated. The analysis identified an average of 662 components and 2,154 findings between known vulnerabilities, weak security posture, and potential new vulnerabilities on each firmware image. The research singled out 25 common components and noticed that the average open-source component was five years and six months old, and four years and four months behind the latest release. Even the most recent firmware images do not use the latest releases of open-source components, including critical components such as the kernel and OpenSSL.
- Prevalence of vulnerable firmware. On average, firmware images had 161 known vulnerabilities on their most common components: 68 with a low or medium CVSS score, 69 with a high score, and 24 with a critical score. Additionally, the firmware images had an average of 20 exploitable n-days affecting the kernel.
- Security features are lacking. On average, 41% of binaries across firmware images use RELRO, 31% use stack canaries, 65% use NX, 75% use PIE, 4% use RPath, and 35% have debugging symbols. The averages can be misleading as the differences between firmware images are very large. Overall, all five firmware images examined are lacking when it comes to binary protection mechanisms.
- Default credentials are going away. Even though every firmware came with default credentials, they were often uniquely generated, and the user was forced to change them when configuring a device, making them not exploitable under normal circumstances.
- Custom patching is a problem. The analysis found examples of vendors applying their own patches to known vulnerabilities, introducing new issues, and patching vulnerabilities without incrementing the versions of components, which makes it hard for the user of a device to understand what is vulnerable and what is not.
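The binary-protection statistics in the findings above (RELRO, stack canaries, NX, PIE, RPATH, debugging symbols) are the kind of thing a defender can measure on their own firmware before trusting a vendor's claims. The checker below is an added example, not code from the report or from Forescout or Finite State: it reads ELF headers with only the Python standard library, reports the same six properties for each binary, and aggregates them into the per-image percentages the report quotes. Assumptions: the canary and debug-symbol checks are byte-string heuristics (presence of the `__stack_chk_fail` import name and of a `.symtab`/`.debug_info` section name), and any ET_DYN file is counted as PIE, so shared libraries are included, as in older checksec-style tooling. The `build_elf64` helper constructs a synthetic, non-runnable ELF image purely so the checker can be exercised offline.

```python
"""Static checker for ELF hardening flags, for auditing extracted firmware root filesystems.
Added example; constants are taken from the ELF/gABI specification."""
import struct
from dataclasses import dataclass, asdict

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_DYN = 1, 3
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS = 0, 15, 24, 29, 30
DF_BIND_NOW = 0x8


@dataclass
class Hardening:
    relro: str          # "none" | "partial" | "full"
    canary: bool        # __stack_chk_fail referenced (heuristic)
    nx: bool            # PT_GNU_STACK present and not executable
    pie: bool           # ET_DYN (shared objects are counted too)
    rpath: bool         # DT_RPATH or DT_RUNPATH set (report counts this as a weakness)
    debug_symbols: bool # .symtab / .debug_info section names still present


def analyze_elf(data: bytes) -> Hardening:
    """Parse the ELF header, program headers and dynamic section of one binary."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little, 2 = big endian
    hdr = struct.unpack(end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH"),
                        data[:64 if is64 else 52])
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    nx, partial_relro, dyn = False, False, b""   # no PT_GNU_STACK => executable stack on most ABIs
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack(end + "IIQQQQ", data[off:off + 40])
        else:  # 32-bit Phdr has a different field order
            p_type, p_offset, _va, _pa, p_filesz, _memsz, p_flags = struct.unpack(end + "IIIIIII", data[off:off + 28])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            partial_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = data[p_offset:p_offset + p_filesz]

    fmt, size = (end + "qQ", 16) if is64 else (end + "iI", 8)
    bind_now = has_rpath = False
    for off in range(0, len(dyn) - size + 1, size):
        tag, val = struct.unpack(fmt, dyn[off:off + size])
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
            bind_now = True                      # full RELRO needs GNU_RELRO *and* BIND_NOW
        elif tag in (DT_RPATH, DT_RUNPATH):
            has_rpath = True

    relro = "full" if partial_relro and bind_now else "partial" if partial_relro else "none"
    return Hardening(
        relro=relro,
        canary=b"__stack_chk_fail" in data,
        nx=nx,
        pie=e_type == ET_DYN,
        rpath=has_rpath,
        debug_symbols=b".symtab" in data or b".debug_info" in data,
    )


def coverage(results: list) -> dict:
    """Percentage of binaries with each protection, the way the report tabulates a firmware image."""
    n = len(results)
    out = {}
    for key in ("relro", "canary", "nx", "pie", "rpath", "debug_symbols"):
        hits = sum(1 for r in results if asdict(r)[key] not in (False, "none"))
        out[key] = round(100 * hits / n)
    return out


def build_elf64(nx=True, relro="full", rpath=False, canary=False) -> bytes:
    """Construct a synthetic little-endian x86-64 ELF with the requested flags (test input only)."""
    dyn_entries = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) \
        + ([(DT_RPATH, 0)] if rpath else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X, 0, 0)]        # (type, flags, offset, filesz)
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0, 0, 0))
    dyn_off = 64 + 56 * (len(phdrs) + 1)                     # dynamic data follows the phdr table
    phdrs.append((PT_DYNAMIC, 0, dyn_off, len(dyn)))
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)         # ELFCLASS64, little endian, version 1
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + ph + dyn + (b"__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    import sys
    print(coverage([analyze_elf(open(p, "rb").read()) for p in sys.argv[1:]]))
```

Run it as `python3 elfcheck.py squashfs-root/bin/* squashfs-root/usr/lib/*.so*` over an unpacked firmware image to get the same six percentages the report lists; a low NX or canary figure on a vendor's newest release is a concrete supply-chain question to raise with them.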
Larry Pesce, director of product research and development at Finite State, says the findings highlight the critical importance of addressing software supply chain risks. “As we observe an unprecedented increase in both managed and unmanaged devices connecting to the Internet—extending into critical infrastructure sectors and beyond—the need for robust cybersecurity measures has never been more urgent,” he added.
Citing the increase in managed and unmanaged devices connected to the internet, which extends into critical infrastructure sectors, Forescout CEO Barry Mainz suggests the need for a comprehensive asset inventory that identifies crucial details through passive and active methods.
“Integrating this data with Software Bills of Materials (SBOMs) helps us deliver targeted risk information and enforce security measures essential for protecting our digital infrastructure,” he continued.