OpenWrt dominates, but vulnerabilities persist in OT/IoT router firmware

Forescout has published a new report examining the current state of the software supply chain in OT/IoT routers. The study uncovered that OT and IoT cellular routers and those used in small offices and homes contain outdated software components associated with known (“n-day”) vulnerabilities. The research showed that widely used OT/IoT router firmware images have, on average, 20 exploitable n-day vulnerabilities affecting the kernel, leading to increasing security risks.

Number of historical vulnerabilities by CVSS score. Source: Forescout Vedere Labs

“With the convergence of IoT and OT, threats targeting connected devices are increasing exponentially due to cybercriminal botnets, nation-state APT’s and hacktivists,” said Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs. “Our recent Sierra:21 research found tens of thousands of devices with outdated firmware are exposed online, easily accessible to hackers. Following the publication of Sierra:21, we wanted to understand the state of software components in OT/IoT network devices from other vendors, and what threat actors might uncover if they looked more closely at this software supply chain. Instead of finding new vulnerabilities, our goal was to look at what is already known (“n-day”), but still present in the latest firmware releases of routers.”

Researchers analyzed five firmware images from popular OT/IoT router vendors: Acksys, Digi, MDEX, Teltonika, and Unitronics. The “Rough Around the Edges” report includes the following key findings from this analysis:

• OpenWrt is everywhere. Four of the five firmware analyzed run operating systems derived from OpenWrt, an open-source Linux-based OS for embedded devices. However, these four firmware images use heavily modified versions of the base operating system, either mixing and matching individual component versions with a base version or developing their in-house components.
• Software components are often outdated. The analysis identified an average of 662 components and 2,154 findings, including known vulnerabilities, weak security posture, and potential new vulnerabilities in each firmware image. The research highlighted 25 common components and noted that the average open-source component was five years and six months old, and four years and four months behind the latest release. Even the most recent firmware images do not use the latest versions of open-source components, including critical elements such as the kernel and OpenSSL.
• Known vulnerabilities abound. On average, firmware images had 161 known vulnerabilities in their most common components: 68 with a low or medium CVSS score, 69 with a high score, and 24 with a critical score. Additionally, the firmware images contained an average of 20 exploitable n-days affecting the kernel.
• Security features are lacking. On average, 41% of binaries across firmware images use RELRO, 31% use stack canaries, 65% use NX, 75% use PIE, 4% use RPath, and 35% have debugging symbols. The averages can be misleading as there are significant differences between firmware images. Overall, all five firmware images examined are lacking in binary protection mechanisms.
• Default credentials are going away. Although every firmware came with default credentials, they were often uniquely generated, and users were forced to change them when configuring a device, making them not exploitable under normal circumstances.
• Custom patching is a problem. The analysis found instances of vendors applying their own patches to known vulnerabilities, sometimes introducing new issues, and patching vulnerabilities without incrementing the versions of components. This creates confusion for device users in understanding what is vulnerable or not.

“The report reveals a troubling trend of outdated software components in OT/IoT routers, with many devices running modified versions of OpenWrt that include known vulnerabilities,” said Larry Pesce, Director of Product Research and Development at Finite State. “These findings highlight the critical importance of addressing software supply chain risks, as our analysis identified an average of 161 known vulnerabilities per firmware image, including 24 with critical scores.”

The research found positive correlations between the age of components, the number of known vulnerabilities, and binary hardening practices among vendors. As expected, firmware with newer components tends to have fewer vulnerabilities and better binary protections.