As the world becomes increasingly interconnected through Operational Technology (OT) and the Internet of Things (IoT), the security of our network devices has never been more critical. Recent research from Forescout and Finite State reveals alarming vulnerabilities in OT and IoT routers, particularly those that rely on outdated software components. This issue poses significant risks to organizations that depend on these devices to connect critical infrastructure.

Key Findings from the Research

The Forescout-Finite State report, titled “Rough Around the Edges,” analyzed firmware from several OT/IoT router vendors, including Acksys, Digi, MDEX, Teltonika, and Unitronics. The findings paint a concerning picture of the security landscape for these devices:

  • Exploitable Vulnerabilities: The study found that OT and IoT routers had an average of 20 exploitable n-day vulnerabilities affecting their kernels. These vulnerabilities represent known risks that have not been addressed in the latest firmware releases.
  • Aging Software Components: The research identified an average of 662 components per firmware image, with many components being outdated. On average, the open-source components analyzed were five years and six months old, lagging behind the latest available releases.
  • Known Vulnerabilities: The report revealed that firmware images contained an average of 161 known vulnerabilities, including 24 classified as critical. These vulnerabilities present substantial risks if left unaddressed.
  • Lack of Security Features: The analyzed firmware images exhibited a lack of essential binary protection mechanisms. For instance, only 41% of binaries utilized RELRO (Relocation Read-Only), and just 4% employed RPath.
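
To measure the binary-hardening properties cited in the last finding on your own extracted firmware, the following added example (not code from the report or from this page) reads an ELF file's program headers and dynamic table and reports its RELRO level and whether it carries an RPATH/RUNPATH entry. The function names audit_elf and build_sample are hypothetical, the sample images are constructed in the script, and the none/partial/full classification follows the usual checksec-style convention, which is an assumption rather than the report's stated methodology.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 24, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def audit_elf(data: bytes) -> dict:
    """Report RELRO level and RPATH/RUNPATH presence for one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    word, dyn_step = ("Q", 16) if is64 else ("I", 8)
    # Offsets of e_phoff, e_phentsize/e_phnum, p_offset and p_filesz differ by class.
    o_phoff, o_phent, o_poff, o_pfsz = (0x20, 0x36, 8, 32) if is64 else (0x1C, 0x2A, 4, 16)
    phoff, = struct.unpack_from(end + word, data, o_phoff)
    phentsize, phnum = struct.unpack_from(end + "HH", data, o_phent)
    relro = bind_now = rpath = False
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_RELRO:
            relro = True                    # linker marked GOT/relocation data read-only
        elif p_type == PT_DYNAMIC:
            off, = struct.unpack_from(end + word, data, base + o_poff)
            size, = struct.unpack_from(end + word, data, base + o_pfsz)
            for pos in range(off, off + size, dyn_step):
                tag, val = struct.unpack_from(end + word * 2, data, pos)
                if tag == DT_NULL:
                    break
                rpath |= tag in (DT_RPATH, DT_RUNPATH)
                bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    # Full RELRO needs eager binding too; otherwise the PLT part of the GOT stays writable.
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": level, "rpath": rpath}

def build_sample(relro: bool, dyn: list) -> bytes:
    """Constructed 32-bit big-endian ELF skeleton (headers + dynamic table only)."""
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    blob = b"".join(struct.pack(">II", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack(">8I", t, 116, 0, 0, len(blob), len(blob), 4, 4) for t in phdrs)
    return (ehdr + ph).ljust(116, b"\0") + blob

if __name__ == "__main__":
    for name, img in [("hardened", build_sample(True, [(DT_FLAGS, DF_BIND_NOW)])),
                      ("legacy", build_sample(False, [(DT_RPATH, 1)]))]:
        print(name, audit_elf(img))
```

Running audit_elf over every ELF file in an unpacked firmware image and counting the results gives per-image percentages comparable in kind to the figures above.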

The Importance of Software Supply Chain Security

The research highlights the critical need for organizations to actively assess their software supply chain. As Daniel dos Santos, head of research at Forescout, stated, “With the convergence of IoT and OT, threats targeting connected devices are increasing exponentially due to cybercriminal botnets, nation-state APTs, and hacktivists.” The prevalence of outdated components can leave networks vulnerable to attacks.

A worrying trend is the reliance on modified versions of OpenWrt, an open-source Linux-based OS. While many firmware images utilize this operating system, the heavily modified versions can introduce additional vulnerabilities, further complicating security efforts.

Addressing the Risks

To mitigate the risks associated with outdated software components in OT and IoT routers, organizations should consider the following strategies:

  1. Regular Software Updates: Ensure that all devices are running the latest firmware and that software components are regularly updated to address known vulnerabilities.
  2. Implement Security Best Practices: Adopt best practices for device management, including the use of strong, unique passwords and enabling multi-factor authentication (MFA) where possible.
  3. Conduct Vulnerability Assessments: Regularly assess the network for vulnerabilities and identify devices that may be running outdated software components. This proactive approach can help organizations respond quickly to emerging threats.
  4. Demand Transparency from Manufacturers: Device manufacturers should provide more detailed information about the software components used, including their versions and any patches applied. This transparency is crucial for understanding and mitigating risks effectively.
  5. Utilize Software Bill of Materials (SBOM): Implement SBOMs to track the components within devices accurately. SBOMs provide a comprehensive view of vulnerabilities, helping organizations manage risk and compliance more effectively.

The Road Ahead

As cyber threats continue to evolve, the need for robust security measures in OT and IoT environments becomes increasingly urgent. The Forescout-Finite State research underscores the vulnerabilities posed by outdated software components, highlighting the necessity for organizations to adopt a proactive and informed approach to cybersecurity.

By understanding the risks associated with OT and IoT routers and implementing the recommended strategies, organizations can better protect their critical infrastructure from the growing tide of cyber threats.
