At Finite State, we are dedicated to shedding light on the vulnerabilities that threaten the software supply chain and providing actionable insights to mitigate these risks. That's why we are thrilled to announce the release of our latest joint report with Forescout Technologies, "Rough Around the Edges," which dives deep into the security challenges facing OT/IoT routers.

Key Findings from "Rough Around the Edges"

OT and IoT routers play a vital role in connecting critical devices across various environments to the internet, making their security paramount. However, our research found that many of these routers are built on outdated software components, exposing them to known vulnerabilities. Here are some of the key findings from the report:

  • OpenWrt Prevalence: Our analysis revealed that four out of the five firmware images examined use operating systems derived from OpenWrt, a widely used open-source Linux-based OS for embedded devices. While OpenWrt provides flexibility, the heavily modified versions in these routers often lack consistent updates, leaving them vulnerable.

  • Outdated Software Components: On average, the firmware images analyzed contained 662 components, with many of them being outdated by over four years. This delay in adopting the latest software versions, including critical components like the kernel and OpenSSL, significantly increases the risk of exploitation.

  • Known Vulnerabilities Abound: We identified an average of 161 known vulnerabilities per firmware image, 24 of which are rated critical. These vulnerabilities pose a serious threat to device security and highlight the urgent need for comprehensive software supply chain management.

  • Lack of Security Features: The report also highlights a concerning lack of binary protection mechanisms in these devices. On average, only 41% of binaries across the firmware images use RELRO, 31% use stack canaries, and 65% use NX, underscoring the need for improved security practices.

  • Custom Patching Challenges: The analysis found instances where vendors applied their own patches to known vulnerabilities, sometimes introducing new issues or failing to update component versions. This practice can create confusion for users and leave devices vulnerable.
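
To measure the same three binary protections on your own extracted firmware, here is an added example (not from the report or from Finite State's or Forescout's tooling) that reads ELF program headers with Python's standard library. The names `check_elf`, `coverage` and `make_sample` and both sample images are constructed for illustration; the check counts any GNU_RELRO segment as RELRO (partial or full) and treats the `__stack_chk_fail` string as a canary heuristic.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 0x1

def check_elf(data: bytes) -> dict:
    """Report RELRO, NX and stack-canary indicators for one ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    relro, nx = False, False  # a missing GNU_STACK header is counted as "no NX"
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # Heuristic: canary-instrumented code references __stack_chk_fail
    return {"relro": relro, "nx": nx, "canary": b"__stack_chk_fail" in data}

def coverage(images) -> dict:
    """Percentage of ELF images showing each protection."""
    results = [check_elf(d) for d in images]
    return {k: round(100 * sum(r[k] for r in results) / len(results)) for k in results[0]}

def make_sample(segments, extra=b"") -> bytes:
    """Constructed little-endian ELF64 image: file header plus program headers."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                     for t, f in segments)
    return ehdr + phdrs + extra

# Constructed samples: one hardened image, one with an executable stack and no RELRO
HARDENED = make_sample([(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)], b"__stack_chk_fail\0")
LEGACY = make_sample([(PT_GNU_STACK, 7)])

if __name__ == "__main__":
    print(check_elf(HARDENED), check_elf(LEGACY), coverage([HARDENED, LEGACY]))
```

On a real firmware tree, pass the bytes of each file that starts with the ELF magic to `coverage` after unpacking the image.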

The Path Forward: Enhancing Software Supply Chain Security

The "Rough Around the Edges" report serves as a wake-up call for organizations to prioritize the security of their OT/IoT routers and other connected devices. At Finite State, we believe that a proactive approach to software supply chain security is essential to safeguarding critical infrastructure and protecting against evolving cyber threats.

By leveraging the insights and tools provided by our platform, organizations can gain a comprehensive view of their software's vulnerabilities and take decisive action to address them. Our mission is to empower industries to enhance security, ensure compliance, and achieve resilience in the face of an ever-changing threat landscape.

Join Our Upcoming Webinar

To further explore the findings of the "Rough Around the Edges" report, Finite State and Forescout will host a joint webinar in September. This event will offer an in-depth look at the report's insights and provide guidance on strengthening your organization's software supply chain security. Register for this informative session here.

Explore the Full Report

We invite you to explore the full "Rough Around the Edges" report to gain a deeper understanding of the vulnerabilities and challenges facing OT/IoT routers today. By staying informed and proactive, we can collectively strengthen the security of connected devices and protect the industries that rely on them.


For more information about how Finite State can help your organization secure its software supply chain, request a demo today or contact our team!

Together, we can build a safer, more secure future for connected devices worldwide.