The effect of massive globalization is apparent in modern connected devices, from medical equipment to telecommunications infrastructure. Built using complex global supply chains of hardware, software, and service providers, these critical devices are positively impacting our daily lives, but at the same time, creating attractive attack surfaces for cyber threats.
A recent Bloomberg article, “Banned Chinese Security Cameras Are Almost Impossible to Remove,” provides another stark example of how a complex supply chain makes it nearly impossible to know exactly what is running on a network. Many readers may be surprised to learn that vulnerable components of one specific camera may also be found in many other cameras. Unfortunately, I am not surprised. Here at Finite State, we’ve done our own analysis of hundreds of thousands of firmware images, including cameras, printers, infusion pumps and 5G network devices. On average, more than 80% of the software in a device is duplicated in other devices, illustrating just how interconnected software supply chains are. And once an attacker finds one of these seemingly trivial vulnerabilities, they will attempt to exploit it across similar devices.
Compounding the issue, these connected devices are like black boxes, and security teams usually have no idea what is running inside them, making it nearly impossible to properly assess risk. The combination of global supply chains and lack of transparency into Internet of Things (IoT) and other connected devices leaves nearly everyone exposed.
City governments, healthcare providers, manufacturers, telecommunications providers, and enterprises around the world should be demanding increased transparency from device manufacturers. Comprehensive firmware analysis was infeasible a few years ago, but the technology now exists to increase transparency and provide clarity around the true risks of IoT devices.
The first two Center for Internet Security (CIS) Critical Security Controls are generating an inventory of authorized and unauthorized devices and software. While proactive organizations are starting to make progress on generating device inventories using a variety of tools, little traction has been made on generating software inventories for IoT and other embedded devices connected to networks. The reality is that the software running inside your devices is what attackers target, and without a comprehensive software inventory, it’s virtually impossible to understand your true exposure.
The Finite State platform enables you to take control by analyzing every device and firmware update that comes into your network. You will be able to see a comprehensive view of the risk of each device firmware and update, including a comprehensive Software Bill of Materials (SBOM), known CVEs, configuration and device hardening information, open source licensing and compliance information, and remediation guidance. Armed with that unprecedented level of transparency and risk intelligence, you can automatically and passively understand your true risks and quickly detect and respond to attacks. Without this firmware-enabled approach, the problems articulated in the Bloomberg article will continue.
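To make the duplication figure and the SBOM-driven inventory concrete, here is an added example (not Finite State's code or output): given a minimal SBOM per firmware image, it measures how much of each image's software also ships in other images, and, for a hypothetical advisory against one component version, lists every image in the fleet that carries it. All image names, component names and versions are constructed for the example.

```python
"""Cross-device SBOM overlap: how far one vulnerable component reaches."""
from collections import defaultdict

# Constructed sample data: one minimal SBOM per firmware image, each entry a
# (component name, version) pair. Names and versions are invented for this example.
SBOMS = {
    "camera-A-fw-1.2": [("busybox", "1.24.1"), ("libtls", "1.0.2k"), ("uclibc", "0.9.33"), ("cam-web", "3.1")],
    "camera-B-fw-4.0": [("busybox", "1.24.1"), ("libtls", "1.0.2k"), ("uclibc", "0.9.33"), ("vendor-ui", "2.0")],
    "printer-fw-7.3":  [("busybox", "1.24.1"), ("libtls", "1.1.1d"), ("glibc", "2.19"), ("lpd", "1.0")],
    "pump-fw-2.9":     [("rtos-kernel", "10.2"), ("lwip", "2.1.2"), ("pump-app", "5.4")],
}


def component_index(sboms):
    """Map each (name, version) to the set of firmware images that ship it."""
    index = defaultdict(set)
    for image, components in sboms.items():
        for component in components:
            index[component].add(image)
    return index


def duplication_ratio(sboms, image):
    """Fraction of an image's components that also appear in at least one other image."""
    index = component_index(sboms)
    components = sboms[image]
    shared = sum(1 for c in components if len(index[c]) > 1)
    return shared / len(components)


def affected_images(sboms, name, vulnerable_versions):
    """Images shipping `name` at any version listed in a (hypothetical) advisory."""
    index = component_index(sboms)
    hits = set()
    for (comp_name, version), images in index.items():
        if comp_name == name and version in vulnerable_versions:
            hits |= images
    return sorted(hits)


if __name__ == "__main__":
    for image in SBOMS:
        print(f"{image}: {duplication_ratio(SBOMS, image):.0%} of components shared with other images")
    # Hypothetical advisory: libtls 1.0.2k is vulnerable. Which images does it reach?
    print("affected by libtls 1.0.2k advisory:", affected_images(SBOMS, "libtls", {"1.0.2k"}))
```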
As manufacturers start responding to calls for increased transparency from their users, security will improve, and this process will get easier. In the meantime, there are steps you can start taking now to minimize your risk.