OpenWrt Dominates, Yet Vulnerabilities Persist in OT/IoT Router Firmware
Explore how OpenWrt leads in router firmware while vulnerabilities persist in OT/IoT devices. Understand the security risks and the measures for safeguarding your network.
In an era where interconnected devices and systems define the landscape of operational technology (OT) and the Internet of Things (IoT), security remains a critical concern. Recent research by Forescout, detailed in their “Rough Around the Edges” report, highlights a disturbing trend: while OpenWrt-based firmware dominates the OT/IoT router market, significant vulnerabilities persist. This underscores an urgent need for enhanced security measures and more diligent management of software supply chains.
The State of OT/IoT Router Firmware
Forescout's research shows that OT and IoT cellular routers, along with routers used in small office and home environments, often rely on outdated software components that carry known vulnerabilities, commonly referred to as "n-day" vulnerabilities: flaws that have been publicly disclosed, and for which a fix usually already exists upstream, but that remain unpatched in many shipping firmware versions.
Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs, remarks, "With the convergence of IoT and OT, threats targeting connected devices are increasing exponentially due to cybercriminal botnets, nation-state APTs, and hacktivists." Forescout's earlier Sierra:21 research, on Sierra Wireless AirLink cellular routers, demonstrated that tens of thousands of devices running outdated firmware are exposed online, making them reachable by attackers. The aim of this study was to examine the state of software components in OT/IoT network devices and assess the security implications of their known vulnerabilities.
Key Findings from the Analysis
The Forescout team analyzed firmware from five popular OT/IoT router vendors: Acksys, Digi, MDEX, Teltonika, and Unitronics. Their findings shed light on several critical issues:
- Prevalence of OpenWrt: OpenWrt, an open-source Linux-based operating system for embedded devices, is used extensively: four of the five firmware images analyzed are based on it. These builds are heavily modified, however, mixing component versions from different releases with custom in-house components, so the OpenWrt base version alone says little about what is actually shipped or how exposed it is.
- Outdated Software Components: The research identified an average of 662 software components per firmware image and 2,154 findings in total, covering known vulnerabilities, weak security postures, and potential new vulnerabilities. The average age of the open-source components was five years and six months, and on average they were four years and four months behind their latest releases. Notably, critical components such as the kernel and OpenSSL were not always updated to their most recent versions.
- Abundance of Known Vulnerabilities: On average, the firmware images contained 161 known vulnerabilities. These vulnerabilities were distributed across various severity levels: 68 with low or medium CVSS scores, 69 with high scores, and 24 with critical scores. The research also found an average of 20 exploitable n-day vulnerabilities affecting the kernel, further exacerbating security risks.
- Insufficient Security Features: The firmware images displayed significant gaps in binary hardening, and use of the standard protections varied widely across binaries. On average only 41% of binaries used RELRO, 31% used stack canaries, 65% used NX, and 75% used PIE. Two further figures point the wrong way: 4% of binaries carried an RPATH (a hard-coded library search path that lets anyone who can write to that directory substitute a library) and 35% still shipped with debugging symbols, which make reverse engineering easier. Taken together, this shows a general lack of consistent binary protection.
- Default Credentials: While all firmware images included default credentials, these were often unique and required users to change them during device setup. This practice helps mitigate exploitation risks under normal circumstances, although it is not a panacea for all security issues.
- Challenges with Custom Patching: Some vendors applied their own patches to address known vulnerabilities, and these backports sometimes introduced new issues. Patches were also applied without incrementing the component version, so the version string no longer reflects the patch state: scanners and SBOM tools that match on version will report an already-fixed flaw as present, a vendor-specific regression goes unnoticed, and users cannot tell from the version what has actually been fixed.
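To make the binary-hardening figures in the list above concrete, here is an added example, not code from the Forescout report or from any vendor it covers, that inspects an ELF image the way checksec does: PIE from e_type, NX from the PT_GNU_STACK flags, RELRO from the presence of PT_GNU_RELRO plus the dynamic section's BIND_NOW flags, and RPATH/RUNPATH from the dynamic tags. The canary and debug-symbol checks are byte-scan heuristics for the __stack_chk_fail symbol name and a .debug_info section name, equivalent to grepping readelf output rather than a full symbol-table parse. The build_sample_elf fixture constructs minimal, non-loadable ELF64 images carrying only the headers the checker reads, so the script runs offline; the "hardened", "partial" and "weak" images and their results are constructed for this example.

```python
import struct

# ELF constants from the System V / GNU ABI
ET_EXEC, ET_DYN = 2, 3
PT_NULL, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 0, 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 24, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def _layout(data):
    """Validate the ELF magic; return (is_64bit, struct endianness prefix)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    return data[4] == 2, ("<" if data[5] == 1 else ">")

def _program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_filesz) for every program header."""
    is64, en = _layout(data)
    if is64:
        (e_phoff,) = struct.unpack_from(en + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(en + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(en + "IIQQQQ", data, off)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from(en + "IIIIIII", data, off)
        yield p_type, p_flags, p_offset, p_filesz

def _dynamic_tags(data, p_offset, p_filesz):
    """Parse the PT_DYNAMIC table into {d_tag: d_val}, stopping at DT_NULL."""
    is64, en = _layout(data)
    fmt = en + ("qQ" if is64 else "iI")
    tags = {}
    for off in range(p_offset, p_offset + p_filesz, struct.calcsize(fmt)):
        d_tag, d_val = struct.unpack_from(fmt, data, off)
        if d_tag == DT_NULL:
            break
        tags.setdefault(d_tag, d_val)
    return tags

def checksec(data):
    """Report the binary-hardening properties from the text for one ELF image (bytes)."""
    _, en = _layout(data)
    (e_type,) = struct.unpack_from(en + "H", data, 0x10)
    has_gnu_stack = stack_exec = has_relro = False
    dyn = {}
    for p_type, p_flags, p_offset, p_filesz in _program_headers(data):
        if p_type == PT_GNU_STACK:
            has_gnu_stack, stack_exec = True, bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = _dynamic_tags(data, p_offset, p_filesz)
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,                 # ET_DYN executable is PIE (shared objects are ET_DYN too)
        "nx": has_gnu_stack and not stack_exec,  # checksec convention: no PT_GNU_STACK means executable stack
        "relro": "full" if has_relro and bind_now else ("partial" if has_relro else "none"),
        "rpath": DT_RPATH in dyn,
        "runpath": DT_RUNPATH in dyn,
        # Heuristics equivalent to grepping readelf output, not a symbol-table parse:
        "canary": b"__stack_chk_fail" in data,   # canary failure handler referenced
        "debug_symbols": b".debug_info" in data,  # DWARF section name present
    }

def coverage(images):
    """Share of images having each property, in percent (the report's presentation)."""
    rows = [checksec(img) for img in images]
    has = {"relro": lambda r: r["relro"] != "none", "rpath": lambda r: r["rpath"] or r["runpath"]}
    return {k: 100 * sum(1 for r in rows if has.get(k, lambda r: r[k])(r)) // len(rows)
            for k in ("relro", "canary", "nx", "pie", "rpath", "debug_symbols")}

def build_sample_elf(pie, nx, relro, bind_now, rpath_tag, canary, debug):
    """Constructed fixture: a minimal, non-loadable ELF64 little-endian image holding only
    the headers checksec() reads, so the example runs without a firmware image at hand."""
    ehsize, phentsize, phnum = 64, 56, 3
    tags = ([DT_BIND_NOW] if bind_now else []) + ([rpath_tag] if rpath_tag else []) + [DT_NULL]
    dyn = b"".join(struct.pack("<qQ", tag, 0) for tag in tags)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                        ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    def phdr(p_type, p_flags, p_offset, size):  # Elf64_Phdr with vaddr/paddr left zero
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, size, size, 8)
    phdrs = (phdr(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0)               # RW vs RWX stack
             + phdr(PT_GNU_RELRO if relro else PT_NULL, 0x4, 0, 0)
             + phdr(PT_DYNAMIC, 0x6, ehsize + phentsize * phnum, len(dyn)))
    strings = (b"__stack_chk_fail\0" if canary else b"puts\0") + (b".debug_info\0" if debug else b"")
    return ehdr + phdrs + dyn + strings

if __name__ == "__main__":
    hardened = build_sample_elf(True, True, True, True, None, True, False)
    partial = build_sample_elf(True, True, True, False, DT_RUNPATH, True, False)
    weak = build_sample_elf(False, False, False, False, DT_RPATH, False, True)
    for name, img in (("hardened", hardened), ("partial", partial), ("weak", weak)):
        print(f"{name:9}", checksec(img))
    print("coverage ", coverage([hardened, partial, weak]))
```

On an extracted firmware root you would walk the tree and call checksec() on the bytes of every file that starts with the ELF magic, then pass the results to coverage() to get per-image percentages comparable to the report's 41%/31%/65%/75% figures. The fixture deliberately omits section headers and a real symbol table, which is why the canary and debug checks are string scans; a production checker should parse .dynsym and the section-name table instead.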
Implications and Recommendations
The report emphasizes a troubling trend: despite the widespread use of OpenWrt, the presence of outdated software components and known vulnerabilities remains a significant issue. Larry Pesce, Director of Product Research and Development at Finite State, notes, “These findings highlight the critical importance of addressing software supply chain risks, as our analysis identified an average of 161 known vulnerabilities per firmware image, including 24 with critical scores.”
The research also indicates that newer components tend to correlate with fewer vulnerabilities and better binary protections. This suggests that regular updates and the adoption of more recent components are crucial for improving security. Additionally, more stringent practices around patch management and clearer communication regarding software versions can help mitigate some of the risks associated with outdated components.
To address these issues, vendors and users alike should focus on the following measures:
- Regular Firmware Updates: Ensure that firmware is updated regularly to incorporate the latest security patches and component updates.
- Enhanced Security Practices: Build firmware binaries with the standard hardening options, such as RELRO (-Wl,-z,relro -Wl,-z,now), stack canaries (-fstack-protector-strong), and PIE (-fPIE -pie), avoid hard-coded RPATHs, and strip debugging symbols from release images, so that memory-safety bugs in outdated components are harder to turn into working exploits.
- Clear Patch Management: Adopt clear and consistent patch management practices, including proper versioning of components to avoid confusion about their security status.
- Increased Awareness: Educate users and administrators about the importance of firmware updates and the risks associated with outdated components.
In conclusion, while OpenWrt-based firmware remains prevalent in OT and IoT routers, the persistence of known vulnerabilities and outdated components poses significant security risks. By addressing these issues through regular updates, enhanced security practices, and clear patch management, the industry can better safeguard connected devices and systems against evolving threats.