Security risks in OT/IoT routers: New report shows alarming facts

Risk management in the software supply chain for IoT devices: A guide to improve cyber security

Munich (ots)

In today's networked world, on the Internet of Things (IoT) and Operational Technology (OT), the safety of software supply chains becomes an urgent topic. A new report by Forescout Technologies and Finite State entitled "Rough Around the Edges" offers a deep analysis of the security situation in this critical infrastructure.

discovered security dates

The investigation shows that common router firmware images have significant weaknesses. There are an average of 20 exploited N-Day weak spots in the kernel. Overall, the experts analyzed firmware images from providers such as Acksys, Digi, Mdex, Teltonika and Unitronics. These images, often based on OpenWRT, contain an average of 662 components with 2,154 safety assessments.

It is particularly alarming that 161 known weaknesses were identified per image, including 24 classified as critical. Many of these problems are due to the age of the open source components used, which are on average 5.5 years old and are therefore far behind the latest versions. Security features such as Relro, Stack Canaries and NX are common.

challenges for cyber security

With over 40 million exposed devices in the Dach region,

Germany occupies a top position. The most frequently used weak points include security gaps in devices from Citrix ADC, Cisco iOS and Huawei Home Gateway. This situation is assessed as serious by experts like Daniel Dos Santos by Forescout. He indicates the growing risk of botnets, advanced persistent threats (apts) and hacktivists.

In addition, Larry Pesce, another expert of Finite State, underlined urgency to prioritize the risk reduction in the software supply chain. "Recent firmware usually has fewer vulnerabilities and offers better binary protection. However, even the latest images often show defects in relation to critical components such as kernel and OpenSSL," explains PESCE.

recommendations for companies

Barry Mainz, CEO of Forescout, pleads for robust cyber security measures to protect critical infrastructures. He recommends creating a comprehensive system inventory, the integration of software Bills of Materials (SBOMS) and a targeted risk analysis. A positive development is that standard login data is often generated individually and must be changed during configuration. Nevertheless, there are challenges because manufacturers sometimes patch weaknesses, which can lead to new problems.

conclusion: Need for action orientation

The results of the report emphasize the urgency to tackle risks in the software supply chain of OT/IoT devices. Companies are required to take clear measures to improve cyber security. In view of the progressive networking of systems, targeted strategies for risk reduction are not only useful, but also necessary to protect the digital infrastructure.

Further information can be found in the report "Rough Around the Edges".