Cellular routers connect critical Operational Technology (OT) and Internet of Things (IoT) devices to the internet. Electrical substations. Oil and gas fields. Temporary healthcare facilities — and more. These connections allow remote monitoring and control, especially where wired networks are difficult to deploy.
At the end of 2023, we studied vulnerabilities in routers from a single OT/IoT vendor, published as Sierra:21. In that research, Forescout Research — Vedere Labs discovered that open-source software components are a key vulnerability. Today, we have widened our research lens to understand the state of software components in OT/IoT network devices beyond one vendor. Our goal: to understand risk in the software supply chain from existing (“n-day”) vulnerabilities in the latest router firmware.
Supply-chain vulnerabilities are hard to eradicate because firmware images frequently depend on outdated components for compatibility — allowing threat actors to target many devices with a single exploit. However, identifying the intricate components used in common models of a specific class of devices is difficult at scale. To help, we partnered with Finite State, a leading Software Bill of Materials (SBoM) vendor, to analyze firmware images from popular routers: Acksys, Digi, MDEX, Teltonika, and Unitronics.