About Session
Technical Level: Intermediate
This talk will give a deep perspective on the state of software supply chains for edge devices, using popular IoT/OT routers as examples. These routers provide connectivity to critical infrastructure and have been targeted by cybercriminal botnets, APT groups, and hacktivists.
We will provide a qualitative and quantitative analysis of: how different firmware is often built from the same basic components and how devices get rebranded; the average age of the open-source components in these firmware images, how many components are end-of-life, and how newer firmware sometimes ships older components than its predecessor; the number and types of n-day vulnerabilities originating from third-party components; and how often security hardening or exploit mitigation features are enabled on these components.
Our analysis is based on accurate Software Bills of Materials (SBOMs) that we built for the routers using both an automated commercial tool and manual validation, since these SBOMs are rarely provided by the manufacturers.
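As an added illustration, not part of the session or its authors' tooling, the metrics listed above computed over a constructed pair of SBOMs for two firmware releases of the same device; the component names, versions, dates and hardening flags are hypothetical values chosen for the example:

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Component:
    """One SBOM entry (constructed sample data, not from any real firmware)."""
    name: str
    version: str
    released: date      # upstream release date of this version
    end_of_life: bool   # upstream no longer maintains this release line
    hardened: bool      # binary built with mitigations (e.g. stack protector, RELRO, PIE)


# Hypothetical SBOM for firmware v1 of a router.
FIRMWARE_V1 = [
    Component("busybox", "1.20.0", date(2012, 4, 21), True, False),
    Component("openssl", "1.0.2u", date(2019, 12, 20), True, False),
    Component("dropbear", "2019.78", date(2019, 3, 27), False, True),
]
# Hypothetical SBOM for the newer firmware v2 of the same device.
FIRMWARE_V2 = [
    Component("busybox", "1.19.4", date(2012, 2, 4), True, False),   # regressed to an older busybox
    Component("openssl", "1.1.1k", date(2021, 3, 25), False, True),
    Component("dropbear", "2019.78", date(2019, 3, 27), False, True),
]


def average_age_years(sbom, today):
    """Mean age of the shipped component versions, in years, as of `today`."""
    return sum((today - c.released).days for c in sbom) / len(sbom) / 365.25


def count_end_of_life(sbom):
    """Number of components whose release line is end-of-life."""
    return sum(c.end_of_life for c in sbom)


def hardening_ratio(sbom):
    """Fraction of components built with exploit mitigations."""
    return sum(c.hardened for c in sbom) / len(sbom)


def regressions(old_sbom, new_sbom):
    """Components whose version in the newer firmware is older upstream than in the previous firmware."""
    old = {c.name: c for c in old_sbom}
    return sorted(c.name for c in new_sbom if c.name in old and c.released < old[c.name].released)


if __name__ == "__main__":
    today = date(2024, 1, 1)
    for label, sbom in (("v1", FIRMWARE_V1), ("v2", FIRMWARE_V2)):
        print(label, round(average_age_years(sbom, today), 1), "yrs avg,",
              count_end_of_life(sbom), "EOL,", hardening_ratio(sbom), "hardened")
    print("regressed in v2:", regressions(FIRMWARE_V1, FIRMWARE_V2))
```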
We will show that firmware images from different vendors within the same category of devices are very similar in what components they use, yet very different in what version of these components they use. Furthermore, this research highlights the importance of manufacturers providing precise SBOMs, while also emphasizing the limitations of automatically generating them from firmware.