Severe SDK vulnerabilities at Broadcom due to copy-paste engineering

  • Cisco small business routers and other well-known manufacturers affected
  • Vulnerabilities discovered as early as 2011, yet still resurface

Bad Homburg, October 7th, 2021 – Hardware components from Broadcom can be found in numerous devices from leading vendors such as Cisco, DD-WRT or Linksys. Security firm IoT Inspector recently reported that significant vulnerabilities lie deep in the software development kit (SDK). The IoT Inspector Research Lab team has just exposed vulnerabilities that have been a common thread throughout products built on Broadcom for more than a decade, providing a welcome entryway for hackers. In addition to the issue of the unmonitored supply chain (i.e., the use of hardware without prior risk verification), what stands out here is how serious the consequences of copy-paste engineering can be: “Although Broadcom published a patch as early as 2011 according to our findings, leading manufacturers repeatedly build these vulnerabilities into products as they rely on a faulty version of the SDK,” says Florian Lukavsky, Managing Director of IoT Inspector. The company offers a comprehensive platform for analyzing device firmware and regularly uncovers vulnerabilities at component or device manufacturers. It carries out security checks on behalf of manufacturers and distributors, as well as for scientific purposes.

The supply chain requires control

Among others, the Cisco small business routers RV110W, RV130, RV130W and RV215W, which are used by thousands of companies, are affected by the security vulnerabilities. The flaws allow remote control of the router and a denial of service (DoS) attack via the Universal Plug-and-Play (UPnP) function. The vulnerability is listed under CVE-2021-34730 with a risk rating of 9.8 (critical) for Cisco. Identifying the affected devices is problematic: to date, Broadcom has not provided any information about which versions of the SDK are affected. As was the case with the Realtek vulnerability, which was distributed hundreds of thousands of times worldwide, IoT Inspector offers a free service that allows users to check whether said vulnerability impacts a product in use from the aforementioned manufacturers. “The real vulnerability lies in the supply chain. Device manufacturers use third-party building blocks and install them without checking the source codes. Things must change quickly to create transparency and force hackers onto the defensive whenever possible,” explains Florian Lukavsky of IoT Inspector.


At the root of such vulnerabilities is the use of existing software development kits that are simply rewritten for new devices. In doing so, the potential for damage lies hidden deep in the code. “Vulnerabilities like these often disappear somewhere deep in the code and are hardly noticed during the development of components such as Wi-Fi routers. However, this potentiates the associated danger, while making it more difficult to trace the flaws,” Florian Lukavsky sums up. The IoT Inspector platform can detect numerous vulnerabilities during an automated firmware check. Elimination is then once again up to the respective manufacturer or distributor, both in ongoing production and for existing devices on the market that require a patch. Yet IoT Inspector’s experience shows that even patches can harbor risks, since it is not uncommon for new vulnerabilities to be generated as a result of an untested patch.



ONEKEY is a leading European specialist in product cybersecurity. The unique combination of an automated security & compliance software analysis platform and consulting services by cybersecurity experts provides fast, comprehensive analysis, and solutions in the area of IoT/OT product cybersecurity. Building upon automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time, and can thus be remediated in a targeted manner. The easy-to-integrate solution enables manufacturers, distributors, and users of IoT technology to quickly and continuously perform 24/7 security and compliance audits throughout the product lifecycle. Leading international companies in Asia, Europe, and America are already successfully benefiting from the ONEKEY platform and experts.


Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150
