Severe SDK vulnerabilities at Broadcom due to copy-paste engineering

• Cisco small business routers and other well-known manufacturers affected
• Vulnerabilities discovered as early as 2011, yet still resurface

Bad Homburg, October 7th, 2021– Hardware components from Broadcom can be found in numerous devices from leading vendors such as Cisco, DD-WRT or Linksys. Security firm IoT Inspector recently reported that significant vulnerabilities lie deep in the software development kit (SDK). The IoT Inspector Research Lab team just exposed vulnerabilities that have been a common thread throughout products built on Broadcom for more than a decade, providing a welcome entryway for hackers. In addition to the issue of the unmonitored supply chain — i.e., the use of hardware without prior risk verification — what stands out here is how serious the consequences of copy-paste engineering can be: “Although Broadcom published a patch as early as 2011 according to our findings, leading manufacturers repeatedly build these vulnerabilities into products as they rely on a faulty version of the SDK,” recognizes Florian Lukavsky, Managing Director of IoT Inspector. The company offers a comprehensive platform for analyzing device firmware and regularly uncovers vulnerabilities at component or device manufacturers. The company carries out security checks on behalf of manufacturers and distributors, as well as for scientific purposes.

The Supply chain requires control

Among others, the Cisco routers of the small business series RV110W, RV130, RV130W and RV215W, which are used by thousands of companies, are affected by the security vulnerabilities. This allows remote control of the router and a denial of service (DoS) attack via the Universal Plug-and-Play (UPnP) function. The vulnerability is listed under CVE-2021-34730 with a risk rating of 9.8 (critical) for Cisco. Identifying the affected devices is problematic. To date, Broadcom has not provided any information about which versions of the SDK are affected. As was the case with the Realtek vulnerability, which was distributed hundreds of thousands of times worldwide, IoT Inspector offers a free service that allows users to check whether  said vulnerability impacts a product in use from the aforementioned manufacturers. “The real vulnerability lies in the supply chain. Device manufacturers use third-party building blocks and install them without checking the source codes. Things must change quickly to create transparency and force hackers on the defensive whenever possible,” explains Florian Lukavsky of IoT Inspector.

Copy-Paste-Engineering

At the root of such vulnerabilities is the use of existing software development kits that are simply rewritten for new devices. In doing so, the potential for damage lies hugely hidden in the depth of the code. “Vulnerabilities like these often disappear somewhere deep in the code and are hardly noticed during the development of components such as Wi-Fi routers. However, this potentiates the associated danger, while making it more difficult to trace the flaws,” Florian Lukavsky sums up. The IoT Inspector platform can detect numerous vulnerabilities during an automated firmware check. Elimination is then once again up to the respective manufacturer or distributor, both in ongoing production and for existing devices on the market that require a patch. Yet, IoT Inspector's experience shows that even these can harbor risks, since it is not uncommon for new vulnerabilities to be generated as a result of an untested patch.