Full Title: Old Code Dies Hard: Finding New Vulnerabilities in Old Third-Party Software Components and the Importance of Having SBoM for IoT/OT Devices
Device manufacturers often rely on "security by obscurity" for their own code - e.g., by encrypting firmware files - and on the "principle of many eyes" when choosing to integrate open source components - i.e., if there are no public CVEs, a component is considered safe.
This talk shows that these principles can fail the manufacturers, but serve the attackers well. Our running example is the software components of a wireless gateway device that is used to bring networking to industrial control systems, remote healthcare locations, and other environments. We discuss our journey of finding over 20 vulnerabilities within these components, both internal and open source...
By: Stanislav Dashevskyi , Francesco La Spina
Full Abstract and Presentation Materials:
www.blackhat.com/eu-23/briefi...