Abstract:IoT devices are becoming popular. Meanwhile, researchers are actively working on improving the security of IoT devices. However, previous works ignore the insecurity caused by a special category of devices, i.e., the End-of-Life (EoL) devices. Once a product becomes End-of-Life, vendors tend to no longer maintain its firmware or software, including fixing bugs and patching vulnerabilities. This makes EoL devices susceptible to attacks. For instance, a report showed that an EoL model with thousands of active devices was exploited to redirect web traffic for malicious purposes. In this paper, we conduct the first empirical study to shed light on the (in)security of EoL devices. To this end, our study performs two types of analysis, including the liveness analysis and the vulnerability analysis . The first one aims to detect the scale of EoL devices that are still alive in the wild. The second one is to evaluate the vulnerabilities existing in (active) EoL devices. We applied our approach to a large number of EoL models from three vendors (i.e., D-Link, Tp-Link, and Netgear) and detect the alive devices in a time period of more than two years . Our study reveals some worrisome facts that were unknown by the community. For instance, there exist a large number (more than 3 million) of active EoL devices. Some devices (more than 1 million) are still alive even after five years since EoL. Furthermore, more than half of the vulnerabilities (182 of 294) are discovered after the EoL date. Although vendors may release security patches after the EoL date, the process is ad hoc and incomplete, with only limited functionality. Furthermore, these patches can have side effects, such as providing valuable information to attackers. In summary, more than 2 million active EoL devices are vulnerable, and nearly half of them are threatened by high-risk vulnerabilities. Attackers can achieve a minimum of 8.67 Tbps DDoS attack by exploiting OS command injection vulnerabilities and compromising a large number of active EoL devices. We believe these facts pose a clear call for more attention to deal with the security issues of EoL devices.

An Empirical Study on the Insecurity of End-of-Life (eol) IoT Devices

A Measurement Study on the (In)security of End-of-Life (EoL) Embedded Devices

A Large-Scale Empirical Study on the Vulnerability of Deployed IoT Devices

An Empirical Study of High-Risk Vulnerabilities in IoT Systems

How IoT Re-using Threatens Your Sensitive Data: Exploring the User-Data Disposal in Used IoT Devices.

Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols

A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices

IoT Security: An End-to-End View and Case Study

Understanding IoT Security Through the Data Crystal Ball: Where We Are Now and Where We Are Going to Be

Detecting IoT Devices and How They Put Large Heterogeneous Networks at Security Risk

An Empirical Study of Open Edge Computing Platforms: Ecosystem, Usage, and Security Risks

A Survey on IoT Vulnerability Discovery.

A Survey of the Security Analysis of Embedded Devices

Beware of the App! On the Vulnerability Surface of Smart Devices through their Companion Apps

Survey on Enterprise Internet-of-Things Systems (E-IoT): A Security Perspective

Empirical Study of System Resources Abused by IoT Attackers.

Security Weaknesses in IoT Management Platforms

Dissecting Open Edge Computing Platforms: Ecosystem, Usage, and Security Risks

Vulnerability Detection in IoT Firmware: A Survey

Detecting Authentication-Bypass Flaws in a Large Scale of IoT Embedded Web Servers.

Leveraging Electromagnetic Side-Channel Analysis for the Investigation of IoT Devices