A Measurement Study on the (In)security of End-of-Life (EoL) Embedded Devices

TL;DR

This study investigates the security risks of End-of-Life embedded devices, revealing millions are still active and vulnerable, posing significant threats like large-scale DDoS attacks, highlighting urgent need for better EoL device security management.

Contribution

First measurement study analyzing the security status of EoL embedded devices, providing insights into their prevalence, vulnerabilities, and potential attack impacts.

Findings

Over 2 million active EoL devices identified

Nearly 300,000 EoL devices remain active after five years

More than 1 million EoL devices are vulnerable to high-risk exploits

Abstract

Embedded devices are becoming popular. Meanwhile, researchers are actively working on improving the security of embedded devices. However, previous work ignores the insecurity caused by a special category of devices, i.e., the End-of-Life (EoL in short) devices. Once a product becomes End-of-Life, vendors tend to no longer maintain its firmware or software, including providing bug fixes and security patches. This makes EoL devices susceptible to attacks. For instance, a report showed that an EoL model with thousands of active devices was exploited to redirect web traffic for malicious purposes. In this paper, we conduct the first measurement study to shed light on the (in)security of EoL devices. To this end, our study performs two types of analysis, including the aliveness analysis and the vulnerability analysis. The first one aims to detect the scale of EoL devices that are still alive. The second one is to evaluate the vulnerabilities existing in (active) EoL devices. We have applied our approach to a large number of EoL models from three vendors (i.e., D-Link, Tp-Link, and Netgear) and detect the alive devices in a time period of ten months. Our study reveals some worrisome facts that were unknown by the community. For instance, there exist more than 2 million active EoL devices. Nearly 300,000 of them are still alive even after five years since they became EoL. Although vendors may release security patches after the EoL date, however, the process is ad hoc and incomplete. As a result, more than 1 million active EoL devices are vulnerable, and nearly half of them are threatened by high-risk vulnerabilities. Attackers can achieve a minimum of 2.79 Tbps DDoS attack by compromising a large number of active EoL devices. We believe these facts pose a clear call for more attention to deal with the security issues of EoL devices.