OEM Finder: Hunting Vulnerable OEM IoT Devices at Scale

Presented at Black Hat Europe 2019, Dec. 5, 2019, 11:55 a.m. (25 minutes)

Nowadays, many consumer IoT vendors employ an OEM production model: they purchase IoT devices from OEM suppliers, then customize and sell those devices under their own brands. While this production model can reduce device manufacturing costs, it can lead to a high security risk: generally, when the original device is vulnerable, the OEM (re-branded) device is also vulnerable. Indeed, a survey conducted by IPVM in 2017 concluded that a vulnerability found in a network camera from Hikvision (an OEM supplier) propagated to its various OEM devices, which are sold by over 80 vendors. Unfortunately, we found that, in cases including the one above, the vulnerability databases (e.g., NVD, CVE) do not list or announce vulnerable OEM devices among the affected products of a vulnerability. One probable cause is that there is still no means of finding OEM devices other than asking the OEM suppliers or inspecting each device manually.

To address this supply chain risk, we developed a new tool called OEM Finder, which automatically detects OEM device candidates based on the similarity in appearance between the OEM device and the original device. To achieve fast, automatic, and precise OEM device detection, we adopt an object recognition algorithm (KAZE) with k-NN and employ graph kernels. Using this tool, we found more than 180 unique vulnerable OEM device candidates among over 50,000 IoT device images that we had collected from e-commerce (EC) websites. Furthermore, we analyzed the latest firmware images of some of these OEM device candidates, as distributed by the OEM vendors (not the OEM suppliers), and confirmed that the devices detected by the tool are indeed OEM devices. Moreover, we found that the OEM firmware images are still vulnerable.

At the end of the talk, we will publish this tool as an online search engine. By uploading a photo of a vulnerable IoT device, users can have this web service list the OEM device candidates that potentially contain the identical vulnerability. We believe that our web service could help to facilitate finding vulnerable OEM devices and mitigate the security risk.

Presenters:

  • Asuka Nakajima - Security Researcher, NTT Secure Platform Laboratories
    Asuka Nakajima is a researcher at the NTT Secure Platform Laboratories. Her research interests include reverse engineering, vulnerability discovery, and IoT security. Since 2014, she has been a member of the executive committee of SECCON, the largest CTF organizer in Japan. She is also the founder and leader of "CTF for GIRLS", the first female infosec community in Japan. She has presented at various security conferences and events, including Black Hat USA 2019, Asia CCS 2019, AIS3 2018/2016, and PHDays IV. Asuka also serves as a Review Board member for Black Hat Asia 2018/2019 and BlueHat Shanghai 2019. She is also the author of "Cyber Attack" (Bluebacks, 2018), a best-selling book in Japan.
