Vulnerabilities on customer devices: a never-ending story
Authors:
Pierre-Yves Marche
Head of Devices Security
Orange Innovation Partnerships, Content & Devices
Orange Expertise Security community
Fabrice Fontaine
Embedded Security Expert
Orange Innovation IT-S HOME Services
Orange Expertise Security community
A remarkable rise in the number of connected devices owned by each consumer
By the end of 2029, there will be 9 billion consumer electronic devices in the hands of consumers.1 The average number of devices owned per person globally increased from 2.4 to 3.6 between 2018 and 2023. More specifically, in North America, the average individual owned approximately 8 devices in 2018, rising to 13 in 2023, while in Western Europe, the average increased from 5.6 in 2018 to 9.4 in 2023.2
All these devices are connected to the Internet, transmitting large amounts of valuable data that enhance the intelligence and efficiency of users, industries, healthcare, and vehicles. However, will all these devices be secure? What measures are being taken to prevent, or at least mitigate, the risks of information theft and other forms of cybercrime?
1 https://www.statista.com/outlook/cmo/consumer-electronics/worldwide#volume
2 https://www.statista.com/chart/32691/average-number-of-devices-and-connections-per-capita
Network operator devices targeted by cybercriminals
Network operators, including Orange, play a crucial role in enhancing the security of various devices. They not only sell smartphones but also supply millions of home gateways, set-top boxes, and 4G/5G routers.
Due to their strategic position, operators have long been targets for cybercriminals. For instance, at the end of 2016, a global attack affected routers, resulting in approximately four percent of a Tiers-1 European operator's customers facing router issues because certain models could not handle the high volume of requests and subsequently crashed.3 Several hundred thousand computers worldwide were successfully attacked, infected with malware, and incorporated in a botnet. Additionally, in 2018, researchers identified a vulnerability in 19 000 modems, which allowed remote, unauthenticated users to access the device’s SSID and Wi-Fi password.4 More recently, in March 2024, authorization bypass issues affecting US modems, which have since been patched, could have been exploited to gain unauthorized access to the devices and execute malicious commands.5
3 https://thehackernews.com/2024/06/researcher-uncovers-flaws-in-cox-modems.html
4 https://www.bitdefender.com/en-us/blog/hotforsecurity/19000-orange-livebox-adsl-modems-found-leaking-wifi-passwords
5 https://www.telekom.com/en/company/data-privacy-and-security/archiv-datenschutznews/news/seven-facts-about-the-2016-global-router-attack-500218
Security at Orange: from requirements to comprehensive device audits
Recognizing these threats for years, Orange has assembled a diverse team of security experts, some of whom collaborate within the 'Home Device Security' team. This team's objective is to establish and uphold a strong security posture through bootloader assessments, Wi-Fi standardization, penetration testing, risk analysis, software development, and project leadership.
It is crucial for non-security experts to understand that security must be integrated 'by design.' Attempting to secure off-the-shelf products after the fact can often be an unfeasible task. Consequently, a set of requirements is provided to manufacturers for all products sold under the Orange brand (e.g., Liveboxes, Funboxes, airboxes). Examples of these requirements include having a dedicated security co-processor, implementing a root of trust, disabling debug ports, enabling binary hardening, and promptly addressing public vulnerabilities in open-source components, all outlined in the Security Book of Requirements.
Merely having requirements is insufficient, as developers may not fully comprehend or implement them. Consequently, multiple iterative audits and penetration tests are conducted to identify critical flaws and rectify them prior to launch. Remote Code Execution vulnerabilities, particularly through shell injections in web servers, are sometimes found among many device manufacturers and need to be identified and addressed promptly.
Given the complexities of security, it is essential to collaborate and share ideas, resources, and code with others. Orange actively utilizes and contributes to open-source tools, such as cve-bin-tool 6, released by Intel in 2019. This project serves as an excellent resource for penetration testers, as it aims to extract the versions of open-source components by analyzing binary code. Since 2022, Orange has significantly enhanced this tool by adding hundreds of version patterns and is now the second-largest contributor after Intel as well as a co-maintainer since March 2025.
Upcoming European regulatory requirements
Regarding open-source components and critical vulnerabilities, upcoming regulatory requirements such as the Network and Information Systems Directive 2 (NIS2) and the Cyber Resilient Act (CRA) are increasing the demand for improved transparency, risk management, and compliance. This is a significant issue, as software providers often lack a comprehensive understanding of what is embedded in their products. While they are familiar with the code they have developed, they are frequently unaware of the security vulnerabilities present in the various complex software layers they utilize. Although tools like cve-bin-tool can assist them, it would be more beneficial if each software provider could supply a Software Bill of Materials (SBOM) that lists all components in their software, detailing dependencies, and their origins. Unfortunately, many software providers are not well-versed in this concept.
Cybeats empowers organizations to track software elements and vulnerabilities across device fleets and product lines. The platform maps risks and dependencies between open-source and proprietary software components to enable proactive vulnerability lifecycle management.
Through import of VEX (Vulnerability and Exploitability eXchange), Cybeats delivers precise risk intelligence that transforms complex software supply chains into transparent and manageable resources, saving customers hundreds of hours per open source project while securing both operational assets and products throughout their lifecycle.
To address this gap, Orange started 18 months ago by asking its device manufacturers to provide the SBOM for each firmware running on products. With the provided SBOM, the Orange team is using the Cybeats SBOM Studio7 to detect component versions with well-known vulnerabilities. This allows us to proactively and easily challenge our suppliers, for example requesting them updated firmware with non-vulnerable versions. It should also be noted that the tool will later proactively notify us if new CVEs are detected as affecting our product during the lifetime.
Our objective with the SBOM management implementation is to anticipate compliance with the CRA, better challenge our suppliers regarding supply chain vulnerabilities, and provide tools to project managers and in-life product managers to maintain a good level of security during the whole lifetime of products without involving security experts every time.
Finally, it must be noted that implementing SBOM and SBOM management is not sufficient for security. This technology will not detect all kinds of vulnerabilities, such as configuration errors or weak parameters, which will be identified by pentesters or bug bounty programs. However, SBOM should significantly ease the detection and improve the scale of correction of supply chain software vulnerabilities on consumer devices.