Small Office/Home Office (SOHO) devices are widely popular, yet often attacked due to security vulnerabilities in their firmware, affecting thousands of devices. These security vulnerabilities often stem from outdated Linux kernel versions included in SOHO device firmware. Naturally, prior work audited the extent and impact of this issue by simple Linux version extraction and version-number-based vulnerability mapping. However, it is unclear how many of these anticipated vulnerabilities actually exist in the heavily customized SOHO kernels, and whether there are barriers to updating Linux kernels in SOHO firmware. To address this gap, we uncover actual kernel-related vulnerabilities in 306 SOHO devices using a high-precision template-based CVE detection mechanism on GPL source releases of more than 900 firmware images from these devices. Next, as a first, we trace the supply chain of these vulnerable SOHO devices at scale and identify kernel lock-in as a significant security issue: SOHO vendors are effectively locked to specific (often older) kernel versions by the system-on-chip (SoC) SDKs they use. This kernel lock-in produces a vulnerability debt that is inherited along the supply chain from the SoC vendor to the firmware creators (ODM/OEM) to the router/IP-camera vendor, and is ultimately borne by end users. All five SoC vendors in our dataset had used SDKs with Linux kernels that had reached end of life (EoL) more than a year before they were used in a SOHO device. Finally, we explore the mitigation potential of individual, regulatory and community governance by analyzing social media posts, regulations and community efforts. Our results show that regulatory compliance is insufficient and that only SoC vendors who engage with communities on kernel upgrades offer a viable path towards mitigation. The data and code for this work are available at https://doi.org/10.5281/zenodo.20433799
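The version-extraction step that the abstract contrasts with template-based detection, and the EoL gap it calls vulnerability debt, can be reproduced from a GPL source drop's top-level kernel Makefile. The following is an added example, not code from the paper or its released artifact; the EoL table holds constructed placeholder dates (replace them with the kernel.org longterm-series dates), and the Makefile header is a constructed sample.

```python
import re
from datetime import date

# Constructed placeholder EoL dates per kernel series (assumption, not authoritative).
KERNEL_SERIES_EOL = {
    "2.6.36": date(2011, 2, 17),
    "3.10": date(2017, 11, 4),
    "4.4": date(2022, 2, 3),
}

# Real Linux Makefiles open with these four assignments, one per line.
_FIELD = re.compile(r"^(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)\s*=\s*(\S*)\s*$", re.M)


def parse_kernel_version(makefile_text):
    """Return (series, full_version) read from a kernel Makefile header."""
    fields = dict(_FIELD.findall(makefile_text))
    for key in ("VERSION", "PATCHLEVEL", "SUBLEVEL"):
        if key not in fields:
            raise ValueError(f"missing {key} in Makefile header")
    major, minor, sub = fields["VERSION"], fields["PATCHLEVEL"], fields["SUBLEVEL"]
    extra = fields.get("EXTRAVERSION", "")
    # 2.6.x kernels were maintained per SUBLEVEL; later kernels per major.minor.
    series = f"{major}.{minor}.{sub}" if major == "2" else f"{major}.{minor}"
    return series, f"{major}.{minor}.{sub}{extra}"


def eol_debt_days(series, firmware_release_iso):
    """Days the series had already been EoL when the firmware shipped.

    Negative means the series was still supported; None means the series is
    not in the table (report as unknown rather than guess).
    """
    eol = KERNEL_SERIES_EOL.get(series)
    if eol is None:
        return None
    return (date.fromisoformat(firmware_release_iso) - eol).days


def audit_gpl_drop(makefile_text, firmware_release_iso):
    """Combine both steps into one record for a firmware GPL source release."""
    series, full = parse_kernel_version(makefile_text)
    return {"series": series, "version": full,
            "eol_debt_days": eol_debt_days(series, firmware_release_iso)}


# Constructed sample header mimicking a vendor SDK kernel.
SAMPLE_MAKEFILE = "VERSION = 2\nPATCHLEVEL = 6\nSUBLEVEL = 36\nEXTRAVERSION = .4\nNAME = Sample\n"

if __name__ == "__main__":
    print(audit_gpl_drop(SAMPLE_MAKEFILE, "2013-05-01"))
```

A version match alone only says a fix might be missing; the abstract's point is that confirming it requires checking the customized source itself.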