OEM Finder: Hunting Vulnerable OEM IoT Devices at Scale

Conference:  BlackHat EU 2019



The presentation discusses the development of a tool called OM Finder, which can automatically detect vulnerable OEM devices based on their appearance similarity to the original device. The tool aims to solve the issue of vulnerable OEM devices not being included in vulnerability databases.
  • OEM devices are vulnerable when the original device is vulnerable, but vulnerability databases do not include and announce the vulnerable OEM devices as one of the affected products.
  • The proposed approach uses a specific object recognition algorithm called Casa to extract object features and construct a relative neighborhood graph based on a mask key point to detect OM device candidates.
  • The experiment conducted using two datasets found over 180 unique vulnerable OEM device candidates sold by over 25 vendors.
  • OM Finder can be applied to other types of IoT devices such as smart speakers and routers.
  • The tool can help improve the security of consumer IoT devices by detecting vulnerable OEM devices automatically.
The speaker showed a demo of the tool, where he used OM Finder to find vulnerable OEM devices of a Heike vision network camera model. The tool successfully detected nine vulnerable devices, including a false positive. The speaker also acknowledged his team members for discussing the research with him.


Nowadays, many consumer IoT vendors employ an OEM production model. They purchase IoT devices from OEM suppliers, then customize and sell those devices under their own brands. While this production model can reduce the device manufacturing costs, it could lead to a high-security risk; generally, when the original device is vulnerable, the OEM device (re-branded device) is also vulnerable. Indeed, the survey conducted by IPVM in 2017 concluded that the vulnerability found in the Hikvision's (OEM supplier's) network camera is propagated to its various OEM devices, which are sold by over 80 vendors. Unfortunately, including the above case, we found that the vulnerability databases (e.g., NVD, CVE) do not include and announce vulnerable OEM devices as one of the affected products of the vulnerability. One of the probable causes is that there is still no means to find the OEM devices other than asking the OEM suppliers or inspecting each device manually. In order to address this supply chain risk, we developed a new tool called OEM Finder, which can automatically detect OEM device candidates based on the similarity of its appearance between the OEM and original device. To achieve fast, automatic and precise OEM device detection, we adopt an object recognition algorithm (KAZE) with k-NN, and employ graph kernels. Using this tool, we found more than 180 unique vulnerable OEM device candidates from over 50,000 IoT device images, which we had collected from EC websites. Furthermore, we analyzed the latest firmware image of some of these OEM device candidates, which are distributed by the OEM vendor (not OEM suppliers), and confirmed that the devices detected by the tool are indeed an OEM device. Moreover, we also found that the OEM firmware images are still vulnerable. At the end of the talk, we will publish this tool as an online search engine. By uploading a photo of vulnerable IoT devices, this web service can list the OEM device candidates that potentially contain the identical vulnerability. We believe that our web service could help to facilitate finding vulnerable OEM devices and mitigate the security risk.