
arxiv: 2606.11175 · v1 · pith:UJBY63D5new · submitted 2026-06-09 · 💻 cs.CR

Anchors that Don't Lift: Understanding Supply Chain Driven Kernel Lock-In and Governance-Mediated Mitigation Strategies in SOHO Devices

Pith reviewed 2026-06-27 12:25 UTC · model grok-4.3

classification 💻 cs.CR
keywords SOHO devices · Linux kernel vulnerabilities · supply chain security · firmware analysis · kernel lock-in · CVE detection · governance mitigation

The pith

SOHO vendors are locked to outdated Linux kernels by SoC SDKs, inheriting vulnerability debt along the supply chain to end users.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines why SOHO devices keep shipping Linux kernels that carry known vulnerabilities. It shows that device makers cannot freely update those kernels because they depend on the fixed kernel versions bundled in the system-on-chip SDKs supplied by upstream vendors. Analysis of GPL source releases of more than 900 firmwares across 306 devices shows that this lock-in starts at the SoC level and is passed through ODMs and OEMs to the final product, leaving end users exposed. The authors also evaluate mitigation options and conclude that regulatory compliance alone does not produce kernel upgrades, while SoC vendors that work with open-source communities offer the only practical route.

Core claim

SOHO vendors are effectively locked to specific (often older) kernel versions by the system-on-chip SDKs they use. This kernel lock-in produces a vulnerability debt that is inherited along the supply chain, from SoC vendor to firmware creators (ODM/OEM) to router or IP-camera vendor, and ultimately borne by end users. All five SoC vendors in the dataset had used SDKs whose Linux kernels had reached end of life more than a year before their use in a SOHO device.
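The end-of-life gap check behind this claim, as an added example that is not the paper's tooling: it parses the "Linux version" banner that a firmware's GPL source tree (and the kernel image itself) carries, maps the version to its stable series, and measures how long that series had already been end-of-life when the kernel was built. The EoL table, the banners, and the use of the build timestamp as a stand-in for the date the device used the kernel are constructed assumptions for illustration; the EoL dates must be checked against kernel.org before relying on them.

```python
"""Kernel EoL gap check over 'Linux version' banners recovered from firmware GPL sources.

Added example for this page, not the paper's tooling. The EoL table and the
banners are constructed for illustration; the EoL dates are assumptions to be
verified against kernel.org before use."""
import re
from datetime import date

# Assumed end-of-life dates of a few stable series (illustrative; verify on kernel.org).
KERNEL_EOL = {
    "3.10": date(2017, 11, 4),
    "4.4": date(2022, 2, 3),
    "4.9": date(2023, 1, 7),
    "4.14": date(2024, 1, 10),
}

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Shape of the banner the kernel build embeds (also what /proc/version prints):
# "Linux version X.Y.Z<suffix> (user@host) (compiler) #N ... Dow Mon DD HH:MM:SS TZ YYYY"
_BANNER = re.compile(
    r"Linux version (?P<ver>\d+(?:\.\d+){1,3})"
    r".*?#\d+.*?"
    r"(?P<dow>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"\d{2}:\d{2}:\d{2} \S+ (?P<year>\d{4})"
)


def series_of(version: str) -> str:
    """Map a full version to its stable series: '3.10.14' -> '3.10', '2.6.36.4' -> '2.6.36'."""
    parts = version.split(".")
    return ".".join(parts[:3] if parts[0] == "2" else parts[:2])


def parse_banner(banner: str):
    """Return (series, full_version, build_date) or None if the banner is not recognised."""
    m = _BANNER.search(banner)
    if m is None or m["mon"] not in _MONTHS:
        return None
    built = date(int(m["year"]), _MONTHS[m["mon"]], int(m["day"]))
    return series_of(m["ver"]), m["ver"], built


def eol_gap_days(series: str, used_on: date, eol=KERNEL_EOL):
    """Days from the series' EoL to the date it was used; positive means already EoL, None if unknown."""
    if series not in eol:
        return None
    return (used_on - eol[series]).days


def audit(banners, eol=KERNEL_EOL):
    """One record per banner; the build timestamp stands in for the usage date (assumption)."""
    records = []
    for banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            records.append({"banner": banner, "error": "unparsed"})
            continue
        series, version, built = parsed
        gap = eol_gap_days(series, built, eol)
        records.append({
            "version": version,
            "series": series,
            "built": built,
            "eol_gap_days": gap,
            "eol_over_a_year": None if gap is None else gap > 365,
        })
    return records


# Constructed banners (not copied from any real firmware image).
SAMPLE_BANNERS = [
    "Linux version 3.10.14 (builder@sdk-host) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04) ) "
    "#1 SMP Thu Jun 20 10:15:32 CST 2019",
    "Linux version 4.14.180 (build@oem-odm) (gcc version 7.3.0 (GCC) ) "
    "#2 SMP PREEMPT Wed Mar  1 09:00:00 UTC 2023",
    "Linux version 2.6.36.4brcmarm (root@build) (gcc version 4.5.3 (Buildroot 2012.02) ) "
    "#1 SMP PREEMPT Tue Oct 3 11:22:33 CST 2017",
    "vmlinux.bin: no version banner found",
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_BANNERS):
        print(rec)
```

A positive gap above 365 days is the paper's "EoL more than a year before usage" condition. The firmware's release date is the better usage date when it is known; the build timestamp only bounds it from below, so a gap computed this way understates the debt rather than overstating it. Vendor suffixes on the version string (the constructed "2.6.36.4brcmarm" above) are why the series is taken from the numeric prefix rather than by exact match, and a series missing from the table is reported as unknown rather than silently counted either way.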

What carries the argument

Supply-chain tracing from SoC SDKs through ODMs to final firmware that enforces kernel-version lock-in, combined with template-based CVE detection on GPL source releases.

If this is right

  • Kernel vulnerabilities in SOHO devices arise from systemic supplier lock-in rather than isolated vendor choices.
  • Meaningful kernel updates require changes at the SoC vendor level, not at the device assembler level.
  • Regulatory compliance alone does not produce kernel upgrades in practice.
  • Only SoC vendors that engage open-source communities demonstrate a workable path to mitigation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Manufacturers could reduce exposure by qualifying multiple SoC suppliers with different kernel baselines.
  • Security evaluations of SOHO devices should examine SDK release dates rather than final firmware version strings alone.
  • If community-driven updates prove repeatable, they could become a contractual requirement in hardware supply agreements.

Load-bearing premise

The high-precision template-based CVE detection accurately identifies actual vulnerabilities in the customized SOHO kernels from GPL releases without significant false positives, and these sources represent the firmware running on the devices.

What would settle it

Direct verification on a sample of the 306 devices showing that the reported CVEs do not match the kernels actually running in the shipped firmware, or documentation of an SoC vendor releasing an updated SDK kernel without community involvement.

Figures

Figures reproduced from arXiv: 2606.11175 by Ashita Gupta, Chester Rebeiro, Mainack Mondal, Rajdeep Ghosh, Ritwik Badola.

Figure 1. Discovery of the Supply Chain via SOHO device
Figure 2. Graph representing how SoC and their corresponding devices use kernel baselines several years after they have reached
Figure 3. End-to-end SOHO Supply Chain analysis pipeline, combining automated firmware/source analysis with community
Original abstract

Small Office/Home Office (SOHO) devices are widely popular, yet often attacked due to security vulnerabilities in their firmware, affecting thousands of devices. These security vulnerabilities often stem from outdated Linux kernel versions included in SOHO device firmware. Naturally, prior work audited the extent and impact of this issue by simple Linux version extraction and version number based vulnerability mapping. However, it is unclear how many of these anticipated vulnerabilities actually exist in the heavily customized SOHO kernels and if there are any barriers towards updating Linux kernels in SOHO firmwares. To address this gap, we uncover actual kernel-related vulnerabilities found in 306 SOHO devices using a high-precision template-based CVE detection mechanism on GPL source releases of more than 900 firmwares from these devices. Next, as a first, we traced the supply chain of these vulnerable SOHO devices at scale and identify kernel lock-in as a significant security issue -- SOHO vendors are effectively locked to specific (often older) kernel versions due to the system-on-chip (SoC) SDKs they use. This kernel lock-in produces a vulnerability debt that is inherited along the supply chain from SoC vendor to firmware creators (ODM/OEM) to router/IP-camera vendor and ultimately borne by end users. All five SoC vendors in our dataset had used SDKs with Linux kernels that had reached EoL more than a year before their usage in a SOHO device. Finally, we explore the mitigation-potential of individual, regulatory and community governance by analyzing social media posts, regulations and community efforts. Our results show that regulation compliance is insufficient and only SoC vendors who engage with communities for kernel upgradation offered a viable path towards mitigation. The data and code for this work is available at https://doi.org/10.5281/zenodo.20433799

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper analyzes kernel-related vulnerabilities in 306 SOHO devices via high-precision template-based CVE detection applied to GPL source releases from over 900 firmwares. It traces the supply chain to identify kernel lock-in driven by SoC SDKs, showing that all five SoC vendors in the dataset used kernels that had reached end-of-life more than a year prior to deployment; this creates inherited vulnerability debt borne by end users. The work also evaluates mitigation potential through individual, regulatory, and community governance mechanisms, concluding that only community-engaged SoC vendors offer a viable path, with data and code released at Zenodo.

Significance. If the CVE detection and supply-chain tracing hold, the results provide large-scale empirical evidence of systemic lock-in and inherited vulnerability debt in the SOHO/IoT supply chain, supported by open data and code. This strengthens the case for governance interventions and could inform future audits or regulations, while the reproducibility assets are a clear strength.

major comments (2)
  1. [CVE detection / methodology] The section describing the CVE detection mechanism: the central claim of actual (not merely potential) vulnerabilities and resulting debt rests on the template-based detector correctly identifying reachable CVEs in customized kernels. No validation (e.g., manual review of flagged cases, binary-diff comparison, or false-positive rate measurement on a subset) is reported to rule out over-counting from backports, config disables, or vendor patches; this directly affects the strength of the vulnerability-debt narrative.
  2. [supply chain tracing] The supply-chain tracing and SoC SDK analysis: the claim that all five SoC vendors used EoL kernels more than a year before SOHO deployment is load-bearing for the lock-in conclusion, yet the manuscript provides limited detail on how SDK release dates were obtained, matched to device firmwares, and verified for completeness across the 306 devices.
minor comments (1)
  1. [abstract] The abstract states the high-level findings but does not quantify false-positive risk or tracing coverage; adding one sentence on these points would improve clarity without altering the core argument.
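The distinction the referee's first major comment turns on, and the load-bearing premise above, in working form as an added example that is not the paper's detector: version-number CVE mapping flags a kernel purely from its version string, while a template-based check inspects the actual GPL source for the vulnerable code shape, treats a present fix as a backport, and treats a disabled Kconfig option as unbuilt code. The templates, file paths, Kconfig options, .config and source tree are all constructed; the template IDs (T-001 to T-003) are hypothetical and do not denote real CVEs.

```python
"""Version-range CVE mapping versus template-based detection on a kernel source tree.

Added example for this page, not the paper's detector. The templates, source
files, .config and version are all constructed; template IDs (T-001..T-003),
file paths and Kconfig options are hypothetical and do not denote real CVEs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    tid: str          # hypothetical template identifier
    path: str         # source file the template inspects
    vulnerable: str   # regex for the code shape present before the upstream fix
    fixed: str        # regex for the code the upstream fix introduced
    affected: tuple   # (first affected, first fixed) mainline versions
    kconfig: str      # option that must be enabled for the file to be built


def vtuple(version: str) -> tuple:
    """'3.10.14' -> (3, 10, 14); missing components count as 0."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_mapping(version: str, templates) -> set:
    """Baseline of prior work: a template counts as present whenever the
    version string falls in its affected range, regardless of the code."""
    v = vtuple(version)
    return {t.tid for t in templates
            if vtuple(t.affected[0]) <= v < vtuple(t.affected[1])}


def config_enabled(dot_config: str, option: str) -> bool:
    """True when .config builds the option in (=y) or as a module (=m)."""
    return re.search(rf"^{re.escape(option)}=[ym]$", dot_config, re.M) is not None


def template_detection(tree: dict, dot_config: str, templates) -> dict:
    """Classify each template against the actual source: the fix check runs
    first so that a backported fix on an 'affected' version is not flagged."""
    status = {}
    for t in templates:
        src = tree.get(t.path)
        if src is None:
            status[t.tid] = "file-missing"
        elif not config_enabled(dot_config, t.kconfig):
            status[t.tid] = "config-disabled"
        elif re.search(t.fixed, src):
            status[t.tid] = "fixed-or-backported"
        elif re.search(t.vulnerable, src):
            status[t.tid] = "vulnerable"
        else:
            status[t.tid] = "pattern-absent"
    return status


def compare(version: str, tree: dict, dot_config: str, templates) -> dict:
    """Side by side: what version mapping claims versus what the source confirms."""
    by_version = version_mapping(version, templates)
    by_template = template_detection(tree, dot_config, templates)
    confirmed = {tid for tid, s in by_template.items() if s == "vulnerable"}
    return {"version_only": by_version, "confirmed": confirmed,
            "over_counted": by_version - confirmed, "status": by_template}


# Constructed templates (hypothetical IDs, paths and options).
TEMPLATES = [
    Template("T-001", "drivers/net/example_wifi.c",
             vulnerable=r"memcpy\(ie_buf, ie, ie_len\);",
             fixed=r"if \(ie_len > sizeof\(ie_buf\)\)\s*return -EINVAL;",
             affected=("3.10.0", "3.10.100"), kconfig="CONFIG_EXAMPLE_WIFI"),
    Template("T-002", "net/example_proto.c",
             vulnerable=r"kfree\(skb->data\);",
             fixed=r"kfree_skb\(skb\);",
             affected=("3.0.0", "4.2.0"), kconfig="CONFIG_EXAMPLE_PROTO"),
    Template("T-003", "fs/example_fs.c",
             vulnerable=r"copy_from_user\(kbuf, ubuf, count\);",
             fixed=r"if \(count > sizeof\(kbuf\)\)",
             affected=("3.4.0", "3.11.0"), kconfig="CONFIG_EXAMPLE_FS"),
]

# Constructed GPL source tree of a vendor 3.10.14 kernel: T-001's fix was
# backported, T-002's file is not built, T-003 is still unpatched.
TREE = {
    "drivers/net/example_wifi.c": (
        "int parse_ie(u8 *ie, size_t ie_len)\n{\n\tu8 ie_buf[64];\n"
        "\tif (ie_len > sizeof(ie_buf))\n\t\treturn -EINVAL;\n"
        "\tmemcpy(ie_buf, ie, ie_len);\n\treturn 0;\n}\n"),
    "net/example_proto.c": (
        "void drop(struct sk_buff *skb)\n{\n\tkfree(skb->data);\n\tskb->len = 0;\n}\n"),
    "fs/example_fs.c": (
        "ssize_t example_write(const char __user *ubuf, size_t count)\n{\n"
        "\tchar kbuf[32];\n\tcopy_from_user(kbuf, ubuf, count);\n\treturn count;\n}\n"),
}
DOT_CONFIG = "CONFIG_EXAMPLE_WIFI=y\n# CONFIG_EXAMPLE_PROTO is not set\nCONFIG_EXAMPLE_FS=y\n"
VENDOR_VERSION = "3.10.14"

if __name__ == "__main__":
    print(compare(VENDOR_VERSION, TREE, DOT_CONFIG, TEMPLATES))
```

On the constructed tree, version mapping reports all three templates against "3.10.14" while the template pass confirms only T-003; the other two are exactly the backport and config-disable cases the referee names. The same structure is also where the premise can fail: a regex that is too loose on the fix side turns a still-vulnerable file into "fixed-or-backported", so a false-positive rate is not the only number worth measuring on a manually reviewed sample; the false-negative side of the fix patterns matters as much. Real detectors such as cvehound express these templates as Coccinelle semantic patches rather than regexes, which is what makes them robust to vendor reformatting.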

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment below and outline revisions to strengthen the manuscript.

read point-by-point responses
  1. Referee: [CVE detection / methodology] The section describing the CVE detection mechanism: the central claim of actual (not merely potential) vulnerabilities and resulting debt rests on the template-based detector correctly identifying reachable CVEs in customized kernels. No validation (e.g., manual review of flagged cases, binary-diff comparison, or false-positive rate measurement on a subset) is reported to rule out over-counting from backports, config disables, or vendor patches; this directly affects the strength of the vulnerability-debt narrative.

    Authors: We agree that the absence of reported validation steps is a limitation that weakens the strength of the vulnerability-debt claims. The template-based detector was selected for its focus on matching specific vulnerable code patterns rather than version numbers alone, and all analysis used the released GPL sources. However, no explicit validation (such as manual review or false-positive analysis) is described in the current manuscript. In the revised version we will add a dedicated subsection on methodology validation, including results from manual review of a sample of detections and discussion of how the approach handles common customization patterns. This directly incorporates the referee's point. revision: yes

  2. Referee: [supply chain tracing] The supply-chain tracing and SoC SDK analysis: the claim that all five SoC vendors used EoL kernels more than a year before SOHO deployment is load-bearing for the lock-in conclusion, yet the manuscript provides limited detail on how SDK release dates were obtained, matched to device firmwares, and verified for completeness across the 306 devices.

    Authors: We acknowledge that the supply-chain tracing section would benefit from expanded methodological detail to support the load-bearing claim. SDK timelines were derived from publicly available vendor release notes, archived SDK packages, and kernel version strings extracted from the firmware GPL sources, with matching performed via kernel version and build timestamp comparison. To address the comment, the revised manuscript will expand the supply-chain section with a step-by-step description of data sources per SoC vendor, the exact matching criteria, and verification procedures applied to the full set of 306 devices. The complete dataset remains available in the Zenodo release for independent inspection. revision: yes

Circularity Check

0 steps flagged

Empirical study with no definitional or fitted circularity

full rationale

The paper is an empirical audit of 306 SOHO devices using GPL source releases and supply-chain tracing. No equations, fitted parameters, or predictions are present that reduce claims to inputs by construction. Central claims about kernel lock-in and inherited vulnerability debt rest on observed data patterns from external firmware sources and public records rather than self-definitional mappings or self-citation chains. The template-based CVE detection is presented as an external mechanism applied to the data; its accuracy is an assumption about measurement validity, not a circular reduction of the result to the input.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the accuracy of template-based CVE detection in customized kernels and the representativeness of GPL sources for the 306 devices; no free parameters or invented entities are introduced.

axioms (1)
  • domain assumption GPL source releases accurately represent the kernels deployed in the analyzed SOHO devices.
    The study depends on these sources being available and faithful to the firmware binaries.

pith-pipeline@v0.9.1-grok · 5886 in / 1272 out tokens · 26465 ms · 2026-06-27T12:25:07.509453+00:00 · methodology

