What is Dead May Never Die: The Immortality of SDK Bugs
Richard Lawshae
DEF CON 33 · Day 1 · Main Stage
In "What is Dead May Never Die: The Immortality of SDK Bugs," Richard Lawshae, a Principal Security Researcher at Keysight Technologies, examines the pervasive and enduring threat posed by vulnerabilities in the Software Development Kits (SDKs) used in network chipsets. Lawshae, also known as Ricky Lawshae or HeadlessZeke, highlights how these bugs, often introduced early in the development lifecycle, can persist for years, even decades, across a vast and fragmented ecosystem of devices, making them a significant concern for IoT security.
AI review
Lawshae brings real receipts — a 2014 Realtek UPnP bug that hit the CISA KEV list in 2023 is exactly the kind of empirical anchor that makes a thesis land. The supply chain angle is well-documented with specific chipset lineages, acquisition histories, and named services, elevating this above the usual 'IoT is bad' hand-waving.