Many embedded devices ship without adequate security tests, analysis shows

A large scale security test of firmware images for embedded devices easily found thousands of vulnerabilities

An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufactuers.

The study was performed by researchers from the Eurecom research center in France and Ruhr-University Bochum in Germany, who built an automated platform capable of unpacking firmware images, running them in an emulated environment and starting the embedded Web servers that host their management interfaces.

The researchers started out with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but they only managed to start the Web server on 246 of them. They believe that with additional work and tweaks to their platform that number could increase.

The goal was to perform dynamic vulnerability analysis on the firmware packages' Web-based management interfaces using open-source penetration testing tools. This resulted in 225 high-impact vulnerabilities being found in 46 of the tested firmware images.

A separate test involved extracting the Web interface code and hosting it on a generic server so it could be tested for flaws without emulating the actual firmware environment. This test had drawbacks, but was successful for 515 firmware packages and resulted in security flaws being found in 307 of them.

The researchers also performed a static analysis with another open-source tool against PHP code extracted from device firmware images, resulting in another 9046 vulnerabilities being found in 145 firmware images.

In total, using both static and dynamic analysis the researchers found important vulnerabilities like command execution, SQL injection and cross-site scripting in the Web-based management interfaces of 185 unique firmware packages, affecting devices from a quarter of the 54 manufacturers.

The researchers focused their efforts on developing a reliable method for automated testing of firmware packages without having access to the corresponding physical devices, rather than on the thoroughness of the vulnerability scanning itself. They didn't perform manual code reviews, use a large variety of scanning tools or test for advanced logic flaws.

This means that the issues they found were really the low hanging fruit -- the flaws that should have been easy to find during any standard security testing. This begs the question: why weren't they discovered and patched by the manufacturers themselves?

It would appear that the affected vendors either didn't subject their code to security testing at all, or if they did, the quality of the testing was very poor, said Andrei Costin, one of the researchers behind the study.

Costin presented the team's findings at the DefCamp security conference in Bucharest on Thursday. It was actually the second test performed on firmware images on a larger scale. Last year, some of the same researchers developed methods to automatically find backdoors and encryption issues in a large number of firmware packages.

Some of the firmware versions in their latest dataset were not the latest ones, so not all of the discovered issues were zero-day vulnerabilities -- flaws that were previously unknown and are unpatched. However, their impact is still potentially large, because most users rarely update the firmware on their embedded devices.

At DefCamp, attendees were also invited to try to hack four Internet-of-Things devices as part of the on-site IoT Village. The contestants found two critical vulnerabilities in a smart video-enabled doorbell that could be exploited to gain full control over the device. The doorbell also had the option to control a smart door lock.

A high-end D-Link router was also compromised through a vulnerability in the firmware version that the manufacturer shipped with the device. The flaw was actually known and has been patched in a newer firmware version, but the router doesn't alert users to update the firmware.

Finally, the participants also found a lower-impact vulnerability in a router from Mikrotik. The only device that survived unscathed was a Nest Cam.

Details about the vulnerabilities have not yet been shared publicly because the IoT Village organizers, from security firm Bitdefender, intend to report them to the affected vendors first so they can be patched.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Essentials

Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >

Mobile

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?