Firmware security has barely improved over the last decade

A new survey of over 6,000 firmware images has found no improvement in firmware security over the last 15 years as well as lax security standards for the software running connected devices from Linksys, NETGEAR and other major hardware vendors.

The survey was carried out by Sarah Zatko, chief scientist at the Cyber Independent Testing Lab (CITL), who explained that firmware security is worse off than many thought, saying:

“We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products.”

The CITL study surveyed firmware from 18 different vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. The team analyzed over 6,000 firmware versions created from 2003 to 2018 as part of the first longitudinal study of Internet of Things (IoT) safety.

Firmware security

Researchers at CITL studied publicly available firmware images to compile their study and evaluated them based on the inclusion of standard security features such as non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards, all of which are used to prevent buffer overflow attacks.
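The three features named above are all visible in the binaries a firmware image ships: a non-executable stack is recorded in the ELF `PT_GNU_STACK` program header, ASLR for the program's own code requires a position-independent executable (`ET_DYN`), and stack guards leave a reference to `__stack_chk_fail`. The script below is an added example, not CITL's tooling, that reads those three signals from an ELF file the way a checksec-style audit does; the sample images it checks are constructed in-line (with hypothetical labels such as `router-2008`) rather than taken from any vendor's firmware, and it handles 32- and 64-bit, little- and big-endian binaries, which matters because most router firmware is 32-bit MIPS or ARM.

```python
"""Audit an ELF binary for the three hardening features scored in the CITL study:
non-executable stack, ASLR-readiness (PIE) and stack guards (canaries).
Added example; the sample images are constructed here, not real firmware."""
import struct

PT_GNU_STACK = 0x6474E551           # program header carrying the stack's permissions
PF_X = 0x1                          # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3              # fixed-address executable vs. position-independent
CANARY_SYMBOL = b"__stack_chk_fail"  # referenced by code built with -fstack-protector


def audit_elf(data: bytes) -> dict:
    """Return {'nx_stack', 'pie', 'stack_canary'} for one ELF image (32- or 64-bit)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big endian
    fmt = "HHIQQQIHHH" if is64 else "HHIIIIIHHH"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        endian + fmt, data, 16)

    nx = False  # a missing PT_GNU_STACK means the loader falls back to an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                                    # Elf64_Phdr: p_type, p_flags first
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:                                       # Elf32_Phdr: p_flags sits at offset 24
            p_type = struct.unpack_from(endian + "I", data, off)[0]
            p_flags = struct.unpack_from(endian + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
            break
    return {
        "nx_stack": nx,
        "pie": e_type == ET_DYN,
        # Substring heuristic used by checksec-style tools; a stricter check would
        # walk .dynsym/.symtab for the symbol.
        "stack_canary": CANARY_SYMBOL in data,
    }


def build_sample(bits: int, pie: bool, nx: bool, canary: bool,
                 stack_hdr: bool = True, big_endian: bool = False) -> bytes:
    """Construct a minimal ELF image (header + optional PT_GNU_STACK entry + a string
    blob) with the chosen properties. Constructed test data, not a real binary."""
    end = ">" if big_endian else "<"
    ehsize, phentsize = (64, 56) if bits == 64 else (52, 32)
    e_type = ET_DYN if pie else ET_EXEC
    p_flags = 0x6 if nx else 0x7            # PF_R|PF_W, plus PF_X for an executable stack
    phnum = 1 if stack_hdr else 0
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    if bits == 64:
        ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, ehsize,
                                   0, 0, ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack(end + "IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)
    else:
        ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, 0x08, 1, 0, ehsize,
                                   0, 0, ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack(end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    blob = b"\0" + (CANARY_SYMBOL if canary else b"puts") + b"\0"
    return ehdr + (phdr if stack_hdr else b"") + blob


def hardening_score(data: bytes) -> int:
    """Number of the three mitigations present (0-3), the kind of per-binary
    tally a longitudinal comparison across firmware versions is built from."""
    return sum(audit_elf(data).values())


if __name__ == "__main__":
    # Hypothetical labels for constructed images; the middle one mirrors the
    # "NX stack present, ASLR and stack guards absent" pattern the study reports.
    samples = {
        "router-2008": build_sample(32, pie=False, nx=False, canary=False, big_endian=True),
        "router-2018": build_sample(32, pie=False, nx=True, canary=False, big_endian=True),
        "hardened":    build_sample(64, pie=True, nx=True, canary=True),
    }
    for name, img in samples.items():
        print(f"{name:12s} score={hardening_score(img)} {audit_elf(img)}")
```

Run it against a real firmware by extracting the root filesystem and feeding each ELF under `/bin`, `/sbin` and `/usr` to `audit_elf`; the score stays per binary, so a router whose web server is hardened but whose UPnP daemon is not still shows the weak link. Treating a missing `PT_GNU_STACK` header as "no NX" is deliberate: older toolchains omitted it, and the kernel's fallback on most architectures is an executable stack.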

CITL found that firmware from commonly used manufacturers failed to implement basic security features, and this was also true when the researchers tested the most recent versions of the firmware.

There was some good news, including the fact that almost all of Linksys and NETGEAR's recent router firmware included non-executable stacks. However, other common security features like ASLR or stack guards were not implemented, according to CITL's data.

The researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study, but they also found 360 negative changes during the same period. Analyzing the entire data set actually showed that firmware security appeared to get worse over time. The poor scores these devices earned suggest that many companies making IoT devices have not adapted their practices to account for the increased risks that come with connected devices.

Cybercriminals are increasingly targeting connected devices because, compared to Microsoft's Windows, Apple's macOS and Google Chrome, they are easy prey.

Via The Security Ledger