Firmware security has barely improved over the last decade

A new survey of over 6,000 firmware images has found no improvement in firmware security over the last 15 years as well as lax security standards for the software running connected devices from Linksys, NETGEAR and other major hardware vendors.

The survey was carried out by Sarah Zatko, chief scientist at the Cyber Independent Testing Lab (CITL), who explained that firmware security is worse off than many thought, saying:

“We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products.”

The CITL study surveyed firmware from 18 different vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. The team analyzed over 6,000 firmware versions created from 2003 to 2018 as part of the first longitudinal study of Internet of Things (IoT) safety.

Firmware security

Researchers at CITL studied publicly available firmware images to compile their study and evaluated them based on the inclusion of standard security features such as the use of non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards which are used to prevent buffer overflow attacks.
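As an added illustration (not CITL's tooling or code from the original article), the sketch below checks a single ELF binary for the three features named above: a non-executable stack via the PT_GNU_STACK program header, a position-independent image (which is what lets ASLR randomize the main executable), and a reference to `__stack_chk_fail` as a heuristic for stack guards. It assumes the binary has already been extracted from the firmware image; `check_hardening`, `make_elf` and the two sample images are hypothetical names and constructed inputs.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header recording stack permissions
PF_X = 0x1                 # "executable" bit in p_flags
ET_DYN = 3                 # e_type of a position-independent image

def check_hardening(data: bytes) -> dict:
    """Report NX stack, PIE (needed for full ASLR) and stack-guard use in an ELF image."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: many router SoCs are big-endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    nx = False  # a missing PT_GNU_STACK header is reported as "not NX"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + (56 if is64 else 32) > len(data):
            raise ValueError("truncated program header table")
        ph = struct.unpack_from(end + ("IIQQQQQQ" if is64 else "IIIIIIII"), data, off)
        p_type, p_flags = ph[0], (ph[1] if is64 else ph[6])  # p_flags moved in ELF64
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # Heuristic: binaries built with stack guards reference __stack_chk_fail.
    return {"nx_stack": nx, "pie": e_type == ET_DYN,
            "stack_guard": b"__stack_chk_fail" in data}

def make_elf(is64, big_endian, e_type, stack_flags, extra=b""):
    """Constructed sample: ELF header plus a single PT_GNU_STACK program header."""
    end = ">" if big_endian else "<"
    ehsize, phsize = (64, 56) if is64 else (52, 32)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + bytes(9)
    hdr = struct.pack(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"),
                      e_type, 8, 1, 0, ehsize, 0, 0, ehsize, phsize, 1, 0, 0, 0)
    ph = (struct.pack(end + "IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
          if is64 else
          struct.pack(end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16))
    return ident + hdr + ph + extra

# Constructed inputs: an unhardened 32-bit big-endian image (ET_EXEC, RWX stack)
# and a hardened 64-bit little-endian one (ET_DYN, RW stack, canary symbol present).
WEAK = make_elf(False, True, 2, 0x7)
HARD = make_elf(True, False, 3, 0x6, b"\0__stack_chk_fail\0")

if __name__ == "__main__":
    print("weak:", check_hardening(WEAK))
    print("hard:", check_hardening(HARD))
```

Run over every executable in successive firmware releases, a check like this gives a per-version score that can be compared across time, which is the kind of trend the study reports.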

CITL found that firmware from commonly used manufacturers failed to implement basic security features, and this held true even when the researchers tested the most recent versions of the firmware.

There was some good news including the fact that almost all of Linksys and NETGEAR's recent router firmware included non-executable stacks. However, other common security features like ASLR or stack guards were not implemented according to CITL's data.

The researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study but they also found 360 negative changes during the same period. Analyzing the entire data set actually showed that firmware security appeared to get worse over time. The poor scores these devices earned suggest that many companies making IoT devices have not adapted their practices to account for the increased risks that come with connected devices.

Cybercriminals are increasingly targeting connected devices because when compared to Microsoft's Windows, Apple's macOS and Google Chrome, they are easy prey.

Via The Security Ledger
