Firmware security has barely improved over the last decade
A new survey of over 6,000 firmware images has found no improvement in firmware security over the last 15 years as well as lax security standards for the software running connected devices from Linksys, NETGEAR and other major hardware vendors.
The survey was carried out by Sarah Zatko, chief scientist at the Cyber Independent Testing Lab (CITL), who explained that firmware security is worse off than many thought, saying:
“We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products.”
The CITL study surveyed firmware from 18 different vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. The team analyzed over 6,000 firmware versions created from 2003 to 2018 as part of the first longitudinal study of Internet of Things (IoT) safety.
Researchers at CITL studied publicly available firmware images to compile their study and evaluated them based on the inclusion of standard security features such as the use of non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards which are used to prevent buffer overflow attacks.
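The following is an added example, not CITL's tooling and not code from the original article: it reads the ELF headers of a binary extracted from a firmware image and reports whether the stack is non-executable, whether the binary is position-independent (a prerequisite for full ASLR), and whether a stack-guard symbol is referenced. The function names are hypothetical and the sample binaries are constructed inline.

```python
import struct

PT_GNU_STACK, PF_X, ET_DYN = 0x6474E551, 0x1, 3

def check_hardening(data: bytes) -> dict:
    """Report NX stack, PIE and stack-guard use for one ELF binary."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx = False  # no PT_GNU_STACK header: conservatively treat the stack as executable
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, off)[0] == PT_GNU_STACK:
            # p_flags sits at offset 4 in ELF64 program headers, 24 in ELF32
            flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
            nx = not (flags & PF_X)
    return {
        "nx_stack": nx,
        # ET_DYN also matches shared libraries; for a main executable it means PIE
        "pie": e_type == ET_DYN,
        # Heuristic: GCC/Clang stack protectors reference this symbol by name
        "stack_guard": b"__stack_chk_fail" in data,
    }

def make_elf32_be(e_type: int, stack_flags: int, canary: bool) -> bytes:
    """Constructed sample: minimal big-endian ELF32 (MIPS) with one PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ident + hdr + phdr + (b"\0__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    samples = {
        "weak": make_elf32_be(2, 0x7, False),     # ET_EXEC, RWX stack, no canary
        "hardened": make_elf32_be(3, 0x6, True),  # ET_DYN, RW stack, canary symbol
    }
    for name, blob in samples.items():
        print(name, check_hardening(blob))
```

Run over every executable unpacked from successive firmware releases, a check like this gives the per-version feature counts that a longitudinal comparison needs.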
CITL found that firmware from commonly used manufacturers failed to implement basic security features and this was also true when the researchers tested the most recent versions of the firmware.
There was some good news including the fact that almost all of Linksys and NETGEAR's recent router firmware included non-executable stacks. However, other common security features like ASLR or stack guards were not implemented according to CITL's data.
The researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study but they also found 360 negative changes during the same period. Analyzing the entire data set actually showed that firmware security appeared to get worse over time. The poor scores these devices earned suggest that many companies making IoT devices have not adapted their practices to account for the increased risks that come with connected devices.
Cybercriminals are increasingly targeting connected devices because, compared to Microsoft's Windows, Apple's macOS and Google Chrome, they are easy prey.
Via The Security Ledger