Researchers will present the first large-scale analysis of embedded firmware, revealing poor security practices from various manufacturers that expose these devices to dozens of unpatched vulnerabilities.
The study was performed by researchers at Eurecom, a graduate school and research center specializing in communication systems, by statistically analyzing 32,000 firmware images from websites of many popular manufacturers, such as Xerox, Bosch, Philips, Samsung, LG and Belkin.
Eurecom researchers reported the discovery of a total of 38 previously unknown vulnerabilities in more than 693 firmware images, which have been privately disclosed to vendors. Additionally, the team confirmed that some of these vulnerabilities affect at least 140,000 devices accessible over the Internet.
Aurélien Francillon, co-author of the study and assistant professor in the networking and security department at Eurecom, said the majority of the firmware analyzed comes from consumer devices, where market competition often forces manufacturers to promptly release products with minimal costs.
Unlike PC software, firmware is often not designed to update itself periodically, and it relies heavily on third-party software that may not be up to date. In addition, manufacturers depend on tools and development kits that are already widely shared across industries, so the same faulty firmware ultimately ends up in products sold under a variety of brands.
“As a consequence, some devices will often be left affected by known vulnerabilities, even if updated firmware is available,” said the researchers.
Other key findings from the analysis included 41 self-signed digital certificates in firmware (certificates signed with their own private key), which linked back to more than 35,000 online devices using these less-secure certificates. Researchers also discovered more than 300 devices potentially vulnerable to “backdoor” access through the firmware’s code.
The researchers plan to leverage this large-scale analysis to bring new insights on the security of embedded devices and to underline and detail several important challenges that should be addressed in future research.
The team will present additional details of the study at the 23rd USENIX Security Symposium in San Diego next week.