Study confirms sorry state of security for IoT devices

Nov 16, 2015 13:14 GMT

A newly released study confirms previous theories and opinions about the weak state of security for IoT (Internet of Things) devices.

Researchers Andrei Costin and Aurelien Francillon from EURECOM and Apostolis Zarras from the Ruhr University in Bochum, Germany, studied over 1,925 firmware images from 54 vendors and found 9,271 vulnerabilities in 185 images, in almost a quarter of the analyzed devices.

The three researchers examined devices such as home routers, modems, VoIP phones, IP/CCTV cameras, and other devices that can be connected to the Internet and accessed through a Web portal.

Vulnerabilities range from XSS flaws to SQL injections

Researchers looked at the security of these Web portals, and how this indirectly affected the devices' firmware, by allowing attackers to rewrite it through malicious updates and other types of attacks. For this, they created a unique testing framework, specifically designed for this task.

"Our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices," researchers note. "Then, we analyze the web interfaces within the firmware using both static and dynamic tools."

The researchers found a wide array of vulnerabilities, ranging from common XSS (cross-site scripting) and CSRF (cross-site request forgery) to more complex SQLi (SQL injection) and RCE (remote code/command execution).

These vulnerabilities are dangerous enough to grant attackers access to devices, letting them spy on users, steal data, or rewrite the firmware to perform any other malicious action.

PHP code in the Web portal of IoT devices is a bad idea

A particular case the researchers analyzed was the presence of PHP code in the Web portal's interface. Despite the fact that only 8% of the firmware images contained PHP code in the management or public access interface, researchers discovered a whopping 5,000 XSS vulnerabilities in 143 firmware images alone.

Other security vulnerabilities found in PHP-based Web portals include 1,129 issues in 98 firmware images and 938 remote command execution flaws on another 41 firmware images.

Additionally, the researchers found that many of the analyzed firmware images tended to open many ports that should not be open in the first place.

All of these details put together show that many of us are playing Russian roulette every time we buy an Internet-connected device and that vendors need to improve their operations by integrating classic security-scanning toolkits in their firmware's lifecycle, just like with regular computer software programs, mobile apps, and PC drivers.
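As an added illustration (not the researchers' framework and not code from the study), the sketch below shows the kind of static check a vendor could run over an unpacked firmware tree before release: it flags PHP lines where request input reaches an output or command-execution call without an escaping function. The source, sink and sanitizer lists and the sample portal files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path
# Request-controlled PHP inputs (assumed list for this example).
SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Sinks per vulnerability class named in the article, and the escaping
# calls that neutralise each class when wrapped around the input.
SINKS = {
    "xss": re.compile(r"\b(echo|print)\b"),
    "command-execution": re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\("),
}
SANITIZERS = {
    "xss": re.compile(r"\b(htmlspecialchars|htmlentities)\s*\("),
    "command-execution": re.compile(r"\b(escapeshellarg|escapeshellcmd)\s*\("),
}

def scan_php(text):
    """Return (line_no, class) where request input hits a sink unescaped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, sink in SINKS.items():
            if (SOURCE.search(line) and sink.search(line)
                    and not SANITIZERS[kind].search(line)):
                findings.append((no, kind))
    return findings

def scan_tree(root):
    """Scan every .php file under an unpacked firmware root filesystem."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample files standing in for a device's web portal.
SAMPLE = {
    "www/status.php": '<?php echo "Host: " . $_GET["name"]; ?>\n',
    "www/ping.php": '<?php\n$ip = $_POST["ip"];\nsystem("ping -c 1 " . $_POST["ip"]);\n',
    "www/safe.php": '<?php echo htmlspecialchars($_GET["name"]); ?>\n',
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        Path(root, "www").mkdir()
        for rel, body in SAMPLE.items():
            Path(root, rel).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

The check is line-based, so input that first passes through an intermediate variable is not flagged; taint-tracking analyzers cover that case.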

The full "Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces" study is available on Cornell University's arXiv portal.