Many embedded devices ship without adequate security tests, analysis shows
According to “computerworlduk”, an analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufactuers.
The study was performed by researchers from the Eurecom research center in France and Ruhr-University Bochum in Germany, who built an automated platform capable of unpacking firmware images, running them in an emulated environment and starting the embedded Web servers that host their management interfaces.
The researchers started out with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but they only managed to start the Web server on 246 of them.
The goal was to perform dynamic vulnerability analysis on the firmware packages' Web-based management interfaces using open-source penetration testing tools. This resulted in 225 high-impact vulnerabilities being found in 46 of the tested firmware images.
A separate test involved extracting the Web interface code and hosting it on a generic server so it could be tested for flaws without emulating the actual firmware environment. This test had drawbacks, but was successful for 515 firmware packages and resulted in security flaws being found in 307 of them.
The researchers also performed a static analysis with another open-source tool against PHP code extracted from device firmware images, resulting in another 9046 vulnerabilities being found in 145 firmware images.
In total, using both static and dynamic analysis the researchers found important vulnerabilities like command execution, SQL injection and cross-site scripting in the Web-based management interfaces of 185 unique firmware packages, affecting devices from a quarter of the 54 manufacturers.
Some of the firmware versions in their latest dataset were not the latest ones, so not all of the discovered issues were zero-day vulnerabilities -- flaws that were previously unknown and are unpatched. However, their impact is still potentially large, because most users rarely update the firmware on their embedded devices.
Details about the vulnerabilities have not yet been shared publicly because the IoT Village organizers, from security firm Bitdefender, intend to report them to the affected vendors first so they can be patched.