{"id":25448,"date":"2014-08-12T01:41:05","date_gmt":"2014-08-12T05:41:05","guid":{"rendered":"http:\/\/www.opensource.im\/?p=25448"},"modified":"2014-08-12T01:41:05","modified_gmt":"2014-08-12T05:41:05","slug":"study-finds-firmware-plagued-by-poor-encryption-and-backdoors","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/encryption\/study-finds-firmware-plagued-by-poor-encryption-and-backdoors.php","title":{"rendered":"Study finds firmware plagued by poor encryption and backdoors"},"content":{"rendered":"<p><p>    The    first large-scale analysis of a fundamental type of software    known as firmware has revealed poor security practices that    could present opportunities for hackers probing the Internet    of Things.  <\/p>\n<p>    Firmware is a type of software that manages interactions    between higher-level software and the underlying hardware,    though it can sometimes be the only software on a device. It's    found on all kinds of computer hardware, though the study    focused on embedded systems such as printers, routers and    security cameras.  <\/p>\n<p>    Researchers with Eurecom, a technology-focused    graduate school in France, developed a web crawler that plucked    more than 30,000 firmware images from the websites of    manufacturers including Siemens, Xerox, Bosch, Philips, D-Link,    Samsung, LG and Belkin.  <\/p>\n<p>    They    found a variety of security issues, including poorly-protected    encryption mechanisms and backdoors that could allow access to    devices. More than 123 products contained some of the 38    vulnerabilities they found, which they reported privately to    vendors.  <\/p>\n<p>    They're    due to present     their research next week at the 23rd Usenix Security    Symposium in San Diego.  
<\/p>\n<p>    Most of    the firmware they analyzed is in consumer devices, a    competitive arena where companies often release products    quickly to stay ahead of rivals, said Aurélien Francillon,    a coauthor of the study and an assistant professor in the    networking and security department at Eurecom.  <\/p>\n<p>    “You    have to be first and cheap,” Francillon said in a phone    interview. “All of those things are what you should not do if    you want a secure device.”  <\/p>\n<p>    Firmware security practices lag far behind those of the PC    software market, where vendors like Microsoft learned the hard    way that they need to patch software automatically on a    regular, frequent schedule.  <\/p>\n<p>    That's    often not the case with firmware, which may not be designed to    patch itself periodically and also relies heavily on    third-party software that may not be current. In one instance,    the researchers found a Linux kernel that was 10 years out of    date bundled in a recently released firmware image.  <\/p>\n<p>    “On    these devices, it's a real nightmare,” Francillon said.  <\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Continue reading here:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.pcworld.com\/article\/2464060\/study-finds-firmware-plagued-by-poor-encryption-and-backdoors.html\/RK=0\/RS=uKLWC84wCQXqPRnGbuWme9gUcG0-\" title=\"Study finds firmware plagued by poor encryption and backdoors\">Study finds firmware plagued by poor encryption and backdoors<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> The first large-scale analysis of a fundamental type of software known as firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45],"tags":[],"class_list":["post-25448","post","type-post","status-publish","format-standard","hentry","category-encryption"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/25448"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=25448"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/25448\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=25448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=25448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=25448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}