News: Analysis
Many routers, modems, and other devices ship without adequate security tests
A large-scale security test of firmware images for embedded devices found thousands of vulnerabilities.
Lucian Constantin reports
An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufacturers.
The study was performed by researchers from the Eurecom research centre in France and Ruhr University Bochum in Germany, who built an automated platform that unpacks firmware images, runs them in an emulated environment and starts the embedded web servers that host their management interfaces.
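The unpacking stage described above begins with finding the root filesystem inside the vendor's firmware file, since that is where the web interface lives. The following is an added example, not the researchers' platform or any vendor's code: it scans a blob for SquashFS 4 superblocks, checks that the header fields are self-consistent before trusting a hit (a bare magic string in padding or in a web page is not a filesystem), and carves the image out so that unsquashfs can extract the web root. The firmware blob it runs on is constructed inline; a real image would also need the vendor header format and other filesystem types handled.

```python
"""Find and carve SquashFS root filesystems inside a raw firmware blob.

Added example, not the researchers' unpacking platform: their pipeline did far
more (vendor header formats, many filesystem types, emulation). This shows only
the first step, locating the root filesystem that holds the web interface,
using the SquashFS 4 superblock layout. The firmware blob below is constructed.
"""
import struct
from typing import List, Optional

SQUASHFS_MAGIC = 0x73717368                  # 'sqsh' as a 32-bit number
# Leading 48 bytes of a SquashFS 4 superblock: five u32, six u16, two u64
#   magic, inodes, mkfs_time, block_size, fragments,
#   compression, block_log, flags, no_ids, s_major, s_minor,
#   root_inode, bytes_used
SB_FMT = "5I6H2Q"
SB_SIZE = struct.calcsize("<" + SB_FMT)       # 48
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(blob: bytes, off: int, endian: str) -> Optional[dict]:
    """Validate a candidate superblock at off; return its fields or None."""
    if off + SB_SIZE > len(blob):
        return None
    fields = struct.unpack(endian + SB_FMT, blob[off:off + SB_SIZE])
    (magic, inodes, _mtime, block_size, _frags, comp, block_log, _flags,
     _no_ids, major, _minor, _root, bytes_used) = fields
    # A bare 'hsqs' string in padding or a web page is not a filesystem:
    # insist on internally consistent fields before trusting the hit.
    if magic != SQUASHFS_MAGIC or major != 4:
        return None
    if not (12 <= block_log <= 20) or block_size != 1 << block_log:
        return None
    if comp not in COMPRESSORS or bytes_used < SB_SIZE or off + bytes_used > len(blob):
        return None
    return {"offset": off, "size": bytes_used, "inodes": inodes,
            "block_size": block_size, "compressor": COMPRESSORS[comp],
            "endian": "little" if endian == "<" else "big"}


def find_squashfs(blob: bytes) -> List[dict]:
    """Return every plausible SquashFS 4 superblock in blob, ordered by offset."""
    hits = []
    for magic, endian in ((b"hsqs", "<"), (b"sqsh", ">")):
        pos = blob.find(magic)
        while pos != -1:
            sb = parse_superblock(blob, pos, endian)
            if sb:
                hits.append(sb)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def carve_squashfs(blob: bytes, sb: dict) -> bytes:
    """Slice out the filesystem image; the result can be fed to unsquashfs."""
    return blob[sb["offset"]:sb["offset"] + sb["size"]]


def build_sample_firmware(endian: str = "<") -> bytes:
    """Construct a fake firmware image (not a real vendor file) for the demo."""
    body = b"\xaa" * 300                      # stands in for compressed blocks
    sb = struct.pack(endian + SB_FMT, SQUASHFS_MAGIC, 42, 1454284800, 1 << 17, 3,
                     1, 17, 0x00C0, 1, 4, 0, 0x1234, SB_SIZE + len(body))
    decoy = b"hsqs" + b"\x00" * 60            # magic string with garbage after it
    return b"VENDORHDR\x00" * 3 + decoy + b"\xff" * 21 + sb + body + b"\xff" * 64


if __name__ == "__main__":
    fw = build_sample_firmware()
    for hit in find_squashfs(fw):
        print(f"squashfs at {hit['offset']:#x}: {hit['size']} bytes, "
              f"{hit['compressor']}, {hit['endian']}-endian, {hit['inodes']} inodes")
```

On the constructed blob the decoy magic string is rejected because its major version field is zero, and the real superblock is reported at offset 0x73 with its gzip compressor and 348-byte size; `bytes_used` is the carve length, although real images pad the filesystem to a block boundary after it.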
The researchers started with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but managed to start the web server on only 246 of them. They believe that with additional work and tweaks to their platform that number could increase.
The goal was to perform dynamic vulnerability analysis of the firmware packages' web-based management interfaces using open-source penetration testing tools. This resulted in 225 high-impact vulnerabilities being found in 46 of the tested firmware images.
A separate test involved extracting the web interface code and hosting it on a generic server, so that it could be tested for flaws without emulating the actual firmware environment. This approach has drawbacks, but it worked for 515 firmware packages and turned up security flaws in 307 of them.
The researchers also ran a static analysis with another open-source tool against PHP code extracted from the firmware images, which found a further 9,046 vulnerabilities in 145 firmware images.
In total, using both static and dynamic analysis, the researchers found serious vulnerabilities such as command execution, SQL injection and cross-site scripting in the web-based management interfaces of 185 unique firmware packages, affecting devices from a quarter of the 54 manufacturers.
The researchers focused on developing a reliable method for automated testing of firmware packages without access to the corresponding physical devices, rather than on the thoroughness of the vulnerability scanning itself. They did not perform manual code reviews, use a large variety of scanning tools or test for advanced logic flaws.
This means that the issues they found were the low-hanging fruit: flaws that should have been easy to find during any standard security test. That raises the question of why they weren't discovered and patched by the manufacturers themselves.
It would appear that the affected vendors either didn't subject their code to security testing at all, or if they did, the quality of the testing was very poor, said Andrei Costin, one of the researchers behind the study.
Team's findings
Costin presented the team's findings at the recent DefCamp security conference in Bucharest. It was the team's second large-scale test of firmware images. Last year, some of the same researchers developed methods to automatically find back doors and encryption issues in a large number of firmware packages.
Some of the firmware versions in their latest data set were not the latest ones, so not all of the discovered issues were zero-day vulnerabilities (flaws that were previously unknown and remain unpatched). However, their impact is still potentially large, because most users rarely update the firmware on their embedded devices.
At DefCamp, attendees were also invited to try to hack four Internet of Things (IoT) devices as part of the onsite IoT Village. The contestants found two critical vulnerabilities in a smart video-enabled doorbell that could be exploited to gain full control over the device. The doorbell also had the option to control a smart door lock.
A high-end D-Link router was also compromised through a vulnerability in the firmware version that the manufacturer shipped with the device. The flaw was already known and had been patched in a newer firmware version, but the router does not alert users to update the firmware.
Finally, the participants also found a lower-impact vulnerability in a router from Mikrotik. The only device that survived unscathed was a Nest Cam.
Details about the vulnerabilities have not yet been shared publicly because the IoT Village organisers, from Bitdefender, intend to report them to the affected vendors first, so that they can be patched.
18 www.pcadvisor.co.uk/news February 2016