Stories
Slash Boxes
Comments

SoylentNews is people

Data Shows IOT Security is Moving Backward

posted by chromas on Tuesday August 27 2019, @11:41PM   Printer-friendly
from the soft-targets-are-more-huggable dept.

DannyB writes:

Data Shows IOT Security is Moving Backward

The security of IoT devices has been a running joke for many years, so much so that some researchers have given up trying to point out the weaknesses and get vendors to address the problems. Some vendors have pledged to do better and improve their development practices, but a year-long analysis of the security features in the firmware of 22 IoT device manufacturers found that not only are the vendors not making progress on security, they're actually going backward.

[...] The team wanted to see how IoT vendors were faring in adding standard hardening features to their firmware binaries, so it developed a special methodology that began with downloading available firmware updates from vendor websites, extracting Linux filesystems from the firmware, and then running each binary through the CITL's custom analytic tools. The dataset comprises more than 3.3 million individual binaries from nearly 5,000 firmware updates from 22 vendors, including ASUS, D-Link, Belkin, QNAP, and Mikrotik, and goes back as far as 2003.

What the team found is dispiriting, if not surprising: IoT firmware hardening is getting worse rather than better. Firmware updates are more likely to remove binary hardening features than to add them, and overall there hasn't been any trend in a positive direction for security in the 15 years covered by the CITL dataset.

[...] The CITL study looked for the presence of a number of possible hardening techniques, such as ASLR, non-executable stacks, and stack guards. These technologies are used to mitigate the effects of certain vulnerabilities and have been in wide use in the desktop and server worlds for many years. They have begun to make their way into IoT device firmware in the last few years, but the CITL data shows that updates often remove one or more of the hardening flags and some updates significantly reduce the overall security of the firmware. For example, one update shipped in 2017 by Ubiquiti for its UAP-HD line of wireless access points removed ASLR altogether and the presence of stack guards went from about 70 percent of binaries to virtually none.

[...] Although IoT devices often are associated with consumer applications, a tremendous amount of IoT gear finds its way into enterprise environments, as well, whether it's through official purchases or shadow installations by employees. Many of the firmware images the CITL study looked at are from networking devices, which are vital to enterprises and therefore quite valuable for attackers.

"We found major regressions in access points you would ship to enterprises by the crate. When you take these things in aggregate, that's a very soft target. It's a very low cost to find an exploit in those," Thompson said.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Data Shows IOT Security is Moving Backward | Log In/Create an Account | Top | 33 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Runaway1956 on Wednesday August 28 2019, @12:39AM (3 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday August 28 2019, @12:39AM (#886536) Journal

    You forgot that silly grin that seems to imply sarcasm.

    There is no difference between the manufacturer spying on me, and some script kiddy instructing my devices to kill me. None. Both are immoral, unethical, unwelcome, illegal, intrusive sons of bitches. For that reason, IOT devices are blocked at the router.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by c0lo on Wednesday August 28 2019, @12:56AM (2 children)

    by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @12:56AM (#886553) Journal

    No grin necessary in that case.

    There is no difference between the manufacturer spying on me, and some script kiddy instructing my devices to kill me. None. Both are immoral, unethical, unwelcome, illegal, intrusive sons of bitches.

    Don't be that stupid, the outcomes of the two are too different to reduce them under the same category.

    For that reason, IOT devices are blocked at the router.

    The fact that fire is good for keeping you warm and cooking your food doesn't make "keeping warm" and "cooking" the same.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

    • (Score: 2) by Runaway1956 on Wednesday August 28 2019, @01:22PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Wednesday August 28 2019, @01:22PM (#886765) Journal

      Alright, lemme make this a little more clear.

      Frigidaire wants to spy on me. Frigidaire is unsuccessful, because my Frigidaire products are blocked at the router.

      Little Johnny Zithead wants to kill me for lulz. He reasons that if he can connect to my Frigidaire products, he can order them to - uhhhh - short circuit while I'm touching them? Anyway, Zithead fails, because my Frigidaire products are blocked at the router.

      The outcomes of both cases are great big nulls. No difference, OK?

      • (Score: 2) by c0lo on Wednesday August 28 2019, @09:13PM

        by c0lo (156) Subscriber Badge on Wednesday August 28 2019, @09:13PM (#886976) Journal

        The outcomes of both cases are great big nulls. No difference, OK?

        No difference to you. A big distance to "they aren't different at all"

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford