Andrei Costin presents research findings on embedded web interfaces at the DefCamp security conference in Bucharest, Romania. (Image Credit: SecurityWeek)
Researchers Find Many Embedded Web Interfaces Used in IoT Devices are Vulnerable and Represent a Considerable Attack Surface
The Internet of Things (IoT) market is expanding fast, and the number of unpatched vulnerabilities that can be found in embedded devices released in this market segment appears to be growing at a similar pace, researchers demonstrated at the DefCamp security conference in Bucharest, Romania last week.
A research paper presented at the conference, published by Andrei Costin and Aurelien Francillon from Eurecom research center in France and Apostolis Zarras from Ruhr-University Bochum in Germany, shows that embedded device firmware images are often susceptible to multiple security flaws because manufacturers fail to conduct adequate security tests before releasing new products to market.
As part of their research, the team analyzed 1925 firmware images from 54 different vendors by creating an automated system capable of unpacking and emulating the images, thus eliminating the need to work with the actual devices. They were looking for vulnerabilities in the Web interfaces of corresponding IoT devices and were able to easily find a total of 9271 vulnerabilities in 185 firmware images, affecting almost a quarter of the vendors analyzed.
Costin explained in a presentation at DefCamp that they managed to emulate the web server for 246 firmware images and that they performed both static and dynamic analysis of the web interfaces. The analysis revealed 225 high impact vulnerabilities in 46 images, all of which were verified through dynamic analysis, as well as 9,046 possible vulnerabilities in 145 unique firmware images via static analysis.
According to the paper (PDF), the researchers discovered that cross-site scripting (XSS) and file manipulation constituted the majority of the discovered vulnerabilities, with command injection, file inclusion, and file disclosure next on the list. SQL injection, code execution, and HTTP header injection were also among the discovered security flaws.
At DefCamp, Costin underlined the fact that the team was able to find the aforementioned vulnerabilities fairly easily through unpacking and emulating the firmware images, which suggests that manufacturers could have found them as well, provided they had conducted proper security tests. He also suggested that manufacturers might not have tested firmware images at all in some cases, given the sheer number of already known vulnerabilities found in the dataset.
Also of importance is the fact that the team focused only on flaws in the web server interface of these firmware images and left other possible vulnerabilities aside. The team did not use advanced tools for the research and did not test the available firmware images for logic flaws either, as the entire analysis was conducted via their automatic platform.
The researchers focused on firmware for Linux-based embedded systems and selected images that contained a web server binary and typical configuration files, as well as server-side or client-side code associated with web interfaces. Their dataset included only publicly available firmware images and they used only open source tools to test them, which automatically excluded the firmware for a large percentage of embedded devices from the study.
Costin also suggested that, although they conducted their automated testing only on a small number of firmware images, it is likely that the issues are widespread among IoT devices and are not limited to a single vendor or a small group of vendors. Because many of the discovered flaws were already disclosed, the impact on user security is even higher, as people often are not aware of or ignore firmware updates available for their embedded devices.
Also at DefCamp, an on-site IoT Village presented attendees with the possibility to hack several devices, including a doorbell, a high-end D-Link router, a Mikrotik router, and a Nest Cam. While the cam remained unscathed, the other three devices were found to include flaws, two of which were rated critical, further suggesting that IoT devices are highly likely to include vulnerabilities should manufacturers skip security testing or perform poor tests on them.
“All software and all firmware have vulnerabilities. For decades, embedded engineers have relied on the obscurity of their devices for protection,” Brian Witten, Senior Director for IoT Security at Symantec, told SecurityWeek. “Now that devices are connected to the Internet, they're becoming detectable and exploitable.”
According to Witten, the findings discovered after analyzing the firmware images highlight the bad outcomes to expect from the all too common amateur attempts to do security.
“That's why we recommend third party security to protect both the maker and the buyer,” said Witten, who is heading efforts at Symantec to establish a leadership position in the market for IoT security.
At SecurityWeek’s 2015 ICS Cyber Security Conference last month, Witten told attendees that Symantec currently protects more than 1 billion connected IoT devices through its portfolio of IoT security offerings.
“In 3Q15, Symantec put its stake in the ground of the Internet of Things (IoT) by publishing a reference architecture and messaging the benefits of the vast telemetry already acquired from the millions of Symantec-protected endpoints and other ‘things’ such as cars and medical devices,” Jane Wright, Senior Analyst and Engagement Manager for Security at Technology Business Research, told SecurityWeek earlier this month.
In September, technology firms banded together to launch the Internet of Things Security Foundation (IoTSF), a collaborative initiative aimed at addressing concerns regarding the security of IoT, with an initial focus on promoting excellence in IoT security to make devices safe to connect.
A fast-growing segment, IoT devices are subject to incidents that are not limited to extracting information but also open companies worldwide to more threats, as Agiliance’s Torsten George explains in a SecurityWeek column.
“To complicate matters, the development of IoT products preceded the creation of a common security framework or standard,” George said. “In the case of many IoT products, security is an afterthought. The only reasonable solution to address the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems.”
“Time will tell if the IoT vendor community can come together to create a common security framework that helps shrink the security risk iceberg and minimize the risk of cyber-attacks.”