Study: Firmware Plagued By Poor Encryption and Backdoors
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.
But really, who's going to hack your fridge?
Your typical "internet of things" plastic garbage will have firmware updates released by the manufacturer for three to four years after which you're on your own. Which, to the point of the article, is not to say you have a secure device at the outset.
You'd think by now some consortium would self-assemble to devise best practices and certifications. In all likelihood it will have to be non-industry parties that do so as the last thing Samsung, et al, want is another hassle to eat into their razor-thin margins.
Is it bad or good? At least the NSA can't sniff the traffic so easily.
It will be like the internet of humans was. Everyone will be in a gold fever. Everyone will want to join the train and everyone just HAS to get with the latest fad and have a sock drawer that has some kind of internet connection. Every petty, crappy, useless gadget will need to have some sort of internet access.
And of course the manufacturers will deliver it. Everything and their dog collar will be online.
Then the first people, I'd predict some geeks with a rather odd sense of humor, will start to piss people off by "talking" to their fridge and telling it to put some milk bones and condoms on the next shopping list, just to make your friends wonder about your ... private life should they get their hand on it.
And given time, someone will come up with a way to abuse the whole shit not just for fun but also for profit. And only THEN we'll stand there and ask why oh why security has not been a core topic right from the start because that should have been obvious... and it probably was.
It was just way cheaper to ignore it. And as long as people buy it (who will react just like the very first person in this thread, i.e. "who's going to hack your fridge?"), why bother with security? Security costs money and it's no selling point. So... to the crapper with it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The point is, who really needs a connected fridge?
worst new term since 'the cloud' and 'hashtag'.
I can't ever see secure firmware becoming the norm given the economics of consumer goods, so I think we're going to need much better firewalls than what we see in SOHO routers currently.
Port/address level control is spectacularly insufficient when everything runs on port 80, and nobody is going to spend time mapping out specific source/destination pairs for everything (The washer can talk to the dryer. The washer can talk to my smartphone. The dryer can talk to my smartphone...)
I'd like to see something like a home-PKCS standard where:
1. Any IOT device requires a client certificate supplied by the router
2. The router drops any traffic not signed by a recognized client certificate
3. The router's signing key must be kept on a separate USB drive, and the WAN port is locked out if the USB drive is inserted.
To set up a new device on your home network you would:
1. Insert USB key into the router (WAN port shuts down)
2. Generate a new client certificate for the new device (push button "a")
3. Install the certificate on the new device (push button "b" on router and also on device within 60 seconds, enter PIN, something automated like that)
4. Remove USB key from router (WAN port comes back up)
The router will now pass signed traffic to/from your new device. Traffic not signed? No talking to IOT devices for you.
Yeah, key management sucks, but I bet it could be fairly easily automated for home use. It would take more thought and detail than I've outlined above, but should be doable. Unfortunately, that would require that everyone agree to follow the same standard for home-PKCS, and I can't see that happening either.
Plus cheap devices would have the crypto implemented badly, plus you wouldn't be able to turn on the microwave from your office, so on and so forth.
Never mind, I give up.
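Two threads of this discussion lend themselves to one worked example: the study's finding of self-signed certificates with their private keys embedded in firmware, and the home-PKCS proposal above where the router acts as its own CA and drops traffic from any device whose client certificate it did not issue. The Go program below is an added illustration, not code from the thread, the Eurecom study or any router vendor. It uses the standard library only; the device names (home-router-ca, washer, rogue-cam), the /etc/ssl/device.crt path and the binary padding are constructed, and it uses ECDSA P-256 where the study mentions RSA keys, purely to keep key generation quick.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCert makes a key pair and client certificate for cn. With parent == nil it is
// self-signed (the router root, or the kind of cert the study found in firmware).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, signer := tmpl, key // default: sign with our own key
	if parent != nil {
		issuer, signer = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// routerAdmits is the proposed rule: a device cert must chain to the router's own root.
func routerAdmits(root, device *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := device.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// auditFirmware walks every PEM block in a blob and reports private keys and self-signed certs.
func auditFirmware(blob []byte) []string {
	var findings []string
	for rest := blob; len(rest) > 0; {
		block, tail := pem.Decode(rest)
		if block == nil {
			break
		}
		switch {
		case strings.Contains(block.Type, "PRIVATE KEY"):
			findings = append(findings, "private key: "+block.Type)
		case block.Type == "CERTIFICATE":
			// Self-signed: issuer equals subject and its own key verifies the signature
			// (CheckSignature skips the CA-constraint check, so leaf certs count too).
			c, err := x509.ParseCertificate(block.Bytes)
			if err == nil && c.Issuer.String() == c.Subject.String() &&
				c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
				findings = append(findings, "self-signed certificate: "+c.Subject.CommonName)
			}
		}
		rest = tail
	}
	return findings
}

// sampleFirmware is a constructed stand-in for an extracted firmware image:
// binary padding with one certificate and its private key dropped in as PEM.
func sampleFirmware(cert *x509.Certificate, key *ecdsa.PrivateKey) []byte {
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	var buf bytes.Buffer
	buf.Write(bytes.Repeat([]byte{0x7f, 'E', 'L', 'F', 0}, 40))
	buf.WriteString("\n/etc/ssl/device.crt\n")
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	pem.Encode(&buf, &pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return buf.Bytes()
}

func main() {
	root, rootKey, _ := newCert("home-router-ca", true, nil, nil)
	washer, _, _ := newCert("washer", false, root, rootKey)
	rogue, rogueKey, _ := newCert("rogue-cam", false, nil, nil)
	fmt.Println("admit washer:", routerAdmits(root, washer), "admit rogue-cam:", routerAdmits(root, rogue))
	fmt.Println("firmware audit:", auditFirmware(sampleFirmware(rogue, rogueKey)))
}
```

The router root stays in memory here; in the proposal it would live on the removable USB key, and only the public root certificate would need to remain on the router for the verification step. The audit function is the kind of check a vendor could run over its own build output before release: anything it reports is a key that every unit of the product shares and that any buyer can extract.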
It makes you sound stupid. Servers are things. Desktops are things. Laptops, tablets and phones are things. We've always had an "internet of things". That it's going to get into smaller devices is not in question. What is in question is manufacturers supposedly will bother putting a mini server in your toilet roll to spam you with ads and measure your bowel health. Ain't gonna happen. It's not economical.
Connected fridges were cool ten years ago. I have connected, programmable light-bulbs. What bridge have you been living under? :P
Who would not? If it's connected to the internet it can be used for many nasty things. Spam relay, ssh router, dns ddos slave, etc.... So the better question is who would not hack your fridge?
I stopped getting shocked when I hit my first billion-device vulnerability. I now have several.
Still want to buy logic chips from China and Taiwan?
We really need a program that offers bounties for finding such vulnerabilities and backdoors. Put a tax up for companies selling networked devices, pay bounties from that when a third party finds something and pay the money back to the respective companies after a year or two when nobody finds any vulnerabilities in their products. This would make actually putting some effort into secure products commercially viable while giving good hackers a way to earn their living in a good way. Win-win.
Right now we're rewarding companies that sell shoddy products while driving clever and well-educated people into the criminal underground. This actually is the worst setup one could think of. Make a sane, well-regulated market out of that and things will improve quickly while at the same time creating careers for people who deserve it.
This is commonly because the guy who originally set up the image, knew how the code worked, and designed the thing was laid off years ago. The people hired on to maintain it afterwards never figured out how it worked or how it was put together, their goal was just to keep things running. I was recently laid off at a job where I had bothered to take the time to learn how the original image for a device was created and recreate it from scratch so that we wouldn't be left behind and could upgrade. The guys remaining there don't know, care, and cannot recreate the firmware image. If managers would attempt to keep their well-learned staff, give them incentives to stay, not lay them off randomly for short-term gains, and promote documentation then this wouldn't happen.
Sasha Grey is intrigued . . .
If it works on the hardware in question, what's wrong with that? Sometimes being newer isn't better, it's just newer.
I don't see this as a huge problem for embedded systems.... Unless it's something like a firewall or a router that lives on the internet, then it *might* be worth looking at. If it's something like a media player or printer on your private network, who cares? (unless you are member of the tin foil hat society).
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
But in this case it seems they are in perfect agreement when it comes to deciding whether any money or effort should be put into upgrading your kernel on your vcr with the blinking 12:00
Getting a signed certificate for an embedded device may cost more than manufacturing the device... per year.
It's actually worse than that, because you don't even have a fixed target to price up. You have to consider how long a certificate needs to be valid for: the longer, the more expensive, but if it's not enough for the working lifetime of the device people are going to get upset. There's also the risk that a link in the certification chain could disappear, which is presumably more likely the longer the certificate lasts. For serious equipment running on corporate networks you might also have to consider letting them install their own certs backed by their own in-house CA, which introduces overheads of its own for your technical implementation. And none of this matters for devices that aren't going to be available from a machine with Internet access, because then there's no way to verify certs signed by the major public CAs anyway.
But the AC's basic point is sound. There are genuine concerns being raised here, but there's also a degree of FUD. If you see "10 year old Linux kernel" and assume "security flaw", you're the guy embedded software developers hate. That's not because they don't like criticism, it's because what really happens is they get a report back from some suit in the sales team saying a customer ran a "vulnerability scanner" and it flagged something based on a simple version check or other heuristic and that "vulnerability" must be fixed before you can get the sale. When they point out that patches have been applied for all known vulnerabilities that are relevant to their system and ask the sales guy what actual vulnerability the customer is concerned about, all they get back is crickets.
Then you get someone from management being told by the sales guy who just lost his commission that the engineering team is incompetent, and wanting to know how much it would cost to upgrade the entire system to the latest Linux kernel. Management gets told by engineering leadership about the cost, the time required to do the work, the time required for a complete regression test, and the risk of some regressions slipping through anyway because you're giving up tried and tested code and maybe being forced to change fundamental things like what kind of filesystem you're using on your internal flash storage. Somewhere around the point where the half dozen guys who normally work on the firmware for that product now need six more guys whose only job is to watch for every relevant update to any software component in the system, integrate it, regression test the results, issue the firmware update, and brief sales and marketing because reading a changelog is too difficult, the manager usually loses interest. It's a huge amount of wasted time and effort all around, for something that in many cases was never actually a real problem in the first place.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Better idea: Give up on this stupid everything-has-to-be-on-the-Internet bullshit.
That's a good idea, but it doesn't solve the problem for devices that actually do have good reasons to be connected: streaming media players, IP-based phones/faxes, consoles with multiplayer games, and so on. Many of these devices are connected to household networks these days, both to access the Internet and to communicate for legitimate reasons with other devices also on that home network. The devices themselves or other devices on the home network may store sensitive data. They may also have sensors, and while cameras and microphones are the most obvious risks, less obvious things like accelerometers in mobile devices and GPS can also create huge security/privacy holes.
Sooner or later, we're going to have to confront the implications of connecting all of this stuff together, and we're going to need a more sophisticated strategy than "just don't do it", because a lot of the time doing it is very useful but also dangerous without proper limitations.
This reminds me of my brand new Roland Gi synthesizer and how out-dated the firmware is on it. Thank God it isn't able to communicate.
That's correct. In 2015 Roland still doesn't offer any form of transferring files via USB or ethernet in their synths. Besides an LCD that looks like a solid-state screen taken from a 1980 pinball machine, this firmware is ancient.
In addition to only recognizing 99 files on a USB drive (FAT format only) it won't recognize folders. That's right! You can only have 99 files and they all have to be put into the root of the USB device. It brings loads of fun trying to have MIDI tracks to play along with, as you can't sort them other than in alphabetical order.
While the device will send and receive MIDI commands through a USB cable there's no other ability to do anything else.
I'm shocked that this company is even in business. My 7 year old Yamaha PSR has better software than this and it cost 1/10th the amount.
The reason embedded device kernels never get updated is because the source code for them is on some SOC vendor's way out there fork of some ancient kernel that nobody with a clue actively develops for anymore.
And the vendor (say, TI) had hired a bunch of clueless interns to write the "BSP"s (old acronym from the binary blob obsessed asshats at vxworks et al) for their SOCs and the cluster of shoddily designed peripherals crowbarred into the SOC.
And those interns wrote code so toxic and broken that no sane kernel developer would ever have accepted any of their garbage into any mainline kernel tree.
So there are all these embedded devices out there with kernels from the 90s, and it would take time (and expertise) that none of the vendors have (including the SOC suppliers, like TI) to merge the changes into something even remotely contemporary.
All of this because the requirements for these embedded projects (dictated by clueless PHBs) are only "linux support", not "mainline kernel support", so SOC vendors (like TI) just don't have the incentive to develop SOC peripheral driver code suitable for mainline inclusion.
Not necessarily. The device could easily be loaded with a unique certificate in manufacturing. A quick search shows that Atmel makes parts that would help enable this. I'm sure there are others. I expect the cost of this to continue dropping.
And if you don't like it, stop eating the fucking cheese, mouse.
It'll still be possible to get off your duff and make your own damn cheese, won't it?
Mr. Potato Head. Mr. Potato Head! Back doors are not secrets!
https://www.youtube.com/watch?...
When you can rewrite it with software? Not all progress is good. I want to see black hat types remotely reprogram ROM chips and UV-erasable EPROM chips from the 1980s.
SD Cards can be several devices, including wifi cards, so those are just as (un)safe as USB devices if the device they are connected to would be susceptible to hot plugged hardware and have the drivers available for those.
SSL/TLS is plagued with bugs due to the backward compatibility issue. Heartbleed anyone?
Self-signed shouldn't be a problem, providing the device has the pubkey for the CA that was used to self-sign present.
Doing a wget on an image requires at least a minimal install like busybox on top of a linux kernel. This is currently one of the most used ways to upgrade firmwares, and often there are older versions of busybox, the kernel and many other applications on the device. Those are one of the big sources of devices being hacked.
As you see, it's not as simple as it seems. Apart from standard apps being outdated and not validating certificates, a lot of the custom parts of firmware aren't written with any security in mind. Things like old fashioned buffer overflows, SQL/XML injections, XSS and whatnot in user interfaces are much more common than in directly web facing websites these days. With IPv6 around the corner and the end of NAT in sight, plenty of these devices will be connected directly to the internet and we will see a large increase in "things" getting hacked once we get to that point.
I was promised a flying car. Where is my flying car?
The only thing that works for this finance-driven development is a public Wall of Shame. If consumers know which firms produce this crap, they at least have a choice of not buying it. The researchers are probably scared of the legal actions of the producers, but not disclosing crimes like back doors is a crime in itself.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Someone please mod parent up, insightful
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
Until lemon laws for computer-related products become pervasive, this shit will continue. Manufacturers are able to skirt liability and hide behind nebulous EULAs.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman