Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study: Firmware Plagued By Poor Encryption and Backdoors

Posted by Soulskill on from the how-the-sausage-is-made dept.

itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.

8 of 141 comments (clear)

  1. Of course by charronia · · Score: 4, Interesting

    But really, who's going to hack your fridge?

    1. Re:Of course by Rinisari · · Score: 3, Interesting

      The manufacturer, so that it breaks, and we have a reason to go buy another expensive one or get it repaired.

      Collusion, I tell ya!

      --
      Colin Dean Go a year without DRM
    2. Re:Of course by gstoddart · · Score: 4, Insightful

      This ain't about fridges and petty crap

      It's not specifically about fridges, but it points to the widespread terrible security practices, and how a single vendor who makes the underlying stuff can basically destroy security for all of it.

      As you add more and more stuff with the same vulnerabilities, the scope of the problem just gets magnified.

      So, your internet connected CCTV, your smart TV, your notional smart fridge, and from the sounds of it possibly even your router ... these are all subject to vulnerability through their weakest links. And it sounds like there's a lot of weak links.

      As long as these companies have a culture of lax security and other terrible practices like this, this problem isn't going to go away.

      --
      Lost at C:>. Found at C.
    3. Re:Of course by Lazere · · Score: 3, Informative

      Once you have IPV6, with no (supposed) need for firewalls.

      Why does somebody always have to trot this out? IPV6 does not mean no need for firewalls. It means no need for NAT. These are not the same thing. Please, please stop spewing this crap.

    4. Re:Of course by AmiMoJo · · Score: 3, Interesting

      I'm a firmware engineer, and although I tend to work a bit below the level being talked about here I can understand why security often plays second fiddle. When you are producing mass market products you are going to get significant support issues, and there is pressure to minimize them as much as possible by making stuff "just work". Unfortunately that is the enemy of security too.

      Look at it this way. Wifi needs a password, but apparently actually knowing the password and figuring out how to type it in is too much to ask of the user. Thus WPS was invented so now all you have to do is push a button, even if it does introduce some fairly severe security flaws.

      It isn't impossible of course. Panasonic use FreeBSD for their smart TVs and they remain fairly secure. The thing is Panasonic doesn't sell super cheap TVs, or in other words you pay a bit more for a well engineered product. Many people just want to pay as little as possible, but also want cutting edge technology. I say let them have it - eventually they will get the message that cheap stuff is usually crap.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. The beginning of the "internet of things" by Opportunist · · Score: 4, Insightful

    It will be like the internet of humans was. Everyone will be in a gold fever. Everyone will want to join the train and everyone just HAS to get with the latest fad and have a sock drawer that has some kind of internet connection. Every petty, crappy, useless gadget will need to have some sort of internet access.

    And of course the manufacturers will deliver it. Everything and their dog collar will be online.

    Then the first people, I'd predict some geeks with a rather odd sense of humor, will start to piss people off by "talking" to their fridge and telling it to put some milk bones and condoms on the next shopping list, just to make your friends wonder about your ... private life should they get their hand on it.

    And given time, someone will come up with a way to abuse the whole shit not just for fun but also for profit. And only THEN we'll stand there and ask why oh why security has not been a core topic right from the start because that should have been obvious... and it probably was.

    It was just way cheaper to ignore it. And as long as people buy it (who will react just like the very first person in this thread, i.e. "who's going to hack your fridge?"), why bother with security? Security costs money and it's no selling point. So... to the crapper with it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. really? by NicolaZandonà · · Score: 4, Insightful

    The point is, who really need a connected fridge?

  4. Going to need MUCH better firewalls by BaronM · · Score: 3, Interesting

    I can't ever see secure firmware becoming the norm given the economics of consumer goods, so I think we're going to need much better firewalls than what we see in SOHO routers currently.

    Port/address level control is spectacularly insufficient when everything runs on port 80, and nobody is going to spend time mapping out specific source/destination pairs for everything (The washer can talk to the dryer. The washer can talk to my smartphone. The dryer can talk to my smartphone...)

    I'd like to see something like a home-PKCS standard where:
    1. Any IOT device requires a client certificate supplied by the router
    2. The router drops any traffic not signed by a recognized client certificate
    3. The router's signing key must be kept on a seperate USB drive, and the WAN port is locked out if the USB drive is inserted.

    To set up a new device on your home network you would:

    1. Insert USB key into the router (WAN port shuts down)
    2. Generate a new client certificate for the new device (push button "a")
    3. Install the certificate on the new device (push button "b" on router and also on device within 60 seconds, enter PIN, something automated like that)
    4. Remove USB key from router (WAN port comes back up)

    The router will now pass signed traffic to/from your new device. Traffic not signed? No talking to IOT devices for you.

    Yeah, key management sucks, but I bet it could be fairly easily automated for home use. It would take more thought and detail than I've outlined above, but should be doable. Unfortunately, that would require that everyone agree to follow the same standard for home-PKCS, and I can't see that happening either.

    Plus cheap devices would have the crypto implemented badly, plus you wouldn't be able to turn on the microwave from your office, so on and so forth.

    Never mind, I give up.