Security Encryption Linux

Study: Firmware Plagued By Poor Encryption and Backdoors 141

Posted by Soulskill
from the how-the-sausage-is-made dept.
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.
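The kind of check the study performed, as an added example that is not from the article or the Eurecom researchers: it pulls PEM-armoured blocks out of raw firmware blobs, fingerprints the decoded DER, and reports any private key that turns up in more than one image. The sample "images" and key bodies are constructed bytes, not real key material.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches any PEM-armoured block embedded in a binary blob; the backreference
# keeps the BEGIN/END labels paired so a stray marker does not swallow the file.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----"
)
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def extract_pem_blocks(image: bytes):
    """Return a list of (label, sha256-of-DER) for every PEM block in image."""
    found = []
    for m in PEM_RE.finditer(image):
        try:
            der = base64.b64decode(m.group("body"))  # non-strict: whitespace skipped
        except ValueError:
            continue  # looked like PEM but did not decode; ignore it
        found.append((m.group("label").decode("ascii"),
                      hashlib.sha256(der).hexdigest()))
    return found


def scan_images(images: dict) -> dict:
    """images maps image name -> raw bytes. Reports per-image key/cert counts and
    every private-key fingerprint that is shared by two or more images."""
    key_owners = defaultdict(set)
    per_image = {}
    for name, blob in images.items():
        blocks = extract_pem_blocks(blob)
        priv = [fp for label, fp in blocks if label in PRIVATE_KEY_LABELS]
        certs = [fp for label, fp in blocks if label == "CERTIFICATE"]
        per_image[name] = {"private_keys": priv, "certificates": certs}
        for fp in priv:
            key_owners[fp].add(name)
    shared = {fp: sorted(n) for fp, n in key_owners.items() if len(n) > 1}
    return {"per_image": per_image, "shared_private_keys": shared}


def _pem(label: str, payload: bytes) -> bytes:
    """Wrap constructed bytes in PEM armour (not real key material)."""
    lab = label.encode("ascii")
    return (b"-----BEGIN " + lab + b"-----\n" + base64.encodebytes(payload)
            + b"-----END " + lab + b"-----\n")


# Constructed sample firmware images: filler bytes around PEM blocks. Two camera
# releases ship the same key and certificate; the router has a key of its own.
SHARED_KEY = _pem("RSA PRIVATE KEY", b"constructed-key-material-" * 8)
SHARED_CERT = _pem("CERTIFICATE", b"constructed-cert-bytes-" * 8)
UNIQUE_KEY = _pem("PRIVATE KEY", b"different-constructed-key-" * 8)

SAMPLE_IMAGES = {
    "camera-v1.3.bin": b"\x7fELF" + b"\x00" * 64 + SHARED_KEY + SHARED_CERT + b"\xff" * 32,
    "camera-v1.4.bin": b"\x7fELF" + b"\x00" * 64 + SHARED_KEY + SHARED_CERT + b"\x01" * 32,
    "router-v2.0.bin": b"hsqs" + UNIQUE_KEY + b"\x00" * 32,
    "printer-v5.1.bin": b"\x00" * 100,
}

if __name__ == "__main__":
    report = scan_images(SAMPLE_IMAGES)
    for name, info in report["per_image"].items():
        print(f"{name}: {len(info['private_keys'])} private key(s), "
              f"{len(info['certificates'])} certificate(s)")
    for fp, names in report["shared_private_keys"].items():
        print(f"private key {fp[:16]}... shared by: {', '.join(names)}")
```

Run against real images, a shared fingerprint means every device on that firmware presents the same key, which is the failure mode the study counted.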
  • Of course (Score:4, Interesting)

    by charronia (3780579) on Tuesday August 12, 2014 @04:40PM (#47657961)
    But really, who's going to hack your fridge?
    • Re:Of course (Score:4, Interesting)

      by Rinisari (521266) on Tuesday August 12, 2014 @04:46PM (#47657997) Homepage Journal

      The manufacturer, so that it breaks, and we have a reason to go buy another expensive one or get it repaired.

      Collusion, I tell ya!

      • by MarkGriz (520778)

        "so that it breaks"

        Manufacturers have been "hacking" your appliances to break prematurely long before the transistor was even invented

    • Oh c'mon, at least skim TFA, I don't even expect anyone on /. to read it anymore, but at least click the link and look at the pretty pics.

      This ain't about fridges and petty crap. I guess I needn't explain why being able to hack and modify the firmware of a CCTV can be quite interesting, or do I?

      • Re:Of course (Score:5, Insightful)

        by gstoddart (321705) on Tuesday August 12, 2014 @05:14PM (#47658211) Homepage

        This ain't about fridges and petty crap

        It's not specifically about fridges, but it points to the widespread terrible security practices, and how a single vendor who makes the underlying stuff can basically destroy security for all of it.

        As you add more and more stuff with the same vulnerabilities, the scope of the problem just gets magnified.

        So, your internet connected CCTV, your smart TV, your notional smart fridge, and from the sounds of it possibly even your router ... these are all subject to vulnerability through their weakest links. And it sounds like there's a lot of weak links.

        As long as these companies have a culture of lax security and other terrible practices like this, this problem isn't going to go away.

        • Re:Of course (Score:4, Interesting)

          by AmiMoJo (196126) * <mojo@@@world3...net> on Wednesday August 13, 2014 @03:40AM (#47661033) Homepage

          I'm a firmware engineer, and although I tend to work a bit below the level being talked about here I can understand why security often plays second fiddle. When you are producing mass market products you are going to get significant support issues, and there is pressure to minimize them as much as possible by making stuff "just work". Unfortunately that is the enemy of security too.

          Look at it this way. Wifi needs a password, but apparently actually knowing the password and figuring out how to type it in is too much to ask of the user. Thus WPS was invented so now all you have to do is push a button, even if it does introduce some fairly severe security flaws.

          It isn't impossible of course. Panasonic use FreeBSD for their smart TVs and they remain fairly secure. The thing is Panasonic doesn't sell super cheap TVs, or in other words you pay a bit more for a well engineered product. Many people just want to pay as little as possible, but also want cutting edge technology. I say let them have it - eventually they will get the message that cheap stuff is usually crap.

        • by gtall (79522)

          Those household appliances are small potatoes compared to autos. The car companies outfit our cars with computers but give us no decent way to connect up our PCs or handhelds and have the vehicles tell us what ails them. Why? The conditions that generate sensor signals can be complex and the car companies are essentially saying "we do not understand our vehicles that well"...and it 'tis but a short step from that to forcing you into a dealership or auto repair shop just to "read and reset the computer".

          Okay

      • by mlts (1038732)

        The problem is that bugtastic firmware is just a sign to the "good enough" race to the bottom that plagues a lot of industries.

        Secure firmware upgrades are not rocket science. If a device doesn't have to be connected to the Internet [1], a SD card [2], a routine for signing firmware, and having an atomic transaction based upgrade process (so the upgrade either 100% completes or gets rolled back... no in between states) will solve this. Of course, some way to revert or roll back would be useful. Perhaps a
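The signed, all-or-nothing upgrade described in this post, as an added example that is not the poster's code: the new image is staged into the inactive slot, verified from the bytes actually written, and only then does a single atomic rename flip the boot pointer, so a failed check or a power cut leaves the old slot selected. HMAC with a constructed demo key stands in for the vendor signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo secret standing in for the vendor's signing key. HMAC keeps
# the example stdlib-only; a shipped design should use an asymmetric signature
# so the device holds just a public key and cannot mint valid tags itself.
DEMO_SIGNING_KEY = b"constructed-demo-key-do-not-ship"


def sign_image(image: bytes, key: bytes = DEMO_SIGNING_KEY) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes = DEMO_SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_image(image, key), tag)


def _write_atomic(path: str, data: bytes) -> None:
    """Temp file in the same directory + fsync + rename: path is never half-written."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def init_device(root: str, factory_image: bytes) -> None:
    """Factory state: slot A holds the factory image and the boot pointer selects it."""
    _write_atomic(os.path.join(root, "factory.img"), factory_image)  # kept for resets
    _write_atomic(os.path.join(root, "slot_A.img"), factory_image)
    _write_atomic(os.path.join(root, "boot"), b"A")


def current_slot(root: str) -> str:
    with open(os.path.join(root, "boot"), "rb") as f:
        return f.read().decode("ascii").strip()


def apply_update(root: str, image: bytes, tag: bytes) -> str:
    """Stage into the inactive slot, verify the on-disk bytes, then flip the boot
    pointer in one atomic replace. Returns the slot selected afterwards."""
    active = current_slot(root)
    target = "B" if active == "A" else "A"
    slot_path = os.path.join(root, f"slot_{target}.img")
    _write_atomic(slot_path, image)
    with open(slot_path, "rb") as f:
        on_disk = f.read()            # verify what is on flash, not the download buffer
    if not verify_image(on_disk, tag):
        os.remove(slot_path)          # pointer untouched: the device still runs `active`
        return active
    _write_atomic(os.path.join(root, "boot"), target.encode("ascii"))
    return target


def run_demo() -> dict:
    """Good update flips A -> B; a tampered image with a mismatched tag is rejected."""
    root = tempfile.mkdtemp(prefix="fw-demo-")
    init_device(root, b"constructed factory firmware v1")
    good = b"constructed firmware v2"
    after_good = apply_update(root, good, sign_image(good))
    tampered = b"constructed firmware v3 with injected change"
    after_bad = apply_update(root, tampered, sign_image(b"constructed firmware v3"))
    return {"after_good": after_good, "after_bad": after_bad, "final": current_slot(root)}


if __name__ == "__main__":
    print(run_demo())
```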

        • by Cramer (69040)

          Right, because bugs in the cannot-be-replaced version 1.0 firmware will never come back to haunt you. (read: force it to fallback to 1.0, and bob's your uncle.)

        • SD Cards can be several devices, including wifi cards, so those are just as (un)safe as USB devices if the device they are connected to would be susceptible to hot plugged hardware and have the drivers available for those.

          SSL/TLS is plagued with bugs due to the backward compatibility issue. Heartbleed anyone?

          Self Signed shouldn't be a problem, providing the device has the pubkey for the CA that was used to self sign present.

          Doing a wget on an image requires at least a minimal install like busybox on top

        • by AmiMoJo (196126) *

          Secure firmware upgrades are not rocket science.

          True, but they do cost money. You need a processor capable of handling the crypto, which rules out a lot of low cost parts. You need extra memory to store the original factory firmware for factory resets and extra memory for storing the new firmware in case the upgrade fails (power cut etc.).

          Also, if you are going to require SD card you had better ship a free one along with an SD card reader with your product, or expect a lot of customer support calls. USB is starting to become acceptable, but only just.

          The

          • by mlts (1038732)

            The advantage of SD cards is that in a pinch, the manufacturer can always ship a SD card to the customer (especially if the item is a more expensive appliance like a CNC mill.) As for a SD card reader, those are not too difficult to find (most modern laptops except MacBook Air models tend to have them built in.)

            I do agree that a USB flash drive would be better, but a SD card reader is fairly static. One knows that it will have the same device ID (in Linux) or drive letter (in Windows) no matter what, whil

    • by riis138 (3020505)
      I am going to change the shape of your ice cubes! BOOM!
    • by gstoddart (321705)

      Once you have IPV6, with no (supposed) need for firewalls, everything connected to the interweb, and widespread terrible security ... I predict your fridge will be hacked as quickly as an unpatched Windows XP box hooked up to the internet.

      People will try to have anything, and when the device manufacturers are this slack about security, it will get hacked simply because it's there.

      I've always thought the internet connected fridge was a stupid idea, for these exact reasons.

      With the laundry list of terrible se

      • Re:Of course (Score:4, Informative)

        by Lazere (2809091) on Tuesday August 12, 2014 @05:14PM (#47658213)

        Once you have IPV6, with no (supposed) need for firewalls.

        Why does somebody always have to trot this out? IPV6 does not mean no need for firewalls. It means no need for NAT. These are not the same thing. Please, please stop spewing this crap.

        • by gstoddart (321705)

          Why does somebody always have to trot this out?

          Because every time IPV6 comes up, people say "you won't need a firewall", which I've always assumed to be crap, and which is why I put "supposedly".

          Because my reaction is always "no way I'm running without a firewall".

          I still think the "no NAT" thing is stupid. I don't want devices with a globally unique ID, because the marketing assholes and everybody else don't need to know "this is Bob's fridge".

          • by Lazere (2809091)
            Probably, you won't even see NAT go away as ISPs are still going to want to charge for each IP they give. I have a feeling, at least on the residential side, that things will stay exactly as they are, just with an IPv6 address instead of IPv4.
            • Why on earth would you ever use IPv6 on an internal network?

              • Because if you didn't, when (he he....maybe "if") the entire Internet finally switches to IPv6, you'd have to run 4to6 hacks on your router, and probably have large swathes of the Internet unreachable, because your IPv4 internal network doesn't have the capability to properly address the IPv6 address space.
                Much easier to just use IPv6 internally to begin with.

                • I didn't say "Why wouldn't you have a IPv6 capable network" I asked "Why would you use IPv6?" All my equipment/OS's can handle IPv6 just fine, but there's no reason to ever use it inside a local network. I can hit IPv6 outside my network just fine... http://test-ipv6.com/ [test-ipv6.com]

                  Granted, that's entirely up to your ISP. But out-of-the-box equipment that's IPv6 capable should support IPv6 as long as your ISP does as well.

                  • I didn't say "Why wouldn't you have a IPv6 capable network" I asked "Why would you use IPv6?"

                    Well, it's a good thing that I actually answered the second question, rather than the first, isn't it?

                    All my equipment/OS's can handle IPv6 just fine, but there's no reason to ever use it inside a local network. I can hit IPv6 outside my network just fine... http://test-ipv6.com/ [test-ipv6.com]

                    Granted, that's entirely up to your ISP. But out-of-the-box equipment that's IPv6 capable should support IPv6 as long as your ISP does as well.

                    If you only run IP4 internally, then you can only address, at best, a subset of IPv6 addresses on the public Internet.

            • by rahvin112 (446269)

              Considering the smallest recommended handout is a /64 which includes as many addresses as there are in IPv4 total there should never be a problem with the number of addressable IPs you receive. If ISPs try to hand out a /127 address to customers they'll lose many of the auto-routing functions of IPv6 that keep the router tables small and raise their own costs. My bet is they won't give you a static IP without a charge, but you will be given that /64 address and you won't be buying packages of IP addresses.

          • Because every time IPV6 comes up, people say "you won't need a firewall",

            IPv6 capable consumer routers have SPI (Same as NAT - no incoming connections) except without resorting to packet mangling or dangerous ALGs.

            I don't want devices with a globally unique ID, because the marketing assholes and everybody else don't need to know "this is Bob's fridge".

            If not turned on by default, enable IPv6 privacy extensions on the fridge console next to the designer ice cube shaper display.

            Vendors have thus far proven themselves incapable of providing "connected" products not intentionally designed to maximally violate your privacy or otherwise place you at the mercy of a vendor operated "cloud service".

            The second Bob's fridge connects

      • by vux984 (928602)

        Once you have IPV6, with no (supposed) need for firewalls

        Um... you'll still need a firewall. You just won't need a NAT gateway.

    • http://www.cbsnews.com/news/ha... [cbsnews.com]
      China embedding chips in electric kettles and using the other appliances in the home to pry into home networks on the off chance that you're someone worth hacking.

      Beyond that, hacking someone's fridge is a great way to be irksome to someone you don't like -- I've come home to a failed fridge after a week-long trip and it is definitely not pretty.

    • by flyneye (84093)

      Well...now, lessee...an out of date linux kernel...I'll go out there on a limb and guess it was an OpenMOSIX kernel. That seems about the right timeframe. A cluster computing platform, brilliantly simple. Just think of all those appliances donating spare cycles and ram to a money making scheme by the vendor, selling super computing time on your appliances and bandwidth.

      O.K. that's my vote for what this is really all about.

    • by crioca (1394491)
      Was literally having a serious work discussion about hacking fridges yesterday. There are a few ways internet enabled fridges could be hacked for profit or for "the lulz"

      1. The fridge could be used for pivoting into your network [wikipedia.org]

      2. If the fridge is able to automatically purchase food for you, the payment system could be abused

      3. If the fridge is able to automatically purchase food for you, the ordering system could be abused.

      4. It could be used to disable the cooling system

      5. It could be used a

    • > Who's going to hack your fridge?

      If your fridge is tied into your grocery shopping (which would seem to be a major reason to have a smart fridge... really, a dumb fridge is just fine at turning the compressor on and off), then you might be able to hack it and buy neat stuff and get it delivered to a drop location (even the owner's own driveway ... "Yeah, I'll be out, drop it behind the paper recycling bin...").

    • Groceries can be very expensive, especially for families. All it takes is a simple temperature change hack to ruin an entire fridge full of food, and cost you another trip to the store (if your fridge is even fixable/usable at that point).
    • by SirGeek (120712)

      Someone who wants you to die? How hard would it be to increase the temp to "just" above the safe point (so bacteria/etc. grows)?

      Ingest the food, Get botulism or something else and die.

    • by RockDoctor (15477)

      But really, who's going to hack your fridge?

      Someone who puts a network cable into it.

      No, I'm not going to give the fridge a password into my wifi. Why should I? And I'm certainly not going to pay for a cellphone service for it.

  • Your typical "internet of things" plastic garbage will have firmware updates released by the manufacturer for three to four years after which you're on your own. Which, to the point of the article, is not to say you have a secure device at the outset.

    You'd think by now some consortium would self-assemble to devise best practices and certifications. In all likelihood it will have to be non-industry parties that do so as the last thing Samsung, et al, want is another hassle to eat into their razor-thin mar
    • by 0x15e (961860)
      I would say three to four years if you're lucky. I wouldn't expect most plastic garbage to have updates for more than a year after release, assuming there are any updates at all.
  • Is it bad or good? At least the NSA can't sniff the traffic so easily.
    • >> "Self-signed cert = At least the NSA can't sniff the traffic so easily"

      I hope you're joking, but in case you're not, reread the part about the published "private RSA encryption key." That means that ANYONE who watches an SSL/TLS session get established with that key could decode the session's traffic. And more bad things...

    • by Cramer (69040)

      The issue is that it's embedded in the firmware, which means it's the same damned certificate on every device. Hack it once, and every one of them is now hacked. (remember the issue with debian and sshd keys? there were only a handful of keys because they were generated with a guessable random number (seconds from boot) on the first boot.)

      • Not necessarily. The device could easily be loaded with a unique certificate in manufacturing. A quick search shows that Atmel [atmel.com] makes parts that would help enable this. I'm sure there are others. I expect the cost of this to continue dropping.
        • by Cramer (69040)

          RTFA. They downloaded the installable firmware images for many devices and found a self-signed certificate in some of them. That is not a per-device-unique anything. Every device loads the same blob, and has the same certificate. They aren't even competent enough to get the device to generate its own certificate. (which could have its own issues, but at least it has a chance of being different from any other device.)

  • by Opportunist (166417) on Tuesday August 12, 2014 @04:57PM (#47658063)

    It will be like the internet of humans was. Everyone will be in a gold fever. Everyone will want to join the train and everyone just HAS to get with the latest fad and have a sock drawer that has some kind of internet connection. Every petty, crappy, useless gadget will need to have some sort of internet access.

    And of course the manufacturers will deliver it. Everything and their dog collar will be online.

    Then the first people, I'd predict some geeks with a rather odd sense of humor, will start to piss people off by "talking" to their fridge and telling it to put some milk bones and condoms on the next shopping list, just to make your friends wonder about your ... private life should they get their hand on it.

    And given time, someone will come up with a way to abuse the whole shit not just for fun but also for profit. And only THEN we'll stand there and ask why oh why security has not been a core topic right from the start because that should have been obvious... and it probably was.

    It was just way cheaper to ignore it. And as long as people buy it (who will react just like the very first person in this thread, i.e. "who's going to hack your fridge?"), why bother with security? Security costs money and it's no selling point. So... to the crapper with it.

  • really? (Score:4, Insightful)

    by Nicola Zandonà (3783027) on Tuesday August 12, 2014 @04:57PM (#47658069)
    The point is, who really needs a connected fridge?
    • by Ichijo (607641)

      In fact, who really needs a fridge at all? We got along just fine without them for thousands of years.

    • Need? Nobody. Being able to auto-generate a shopping list based on the contents of your fridge and cupboards, or order said list for delivery from Safeway/Amazon Fresh/etc.? Timesaver. Hacking someone's smart fridge to order random embarrassing things as a prank? Priceless.
      • by Anonymous Coward

        Auto-generate a shopping list based on the contents of fridge and cupboards? I don't know about anyone else, but from week to week, season to season, the contents of my fridge vary wildly based on what's locally in season and the random recipes I choose for the week. My eating patterns aren't exactly predictable unless you hack my random recipe selector.

      • by Belial6 (794905)
        About as priceless as smashing the window of their car. Ha Ha. Vandalism isn't new just because it is "on a computer".
    • Look at it this way...a connected fridge is utterly pointless, but I can see how it will create new jobs.
      There will be people employed to create software and hardware interfaces, test the interfaces, and finally when it breaks down or is exploited, to fix them.
      At least it's going to be some extra buttons or a panel on a fridge...there is not going to be a significant hit to the environment. So let's not use the argument "what is the need".
  • by Anonymous Coward

    worst new term since 'the cloud' and 'hashtag'.

    • by Russ1642 (1087959)

      It's hella lame.

    • by Darinbob (1142669)

      Unfortunately, I'm sort of being put into this area now. But this term covers so much stuff, a lot of which has existed before the term existed. The stuff that's eye rolling are bluetooth enabled devices that talk to phones, that's not really the internet of things. But something like a stoplight could be internet of things, if it reports back when a bulb has burned out; it's a thing, it is on some private network, and it is something not traditionally networked in the past. Similarly, smart meters, tra

  • by BaronM (122102) on Tuesday August 12, 2014 @05:08PM (#47658165)

    I can't ever see secure firmware becoming the norm given the economics of consumer goods, so I think we're going to need much better firewalls than what we see in SOHO routers currently.

    Port/address level control is spectacularly insufficient when everything runs on port 80, and nobody is going to spend time mapping out specific source/destination pairs for everything (The washer can talk to the dryer. The washer can talk to my smartphone. The dryer can talk to my smartphone...)

    I'd like to see something like a home-PKCS standard where:
    1. Any IOT device requires a client certificate supplied by the router
    2. The router drops any traffic not signed by a recognized client certificate
    3. The router's signing key must be kept on a separate USB drive, and the WAN port is locked out if the USB drive is inserted.

    To set up a new device on your home network you would:

    1. Insert USB key into the router (WAN port shuts down)
    2. Generate a new client certificate for the new device (push button "a")
    3. Install the certificate on the new device (push button "b" on router and also on device within 60 seconds, enter PIN, something automated like that)
    4. Remove USB key from router (WAN port comes back up)

    The router will now pass signed traffic to/from your new device. Traffic not signed? No talking to IOT devices for you.

    Yeah, key management sucks, but I bet it could be fairly easily automated for home use. It would take more thought and detail than I've outlined above, but should be doable. Unfortunately, that would require that everyone agree to follow the same standard for home-PKCS, and I can't see that happening either.

    Plus cheap devices would have the crypto implemented badly, plus you wouldn't be able to turn on the microwave from your office, so on and so forth.

    Never mind, I give up.

    • by Anonymous Coward

      Better idea: Give up on this stupid everything-has-to-be-on-the-Internet bullshit. I'll laugh when people buy all these expensive appliances only for malicious people to find ways to fuck with them.

      • by BaronM (122102)

        Well, yes, that actually IS a better idea.

        OTOH, if an IP-connected hot-water heater is the only kind on the market next time I need a new one, I'd prefer to have the 'securing it' worked out in advance, because I'm sure not going to do without.

        • by Lazere (2809091)
          Most important things, like water heaters (and cars), need to be robust enough to function without internet, else they'd have lawsuits on their hands. You could, I don't know, not connect it to the internet.
        • by sconeu (64226)

          Well, you could, you know, NOT CONNECT the IP enabled water heater to the Internet.

          • by 0123456 (636235)

            Well, you could, you know, NOT CONNECT the IP enabled water heater to the Internet.

            Except, in the future, the only way to set water temperature will be through a web interface, and you'll need it connected to download firmware updates so it doesn't explode due to a random memory corruption bug causing it to leave the gas on all day.

            • by Carnildo (712617)

              Fortunately, a water heater is simple enough that you can rip out the "smart" electronics and replace them with the sort of thermostat-and-relay circuit that almost everything uses right now.

          • by chihowa (366380) *

            Well, you could, you know, NOT CONNECT the IP enabled water heater to the Internet.

            What if that's not a choice, either?

            With SuperWiFi 4.0 "IoT edition" (TM), all of your appliances create a mesh network and find a path to the internet !!!

            or

            "I'm sorry sir, your water heater won't operate until it's able to register with the activation server. Please remove the foil from its antenna."

            Do these scenarios really seem too far fetched or unlikely?

      • Better idea: Give up on this stupid everything-has-to-be-on-the-Internet bullshit.

        That's a good idea, but it doesn't solve the problem for devices that actually do have good reasons to be connected: streaming media players, IP-based phones/faxes, consoles with multiplayer games, and so on. Many of these devices are connected to household networks these days, both to access the Internet and to communicate for legitimate reasons with other devices also on that home network. The devices themselves or other devices on the home network may store sensitive data. They may also have sensors, and

  • We really need a program that offers bounties for finding such vulnerabilities and backdoors. Put a tax up for companies selling networked devices, pay bounties from that when a third party finds something and pay the money back to the respective companies after a year or two when nobody finds any vulnerabilities in their products. This would make actually putting some effort into secure products commercially viable while giving good hackers a way to earn their living in a good way. Win-win.

    Right now we're

  • by Anonymous Coward

    This is commonly because the guy who originally set up the image, knew how the code worked, and designed the thing was laid off years ago. The people hired on to maintain it afterwards never figured out how it worked or how it was put together, their goal was just to keep things running. I was recently laid off at a job where I had bothered to take the time to learn how the original image for a device was created and recreate it from scratch so that we wouldn't be left behind and could upgrade. The guys rem

  • by bobbied (2522392) on Tuesday August 12, 2014 @06:22PM (#47658737)

    If it works on the hardware in question, what's wrong with that? Sometimes being newer isn't better, it's just newer.

    I don't see this as a huge problem for embedded systems.... Unless it's something like a firewall or a router that lives on the internet, then it *might* be worth looking at. If it's something like a media player or printer on your private network, who cares? (unless you are member of the tin foil hat society).

  • But in this case it seems they are in perfect agreement when it comes to deciding whether any money or effort should be put into upgrading your kernel on your vcr with the blinking 12:00
  • by nyet (19118) on Tuesday August 12, 2014 @09:17PM (#47659679) Homepage

    The reason embedded device kernels never get updated is because the source code for them is on some SOC vendor's way out there fork of some ancient kernel that nobody with a clue actively develops for anymore.

    And the vendor (say, TI) had hired a bunch of clueless interns to write the "BSP"s (old acronym from the binary blob obsessed asshats at vxworks et al) for their SOCs and the cluster of shoddily designed peripherals crowbarred into the SOC.

    And those interns wrote code so toxic and broken that no sane kernel developer would ever have accepted any of their garbage into any mainline kernel tree.

    So there are all these embedded devices out there with kernels from the 90s, and it would take time (and expertise) that none of the vendors have (including the SOC suppliers, like TI) to merge the changes into something even remotely contemporary.

    All of this because the requirements for these embedded projects (dictated by clueless PHBs) are only "linux support" not "mainline kernel support", so SOC vendors (like TI) just don't have the incentive to develop SOC peripheral driver code suitable for mainline inclusion.

    • by vovin (12759)

      And you can't just migrate the patches to the latest kernel ... because some of the key peripheral parts (video controllers and audio/video encode / decode engines) are binary blobs. Grrrr like TI, NVidia, Qualcomm, Exynos(Samsung), RockChip, AllWinner, MTK, and Freescale. If you *can* forgo those parts then you can migrate to a recent kernel.
      This is in part because a modern SOC is just a collection of assembled IP and the upstream video [OpenGL ES] and h264 encoder/decoder hardware vendors in particular won't all

      • by nyet (19118)

        Absolutely. The situation is not sustainable.

        Even worse, because every SOC is a haphazard pile of random and arbitrarily buggy peripherals, there is no deterministic way (at run time) to enumerate all of the peripherals, and thus which various driver variants (and even worse, binary blobs) are required to make them work.

        So by definition, none of this can EVER go into the mainline. Every kernel fork is its own disconnected universe, dedicated to a single snapshot of a single SOC and its particular collection

  • Mr. Potato Head. Mr. Potato Head! Back doors are not secrets!
    https://www.youtube.com/watch?... [youtube.com]
  • When you can rewrite it with software? Not all progress is good. I want to see black hat types remotely reprogram ROM chips and UV-eraseable EPROM chips from the 1980s.

  • The only thing that works for this finance-driven development is a public Wall of Shame. If consumers know which firms produce this crap, they at least have a choice of not buying it. The researchers are probably scared of the legal actions of the producers, but not disclosing crimes like back doors is a crime in itself.
  • Until lemon laws [wikipedia.org] for computer-related products become pervasive, this shit will continue. Manufacturers are able to skirt liability and hide behind nebulous EULAs.
