Study: Firmware Plagued By Poor Encryption and Backdoors 141
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.
Of course (Score:4, Interesting)
Re:Of course (Score:4, Interesting)
The manufacturer, so that it breaks, and we have a reason to go buy another expensive one or get it repaired.
Collusion, I tell ya!
Going to need MUCH better firewalls (Score:3, Interesting)
I can't ever see secure firmware becoming the norm given the economics of consumer goods, so I think we're going to need much better firewalls than what we see in SOHO routers currently.
Port/address level control is spectacularly insufficient when everything runs on port 80, and nobody is going to spend time mapping out specific source/destination pairs for everything (The washer can talk to the dryer. The washer can talk to my smartphone. The dryer can talk to my smartphone...)
I'd like to see something like a home-PKCS standard where:
1. Any IOT device requires a client certificate supplied by the router
2. The router drops any traffic not signed by a recognized client certificate
3. The router's signing key must be kept on a seperate USB drive, and the WAN port is locked out if the USB drive is inserted.
To set up a new device on your home network you would:
1. Insert USB key into the router (WAN port shuts down)
2. Generate a new client certificate for the new device (push button "a")
3. Install the certificate on the new device (push button "b" on router and also on device within 60 seconds, enter PIN, something automated like that)
4. Remove USB key from router (WAN port comes back up)
The router will now pass signed traffic to/from your new device. Traffic not signed? No talking to IOT devices for you.
Yeah, key management sucks, but I bet it could be fairly easily automated for home use. It would take more thought and detail than I've outlined above, but should be doable. Unfortunately, that would require that everyone agree to follow the same standard for home-PKCS, and I can't see that happening either.
Plus cheap devices would have the crypto implemented badly, plus you wouldn't be able to turn on the microwave from your office, so on and so forth.
Never mind, I give up.
Re:Of course (Score:4, Interesting)
I'm a firmware engineer, and although I tend to work a bit below the level being talked about here I can understand why security often plays second fiddle. When you are producing mass market products you are going to get significant support issues, and there is pressure to minimize them as much as possible by making stuff "just work". Unfortunately that is the enemy of security too.
Look at it this way. Wifi needs a password, but apparently actually knowing the password and figuring out how to type it in is too much to ask of the user. Thus WPS was invented so now all you have to do is push a button, even if it does introduce some fairly severe security flaws.
It isn't impossible of course. Panasonic use FreeBSD for their smart TVs and they remain fairly secure. The thing is Panasonic doesn't sell super cheap TVs, or in other words you pay a bit more for a well engineered product. Many people just want to pay as little as possible, but also want cutting edge technology. I say let them have it - eventually they will get the message that cheap stuff is usually crap.