9271 crucial vulnerabilities found in 185 firmware images of embedded devices

A study into the security of the Internet of Things has confirmed that the web interfaces for user administration of commercial, off-the-shelf embedded devices – routers, DSL/cable modems, VoIP phones, IP/CCTV cameras – represent a significant attack surface.

A group of European researchers decided to test embedded firmware images and web interfaces (web servers running web applications) for vulnerabilities.

“It is well known that making secure web applications is not a trivial task,” the researchers noted. “In particular, researchers showed that more than 70% of vulnerabilities are hosted in the (web) application layer. Attackers who are familiar with this fact use various techniques to exploit web applications.”

They did not want to target actual physical devices owned by someone else, as the practice is ethically questionable at best, and illegal at worst, and buying and deploying the devices themselves would have been a Herculean task. So, they leveraged an automated framework that executes firmware images in a software-only environment.

Once full system emulation was achieved, the source code of the firmware images and the web interfaces within the firmware was analyzed both statically and dynamically.

They tested 1925 firmware images from 54 different vendors, and found 9271 crucial vulnerabilities in 185 of them, affecting nearly a quarter of vendors.

A little over 8 percent of the tested embedded firmware images contain PHP code in their server-side, and contain at least one vulnerability. All together, these firmware images sported a total of 9046 security issues – mostly cross-site scripting, file manipulation, and command injection flaws.

The performed dynamic security testing on 246 web interfaces, and found 21 firmware packages vulnerable to command injection, 32 affected by XSS flaws, and 37 vulnerable to CSRF attacks.

“The impact of such vulnerabilities can be significant as a large number of devices may be running these firmware images,” they pointed out. Also, they noticed during dynamic analysis that firmware images start additional network services (web, telnetd, ftp, etc.), which may be vulnerable on their own (and which open unexpected ports).

Despite having some problems with emulating firmware images and testing embedded web interfaces, they found serious vulnerabilities in at least 24% of the web interfaces they were able to emulate, and of these, 225 were high impact.

“Some embedded systems have clear and well-defined security goals, such as the pay-TV smart cards and the Hardware Security Modules (HSM). Therefore, such devices are rather secure. However, many embedded systems are not designed with a clear threat model in mind,” the researchers pointed out.

Most of the manufacturers are not motivated to invest time and money in securing their devices but, in time, they will have to start considering security in their software life-cycle. As the Internet of Things explodes, attackers will begin targeting these systems more and more.