Many embedded devices ship without adequate security tests, analysis shows

A large scale security test of firmware images for embedded devices easily found thousands of vulnerabilities

An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufactuers.

The study was performed by researchers from the Eurecom research center in France and Ruhr-University Bochum in Germany, who built an automated platform capable of unpacking firmware images, running them in an emulated environment and starting the embedded Web servers that host their management interfaces.

The researchers started out with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but they only managed to start the Web server on 246 of them. They believe that with additional work and tweaks to their platform that number could increase.

The goal was to perform dynamic vulnerability analysis on the firmware packages' Web-based management interfaces using open-source penetration testing tools. This resulted in 225 high-impact vulnerabilities being found in 46 of the tested firmware images.

A separate test involved extracting the Web interface code and hosting it on a generic server so it could be tested for flaws without emulating the actual firmware environment. This test had drawbacks, but was successful for 515 firmware packages and resulted in security flaws being found in 307 of them.

The researchers also performed a static analysis with another open-source tool against PHP code extracted from device firmware images, resulting in another 9046 vulnerabilities being found in 145 firmware images.

In total, using both static and dynamic analysis the researchers found important vulnerabilities like command execution, SQL injection and cross-site scripting in the Web-based management interfaces of 185 unique firmware packages, affecting devices from a quarter of the 54 manufacturers.

The researchers focused their efforts on developing a reliable method for automated testing of firmware packages without having access to the corresponding physical devices, rather than on the thoroughness of the vulnerability scanning itself. They didn't perform manual code reviews, use a large variety of scanning tools or test for advanced logic flaws.

This means that the issues they found were really the low hanging fruit -- the flaws that should have been easy to find during any standard security testing. This begs the question: why weren't they discovered and patched by the manufacturers themselves?

It would appear that the affected vendors either didn't subject their code to security testing at all, or if they did, the quality of the testing was very poor, said Andrei Costin, one of the researchers behind the study.

Costin presented the team's findings at the DefCamp security conference in Bucharest on Thursday. It was actually the second test performed on firmware images on a larger scale. Last year, some of the same researchers developed methods to automatically find backdoors and encryption issues in a large number of firmware packages.

Some of the firmware versions in their latest dataset were not the latest ones, so not all of the discovered issues were zero-day vulnerabilities -- flaws that were previously unknown and are unpatched. However, their impact is still potentially large, because most users rarely update the firmware on their embedded devices.

At DefCamp, attendees were also invited to try to hack four Internet-of-Things devices as part of the on-site IoT Village. The contestants found two critical vulnerabilities in a smart video-enabled doorbell that could be exploited to gain full control over the device. The doorbell also had the option to control a smart door lock.

A high-end D-Link router was also compromised through a vulnerability in the firmware version that the manufacturer shipped with the device. The flaw was actually known and has been patched in a newer firmware version, but the router doesn't alert users to update the firmware.

Finally, the participants also found a lower-impact vulnerability in a router from Mikrotik. The only device that survived unscathed was a Nest Cam.

Details about the vulnerabilities have not yet been shared publicly because the IoT Village organizers, from security firm Bitdefender, intend to report them to the affected vendors first so they can be patched.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?