Mitigating IoT Firmware Risks: It All Comes Down to the Code


Insecure firmware is running on millions (and soon-to-be billions) of devices. Connected cars, coffee pots and cardiac devices house embedded firmware that’s often highly vulnerable and easily hackable. Why? It literally all comes down to the firmware’s code: how it’s constructed, what’s left inside and what’s included from the outside.

Think about these three points, which are tied to actual exploitations and hacks:

- Gaping Holes: The Dyn attack in October 2016 exploited insecure and poorly coded firmware on security cameras to cripple significant portions of the web. If the firmware had been secured, the attack could not have been executed. If firmware has security holes, hackers will find them.
- Carelessness with Keys: Have you heard people say "don't leave your keys lying around"? Then why would developers leave their private crypto keys in firmware images? We know firsthand of a Tier One supplier for a car manufacturer that left private crypto keys on a completed firmware image they produced for the manufacturer. You can imagine what happened next.
- Insecure External Libraries: If you're integrating externally sourced libraries and lack access to the source code of the libraries, can you verify their security? Third-party libraries can contain extraordinary numbers of vulnerabilities, and even a giant like Apple learned the hard way when using insecure, external libraries.
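The "keys left in the image" point above is one of the easiest to check for mechanically. The following is an added example, not code from the original post or from any vendor's evaluation platform: it assumes the firmware image has already been unpacked into a directory (for instance with a filesystem extractor) and walks that root filesystem looking for PEM private keys, reporting whether each one is at least encrypted.

```python
"""Scan an extracted firmware root filesystem for private key material.
Added example; assumes the image is already unpacked to a directory."""
import os
import re
import tempfile

# PEM headers that mark private key material (RSA, EC, DSA, OpenSSH, PKCS#8).
PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)
MAX_FILE_BYTES = 4 * 1024 * 1024  # skip large blobs such as the kernel image


def classify(blob: bytes):
    """Return [(kind, encrypted)] for every PEM private key found in blob."""
    hits = []
    for m in PEM_PRIVATE.finditer(blob):
        kind = m.group("kind").decode()
        tail = blob[m.end():m.end() + 200]  # legacy PEM puts Proc-Type right after the header
        encrypted = kind.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in tail
        hits.append((kind, encrypted))
    return hits


def find_private_keys(root: str):
    """Walk root; return [(relative_path, kind, encrypted)] for each key found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks, device nodes and oversized files from the unpacked image.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if os.path.getsize(path) > MAX_FILE_BYTES:
                continue
            with open(path, "rb") as fh:
                blob = fh.read()
            for kind, encrypted in classify(blob):
                findings.append((os.path.relpath(path, root), kind, encrypted))
    return findings


def demo_rootfs() -> str:
    """Build a constructed sample rootfs: one plaintext key, one encrypted key."""
    root = tempfile.mkdtemp(prefix="fw_rootfs_")
    os.makedirs(os.path.join(root, "etc", "ssl", "private"))
    with open(os.path.join(root, "etc", "ssl", "private", "server.key"), "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "etc", "ssl", "private", "backup.key"), "w") as fh:
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    for path, kind, enc in find_private_keys(demo_rootfs()):
        print(f"{'ENCRYPTED' if enc else 'PLAINTEXT':9} {kind:22} {path}")
```

A plaintext hit in a shipping image is a release blocker; an encrypted hit still deserves a look at where the passphrase lives, since it is often in a script on the same image.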

It’s ironic that secure coding practices are decreasing at a time when overall security practices are increasing. But, in today’s frenzied development environments, the faster developers must build code and the more “cooks” involved, the greater the chances for insecure coding.

With many forces at play to foster insecure coding on devices, security might seem like a pipe dream. Yet, consider the huge number of security holes in Windows software that were corrected over time. Through automated firmware evaluations, it’s neither difficult nor time-consuming to review a compiled firmware image and fix the code.

Insecure coding is the basis for all IoT security issues; mitigating firmware risks hinges on evaluating and securing firmware before production. It's everyone's responsibility to secure their firmware in this global IoT village. We're all only as strong as the weakest link, and risk mitigation must become a top priority for those who build code for embedded devices.

Don’t just sit idly by. Improve your firmware security through training on reverse engineering embedded firmware and comprehensive firmware evaluations.

About Tactical Network Solutions
Are you concerned about risky, vulnerable embedded firmware in IoT devices, connected medical devices, automotive ECUs and industrial control systems? You're not alone. Since 2007, Fortune 500 companies and governments around the world have sought out Tactical Network Solutions for reverse engineering training programs, firmware evaluations, and cyber risk mitigation strategies. Clients are excited to leverage our automated firmware evaluations and consulting performed with the proprietary Centrifuge IoT Security Platform. The evals are completed with NO access to source code on compiled images containing a Linux-based root filesystem compiled for either MIPS, ARM, or X86. We also support QNX (a real-time operating system) and Docker containers. TNS evaluations have revealed thousands of hidden attack vectors including erroneously placed private crypto keys, insecure binaries with highly vulnerable function calls and other rampant security holes on embedded firmware. Our community of clients includes firmware developers, underwriters, law firms, governments and intelligence agencies worldwide who share a common goal: to discover hidden attack vectors in IoT and connected devices.
