Measuring the Security of IoT Devices
In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software.
Data Collected:
- 22 Vendors
- 1,294 Products
- 4,956 Firmware versions
- 3,333,411 Binaries analyzed
- Date range of data: 2003-03-24 to 2019-01-24 (varies by vendor, most up to 2018 releases)
[…]
This dataset contains products such as home routers, enterprise equipment, smart cameras, security devices, and more. It represents a wide range of devices found in home, enterprise or government deployments.
Vendors are Asus, Belkin, DLink, Linksys, Moxa, Tenda, Trendnet, and Ubiquiti.
CyberITL’s methodology is not source code analysis. They look at the actual firmware. And they don’t look for vulnerabilities; they look for secure coding practices that indicate that the company is taking security seriously, and whose lack pretty much guarantees that there will be vulnerabilities. These include address space layout randomization and stack guards.
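As an added illustration of the kind of binary-level check this approach depends on (example code written for this page, not CITL's tooling, whose internals the post does not describe), the following Python reads the ELF headers of a firmware binary and reports the three markers discussed above: whether the executable is position-independent (so ASLR can relocate it), whether it references the GCC stack-protector failure handler, and whether its stack is marked non-executable. Both 32-bit big-endian (typical MIPS router firmware) and 64-bit little-endian images are handled, and the sample images are constructed inline rather than taken from any vendor.

```python
import struct
# ELF constants (values from the ELF specification / elf.h)
PT_GNU_STACK = 0x6474E551          # program header that records stack permissions
PF_X = 0x1                         # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3             # fixed-address executable vs. position-independent
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def hardening_report(blob: bytes) -> dict:
    """Report PIE (ASLR-capable), stack-canary and NX-stack status of one ELF image."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = blob[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if blob[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack_from(end + "HH", blob, 16)
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", blob, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", blob, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", blob, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", blob, 42)
    nx_stack = False                         # no PT_GNU_STACK entry: loader defaults to an executable stack
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", blob, off)
        if p_type == PT_GNU_STACK:           # p_flags sits at +4 in ELF64, +24 in ELF32
            (p_flags,) = struct.unpack_from(end + "I", blob, off + (4 if is64 else 24))
            nx_stack = not (p_flags & PF_X)
    return {
        "arch": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "pie": e_type == ET_DYN,                 # only ET_DYN executables get a randomised base
        "canary": b"__stack_chk_fail" in blob,  # heuristic: binary references the canary handler
        "nx_stack": nx_stack,
    }
def build_sample(is64: bool, big_endian: bool, e_type: int, e_machine: int,
                 stack_flags: int, canary: bool) -> bytes:
    """Construct a minimal ELF image (header + one PT_GNU_STACK entry) for demonstration."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + b"\0" * 9
    if is64:
        hdr = ident + struct.pack(end + "HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        ph = struct.pack(end + "IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        ph = struct.pack(end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return hdr + ph + (b"__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    # Constructed samples: an unhardened MIPS32 big-endian image vs. a hardened x86-64 one
    print(hardening_report(build_sample(False, True, ET_EXEC, 8, 0x7, canary=False)))
    print(hardening_report(build_sample(True, False, ET_DYN, 62, 0x6, canary=True)))
```

The canary check is a string heuristic: it catches dynamically linked and unstripped static binaries but can miss stripped static ones, so treat a negative as "not confirmed" rather than "absent".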
A summary of their results.
CITL identified a number of important takeaways from this study:
- On average, updates were more likely to remove hardening features than add them.
- Within our 15-year data set, there have been no positive trends from any one vendor.
- MIPS is both the most common CPU architecture and least hardened on average.
- There are a large number of duplicate binaries across multiple vendors, indicating a common build system or toolchain.
Their website contains the raw data.
Rj Brown • October 3, 2019 7:26 AM
The large number of duplicate binaries can also be attributed to the fact that most of these devices are made in the western Pacific Rim countries, where intellectual property protections are minuscule; therefore, another reason for the large number of duplicate binaries could well be blatant plagiarism, or in the case of one certain large country, government control of multiple corporations resulting in sharing of information that would otherwise be trade secret of an individual corporation.