Protecting IoT devices from unpatched code
- By Susan Miller
- Sep 03, 2021
Internet-of-things devices are vulnerable to cyberattacks, not just because of misconfigurations or weak passwords, but also because of their extensive use of third-party code.
Unlike code written from scratch, software developed by piecing together bits of existing code from third-party libraries may introduce vulnerabilities into all applications that use that code, vastly expanding the attack surface. Libraries that have not been updated by vendors with firmware patches can make swaths of IoT devices susceptible to attack.
“Vulnerable libraries lead to vulnerable devices,” said Han Zhang, a Ph.D. student in Carnegie Mellon University’s CyLab Security and Privacy Institute.
After looking at 122 different types of IoT firmware for 27 popular smart home devices, Zhang and his co-authors “found that vendors update libraries very infrequently, and they use outdated -- and often vulnerable -- versions most of the time,” he told CyLab News.
Some libraries took hundreds of days to apply patches after they had been made publicly available, the researchers found, at least partly because patching requires significant effort from vendors with little return.
To help mitigate the challenge of mismanaged code libraries, the team developed Capture, an architecture for writing IoT firmware that allows smart home IoT devices on a local network to access a centralized hub with third-party libraries that are kept up-to-date by a single trusted entity. The solution has two components: Capture-enabled firmware on the device and a remote driver that uses third-party libraries on the Capture hub in the local network, the researchers explained in their study.
In their tests, several devices were successfully modified to use Capture for updates with minimal impact on their performance.
The system would not only benefit users of smart home devices; IoT device vendors could also use it, offloading to Capture the security updates they fail to make.
“As we continue to deploy a wide variety of smart devices in our homes and offices, coming up with ways to guarantee security and assure users about their privacy practices will be crucial for consumer confidence and widespread adoption,” said CyLab’s Yuvraj Agarwal, a professor in ISR and a co-author on the study.
The code for Capture is open source and available on GitHub.
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.