Firmware from the major networking equipment vendors is no better hardened today than it was fifteen years ago, according to a new study.
The Security Ledger reported that the Cyber Independent Testing Lab (CITL), a non-profit organization that conducts independent tests of software security, examined nearly 6,000 firmware images containing close to 3 million binaries, released between 2003 and 2018.
These publicly available firmware images were gathered from Asus, Linksys, Netgear and other popular networking vendors so that CITL could determine whether those vendors had improved their approach to securing device firmware over the 15 years examined.
CITL found little sign of improvement.
“Nobody is trying,” said Sarah Zatko, the Chief Scientist at the CITL. “We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products.”
Numerous companies reportedly failed to implement basic security features, despite growing awareness of the problems those features address and increasing numbers of attacks on networking devices.
Zatko told The Security Ledger that several of the features missing from the examined firmware, stack guards and buffer overflow protection among them, are “the seatbelts and airbags of the software world.” Lacking those basic protections, she said, leaves the firmware years behind operating systems and web browsers in defending against the attacks those safeguards are meant to stop.
“Stack guards and buffer overflow protection are the canaries in the coal mine,” she said. The absence of even basic protections suggests that the tested firmware may contain more serious vulnerabilities and that firmware security is years behind the security of applications like Google Chrome and Firefox.
“These are the seatbelts and airbags of the software world. These numbers are unheard of in operating systems or (Web) browsers. It’s just a sign that they’re not trying,” Zatko concluded.
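The mitigations Zatko names are visible in the binaries themselves, so the kind of check CITL ran at scale can be reproduced on the ELF executables unpacked from a firmware image. The script below is an added example, not CITL's tooling or anything from the article. It reads the ELF program headers to test for a non-executable stack (PT_GNU_STACK) and RELRO (PT_GNU_RELRO), reads e_type to test for PIE, and uses the usual heuristic for a stack canary, a reference to `__stack_chk_fail`, which only proves the binary was built with a stack protector, not that every function got one. Because router firmware is commonly 32-bit MIPS or ARM and often big-endian, the parser handles ELF32 and ELF64 in either byte order. The three input binaries are constructed header-only stand-ins built inline, not real firmware.

```python
"""Check ELF binaries for the basic exploit mitigations: NX stack, PIE,
stack canary and RELRO. Added example, not CITL's tooling."""
import struct
from dataclasses import dataclass

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3


@dataclass(frozen=True)
class Hardening:
    nx: bool      # PT_GNU_STACK present and not marked executable
    pie: bool     # ET_DYN executable: relocatable, so ASLR can move the image
    canary: bool  # heuristic: binary references __stack_chk_fail
    relro: bool   # PT_GNU_RELRO present: GOT/relocation data read-only after load

    def missing(self):
        return [n for n in ("nx", "pie", "canary", "relro") if not getattr(self, n)]


def program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for ELF32/ELF64, LE or BE."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    hdrs = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, then 64-bit fields
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:      # Elf32_Phdr: p_type first, p_flags at offset 24
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        hdrs.append((p_type, p_flags))
    return e_type, hdrs


def check_hardening(data: bytes) -> Hardening:
    e_type, hdrs = program_headers(data)
    stack = [flags for ptype, flags in hdrs if ptype == PT_GNU_STACK]
    # No PT_GNU_STACK at all: the loader falls back to an executable stack.
    nx = bool(stack) and not (stack[0] & PF_X)
    return Hardening(
        nx=nx,
        pie=(e_type == ET_DYN),   # shared objects are ET_DYN too; apply to executables
        canary=(b"__stack_chk_fail" in data),
        relro=any(ptype == PT_GNU_RELRO for ptype, _ in hdrs),
    )


def build_elf(is64: bool, little: bool, e_type: int, phdrs, tail: bytes = b"") -> bytes:
    """Construct a header-only ELF (no code) with the given program headers.
    Test input for this example, not a real firmware binary."""
    end = "<" if little else ">"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    if is64:
        ehsize, phentsize = 64, 56
        hdr = ident + struct.pack(end + "HHIQQQIHHHHHH", e_type, 0, 1, 0, ehsize,
                                  0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, 0, 1, 0, ehsize,
                                  0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body + tail


# Constructed stand-ins for what a firmware unpack typically yields.
# 1. Legacy router daemon: 32-bit big-endian, fixed load address, RWX stack, no RELRO, no canary.
LEGACY_DAEMON = build_elf(False, False, ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])
# 2. Built with -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,noexecstack.
HARDENED_DAEMON = build_elf(True, True, ET_DYN,
                            [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)],
                            tail=b"\x00__stack_chk_fail\x00")
# 3. No PT_GNU_STACK header at all, which also means an executable stack.
NO_STACK_HDR = build_elf(False, True, ET_EXEC, [])

if __name__ == "__main__":
    for name, blob in (("legacy", LEGACY_DAEMON), ("hardened", HARDENED_DAEMON),
                       ("no-gnu-stack", NO_STACK_HDR)):
        print(f"{name:12s} missing: {check_hardening(blob).missing() or 'none'}")
```

Run over every ELF extracted from an image (binwalk or a squashfs unpack) and tabulate the `missing()` lists per firmware version; a vendor that is "trying" shows those lists shrinking across releases. Treat `canary` as a lower bound only, and check PIE on executables rather than shared libraries, which are ET_DYN by construction.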
The Security Ledger's full report on the state of networking firmware security is available on its website.