
IoT vendors ignore basic security best practices, CITL research finds

by ethhack

Turning on compile-time security features is easy. So why aren’t more IoT device makers doing so?

Enabling the compiler and linker hardening flags when building IoT firmware binaries would dramatically improve the security of IoT devices across the board. Almost no one is doing it, and the problem is getting worse, not better, according to new research from the CITL mass fuzzing project.

Cyber ITL is a non-profit Consumer Reports-style security laboratory that has so far automated the fuzzing of more than three million IoT firmware binaries released over the last 15 years. Its results are discouraging.

“It’s very easy to do,” CITL chief scientist Sarah Zatko tells CSO of IoT vendors’ failure to turn on basic compile-time safety features. “There’s no good reason not to do it, and they’re just not bothering.”

“I don’t think they are neglecting to do it on purpose,” she adds. “This isn’t really a case where someone made a conscious decision to exclude these safety features. More like benign neglect. It didn’t occur to someone that this is their job.”

Time for a post-build checklist?

IoT vendors could turn these flags on with little effort and verify them as part of their release management process: a post-build gate that inspects every executable and library in the firmware image and fails the release if one is missing them. Good build hygiene includes checking whether a more recent version of the compiler toolchain is available and enabling the basic mitigations: position-independent executables so that ASLR can randomize the program's own addresses (-fPIE at compile time, -pie at link time), a non-executable stack and data so that DEP/NX applies (-Wl,-z,noexecstack), and stack guards (-fstack-protector-strong). These are per-binary properties, so the check has to cover every binary in the image, not just the main application. While none of these mitigations is magic, they serve as the airbags and seatbelts of the IoT world. Maybe they won't prevent a crash, but they might just save your life.
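A post-build gate of this kind, as an added example that is not part of the original article and not CITL's tooling: it reads the ELF headers directly, so it needs neither readelf nor checksec, and for each missing mitigation it names the GCC/Clang or GNU ld flag that turns it on. The flag names are real; the function names, the field layout it checks (PT_GNU_STACK for NX, PT_GNU_RELRO plus BIND_NOW for RELRO, ET_DYN for PIE, a reference to __stack_chk_fail for canaries) and the constructed sample image builder are this example's own.

```python
"""Post-build hardening gate for the ELF binaries inside a firmware image.
Added example, not CITL's tooling: parses ELF headers directly (no readelf or
checksec needed) and names the compiler/linker flag for each missing mitigation."""
import struct
import sys
from dataclasses import dataclass

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 2, 0x6474E551, 0x6474E552, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


@dataclass
class Hardening:
    pie: bool           # ET_DYN executable, so ASLR can randomize the image itself
    nx_stack: bool      # PT_GNU_STACK present without PF_X (DEP/NX)
    relro: str          # "none", "partial" or "full"
    stack_canary: bool  # references __stack_chk_fail, i.e. built with -fstack-protector

    def missing(self) -> list:
        """Findings for the release gate, each with the flag that fixes it."""
        out = []
        if not self.pie:
            out.append("not PIE (ASLR cannot move the image): -fPIE -pie")
        if not self.nx_stack:
            out.append("executable stack (no DEP/NX): -Wl,-z,noexecstack")
        if self.relro != "full":
            out.append(f"RELRO {self.relro}: -Wl,-z,relro,-z,now")
        if not self.stack_canary:
            out.append("no stack canary: -fstack-protector-strong")
        return out


def parse_elf(data: bytes) -> Hardening:
    """Read program headers and the dynamic section of an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    en = "<" if data[5] == 1 else ">"                   # EI_DATA selects endianness
    e_type = struct.unpack_from(en + "H", data, 16)[0]
    if data[4] == 2:                                     # EI_CLASS 2: ELF64
        e_phoff = struct.unpack_from(en + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
        def phdr(off):                                   # (p_type, p_flags, p_offset, p_filesz)
            t, f, o, _, _, sz = struct.unpack_from(en + "IIQQQQ", data, off)
            return t, f, o, sz
        dyn_fmt = en + "qQ"
    else:                                                # ELF32, the usual case for ARM/MIPS firmware
        e_phoff = struct.unpack_from(en + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
        def phdr(off):                                   # Elf32_Phdr puts p_flags after p_memsz
            t, o, _, _, sz, _, f = struct.unpack_from(en + "7I", data, off)
            return t, f, o, sz
        dyn_fmt = en + "iI"
    nx, relro, dyn = False, "none", None                 # no PT_GNU_STACK at all: assume executable
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_sz = phdr(e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_sz)
    bind_now = False
    if dyn:
        for off in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    if relro == "partial" and bind_now:
        relro = "full"                                   # GOT resolved and read-only before main()
    return Hardening(pie=e_type == ET_DYN, nx_stack=nx, relro=relro,
                     stack_canary=b"__stack_chk_fail" in data)


def make_sample_elf64(*, pie, nx, relro, bind_now, canary) -> bytes:
    """Constructed minimal ELF64 image (headers only, not runnable) to exercise the gate."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    types = [PT_GNU_STACK, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)                       # ELF header + program headers
    phdrs = b""
    for t in types:
        flags = (6 if nx else 7) if t == PT_GNU_STACK else 6   # PF_R|PF_W, plus PF_X if exec
        off, size = (dyn_off, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", t, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little endian, v1, SYSV ABI
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 0x3E,
                       1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn + (b"\0__stack_chk_fail\0" if canary else b"\0")


if __name__ == "__main__":
    # python hardening_gate.py <elf files>  -> exit 1 if any binary fails the gate
    failed = False
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for problem in parse_elf(f.read()).missing():
                failed = True
                print(f"{path}: {problem}")
    sys.exit(1 if failed else 0)
```

In a release pipeline this runs over every ELF file extracted from the firmware image (the root filesystem as well as the main application), and the same fields can be eyeballed with readelf -lW and readelf -dW. Two caveats on the heuristics: a reference to __stack_chk_fail only shows that at least one function received a canary, and ET_DYN also matches shared libraries, so a library always reads as PIE; where the linker sets DF_1_PIE in DT_FLAGS_1, checking that flag is the stricter test for executables.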

Copyright © 2019 IDG Communications, Inc.
