Internet-of-things devices are vulnerable to cyberattacks, not just because of misconfigurations or weak passwords, but also because of their extensive use of third-party code.
Unlike code written from scratch, software developed by piecing together bits of existing code from third-party libraries may introduce vulnerabilities into all applications that use that code, vastly expanding the attack surface. Libraries that have not been updated by vendors with firmware patches can make swaths of IoT devices susceptible to attack.
“Vulnerable libraries lead to vulnerable devices,” said Han Zhang, a Ph.D. student in Carnegie Mellon University’s CyLab Security and Privacy Institute.
After looking at 122 different types of IoT firmware for 27 popular smart home devices, Zhang and his co-authors “found that vendors update libraries very infrequently, and they use outdated -- and often vulnerable -- versions most of the time,” he told CyLab News.
Some libraries took hundreds of days to apply patches after they had been made publicly available, the researchers found, at least partly because it requires too much effort for the vendors with little return.
To help mitigate the challenge of mismanaged code libraries, the team developed Capture, an architecture for writing IoT firmware that allows smart home IoT devices on a local network to access a centralized hub with third-party libraries that are kept up-to-date by a single trusted entity. The solution has two components: Capture-enabled firmware on the device and a remote driver that uses third-party libraries on the Capture hub in the local network, the researchers explained in their study.
In their tests, several devices were successfully modified to use Capture for updates with minimal changes in their performance.
The system would not only benefit users of smart home devices, but IoT device vendors could to use it, offloading to Capture the security updates they fail to make.
“As we continue to deploy a wide variety of smart devices in our homes and offices, coming up with ways to guarantee security and assure users about their privacy practices will be crucial for consumer confidence and widespread adoption,” says CyLab’s Yuvraj Agarwal, a professor in ISR and a co-author on the study.
The code for Capture is open source and available on Github.