Open source software security

Now is the Time to Update Your Firmware

Justin C. Klein Keane
April 2, 2008

It's time to update your home router. How do I know this? Because the nature of such devices is that most users plug them in and forget them. Hackers, however, don't forget them. New research has been emerging that demonstrates serious flaws in many embedded devices (such as your wireless access point or cable/DSL router). While vendors are usually good about producing patches, or "firmware updates", most users never think to download or install them. Unlike your operating system, most embedded devices have no pop-up warnings and no automated mechanism for fetching updates, so they are neglected and left to run the original version of their software throughout their lifetime.

Before launching into a wholesale investigation of this problem we should first examine the vocabulary we're using, specifically "firmware" and "embedded device." Firmware is the customized software that runs on embedded devices. As such it is designed to work with specialized hardware. Certain software, like operating system software, is designed to run on a wide variety of platforms and configurations. Firmware, on the other hand, is engineered to run on a very specific set of hardware. The advantage of this design is that the software can be lightweight and efficient, since it doesn't have to include extra drivers for devices that may or may not be present. Firmware can also be written to use resources extremely efficiently, since it needs little or no abstraction from the hardware layer. Many of the disadvantages of firmware, however, come from this same tight integration.

Firmware touches most users' lives in the form of software that runs on embedded devices. An embedded device is a piece of hardware designed to perform very specific functions (run by software). Examples of common embedded devices are routers, modems, personal digital assistants, etc. The firmware that lives on each embedded device is tightly coupled not only to the architecture, but also to the functionality of that device.

Because of its lightweight nature, firmware suffers from a marked lack of security capabilities. Rarely do embedded devices include the ability to "auto-update," that is, to download and install patches without user intervention. Firmware never (to my knowledge) includes anti-virus or other protective software. This omission is usually blamed on the scarcity of storage and memory on most embedded devices. These two factors combine to make the security posture of most embedded devices degrade over time. That is to say, once they are running, most embedded devices are hardly ever upgraded, and as flaws are discovered by the research community the device becomes increasingly vulnerable to attack and compromise.

Added to this problem is the fact that updating firmware is usually a fairly onerous process. Take your average home DSL or cable router. Users have to manually download firmware from the manufacturer's site, then navigate through an archaic web interface and upload the firmware to the device. Many times this update process fails, and more often than not firmware download pages carry ominous warnings against applying firmware updates unless the device is showing problems. This combination further reduces the pool of users who actually apply firmware updates.

Certain embedded devices, such as home routers, maintain persistent internet connections. In today's computing security environment, where connections are just as valuable as (if not more valuable than) information, this makes such embedded devices tempting targets for hackers. Because many black hats are looking to build zombie hosts in a botnet to do things like send spam, commit click fraud, host phishing sites, and assist in other nefarious (and often profitable) schemes, controlling a computing device with an internet connection has become more valuable, in many ways, than stealing information from users. Whereas hackers used to break into servers to control large amounts of bandwidth or deface web pages, much of the underground has turned to money-making schemes such as those described above. To accomplish these goals hackers need to compromise a large number of systems with reliable internet connections. Combined, these factors make embedded devices with persistent connections extremely valuable resources in the underground.

To make matters worse, research has recently been published that details how an attacker can compromise home routers simply by getting a user behind the device to view a certain web page or HTML email. The attack works from the inside: the victim's browser sits on the home LAN and is a trusted client of the router's administrative web interface, so a malicious page can use it as a relay to reach the router's configuration. Once a router is compromised the end user would likely never be aware. Even a user with completely up-to-date anti-virus and firewall software on their computer could be compromised in this manner, because the malicious traffic originates from the user's own browser and never looks like an attack on the computer itself. Because the router doesn't benefit from the protection of the computers behind it, it remains just as vulnerable as the day it was first purchased.

The embedded device community has been slow to react to this emerging threat. Because firmware is so tightly coupled to hardware, a bug in a firmware update can cause an embedded device to stop functioning entirely. The effects of such an outage range from inconvenience (for devices such as printers) to catastrophic (for devices such as routers used by businesses). Because the potential financial impact of a mismanaged patch is so high, manufacturers are understandably reluctant to release patches.

Added to the lack of patches, and the difficulty of installing them, is the fact that most users are completely unaware that patches (and the problems they fix) even exist. Manufacturers rarely collect registration details (such as e-mail addresses) from customers in order to alert them to new updates. Most users don't follow the security media and are unaware when problems arise. Essentially, users exist in a vacuum when it comes to information about patches for their devices: the devices don't automatically update or alert the user to updates, manufacturers don't contact users, and the user has no other reliable source of information.

All of this leads to a rather depressing security landscape in the embedded device arena. Of course, this assessment is a matter of perspective. The black hat community is, no doubt, cackling with glee as new exploits and vulnerabilities are discovered in embedded devices. A massive population of fairly inert new targets is becoming available. These are targets that aren't monitored, patched, or even noticed in many cases.

Compromised firmware could be used in any number of evil ways. It could be used to sniff traffic on the local network, carry out denial of service attacks, permit eavesdropping by attackers, or host phishing sites and rogue servers. The possibilities for mischief are virtually unlimited, and the well of targets is just starting to be tapped.

The threat to embedded devices is only growing. This should serve as a wake-up call for manufacturers to respond in some sort of organized fashion. History demonstrates that most manufacturers won't respond until large-scale compromises are publicized. In the meantime it is the responsibility of every tech-savvy person to warn their friends and colleagues to upgrade the firmware in their embedded devices, keep an eye on security notices posted by vendors, and take steps to monitor new firmware releases. It is important not to overlook the $20 component of your network in your home security equation, since it could turn out to be one of the most vulnerable pieces of your internet connection, one capable of defeating the far more expensive firewalls and security software deployed on your computers.
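One concrete way to act on the advice above ("take steps to monitor new firmware releases") is to keep a small inventory of your embedded devices, the firmware version each one reports, and the newest build the vendor publishes, and to flag anything that lags. The script below is an added example written for this article, not code from the original post or from any vendor. The device names, the "ExampleCo" models and the version strings are constructed, hypothetical data; in practice you would fill the table from each device's status page and the vendor's download page. The one non-obvious part is the comparison itself: vendor version strings mix zero-padded numbers, "v" prefixes, pre-release tags and revision letters, and a plain string compare gets several of these wrong (it puts "1.10" before "1.9").

```python
"""Firmware inventory check: flag devices whose reported firmware lags the
latest release recorded for their model.

Added example, not from the original article. INVENTORY is constructed,
hypothetical data standing in for what a real status page and vendor
download page would report.
"""
import re
from typing import List, Optional, Tuple, Union

Token = Union[int, str]
PRERELEASE = {"alpha", "beta", "rc", "pre", "dev"}


def parse_version(version: str) -> Tuple[Token, ...]:
    """Split a vendor version string into comparable tokens.

    Digit runs become ints so "1.10" sorts after "1.9" and "1.02" equals "1.2";
    letter runs become lower-cased tags. A leading 'v'/'V' before a digit is dropped.
    """
    v = version.strip()
    if v[:1] in ("v", "V") and v[1:2].isdigit():
        v = v[1:]
    return tuple(int(t) if t.isdigit() else t.lower()
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def _cmp_token(x: Optional[Token], y: Optional[Token]) -> int:
    """Compare two tokens at the same position; None means the component is absent.

    Rules: an absent numeric component counts as 0 ("2.0" == "2.0.0"); a
    pre-release tag sorts before the bare release ("1.0rc1" < "1.0"); any other
    letter tag is a later revision ("1.0" < "1.0b"); a number outranks any tag.
    """
    if x == y:
        return 0
    if x is None:
        return -_cmp_token(y, None)
    if y is None:
        if isinstance(x, int):
            return (x > 0) - (x < 0)
        return -1 if x in PRERELEASE else 1
    if isinstance(x, int) and isinstance(y, int):
        return (x > y) - (x < y)
    if isinstance(x, int):
        return 1
    if isinstance(y, int):
        return -1
    px, py = x in PRERELEASE, y in PRERELEASE
    if px != py:
        return -1 if px else 1
    return (x > y) - (x < y)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ta, tb = list(parse_version(a)), list(parse_version(b))
    n = max(len(ta), len(tb))
    ta += [None] * (n - len(ta))
    tb += [None] * (n - len(tb))
    for x, y in zip(ta, tb):
        r = _cmp_token(x, y)
        if r:
            return r
    return 0


# Constructed, hypothetical inventory:
# (device name, model, firmware the device reports, latest firmware the vendor lists)
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("office-router", "ExampleCo RX-100", "v1.02.3", "v1.02.10"),  # zero-padded, lags
    ("guest-ap",      "ExampleCo AP-20",  "2.0.0",   "2.0"),       # same release
    ("cable-modem",   "ExampleCo CM-5",   "1.0rc2",  "1.0"),       # still on a pre-release
    ("printer",       "ExampleCo LP-7",   "3.1b",    "3.1"),       # revision letter, current
]


def outdated_devices(inventory=INVENTORY) -> List[str]:
    """Names of devices whose installed firmware is older than the latest published build."""
    return [name for name, _model, installed, latest in inventory
            if compare_versions(installed, latest) < 0]


if __name__ == "__main__":
    for name, model, installed, latest in INVENTORY:
        state = "UPDATE" if compare_versions(installed, latest) < 0 else "ok"
        print(f"{name:14} {model:18} {installed:>9} -> {latest:<9} {state}")
```

Run it whenever you check a vendor's download page; only the "latest" column changes, and the report tells you which boxes need a visit to their upload form. The ordering rules in `_cmp_token` are a deliberate choice documented in the code, because vendors do not agree on what a trailing letter means; adjust them for a vendor whose scheme differs.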