A team of security experts has discovered that the code for firmware is so badly constructed that it could form an attack vector of cyber attacks.
Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin.
They found code which contained poorly-protected encryption mechanisms and backdoors that could allow access to devices. They reported all the problems to the vendors, but it had not been realised how bad the problem really was until now.
In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image.
Aurélien Francillon, a coauthor of the study and an assistant professor in the networking and security department at Eurecom said that most of the firmware analysed was in consumer devices, a competitive arena where companies often release products quickly to stay ahead of rivals.
This has an ethos of being first and cheap and to do that you don’t want a secure device.
