Helping researchers with IoT firmware vulnerability discovery
John Toterhi, a security researcher with IoT security company Finite State, believes that many of the security problems plaguing IoT devices can be solved through transparency.
“Manufacturers who make their firmware public and follow GPL practices are doing themselves a huge favor: by making firmware public, manufacturers are enabling a world-wide network of the best security talent to find bugs, disclose them responsibly, and improve security for their customers. Without this transparency they exclude so many responsible researchers and enable threat actors who easily obtain their firmware through chip extraction, man-in-the-middling updates, and stealing firmware from update servers,” he told Help Net Security.
Toterhi and his colleagues have analyzed over 200,000 firmware images from 76 unique manufacturers across many different products: SOHO routers, cameras, televisions, enterprise network appliances, cell phones, medical devices, printers, home/building automation controllers, and more. Luckily, they had the company’s analytics system at their disposal to tackle such a mammoth task.