People are obsessed with self-improvement. Countless books, courses, and seminars promise to help their customers realize their potential if they follow X number of steps or do Y number of exercises so they can be Z. Unfortunately, the Cyber Independent Testing Lab (CITL) reported this week that 18 popular vendors haven't shown a similar drive to improve their firmware security over the last 15 years.
The Security Ledger reported that CITL examined 6,000 firmware images totaling nearly 3 billion binaries released between 2003 and 2018. These publicly available firmware images were gathered from Asus, Linksys, Netgear, and other popular networking companies to help CITL figure out if these vendors have improved their approach to securing the firmware of their devices over the 15 years it examined.
CITL found little sign of improvement. The non-profit's chief scientist, Sarah Zatko, told The Security Ledger "there was no evidence that anybody is making a concerted effort to address the safety hygiene of their products." Numerous companies reportedly failed to implement basic security features despite growing awareness of the issues those features address and increasing numbers of attacks on networking devices.
Zatko told The Security Ledger that several of the features missing from the examined networking firmware, such as stack guards and buffer overflow protection, are "the seatbelts and airbags of the software world." Lacking those basic protections, she said, puts the firmware years behind operating systems and web browsers in defending against the attacks those safeguards are supposed to stop.
Those findings would be damning even if CITL had carefully examined every firmware image. Knowing that CITL only had enough resources for a cursory evaluation (it's hard to examine thousands of firmware images from more than a dozen vendors) makes it even worse. These issues weren't hard to find; a small team of researchers evaluating the security of this firmware at scale was able to detect them.
CITL's report arrived shortly after the Eclypsium security company published its Screwed Drivers report. Those findings showed that Intel, Nvidia, and other major tech companies had shipped drivers with severe vulnerabilities that were nonetheless signed by Certificate Authorities and certified by Microsoft. That string of failures resulted in Windows 10 devices automatically trusting insecure drivers without their users being any the wiser.
Researchers constantly disclose vulnerabilities, discuss ways to thwart attackers, and push companies to protect their customers. CITL's findings and the Screwed Drivers report show that many companies fail to match these efforts. Maybe that makes them more like people who buy into self-improvement than we thought. Why bother with actual change when you can just make empty promises instead?