View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 30, 2015

IoT under threat as 85% of network devices use copied code

News: Affected firms include Cisco, GE and Huawei; Users encouraged to contact device vendors.

By Joao Lima

The future of IoT could be jeopardised as a vast majority of firms are copying each others’ codes making over three million devices vulnerable to attacks.

A report has looked into 4000 embedded devices of over 70 vendors and found that only 580 (14.5%) of those devices had a unique code.

Some of the analysed devices include internet gateways, routers, modems, IP cameras and VoIP phones.

SEC Consult has found, in a joint research with the Carnegie Melon University Software Engineering Institute, more than 900 products from about 50 vendors to be vulnerable. Some of the affected companies include Cisco, GE, Technicolor, ZTE and Huawei.

It has also found that the UK has the tenth highest rate (2.26%) of all affected hosts, HTTPS/SSH. The rank is headed by the US (26.27%), Mexico (16.52%) and Brazil (8.10%).

As a result, a remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

It may be possible for an attacker to obtain credentials or other sensitive information that may be used in further attacks, according to the company.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

The company analysed HTTPS secure server certificates and cryptographic keys (public keys, private keys, certificates) in firmware images, with the most common use of these static keys being Secure Shell (SSH) Host Keys and X.509 certificates.

HTTPS is a protocol for secure communication over a computer network. SSH is a cryptographic network protocol that allows remote login and other network services to operate securely over an unsecured network.

X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI).

In a statement, SEC Consult said: "Some keys are only found in one product or several products in the same product line. In other cases we found the same keys in products from various different vendors.

"The reasons vary from shared/leaked/stolen code, white-label devices produced by different vendors (OEM, ODM products) to hardware/chipset/SoC vendor software development kits (SDKs) or board support packages firmware is based on."

Speaking to CBR, Jon Darley, Technical Director at Eseye, said that much of the copying of code is probably driven by speed to market and cost.

He said: "The cookie cutter approach helps keep costs down which will inevitably result in the proliferation of copied / reused code (and in this case security keys) unless more is spent on manufacturing processes."

Commenting on how to stop these sort of issues, Darley said that it is more of an understanding problem than a commercial / IPR problem given the move to data as a service.

"It is fine to use open code, if we abide by the license conditions, but also we need to understand that it doesn’t do everything for us."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.