Seeing is not always believing: Insights on IoT manufacturing from firmware composition analysis and vendor survey

Abstract

Attacks on Internet of Things (IoT) devices have become increasingly sophisticated. However, there exist few comprehensive security investigations of IoT devices. We conducted a large-scale systematic investigation by assessing IoT firmware and follow-up survey with professionals involved in IoT-device manufacturing to understand the factors that prevent software security of IoT devices. Consequently, we discovered that many IoT devices continue to use old processor architecture and operating systems that are unable to efficiently use existing attack-mitigation features. Furthermore, we demonstrated that software patches are sometimes implicitly applied without changing the software version number (implicit patching); this may generate false positives in existing vulnerability assessments relying on software versions. On the basis of a follow-up survey, we determined technical and contractual constraints to IoT security emanating from the supply chain in the IoT device manufacturing industry. Based on the results, we discuss challenges associated with secure IoT manufacturing in the IoT-device supply chain.