1. Introduction
In the era of consumer internet, the value of the Internet of Things (IoT) itself has not been fully explored. With the advent of the 5G era, the IoT field has ushered in new development opportunities. The 5G communication technology defines three major application scenarios: eMBB, uRLLC, and mMTC, greatly enhancing the communication capabilities and flexibility of IoT, providing a good infrastructure for the future development of IoT.
Currently, China is in the large-scale commercial preparation stage of 5G networks, with various regions vigorously cultivating the IoT application ecosystem around smart cities, smart homes, smart factories, smart healthcare, and smart transportation. In the future, the “5G+” model will play an increasingly important role in the digital transformation process across various fields, further driving a new round of technological revolution and IoT industrial transformation. According to statistics, by the end of 2020, the number of cellular IoT connected devices in China reached 1.136 billion, with a net increase of 108 million throughout the year. The number of cellular IoT connections accounted for 41.6% of the total number of mobile network connections. Among the cellular IoT connected devices in China, the proportion of terminal users for smart manufacturing, smart transportation, and smart public services reached 18.5%, 18.3%, and 22.1%, respectively (Data source: Ministry of Industry and Information Technology “2020 Communication Industry Statistical Bulletin”).
As the scale of the IoT industry continues to grow, new types of IoT terminal applications based on 5G networks are increasing, and more hacker organizations are targeting various new IoT terminal devices, exploiting vulnerabilities in these devices to implant malicious programs, control IoT devices to launch DDoS attacks, steal data, or cause business paralysis. The security issues of IoT terminal devices have become a major obstacle to the widespread deployment of IoT services. Analyzing the security risks faced by IoT terminals is of great significance for improving IoT security levels and promoting the healthy development of the IoT ecosystem.
As a professional mobile security and IoT security vendor in China, Bang Bang Security has compiled this report based on previous work and the statistical data from its self-developed IoT firmware integration analysis platform. The aim is to summarize and analyze the security risks faced by typical IoT terminals in 2020, present threat situations from multiple dimensions, quantify vulnerability risk levels, and provide references for IoT-related companies to establish a sound detection and evaluation system focused on IoT terminal security.
2. Overview of the IoT Industry
IoT Industry Development Accelerates, Connected Terminal Numbers Surge
Despite the ongoing Covid-19 pandemic, the IoT market continues to grow. According to statistics from IoT Analytics, in 2020, the number of IoT-connected devices (such as smart connected cars, smart home devices, and industrial connected terminals) will for the first time exceed that of non-IoT connected devices (such as smartphones, laptops, and desktop computers). By the end of 2020, among the 21.7 billion active connected devices globally, IoT-connected devices will reach 11.7 billion (approximately 54%). By 2025, it is expected that there will be more than 30 billion IoT connections, with nearly 4 IoT devices per person on average globally.

Moreover, according to tracking results from Zscaler, usage of enterprise IoT devices increased by 1500% during the Covid-19 period, leading to a new security issue: “shadow IoT devices”, that is, devices that connect to enterprise networks without authorization. These devices have almost no security measures, so connecting them to the enterprise network increases the attack surface and poses greater security risks. Such devices include digital set-top boxes, IP cameras, smart home devices, smart TVs, smartwatches, and even automotive multimedia systems.

Security Threats Intensify, Global IoT Security Spending Soars
As various feature-rich smart devices gradually integrate into people’s lives, the connection between people and devices becomes closer. IoT devices carry more and more production and personal privacy data, and their security issues are gradually receiving attention. Because IoT devices are deployed in massive numbers and are highly heterogeneous, the consequences of security attacks are also more diverse and severe. For example, an attack on a smart camera may lead to the leakage of household or work privacy, an attack on a smartwatch may lead to the leakage of activity trajectories, and an intrusion into smart connected vehicles may directly pose a serious threat to personal safety.

IoT terminal security issues are growing at an accelerating pace
Against the backdrop of rapid development in the IoT industry, security incidents related to IoT are frequent, and global spending on IoT security continues to increase. According to a Gartner survey, nearly 20% of enterprises or related institutions have experienced at least one IoT-based attack in the past three years. Gartner predicts that to prevent security threats, global spending on IoT security will reach $2.457 billion by the end of 2020, of which terminal security spending is about $541 million, gateway security spending is about $327 million, and professional services spending is about $1.589 billion.

With the popularization of 5G technology, the application scenarios of IoT have become increasingly complex, and the trend toward fragmented, distributed IoT devices is evident. Security demands and standards are difficult to unify, and there is a lack of unified control measures. Additionally, because IoT devices are low-cost and have limited computing power, existing security mechanisms are difficult to reuse directly on them. As a result, IoT devices have weak self-protection capabilities and are susceptible to intrusion and attack through the exploitation of security vulnerabilities.
At the same time, IoT device firmware generally has logical flaws and security vulnerabilities. Some development vendors, in order to save development costs and improve development efficiency, directly call third-party components without paying attention to whether the introduced components have security risks or defects, leading to numerous vulnerabilities in the firmware that remain unpatched and are easily exploited by attackers.
3. Statistical Analysis of IoT Terminal Security Data
Detection Sample Data Statistics
Bang Bang Security utilized its IoT firmware integration analysis platform to automate the capture and security detection of mainstream IoT device firmware in the market in 2020, and conducted statistical analysis on the security detection results of 433 devices with relatively new versions.
1. Distribution of IoT Device Types
Our detection samples include a total of 11 categories, including cameras, routers, smart power terminals, drones, vehicle components, handheld PDAs, set-top boxes, smart transportation, smart home devices, and wearable devices, distributed in the following proportions:

Statistical distribution of detection samples by device type
With the development of technology and the gradual maturity of the industry, smart cameras have been widely used in important scenarios such as identity authentication and security monitoring in smart cities, smart homes, automobiles, drones, AR, etc. The role of routers has also gradually evolved into the connectivity hub of smart homes. Connectivity and intelligence are increasingly influencing our daily lives, raising security demands.
2. Distribution of Security Risks
For the 433 samples, the firmware integration analysis platform detected a total of 20,065 security risks, an average of 46.34 security risks per IoT device. Ranked from most to fewest detected risks, the device types are: set-top boxes, cameras, routers, handheld PDAs, drones, etc. In the wave of digital life, the smart devices around us frequently expose security vulnerabilities and suffer breach incidents, reflecting the lack of security awareness and protection measures among manufacturers and the public.

Statistical distribution of security risks by device type
Firmware Code Vulnerability Analysis
1. High Exploitability Vulnerabilities are Significant
Through the firmware integration analysis platform, Bang Bang Security conducted security testing on the basic information, code risks, sensitive information leakage, and configuration security of IoT device firmware, with the top 10 detected security risks distributed by type as follows:

Top 10 statistics of security risk distribution
Statistics show that the most common risk types include CWE-457 (Use of Uninitialized Variable), CWE-676 (Unsafe Function Call), CWE-476 (Null Pointer Dereference), CWE-467 (Improper Use of sizeof()), CWE-190 (Integer Overflow Defect), CWE-215 (Debug Information Disclosure), etc. These security risks could lead to denial of service attacks, modification of control flow, buffer overflow, crash restart, runtime errors, and other security threats.
Additionally, in the statistical results, the risk of username and password leakage was found 89 times, and the risk of certificate file/key leakage was found 59 times. These risks may lead to leakage of user information, or allow leaked keys to be used to sign malware and so deceive ordinary users into installing it, among other security hazards.
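The two leakage risks described above can be checked for directly in an unpacked firmware image. The following is an added example, not code from Bang Bang Security's platform; the function name `scan_secrets`, the patterns, and the sample bytes are assumptions constructed for illustration.

```python
import re

# PEM header of any private key type (RSA, EC, DSA, OPENSSH, or bare PKCS#8).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:([A-Z]+) )?PRIVATE KEY-----")
# passwd/shadow-style entry carrying a crypt(3) hash: user:$id$salt$hash:
ACCOUNT_RE = re.compile(
    rb"(?<![A-Za-z0-9_])([a-z_][a-z0-9_-]{0,31}):"
    rb"\$(1|2[aby]|5|6)\$[./A-Za-z0-9$]{8,}:"
)
SCHEMES = {b"1": "md5crypt", b"5": "sha256crypt", b"6": "sha512crypt"}

# Constructed sample bytes standing in for an unpacked firmware image.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x00"
    b"root:$1$abcdefgh$Q7nYbq0w3v1xkz8cJ2mPp/:0:0:root:/root:/bin/sh\n"
    b"nobody:*:65534:65534:nobody:/:/bin/false\n\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...constructed...\n"
    b"-----END RSA PRIVATE KEY-----\n\x00"
    b"-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n"
    b"-----END CERTIFICATE-----\n"
)


def scan_secrets(blob: bytes) -> list[dict]:
    """Return findings sorted by offset; secret material is never echoed."""
    findings = []
    for m in PRIVATE_KEY_RE.finditer(blob):
        key_type = (m.group(1) or b"PKCS8").decode()
        findings.append(
            {"risk": "private-key", "offset": m.start(), "detail": key_type}
        )
    for m in ACCOUNT_RE.finditer(blob):
        scheme = SCHEMES.get(m.group(2), "bcrypt")
        user = m.group(1).decode()
        findings.append(
            {"risk": "account-hash", "offset": m.start(),
             "detail": f"{user} ({scheme})"}
        )
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in scan_secrets(SAMPLE_FIRMWARE):
        print(f"{f['offset']:#06x}  {f['risk']:<13} {f['detail']}")
```

A public certificate alone is not reported; only private key headers and accounts shipped with a password hash are, and the report carries the account name and hash scheme rather than the hash itself.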
2. Medium Risk Vulnerabilities are the Most Numerous
Referring to the Common Vulnerability Scoring System (CVSS), security risks are classified into high, medium, and low levels, and the distribution of risk levels in the detection results is as follows:

Distribution of risk vulnerabilities by risk level
Analysis of Security Risks in Third-Party Libraries
During the firmware development process, to save development costs and improve development efficiency, many development vendors directly use third-party libraries. Almost all software contains third-party libraries. According to Gartner statistics, in 2018, the code volume using third-party libraries accounted for 80% of the total code volume, while the proportion of self-developed code has been decreasing. Most firmware development vendors do not pay attention to whether the introduced components have security risks or defects when introducing third-party libraries, assuming that software security should be guaranteed by the component provider, i.e., upstream in the supply chain. However, in reality, analysis of some well-known open-source projects shows that these projects almost completely fail to perform any security checks.
1. On average, each firmware contains 21.46 third-party library vulnerabilities, and the versions are generally outdated
According to the statistical results, the average number of third-party library vulnerabilities in each firmware is approximately 21.46. The statistics of the number of calls and vulnerabilities for third-party libraries are as follows:

Statistics of the number of calls for third-party libraries

Statistics of the number of vulnerabilities in third-party libraries
Among the third-party libraries called in the firmware, BusyBox, which integrates over 300 commonly used Linux commands and tools, is quite common in embedded development. However, because some firmware development vendors configure it carelessly or do not apply patches in time, vulnerabilities leading to command execution or even code execution have arisen in IoT devices.
OpenSSL, an open-source library that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols, supports various encryption algorithms, including symmetric ciphers, hash algorithms, and secure hash algorithms. In 2014, OpenSSL was found to have the Heartbleed vulnerability, and in 2020, vulnerabilities such as CVE-2020-1971, CVE-2020-1968 (Raccoon Attack), and CVE-2020-1967 emerged.
Thus, the security risks posed by third-party library vulnerabilities cannot be underestimated.
2. High-risk vulnerabilities account for nearly 40%
The distribution of third-party library security risks classified by high, medium, and low levels is as follows, with the proportion of high and medium risks exceeding 90%, indicating a severe security risk situation caused by third-party libraries.

Distribution of third-party library vulnerability risk levels
3. OpenSSL library has many potential security risks
The library with the most vulnerabilities, OpenSSL, was called 35 times, with a total of 1,283 security vulnerabilities found, distributed across five versions: 0.9.7, 0.9.8, 1.0.0, 1.0.1, and 1.0.2. Many firmware images called version 1.0.1. These versions were released a long time ago and are no longer maintained or updated. Many firmware development vendors lack security strategies and management mechanisms for tracking security patches and updating versions. Newly released CVE vulnerabilities are unlikely to be patched on these old versions, leading to greater security risks for firmware that integrates these versions.

Statistics of IoT firmware OpenSSL library usage and vulnerabilities
4. Busybox is the most called library, and security risks remain a concern
The library called the most, Busybox, was called 126 times, with a total of 348 security vulnerabilities found, covering 19 versions from 1.00 to 1.26.2. Similar to OpenSSL, the versions of Busybox integrated by various firmware development vendors are also outdated. Taking the most commonly integrated version, 1.20.2, as an example, it has been 9 years since its last targeted patch was released; even for the latest of these versions, 1.26.2, the last patch update was in 2017.

Top 10 usage statistics of IoT firmware Busybox library
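Outdated OpenSSL and BusyBox builds like those counted above can be found from the version banners the libraries embed in their binaries. The following is an added example, not code from Bang Bang Security's platform; the function names `inventory` and `ci_gate`, the BusyBox cut-off, and the sample bytes are assumptions constructed for illustration.

```python
import re

# Unmaintained OpenSSL branches named in the report above.
EOL_OPENSSL = {"0.9.7", "0.9.8", "1.0.0", "1.0.1", "1.0.2"}
# Assumption for this example: treat BusyBox at or below 1.26.2, the newest
# version the report observed, as outdated.
BUSYBOX_CEILING = (1, 26, 2)

OPENSSL_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")
BUSYBOX_RE = re.compile(rb"BusyBox v(\d+(?:\.\d+){1,2})")

# Constructed sample: version banners as they appear inside firmware binaries.
SAMPLE_FIRMWARE = (
    b"\x00libssl\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
    b"BusyBox v1.20.2 (2013-05-01 10:00:00 CST) multi-call binary.\n\x00"
    b"OpenSSL 1.1.1k  25 Mar 2021\x00"
)


def inventory(blob: bytes) -> list[dict]:
    """List bundled OpenSSL/BusyBox versions and whether each is outdated."""
    seen = {}
    for m in OPENSSL_RE.finditer(blob):
        branch, letter = m.group(1).decode(), m.group(2).decode()
        seen[("openssl", branch + letter)] = branch in EOL_OPENSSL
    for m in BUSYBOX_RE.finditer(blob):
        version = m.group(1).decode()
        parts = tuple(int(p) for p in version.split("."))
        seen[("busybox", version)] = parts <= BUSYBOX_CEILING
    return [{"library": lib, "version": ver, "outdated": old}
            for (lib, ver), old in sorted(seen.items())]


def ci_gate(blob: bytes) -> int:
    """Exit status for a CI step: 1 if any outdated component is bundled."""
    return 1 if any(c["outdated"] for c in inventory(blob)) else 0


if __name__ == "__main__":
    for c in inventory(SAMPLE_FIRMWARE):
        print(c)
    raise SystemExit(ci_gate(SAMPLE_FIRMWARE))
```

Run against each build artifact, the non-zero exit status fails the pipeline step whenever a firmware image still bundles one of the flagged versions.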
4. Effective Response to Attacks through Firmware Detection and Evaluation
Due to the fragmentation and diversity of the IoT industry itself, obtaining firmware and conducting general, efficient, and precise automated security detection is quite challenging. On one hand, most IoT device development vendors develop based on existing modules or open-source code, or adapt fragmented code, coupled with weak security awareness among design and development personnel, leading to various security risks from the factory. On the other hand, the variety of IoT device operating systems, different usage architectures, and diverse firmware formats all pose challenges to automated security analysis.
As the security of application software has been significantly strengthened, hackers’ attack paths have begun to “move down” the technology stack, targeting IoT device firmware. More and more smart device manufacturers are realizing that firmware security is no longer a theoretical issue. Although various solutions have been introduced, most manufacturers are clearly not yet prepared. Analysis conclusions indicate that many vulnerabilities remain undetected and unpatched, giving rise to various security risks.
To achieve basic risk management and security compliance, smart device manufacturers should incorporate firmware vulnerability detection and evaluation as part of their continuous integration (CI) environment, regularly conducting static and dynamic analysis tests to identify security vulnerabilities and design flaws in IoT firmware, guiding the order of vulnerability remediation based on severity ratings, and conducting regression tests to ensure overall improvement in firmware security and reduction of security risks for smart devices in an ever-changing threat environment.