"'Capture' Your IoT Devices and Improve Their Security"
Most cyberattacks on Internet of Things (IoT) devices are caused by misconfigurations or weak passwords. However, security researchers are concerned about the extensive use of third-party libraries (i.e., collections of code vendors might use in their devices' software). The concern is that if security vulnerabilities are present in these libraries, they would also affect every vendor that uses them. This could result in a large number of IoT devices being affected by vulnerabilities in libraries commonly used among vendors. Researchers at Carnegie Mellon University's CyLab recently presented a new study at the USENIX Security Symposium in which they examined 122 different IoT firmware for 27 different smart home devices released over the span of eight years. The goals of the study were to learn how pervasive device vendors' use of common libraries is, whether these libraries are updated to patch vulnerabilities, and whether there were significant delays in patching them. The study found that vendors do not frequently update libraries, and they use outdated versions most of the time. Some libraries were discovered to be hundreds of days behind in applying publicly available, critical security patches. The team proposed a new system named "Capture" to help address the challenge of mismanaged libraries. Capture enables devices on a local network, such as a single home Wi-Fi network, to use a centralized hub with libraries that are kept updated. According to the CyLab researchers, Capture would make a home's collection of smart devices always run using secure and updated libraries. Testing of the system showed that several example IoT devices could be modified to use Capture with little change in their performance.
This article continues to discuss the capabilities and limitations of the new software architecture Capture proposed by CyLab researchers to help protect IoT devices from using code from vulnerable software libraries, as well as the study behind this system.
CyLab reports "'Capture' Your IoT Devices and Improve Their Security"