Uncovering Hidden Risks in IoT devices: A Post-Pandemic National Study of SOHO Wi-Fi Router Security
DOI:
https://doi.org/10.5753/jisa.2024.3834
Keywords:
Cybersecurity, SOHO Wi-Fi Routers, Network Security, Open-source Firmware, COVID-19, Network Perimeter, Vulnerability Analysis
Abstract
This study thoroughly analyzes the cybersecurity status of Small Office/Home Office (SOHO) Wi-Fi routers. These routers are crucial but frequently overlooked elements in network infrastructure, particularly in light of the impact of the COVID-19 pandemic on network security. The pandemic has led to shifts in network usage patterns, blurring traditional security perimeters and extending them into private residences, creating additional points of vulnerability in urban environments. Our nationwide research evaluated an extensive dataset of router brands and models currently used at scale. We measured the prevalence of known vulnerabilities, assessed the currency of userspace and kernel software versions, and compared the security robustness of proprietary firmware against open-source alternatives. Our findings reveal a concerning landscape of widespread vulnerabilities and outdated software components, posing latent risks to end-users. The results indicate a predominance of Linux on MIPS and ARM architectures, with an average delay of 5 to 10 years between the release of the kernel and the implementation of the most recent firmware versions. As a result, we observed an average of 1344 and 72 vulnerabilities in the kernel and applications, respectively. One significant discovery from our research is that replacing the manufacturer's original firmware with open-source alternatives, such as DD-WRT, OpenWrt, and Tomato, can substantially enhance the security of the software stack. This enhancement results in improvements of up to 97% in the case of binaries and 98.42% in the kernel. Our research helps increase cybersecurity awareness by pinpointing critical weaknesses in home network environments and drawing attention to the need for more rigorous security practices in producing and maintaining SOHO routers. This investigation also led to the report of a new remote code execution vulnerability (disclosed in CVE-2022-46552).
License
Copyright (c) 2024 Journal of Internet Services and Applications
This work is licensed under a Creative Commons Attribution 4.0 International License.