Building Embedded Systems Like It's 1996

TL;DR

This paper investigates the low adoption of security attack mitigations in embedded Linux devices, revealing widespread omissions and highlighting factors hindering security improvements in the growing IoT landscape.

Contribution

It provides the first large-scale measurement of attack mitigation adoption in embedded devices and identifies key factors affecting their implementation.

Findings

Embedded devices have significantly lower mitigation adoption than desktops.

Mitigation adoption rates are not improving over time.

Factors like software reuse and outdated kernels hinder mitigation deployment.

Abstract

Embedded devices are ubiquitous. However, preliminary evidence shows that attack mitigations protecting our desktops/servers/phones are missing in embedded devices, posing a significant threat to embedded security. To this end, this paper presents an in-depth study on the adoption of common attack mitigations on embedded devices. Precisely, it measures the presence of standard mitigations against memory corruptions in over 10k Linux-based firmware of deployed embedded devices. The study reveals that embedded devices largely omit both user-space and kernel-level attack mitigations. The adoption rates on embedded devices are multiple times lower than their desktop counterparts. An equally important observation is that the situation is not improving over time. Without changing the current practices, the attack mitigations will remain missing, which may become a bigger threat in the upcoming IoT era. Throughout follow-up analyses, we further inferred a set of factors possibly contributing to the absence of attack mitigations. The exemplary ones include massive reuse of non-protected software, lateness in upgrading outdated kernels, and restrictions imposed by automated building tools. We envision these will turn into insights towards improving the adoption of attack mitigations on embedded devices in the future.