AutoFirm: Automatically Identifying Reused Libraries inside IoT Firmware at Large-Scale
YongLe Chen, Feng Ma, Ying Zhang, YongZhong He, Haining Wang, Qiang Li

TL;DR
AutoFirm is an automated tool that detects reused software libraries in IoT firmware at large scale, helping identify security vulnerabilities and outdated libraries to improve IoT device security.
Contribution
The paper introduces AutoFirm, a novel automated approach for large-scale detection of reused libraries in IoT firmware, and provides an empirical study on library reuse and security gaps.
Findings
67.3% of outdated libraries were not updated in IoT firmware
Outdated libraries persisted for over 1.34 years on average before remediation
Vulnerable libraries pose significant security threats to widespread IoT devices
Abstract
The Internet of Things (IoT) has become indispensable to our daily lives and work. Unfortunately, developers often reuse software libraries in IoT firmware, which raises a major security concern: if vulnerable or insecure versions of these libraries go unpatched, a massive number of IoT devices can be impacted. In this paper, we propose AutoFirm, an automated tool for detecting reused libraries in IoT firmware at a large scale. Specifically, AutoFirm leverages syntax information (library name and version) to determine whether a piece of IoT firmware reuses a library. We conduct a large-scale empirical study of reused libraries in IoT firmware, investigating more than 6,900 firmware images and 2,700 distinct vulnerabilities affecting more than 11,300 vulnerable versions from 349 open-source software libraries. Leveraging this diverse information set, we conduct a qualitative assessment of…
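The abstract describes matching on syntax information (library name and version strings) and then judging whether the matched version is outdated. The following is an added illustration of that idea, not AutoFirm's own code: the string dump, the signature patterns and the baseline versions are all constructed for this example, and a real catalogue would be far larger.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines as `strings` would print them from an unpacked firmware
# image. Versions are invented for illustration, not taken from the paper.
FIRMWARE_STRINGS = """
OpenSSL 1.0.1e 11 Feb 2013
BusyBox v1.22.1 (2014-03-10 12:00:00 UTC) multi-call binary.
inflate 1.2.8 Copyright 1995-2013 Mark Adler
Linux/2.6.36 UPnP/1.0 Portable SDK for UPnP devices/1.6.19
Copyright 2012 ACME Networks
"""

# Name/version "syntax" signatures; group 1 captures the version. Assumed patterns
# written for this example, based on the banner text these libraries embed.
SIGNATURES: Dict[str, re.Pattern] = {
    "openssl": re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "busybox": re.compile(r"BusyBox v(\d+\.\d+\.\d+)"),
    "zlib": re.compile(r"inflate (\d+\.\d+\.\d+) Copyright"),
    "libupnp": re.compile(r"Portable SDK for UPnP devices/(\d+\.\d+\.\d+)"),
}

# Constructed baseline of "current" versions to compare against (hypothetical values).
BASELINE = {"openssl": "1.0.2u", "busybox": "1.36.1", "zlib": "1.3.1", "libupnp": "1.14.18"}

def version_key(v: str) -> Tuple:
    """Turn '1.0.1e' into (1, 0, 1, 0, 'e'): numeric parts padded to four fields so
    tuples compare cleanly, with an optional OpenSSL-style patch letter last."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + (m.group(2),)

def identify_libraries(text: str) -> Dict[str, str]:
    """Return {library: version} for every signature found in the string dump."""
    return {name: m.group(1) for name, pat in SIGNATURES.items() if (m := pat.search(text))}

def outdated_libraries(found: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (library, found_version, baseline_version) where the firmware lags the baseline."""
    return [(n, v, baseline[n]) for n, v in sorted(found.items())
            if n in baseline and version_key(v) < version_key(baseline[n])]

if __name__ == "__main__":
    for name, ver, base in outdated_libraries(identify_libraries(FIRMWARE_STRINGS), BASELINE):
        print(f"{name}: found {ver}, behind baseline {base}")
```

Mapping a detected version to specific vulnerable-version ranges (the paper's 11,300+ vulnerable versions) follows the same comparison, with the baseline replaced by per-library fixed-version boundaries.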
Taxonomy
Topics: Peer-to-Peer Network Technologies · Caching and Content Delivery · Advanced Data Storage Technologies
