A look at home routers, and a surprising bug in Linux/MIPS
We reviewed 28 popular home routers for basic hardening features. None performed well. Oh, and we found a bug in the Linux/MIPS architecture.
Today we're pleased to announce the release of two papers:
- Build Safety of Software in 28 Popular Home Routers, by Parker Thompson and Sarah Zatko
- Linux MIPS - A soft target: past, present, and future, by Parker Thompson and Mudge Zatko
In the first paper, we analyze the firmware images of 28 popular home routers, checking for basic code hygiene and software safety features. What we found was disappointing: none of the routers made consistent use of basic software safety features like ASLR, stack guards, and DEP - features which have been standard in desktop environments for over 15 years.
Given the role these devices play in consumers' homes, and the ease with which these issues could be resolved, we believe the absence of these features is reckless and negligent. We strongly urge vendors to review their software build practices and adopt practices which ensure these basic security features are present prior to product release.
But that's not all. In the second paper, we describe an unfortunate bug in the Linux/MIPS architecture which we encountered in the course of our reporting on routers. This bug, whose origins date back to 2001, prevents most Linux/MIPS binaries from enjoying the full protections of DEP and ASLR. Given the popularity of Linux/MIPS in embedded devices (such as IoT, consumer and enterprise network equipment, etc), and the enormous diversity of threat models for such devices, we believe this bug represents a significant risk to a large segment of Internet-connected devices.