Is proprietary more secure than open source? Vulnerability analysis of embedded router firmwares
April 2017 by Marc Jacob
Sirin Software specialises in embedded systems and has successfully completed a number of projects in the field, where cyber security is an extremely important issue for today's trending IoT, Big Data and Cloud solutions.
Sirin Software, in partnership with Tactical Network Solutions, carried out a security study of embedded router firmware. The analysis below shows the level of security of the most popular routers' firmware as measured by a cloud-based firmware analyzer tool.
Number of routers in our houses and offices
There are a lot of routers in our homes and offices. According to the latest report from statista.com, the total number of internet users at the end of 2016 was 3.5 billion. If we assume there are approximately 4 users behind each router, we get 850 million routers in use. Of course, this is a very rough calculation, and in the end nobody knows exactly how many routers are in use in the world.
Why open source?
First of all, open source software is free: free not only to use, but also to investigate. Some companies offer security audits of source code, and one can purchase a one-time audit of an existing firmware to make sure the solution is free of backdoors. There is no direct or easy way to investigate proprietary solutions: you have to fully trust your vendor, or seek justice in court after a data leak, and most routers' suppliers include a legal disclaimer in their terms of use. There is, however, a roundabout way to examine such firmware: searching the binary for known patterns, which is exactly what Centrifuge does. Centrifuge is a cloud-based firmware analyzer tool developed by Tactical Network Solutions. It uses heuristic analysis of the compiled code to guess library versions and to count possible buffer overflows and potentially dangerous functions.
Security importance
In theory, a botnet made up of even 1% of that number of routers could produce a 9 Tbps attack, which would be the largest DDoS attack ever and could cause a denial of service for almost any existing service. On the other side, our personal privacy is the most important thing we should care about.
Direct security comparison using Centrifuge tool
Technically, most commercial and open-source firmwares are Unix-based and use some custom build on top of a Linux or FreeBSD kernel. Most Linux-based firmwares use the same technology stack and similar software bundles; however, they differ considerably in kernel and software versions.
Engineers at Sirin Software reviewed several proprietary firmwares from different suppliers in a comparative way. Because the source of proprietary firmware is closed, it is impossible to compare them by code audit, but we can compare them using the Centrifuge binary firmware analyzer: by the number of vulnerabilities in the whole firmware, by the number of outdated and compromised libraries, and so on. The latest firmware bundles were downloaded from the most popular vendors and analyzed by Centrifuge. We need to mention that firmwares also differ by size, so to account for this and be more precise we use relative measures, normalized by firmware size, to reflect the actual level of security. The final results of the analysis are presented in the table below.
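To make the two ideas above concrete, the binary-pattern search that the "Why open source?" section attributes to Centrifuge and the size-normalized comparison used in this section, here is a small added Python illustration. It is not Centrifuge's code and not Sirin Software's analysis: it extracts printable strings from a firmware image the way the `strings` tool does, matches a few assumed version-banner patterns, counts imported function names from an assumed list of risky C functions, and reports the count per megabyte so that images of different sizes can be ranked. The two firmware images it analyzes are constructed in the script (banners, symbol names and filler bytes), not real vendor firmware.

```python
import re
from collections import Counter

# Imported C function names commonly flagged in firmware audits. The set is an
# assumption for this example; a real tool would use a longer, curated list.
RISKY_FUNCTIONS = {"strcpy", "strcat", "sprintf", "gets", "system", "popen"}

# Version banners that libraries embed in their binaries. These regex shapes are
# assumptions for this example, not Centrifuge's signatures.
VERSION_PATTERNS = {
    "linux": re.compile(r"Linux version (\d+\.\d+\.\d+)"),
    "busybox": re.compile(r"BusyBox v(\d+\.\d+\.\d+)"),
    "openssl": re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}


def extract_strings(blob, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def detect_versions(strings):
    """Guess library/kernel versions from banner strings (first match wins)."""
    found = {}
    for s in strings:
        for name, pat in VERSION_PATTERNS.items():
            m = pat.search(s)
            if m and name not in found:
                found[name] = m.group(1)
    return found


def count_risky_symbols(strings):
    # Whole-string match only: imported symbol names sit as standalone
    # NUL-terminated entries in an ELF dynamic string table, so "strcpy"
    # inside an unrelated message text is deliberately not counted.
    return Counter(s for s in strings if s in RISKY_FUNCTIONS)


def analyze(blob):
    """Produce a per-image report with absolute and size-normalized counts."""
    strings = extract_strings(blob)
    risky = count_risky_symbols(strings)
    total = sum(risky.values())
    size_mb = len(blob) / 1_000_000
    return {
        "size_bytes": len(blob),
        "versions": detect_versions(strings),
        "risky_symbols": dict(risky),
        "risky_total": total,
        "risky_per_mb": round(total / size_mb, 2),
    }


def rank_by_density(reports):
    """Order image names from lowest to highest risky-symbol density."""
    return sorted(reports, key=lambda name: reports[name]["risky_per_mb"])


# --- constructed sample images (not real firmware) -----------------------
BANNERS = [
    b"Linux version 2.6.36 (builder@host)",
    b"BusyBox v1.19.4 (2013-02-01) multi-call binary",
    b"OpenSSL 1.0.1e 11 Feb 2013",
]


def build_sample_image(symbols, total_size):
    # NUL-separated strings surrounded by non-printable filler, padded to a
    # fixed size so that the per-MB figure is meaningful.
    pieces = BANNERS + symbols + [b"please use strcpy carefully"]
    body = b"\x00".join(pieces) + b"\x00"
    filler = bytes([0x00, 0xFF, 0x7F, 0x80]) * 1000
    return (filler + body + filler).ljust(total_size, b"\x00")


# 2 MB image with 4 risky imports, 4 MB image with 6 risky imports.
SMALL_IMAGE = build_sample_image(
    [b"strcpy", b"sprintf", b"strcpy", b"snprintf", b"memcpy", b"system"], 2_000_000)
LARGE_IMAGE = build_sample_image(
    [b"strcpy"] * 3 + [b"sprintf", b"gets", b"system"], 4_000_000)

if __name__ == "__main__":
    reports = {"small": analyze(SMALL_IMAGE), "large": analyze(LARGE_IMAGE)}
    for name, rep in reports.items():
        print(name, rep)
    print("safest first:", rank_by_density(reports))
```

The larger image has more risky imports in absolute terms (6 against 4) yet ranks better once the count is divided by size (1.5 against 2.0 per MB), which is the effect the relative measures in the comparison are meant to capture. Version guessing from banners is only a heuristic: a vendor may backport fixes without bumping the version string, so a detected version is a prompt for closer inspection rather than a verdict.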
Conclusions
There is no common certification body that can assess and classify routers by security level. That is why, even when buying a router from a reputable supplier, you cannot be sure it is safe and secure. It is well known that security by obscurity, hiding the implementation, is the worst approach. It would be good if all manufacturers provided at least meta-information such as the versions of the libraries and kernel used, a list of fixed security holes, or similar. Alternatively, people can use tools like Centrifuge to analyze the actual level of security.