In days gone by, defense towers and heavy gates provided protection against attackers, but these days cyber criminals can easily gain access to our private property via home routers. © unsplash Fraunhofer magazine 3.20 - 41 My home is my castle – this famous remark made by English barrister Sir Edward Coke describes the profoundly human need for protection and security within our own four walls. During Coke’s lifetime some 400 years ago, locks on doors and windows were enough to protect the occupants against intruders. Now- adays, an army of hard-to-catch cyber criminals has joined the swarms of conventional intruders. These criminals use an inconspicuous device as a gateway to your private property: “Home routers are a common and frequent target,” explains Johannes vom Dorp, an employee at the Fraun- hofer Institute for Communication, Information Processing and Ergonomics FKIE. Over the past five years, he has been working intensively to address questions involving security issues. “Everything in our homes that is networked can be reached via the router,” says vom Dorp. A hacked robotic vacuum cleaner could be sending images of our living room to criminals while we are at home; the children’s game con- sole, the PC or TV could be used in a blackmail attempt. “There is also a major risk posed by misuse of the router as part of a botnet,” adds Adil Aden from the infrastructure security unit at Germany’s Federal Office for Information Secu- rity (BSI). The user rarely notices that anything is wrong. DDoS attacks can be launched by hijacking and combining hundreds or thousands of routers and smart devices to form botnets. BSI registers up to 110,000 bot infections in German systems daily. A BSI survey from 2019 indicated that almost one in four (24 percent) has already been a victim of cyber criminals. All devices tested have security flaws With this in mind, it is hardly surprising that the results of the Fraunhofer FKIE Home Router Security Report 2020 caused a big stir and that numerous media outlets reported on it. The tests at Fraunhofer FKIE showed that the firmware of almost all of the 127 models tested had significant security flaws. Unlike an app or software that the user buys and then installs, firmware is embedded in the respective hardware of the device. Without firmware, the washing machine would not know which wash cycle has been selected; the vacuum cleaner would not know when it needs to be emptied; the smart light bulb would not know how bright it needs to glow. And of course, firmware is also the operating software of every home router. Fraunhofer FKIE has developed the FACT tool to check firmware for security vulnerabilities. It is intended to make the security status more transparent for manufacturers and users and to make problems easier to solve. “FACT is an automated tool that you can use to easily examine firmware,” says vom Dorp. Tools like this have not existed until now, even though the number of Internet-enabled devices has been growing rapidly for years. According to Statista, there are currently more than 20 billion networked devices, almost two thirds of which are owned by private individuals. The first thing FACT does is unpack the firmware. Since it can contain any number of components, which are grouped and packed differently, this is not a trivial matter. “The outer container can easily hold up to 20,000 or 30,000 files,” says vom Dorp. The files include the operating system, drivers and function blocks as well as stand-alone programs and perhaps a web server. Content and structure vary depending on the model and device. Fur- thermore, not all containers are the same. Each manufacturer designs the outer container dif- ferently, depending on the intended installation routine, for example. “There are lots of creative approaches,” says vom Dorp. The extraction process is a challenging undertaking and FACT programmers need to adapt it regularly to new file types and manufacturers. Once the firmware has been unpacked, it is time to take stock: “There are small independent programs for moving, copying and deleting files, configuration files, stored IP addresses, URLs, processor architectures, passwords and cryptographic keys,” lists vom Dorp. Comparison with known security vulnerabilities The actual analysis can only start once stocktaking is complete. This involves the tool comparing all security vulnerabilities stored in the CVE open source database with the available material. CVE stands for Common Vulnerabilities and Exposures and is a collection of publicly known security vulnerabilities. The database has existed since 1999 and is used by hackers, developers and institutions alike. After performing a comparison with the CVE, an overview of all weaknesses identified in the existing firmware is displayed. However, not every vulnerability is necessarily found on every device. The result can vary depending on the software variant installed. The popular routers from AVM GmbH performed best in the test. Regular updates on these routers ensure the closure of many, but not all gaps in security. Other manufacturers often wait years to update their software – an unnecessary failing, according to vom Dorp, since the Linux operating system, which is used 90 percent of the time, is constantly providing updates. In order to make devices more secure in the future, BSI advises manufacturers to consult the Secure Broadband Router technical guidelines during development. These guidelines describe the current security requirements and are used by Fraunhofer FKIE, which works closely with BSI, for the further development of FACT. This may result in smart homes truly becoming as secure as castles in the future. back to page 1