By J.M. Porup
September 10, 2019
Turning on compile-time security features is easy. So why aren’t more IoT
device makers doing so?
Adding flags for security features when building IoT firmware binaries would
dramatically improve the security of IoT devices across the board. Almost no
one is doing it, and the problem is getting worse, not better, according to new
research from the CITL mass fuzzing project.
Cyber ITL (CITL) is a non-profit Consumer Reports-style security laboratory that has
so far automated the fuzzing of more than three million IoT firmware binaries
released over the last 15 years. Its results are discouraging.
“It’s very easy to do,” CITL chief scientist Sarah Zatko tells CSO of IoT
vendors’ failure to turn on basic compile-time safety features. “There’s no
good reason not to do it, and they’re just not bothering.”