About firmware vulnerabilities

Last updated: 2023-09-06

Comments on Mastodon

All posts: Index

Today, our devices are more connected to the Internet than ever before, and I don’t see that changing anytime soon. From washing machines to light bulbs and everything in between are online. Some of these IOT devices are useful, some not so much.

These gadgets have one thing in common; they are small computers. They run software. As we all know, there’s no such thing as bug-free software. Software has bugs, always.

Recently, critical security vulnerabilities were found on common end-user routers. There’s nothing new about this, but it got me thinking. Although some routers do automatically update firmware without user interaction, it’s often not the case. Or the automatic update functionality is disabled by default. This leaves the responsibility of updating the router to the end user. Let’s be honest, most of the people are not interested in these kinds of things. They buy the product online or from a local shop, plug it in and be done with it. It’s perfectly understandable, in the end the devices are means to an end. They are tools. I’m only talking about routers here…there are thousands of other types of “smart products” that might not even have a way to upgrade the firmware. Let’s alone the fact that the manufacturers don’t even release any updates for them.

There is now Cyber Resilience Act in the EU and UK to increase the responsibility of manufacturers. This is a very welcome change, but it doesn’t completely get rid of the problem. For example, there will be a support period in which manufacturers are obliged to supply security updates for their devices. However, people often use these devices for a long time, and it’s more than likely that the device will be used longer than what the device support period is. There are also effects on software development.

How to keep your devices safe

There are no silver bullets for this one. What I recommend is to buy Internet facing devices from a respectable manufacturer, read some reviews about them before buying, and take the extra steps to see that the automatic update feature is enabled. Or ask tech-savvy relatives to set up the device for you. It’s also a good idea to buy a new device every few years, albeit that will not help with the e-waste issue.

Also, remember that it’s not necessary to connect every possible device to the Internet. Personally, I find it hard to come up with a reason why a light bulb should be online.

It’s worth the trouble to spend just a little more time and money on these things. It’s certainly a better option than finding out that your home network is part of a global botnet.